Monday, August 28th 2000, 12:00 am
By: News On 6
WASHINGTON (AP) — Some ``bug hunters'' who uncover security flaws in computer software and rush to issue public warnings may be helping hackers more than consumers, industry officials worry.
It's a thorny issue that divides security specialists. Many argue that fast, full disclosure of a vulnerability alerts computer users to take precautions and pushes software makers to provide a quick solution.
Others say telling about how software is vulnerable to hackers before companies have a chance to fix the problem only invites attack.
``There needs to be a Hippocratic Oath for security professionals,'' said Joel de la Garza of the Internet security company Securify. ``A rule like 'first, do no harm' would be a very good thing, but highly unlikely.''
Bug hunters, often working free-lance and spread across the globe, operate by their own personal codes. Some rush out information immediately, others give the maker a day's notice before a public announcement and still others will wait a week or more for a solution to be found.
Most are eager to be the first to claim credit for their discoveries.
Ron Moritz, chief technical officer for Symantec Corp., which makes antivirus software, takes the side of full disclosure, ready or not.
``Sometimes the threat is something that can't be solved instantaneously or immediately,'' he said. By exposing a hole as soon as it is found, Moritz said, ``the good guys and bad guys know, instead of just the bad guys.''
Recently, a security company found a major hole in Microsoft's Outlook e-mail software that could allow a hacker to break into a person's computer merely by sending the victim an e-mail message.
Microsoft was notified by the security company, and started to work on a patch. But another bug hunter found the problem and made it public without notifying the company. The remedy was still days away.
``By putting that kind of information out, the info may reach some people who could use it to take preventative steps,'' said Microsoft's security guru, Scott Culp. ``But it will definitely reach people who are going to use it to attack other customers.''
Culp wants bug hunters to first help Microsoft find a solution to a security hole — then take credit for the discovery. He said his group has received about 5,000 security hole reports so far this year. After weeding out customer errors, they resulted in 58 software patches and e-mailed bulletins.
``We're not averse to talking about vulnerabilities, but there's a right way to do it,'' Culp said.
Of course, few companies want an outsider publicizing glitches in their products. Likewise, bug hunters have their own self-interests, such as promoting themselves and their line of work.
``People like to see their name in the newspapers,'' said Richard Smith, chief technology officer for the Privacy Foundation, a research center at the University of Denver.
Smith, who has found many bugs himself, said security free-lancers perform a valuable service to software makers, often for free. But he doesn't believe discoverers should divulge enough to tip off hackers.
``I'm dead set against full disclosure, I think it's really wrong. If Microsoft has a bug, it's a good thing to give just vague details,'' not a blueprint for exploiting it, he said.
Georgi Guninski, a Bulgarian security expert who has found numerous bugs, says he typically gives companies about 24 hours to fix a problem before revealing it to the world, and offers interim solutions until it can be solved.
``I do not think that making a hole public does harm,'' said Guninski, who works for Netscape. ``I think that by discovering bugs I make products more secure.''
Elias Levy, who manages the BugTraq e-mail list, has seen software vendors get stung.
``There will always be people that simply forget about the vendor altogether or publish the vulnerability information with the full knowledge that they have not notified the vendor, simply to make them look bad,'' Levy said.
———
On the Net: Microsoft Security site: http://www.microsoft.com/security