News

Russian IT security veteran plans to publish undisclosed security flaws live on a zero-day basis

13 January 2010

Evgeny Legerov, the 30-year-old IT security researcher and founder of Intevydis, the Moscow-based IT security consultancy, has caused a quiet storm in security research circles after saying he plans to release zero-day flaws in a range of popular applications without first notifying the vendors concerned.

In an interview with US security journalist Brian Krebs, Legerov said he plans to release flaws in a variety of packages likely to include Zeus and Sun's web server software, IBM DB2, Lotus Domino and Informix, and directory server applications including the Novell, Sun and Tivoli directory servers.

In his interview with Krebs, Legerov said that, after working with vendors long enough, "we've come to (the) conclusion that, to put it simply, it is a waste of time".

According to the IT security researcher, he and his team no longer intend to contact vendors about security flaws, and no longer support the industry's 'responsible disclosure' policy.

Legerov's comments have drawn criticism from a wide range of security professionals, in particular Graham Cluley, senior technology consultant with Sophos, who said he can understand Legerov's frustration, but thinks it is wrong to release information about unpatched vulnerabilities.

According to Cluley, this approach may inevitably lead to innocent computer users finding their systems compromised by hackers exploiting the zero-day vulnerabilities before a patch is available.

"What I think Legerov has failed to realise is that there is another way to get vulnerabilities fixed, whilst still behaving responsibly", Cluley said in an overnight blog posting.

"If a software vendor has failed to respond in an appropriate time to a vulnerability that exists in its shipping code then you don't have to go public with details of the security hole. Instead, you could use the power of the media to your advantage", Cluley said.

Cluley argues that, rather than posting detailed specifics of how to exploit the vulnerability on the internet, researchers can work with a friendly journalist and demonstrate the security hole without giving away details of the modus operandi.

The researcher, Cluley explained, can then complain as loudly and for as long as they like about how frustrated they are with the software vendor.

It will, says Cluley, make a great news story, and that will pressure the vendor to take the necessary steps.

"Irresponsibly disclosing details of vulnerabilities is effectively putting a gun against the head of a software vendor, but risks shooting innocent users too", Cluley said.

"If you've found a serious vulnerability then a security journalist will be happy to discuss it, publicise it with their readers, and put pressure on the vendor to take appropriate action", Sophos' Cluley added.

