Indeed, the company’s regularly scheduled patch pack had barely cooled when a new, deep flaw was announced in Internet Explorer.
Apparently, the discovery was leaked, rather than intentionally disclosed, which finally brings us to the topic of this week’s article. Microsoft is reaping what they (and other major software companies) have sown – the huge media backlash is a direct consequence of the policy of “responsible disclosure”.
Under “responsible disclosure”, a researcher who finds an exploitable flaw first reports it to the vendor (let’s call this moment A). The vendor then issues a fix at some later time B and the bug is publicized along with the fix. Days, months or years may pass between A and B.
Now, this gives rise to the peculiar concept of a zero-day bug – a bug that is found and publicized before a fix for it exists. This is implied to be a BAD_THING(tm), and companies like Microsoft get criticized for letting it happen. The concept arose by forced analogy with that of the “zero-day exploit” – an exploit published the same day a bug is made public.
The truth is that, of course, all found bugs are zero-day bugs.
How many people find out about a particular bug depends on who finds it – a “responsible disclosure”-type researcher informs only the software manufacturer, while a black hat evil hacker type might create an exploit and not tell anyone about it, ever, using the exploit only sparingly, on high-value targets. A really responsible researcher would tell everyone, so that mitigating actions can be considered and the software company is pressured into releasing a fix quickly.
Which of these strikes you as a desirable situation? How about if you were a software company?