Microsoft Releases Out-of-cycle IE Patch – An Issue of Responsibility

The software giant Microsoft landed in a lot of hot water this month, with the media and the blogosphere yelling at them in unison for failing to patch a critical IE flaw.

Indeed, the company’s regularly-scheduled patch pack had barely cooled when a new, deep flaw had been announced to exist in Internet Explorer.

Apparently, the discovery was leaked, rather than intentionally disclosed, which finally brings us to the topic of this week’s article. Microsoft is reaping what they (and other major software companies) have sown – the huge media backlash is a direct consequence of the policy of “responsible disclosure”.

Under “responsible disclosure”, a researcher who finds an exploitable flaw first reports it to the vendor (let’s call this moment A). The vendor then issues a fix at some later time B and the bug is publicized along with the fix. Days, months or years may pass between A and B.

Now, this gives rise to the peculiar concept of a zero-day bug – a bug that is found and publicized before a fix for it is found. This is implied to be a BAD_THING(tm) and companies like Microsoft get criticized for letting it happen. The concept arose by forced analogy with that of the “zero-day exploit” – an exploit published the same day a bug is made public.

The truth is that, of course, all found bugs are zero-day bugs.

How many people find out about a particular bug depends on who finds it – a “responsible disclosure”-type researcher informs only the software manufacturer, while a black hat evil hacker type might create an exploit and not tell anyone about it, ever, using the exploit only sparingly, on high-value targets. A really responsible researcher would tell everyone, so that mitigating actions can be considered and the software company is pressured into releasing a fix quickly.

Which of these strikes you as a desirable situation? How about if you were a software company?

About the author

Razvan Stoica is a journalist turned teacher turned publicist and technology evangelist. When Bitdefender isn't paying him to bring complex subjects to wide audiences, he enjoys writing fiction, skiing and biking.

Razvan Stoica started off writing for a science monthly and was the chief editor of a science fiction magazine for a short while before moving on to the University of Medicine in Bucharest where he lectured on the English language. Recruited by Bitdefender in 2004 to add zest to the company's online presence, he has fulfilled a bevy of roles within the company since.

In his current position, he is primarily responsible for the communications and community-building efforts of the Bitdefender research and technology development arm.