A security vulnerability advisory service recently launched by eEye Digital Security Inc, which alerts users to the existence of bugs without releasing specifics, raised concerns yesterday from one of the first vendors to have a bug exposed by it.
eEye issued two Upcoming Advisory messages on Friday, one concerning Zone’s ZoneAlarm personal firewall software, the other concerning Internet Security Systems Inc’s BlackICE personal firewall software.
While both these vendors expressed some surprise at the fact that the existence of vulnerabilities was being disclosed before a patch was available, Zone expressed displeasure at how the advisories were handled.
Zone said eEye’s characterization of the bug as High risk exaggerates the vulnerability, which Zone says requires an SMTP server to be running behind ZoneAlarm, which is uncommon among its users and not a recommended option.
"Only a very, very small number of users are affected," said Zone's director of service offerings, Chad Harrington. eEye's chief hacking officer Marc Maiffret later said that eEye will likely reduce its rating to Medium in its formal advisory.
This advisory service was introduced two weeks ago after eEye grew tired of waiting as long as six months between notifying Microsoft about Windows vulnerabilities it had found, and patches being released.
Nine vulnerabilities are currently listed, most of them in Windows or other widely deployed Microsoft products. At 161 days since vendor notification, eEye lists two Windows patches as 101 days overdue.
By publishing rough details of vulnerabilities eEye knows about, the company hopes to encourage software makers to speed up the delivery of their patches. eEye does not make enough data available for malicious hackers to exploit the bugs.
Harrington said Zone developed a patch over the weekend, but that attempts to have eEye test the patch to validate that it fixes the vulnerability went unanswered, even while the clock on eEye’s Upcoming Advisories page was ticking.
"We attempted to contact eEye many times, but they didn't return our calls and didn't return our e-mails," said Zone's Harrington. "They don't seem very responsive."
eEye’s Maiffret disagreed on this characterization. He said eEye did get a chance to test Zone’s patch and found that it worked.
By informal agreement, security researchers give vendors adequate time to fix security-related bugs that are found, and vendors in turn respond in a timely manner. "eEye blurs the line more than just a little bit," Fred Feldman, Zone's vice president of marketing, said.
Chris Rouland, vice president of ISS's X-Force vulnerability research team, said he was surprised, but not concerned, by the eEye pre-advisory advisory. "This doesn't compromise the public's safety, it doesn't really hurt the user," he said.
ISS’s standard disclosure policy is to give the vendor 30 days to patch its software before going public.
Zone issued a patch for its vulnerability last night. ISS is working on a patch for BlackICE’s apparently more complex vulnerability, and expects to deliver it to customers some time next week.
This article is based on material originally published by ComputerWire.