GreyMagic Software released the news of the flaws at the same time it gave the information to Microsoft, saying that in the past "notifying Microsoft ahead of time and waiting for them to patch the reported issues proved... nonproductive".

Because Microsoft only received news of the holes on Tuesday, the software giant couldn't confirm the existence of the vulnerabilities. Testing the demo code provided by GreyMagic Software, however, showed that the flaws apparently were real.

The Israeli Web company's refusal to notify Microsoft first, however, earned it the software giant's ire. "We are concerned by the way this report has been handled," a Microsoft representative said in a statement. "Publishing this report may put computer users at risk -- or at the very least could cause needless confusion and apprehension."

For more than a year, Microsoft has been fighting to rein in the public disclosure of flaws, issuing criticism of what it deems to be irresponsible reporting and sponsoring the formation of a group to set standards for disclosing vulnerabilities.

In the past, software makers haven't been very responsive to security issues, but that's changing. Most researchers still believe that releasing information about flaws is the best way to warn the public. However, the same researchers increasingly believe that giving the software's creator a fair amount of time to create a patch is the most responsible way to handle such incidents. Interpretations of what's fair, however, can vary -- from a few days to a few months.

According to Dagon, previous advisories that the company brought to the software titan's attention took anywhere from 3 months to more than 6 months to fix. Since then, he said, GreyMagic has lost patience.

"Microsoft takes quite a while to plug even the simplest security issue, leaving users exposed to risks for months at a time instead of letting them know about temporary workarounds," Dagon said.
But Microsoft isn't the only one to voice concern about reports such as GreyMagic's. The open-source community was not happy when security company Internet Security Systems dropped a bomb by posting an advisory about a major flaw in the Apache Web server just hours after it had notified the development group.
