I read an interesting piece by Roger Grimes @ InfoWorld wherein he described the situation of a vendor who was not willing to patch an unsupported version of software even though it was vulnerable and shown to be (remotely) exploitable.
Rather, the vendor suggested that using some other means (such as blocking the offending access port) was the most appropriate course of action to mitigate the threat.
What's interesting about the article is not that the vendor is refusing to patch older unsupported code, but that ultimately Roger suggests that irrespective of severity, vendors should immediately patch ANY exploitable vulnerability -- with or without public disclosure.
A reader who obviously works for a software vendor commented back with a reply that got Roger thinking, and it got me thinking too. The reader says they don't patch lower-severity vulnerabilities immediately (they actually "sit on them" until a customer raises a concern) but instead focus on the higher-severity discoveries:
The reader wrote to say that his company often sits on security bugs until they are publicly announced or until at least one customer complaint is made. Before you start disagreeing with this policy, hear out the rest of his argument.
"Our company spends significantly to root out security issues," says the reader. "We train all our programmers in secure coding, and we follow the basic tenets of secure programming design and management. When bugs are reported, we fix them. Any significant security bug that is likely to be high risk or widely used is also immediately fixed. But if we internally find a low- or medium-risk security bug, we often sit on the bug until it is reported publicly. We still research the bug and come up with tentative solutions, but we don't patch the problem."
In the best of worlds, I'd agree with Roger -- vendors should patch all vulnerabilities as quickly as possible once discovered, irrespective of whether the vulnerability or exploit is made public. The world would be much better -- assuming, of course, that the end-user could actually mitigate the vulnerability by applying the patch in the first place.
Let's play devil's advocate for a minute...
Back here on planet Earth, vendors prioritize and allocate resources to mitigating vulnerabilities in much the same way consumers choose to apply patches for them: most look at the severity of a vulnerability, start from the highest severity and make their way down. That's just the reality of what I've observed.
So, for the bulk of these consumers, is the vendor's response out of line? It seems in total alignment.
As a counterpoint to my own discussion here, I'd suggest that prudent risk management best practice means protecting those assets that matter most. Sometimes this means that one would mitigate a Sev3 (medium) vulnerability over a Sev5 (highest) based upon risk exposure...this is where solutions like Skybox come into play. Vendors can't attach a weight to an asset; all they can do is assess the impact that an exploitable vulnerability might have on their product...
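To make that risk-based ordering concrete, here is an added example (not code from the original post, from Roger's article or from Skybox) that weights the vendor's severity rating by how much an asset matters and how reachable it is, so a Sev3 on a critical, exposed asset outranks a Sev5 on an isolated lab box. The assets, scores, weights and the discount for a compensating control (such as the blocked port from the vendor's advice) are constructed assumptions, not a published scoring model.

```python
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Asset:
    name: str
    criticality: int   # 1 (low) .. 5 (business-critical); assigned by the asset owner, not the vendor
    exposure: float    # 0.0 (unreachable) .. 1.0 (directly reachable by an attacker)


@dataclass(frozen=True)
class Vuln:
    vuln_id: str
    asset: Asset
    severity: int               # vendor severity, 1 (lowest) .. 5 (highest)
    compensating_control: bool = False  # e.g. the offending access port is already blocked


# Assumed discount: a compensating control leaves some residual reachability.
CONTROL_DISCOUNT = 0.2


def risk_exposure(v: Vuln) -> float:
    """Severity weighted by what the asset is worth and how reachable it is."""
    reachability = v.asset.exposure * (CONTROL_DISCOUNT if v.compensating_control else 1.0)
    return v.severity * v.asset.criticality * reachability


def by_severity(vulns: List[Vuln]) -> List[Vuln]:
    """The vendor's view: highest severity first, assets are all alike."""
    return sorted(vulns, key=lambda v: v.severity, reverse=True)


def by_risk(vulns: List[Vuln]) -> List[Vuln]:
    """The consumer's view: highest risk exposure first."""
    return sorted(vulns, key=risk_exposure, reverse=True)


# Constructed sample data for the demonstration.
LAB_BOX = Asset("lab-box", criticality=1, exposure=0.3)
BILLING_DB = Asset("billing-db", criticality=5, exposure=0.8)
LEGACY_APP = Asset("legacy-app", criticality=4, exposure=1.0)

SAMPLE = [
    Vuln("V-1", LAB_BOX, severity=5),                              # Sev5, but who cares about the lab box
    Vuln("V-2", BILLING_DB, severity=3),                           # Sev3 on the asset that matters most
    Vuln("V-3", LEGACY_APP, severity=5, compensating_control=True),  # Sev5, port already blocked
]

if __name__ == "__main__":
    print("by severity:", [v.vuln_id for v in by_severity(SAMPLE)])
    print("by risk:    ", [(v.vuln_id, round(risk_exposure(v), 2)) for v in by_risk(SAMPLE)])
```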
The reader's last comment caps it off neatly with a challenge:
“Industry pundits such as yourself often say that it benefits customers more when a company closes all known security holes, but in my 25 years in the industry, I haven’t seen that to be true. In fact I’ve seen the exact opposite. And before you reply, I haven’t seen an official study that says otherwise. Until you can provide me with a research paper, everything you say in reply is just your opinion. With all this said, once the hole is publicly announced, or becomes high-risk, we close it. And we close it fast because we already knew about it, coded a solution, and tested it.”
I'm not sure I need an official study to respond to this point, but I'd be interested to know whether such a thing exists. Gerhard Eschelbeck has been studying vulnerabilities and their half-lives for some time. I'd be interested to see how this plays out.
So, read the gentleman's posts; in some cases his comments are understandable and in others they're hard to swallow...this definitely depends upon which side of the fence you stand on (if not both). All vendors are ultimately consumers in one form or another...
Thoughts?
/Hoff