Finjan has been maligned of late for announcing 10 (or 17 or 19 or not) new vulnerabilities in Win XP SP2. Honestly, I don’t understand why everyone is so annoyed by their approach. As far as I can tell, it has something to do with validating the veracity of their claim. So who cares? Sure, it is a marketing ploy, but that is what we do in the security world – hype the risk in order to sell products. Ultimately, every vendor is guilty of this, and I would actually consider this a minor one.
To be fair, the risk exists, and solutions that don’t require knowledge of specific exploits and/or vulnerabilities are conceptually superior to those that do (intuitively, the order from most general to least is 1) no knowledge of the specific flaw; 2) knowledge of the vulnerability; and 3) knowledge of a particular exploit). Of course, there are a lot of reasons why this doesn’t necessarily play out in practice, performance and management overhead being two big ones: a generic protection tends to cost more at runtime and generate more false positives than a signature for a known exploit.
So why, then, is this a big deal? Microsoft seems to be annoyed by the process Finjan followed. Something to do with the number of vulnerabilities claimed and the amount of time Microsoft was given to investigate them. Since Finjan is not releasing any details except the broadest ones, I don’t understand the significance of this argument. Of course, it could just be that finding the first SP2 vulnerabilities has a bit of newsworthiness to it (as we’ve seen) and Microsoft is actually hoping that there are none. Another argument may be about timing – releasing details prior to the patch being released. But eEye has been publishing elapsed-time information (days since the vendor was notified) for quite some time, and now Microsoft itself is releasing advance information sooner than the patch, so that point seems to be moot.
On the other side, all of the bughunters of the world want to be able to see for themselves whether this is true or not. As far as I can tell, the issue here is either ego or marketing – the only two reasons that would warrant the concern. The third big reason for bughunting – spite toward purveyors of buggy code – is already satisfied here with "yet another example of poor programming," so that cannot be a factor, I don’t think. Regardless, all of this is a smokescreen anyway; what it really highlights is how ambiguous any supposed worldwide acceptance of "responsible disclosure" is, and how far we are from otherwise making the world safe for computing.