Who Knew What, When Did They Know It, and Why Didn’t They Tell Us?

The battle against cyber-crooks is a grind and the bad guys never seem to rest in their efforts to compromise systems and steal valuable information. Yet the minds that apply themselves to stopping crime are just as astute as those who seek to perpetrate it—so why do we seem to be losing the battle?

One reason is that the good guys, while obviously trying to do good, are—first and foremost—out for themselves. The latest example of this is an Internet report that

Microsoft has known since at least February that dozens of Windows applications, including many of its own, contain bugs that hackers can exploit to seize control of computers, according to an academic researcher.

Taeho Kwon, a Ph.D. candidate at the University of California Davis, said in a paper published in February, and presented last month at an international conference, that at least 19 of the Windows bugs can be exploited remotely. The report goes on to claim that many have warned that a large number of Windows programs are vulnerable to attack because of the way they load components.

Meanwhile, a U.S. researcher, H.D. Moore, said he had found at least 40 vulnerable applications, including the Windows shell. The next day, Slovenian security firm Acros announced it had uncovered more than 200 flawed Windows programs in an investigation that began four months ago, the report notes.

But here’s where the fun begins … depending on your definition of fun. On Saturday, the report says, Kwon claimed his work preceded Moore's and Acros'. In the paper he presented last month at the International Symposium on Software Testing and Analysis (ISSTA), Kwon said that he had submitted a bug report to the Microsoft Security Response Center (MSRC).

So while the various malware sniffers tussle over who said what first and who knew what when, enterprises worldwide are vulnerable to a host of problems that are too numerous to detail here. Microsoft, meanwhile, seems only to have acknowledged that it is looking into the problems mentioned by the various researchers.

That gives the bad guys plenty of rope with which to hang enterprises out to dry—and with financial services enterprises increasingly being targeted by cyber criminals, that could mean major problems. Now I’m not suggesting that we should “all just get along,” but I am wondering what happened to common decency and common sense. If vulnerabilities are publicly posted by reliable sources, why are we still “investigating?”

In the end, this happens because each of the parties concerned is looking out for No. 1, and Nos. 2 and up be damned. We probably will never know who really knew what, when they knew it, and what they did about it, but we do know one thing—for those who become victims, we knew too late.

Ara C. Trembly (www.aratremblytechnology.com) is the founder of Ara Trembly, The Tech Consultant, and a longtime observer of technology in insurance and financial services.

Readers are encouraged to respond to Ara using the “Add Your Comments” box below. He can also be reached at ara@aratremblytechnology.com.

This blog was exclusively written for Insurance Networking News. It may not be reposted or reused without permission from Insurance Networking News.

The opinions of bloggers on www.insurancenetworking.com do not necessarily reflect those of Insurance Networking News.
