
Can developers be trusted?
By Robert Lemos
Published: 21 November 2002 16:40 GMT
The questionable handling of a fix for a recent widespread software vulnerability has some administrators worried that developers can't be trusted to make security a top priority.
Last week, the Internet Software Consortium withheld the patch for a critical flaw in the domain name system (DNS) software from a large number of researchers, asking instead that each person send the organisation an email request in order to get the fix.
The software, known as the Berkeley Internet Name Domain (BIND) program, performs a critical function as the address book for the net.
The delay, coupled with messages sent to several administrators urging them to pay to become part of an early-warning group run by the ISC, has some security experts in the US worried that security is taking a back seat to secrecy and money.
"It's a concern, especially with the Digital Millennium Copyright Act being used by some companies to threaten researchers," said Greg Shipley, chief technology officer of security consultancy Neohapsis. "The bottom line is the industry cannot agree on a responsible disclosure process, and the community and the internet at large suffer."
For the past two years, Richard Clarke, special presidential adviser for cybersecurity, has expounded the need for software companies and developers to understand that America's national security could rely on how responsibly software vulnerabilities, and their fixes, are handled.
The ISC's decision to withhold the patch is the latest incident to call into question whether software companies, security researchers, and open-source development groups can be relied on to responsibly handle the vulnerabilities found in the software that forms the foundation of the internet.
Earlier this year, Hewlett-Packard threatened a researcher with a lawsuit under the DMCA, a pro-copyright law that has been used against security analysts who argue they are performing a public service when they discover ways to circumvent security measures and then make the risks known. And last month, unknown attackers unleashed a flood of data at a key group of DNS servers, known as root servers, raising the spectre of an all-out internet collapse. Those incidents make it plain that key components of the internet rely on the judgment of computer experts and code slingers with widely varying agendas. The delays in delivering a patch for the bug in BIND spotlight the problem.
Robert Lemos writes for News.com