# Finjan: Warning users or scaring up business?



## mimo2005 (Oct 2, 2004)

*Finjan: Warning users or scaring up business?*

November 12, 2004, 2:10 PM PST
By Robert Lemos 



Windows XP users could be excused for feeling a little less safe this week. 

Security tools maker Finjan Software warned on Wednesday that it found as many as 10 security flaws in the last update to Microsoft's flagship operating system, Windows XP Service Pack 2. 

In a statement that contained few details, the U.K. company claimed that the vulnerabilities could enable attackers to remotely access a victim's files, remove security measures aimed at Internet threats and run programs without any notification to the user. 

Windows XP SP2 "suffers because it is still basically the same operating system and has some major flaws which compromise end-user security," Shlomo Touboul, CEO of the firm, said in statement. "By using Finjan's proactive security solutions...users can enjoy a secure environment that protects them from such vulnerabilities." 

The company did not wait for Microsoft to fix the issues, as many security companies do, and used the announcement to push its own wares as a way to be protected from the threats. 

While security researchers have sometimes outed flaws in Microsoft products before the software giant has published a patch, security companies have generally waited to announce vulnerabilities until Microsoft had a way to protect its customers. Finjan's press release has reopened the debate over what should be considered the responsible disclosure of software flaws. 

In the latest case, Microsoft believes that Finjan's flaw reports are, in many cases, overstated or altogether mistaken, said Debby Fry Wilson, director of marketing for Microsoft's security business and technology unit. 

"We do feel strongly that what they are doing is premature, will cause market confusion and is an overstatement of the breadth and severity," she said. "We are very disappointed that they are engaged in a PR ploy rather than thinking about what is best for customers and the security of customers." 

However, Finjan's CEO maintained that the company is merely warning people that Windows XP Service Pack 2 is not a digital fortress fully protected from Internet attacks. He labeled the press release education, not confabulation. 

"People need to know that they have to be careful--and without education, people won't be careful," Touboul said during an interview . "I wouldn't say we are scaring people. I don't believe in panic but in very calculated behavior." 

While Touboul did not say whether the company gave Microsoft 30 days to fix the issue, as has become the industry norm, he maintained that Finjan gave the software company enough time, and more than enough information to take care of the issues. 

"We don't want to argue with Microsoft about these things," he said. "We found the 19 vulnerabilities, and we showed that you could take remote control of a computer." 

However, Microsoft's Wilson took issue with Finjan's move, contending that the software giant does not agree on how many of the flaws are real. Moreover, because the security company released the issues piecemeal, the software giant argues that it is not certain that Finjan has even named 10 vulnerabilities. 

"They have been contacting us over time regarding various issues," Wilson said. "But there is no definitive communications between Microsoft and Finjan about 10 specific issues." 

How and when security vulnerabilities should be disclosed has long been debated in the security community. Many researchers believe that companies and individuals should publicly announce vulnerabilities after giving the software maker enough time to fix them. Usually, programmers get a month to fix the problems. 

The line between marketing products and disclosing security vulnerabilities should be well-defined for security companies, said Geoff Shively, chief scientist at security company PivX Solutions. 

"Being a security company, you have to consider the impact on global Internet security before doing anything," he said. PivX has released software flaw advisories and plugged its products, but the company always gives Microsoft adequate time to fix the issues, he said. "Vulnerabilities are too dangerous and too powerful to be used as a marketing tool." 

Software creators are frequently angered by researchers who do not allow them much time to fix problems. A year ago, game information site GameSpy sent a legal warning to an Italian security researcher who had found holes in that company's products. In June 2002, Linux software makers became peeved at security company Internet Security Systems for not giving them enough time to fix a problem before releasing an advisory about the issue.


----------



## jgvernonco (Sep 13, 2003)

Just a quick note on this, if I may.

There will never be a perfect operating system, noy XP, Linux, or Longhorn. Anything built by humans will be vulnerable to humans.

It really appears, to me, that the major problem with XP2 is an inadequate, built-in firewall. One might argue that any firewall is better than no firewall. However, now, when we advise folks to get a firewall, they reply, "I already have one, becuase I have SP2".

Over in the Security Forum, we see very few people posting infections who also have an active firewall. What we do see is folks with everything but a firewall, asking us "how could this have happened to me"? 

All of this talk of "vulnerabilities" whould mean much less to you if you had a solid firewall up. That is not to say that you shouldn't patch and run other security programs, especially those that help protect against "drive-by downloads", but when you machine is visible to the world, it is under attack by the world, and one is asking an awful lot of technolgy to protect you from that.

It does not appear that the company in question, here, has released to the public the specifics of the vulnerabilities that they have discovered. I laughed as I read, because people are complaining that Finjan Software released information that there *are* vulnerabilites in SP2. Yes, and if you let go of a ball that you are holding, it will fall to the ground.

Here's the magic of a good firewall; if the specifics of some vulnerabilities were released before the venders could address them, and if a whole crew of people found a way to use those vulnerabilities against you, somewhere between none and very few of them would ever know that you were there to infect.

Read the info at the link below. Button up your system. Practice some "defensive computing", and don't worry so much. If the worse happens, we'll help you out.

To help prevent future spyware installations/infections, please read the Anti-Spyware Section and use the tools provided.


----------

