01 Nov 2000
Microsoft has criticised a well-known bug hunter after he publicised details of a security weakness in one of the software giant's products before a patch was available.
The spat between Microsoft and bug spotter Georgi Guninski centres around a message Guninski issued to the Bugtraq security mailing list last Sunday notifying readers of a vulnerability in Microsoft Internet Information Server 5.0. Guninski said he had told the software vendor about the flaw five days earlier, but no patch had been issued.
An unidentified member of Microsoft's security team issued a message to the Bugtraq mailing list, attacking Guninski for the timing of his announcement. "We asked that he give us time to finish the patch so we could do a joint release, thus protecting our mutual customers and reporting the issue in a responsible manner," the message said.
Guninski described the vulnerability as a medium-category weakness. Independent experts have played down risks that the vulnerability could be exploited, saying that it is more theoretical than practical.
The Microsoft representative also posted details of emails sent to Guninski last week. In one of them, a Microsoft official wrote: "I put forth the same pitch that I do to all folks who submit vulnerabilities to us: report it to us, let us develop a patch, and we can jointly release the bulletin and advisory.
"So, you've got to ask yourself: are you willing to follow your peers and play by the latest in acceptable reporting standards, or do you want to do your own thing and tell the world in a few days - regardless of patch availability? It's up to you. Either way, we'll get this investigated and patched as appropriate."
Guninski reacted angrily and posted allegations that Microsoft had taken months to acknowledge bugs he previously reported to the company.
"I would suggest Microsoft learn to write secure code and fix bugs... instead of blaming people who do free research for them," he said in a posting.
Security experts said that while it is considered good practice to give vendors time to fix major flaws, in order to protect businesses and consumers, it is not a requirement of Bugtraq members.
Chris McNab, network security analyst at MIS Corporate Defence Solutions, said: "This is really unusual. It's the first time I've seen Microsoft openly criticise someone for a post to Bugtraq.
"Technically, Guninski doesn't have to give Microsoft any notice - Bugtraq is a full disclosure moderated list. Its purpose is to compel vendors to patch weaknesses, to get things done."