What should you know, and when?
Novell Inc. last month issued a patch for what it called a 'security issue' in its GroupWise 5.5 Enhancement Pack and GroupWise 6 e-mail and collaboration software. The company advised all users to install Padlock Fix immediately but did not say what it fixed.
Trust us, the company in effect said.
But system administrators are not a particularly trusting lot. To protect their systems, they must understand everything software does, once installed. If there is a problem with existing software, they want to know what it is. Sysadmins are pressed for time and have to evaluate the risk before spending scarce hours updating hundreds or thousands of machines.
According to Novell, until those users have had a chance to install the patch, the less said about the issue, the better.
'Given that it had not yet been discovered, we felt it would be better to get the fix out to our customers, hoping that nobody would find it in the meantime,' Novell spokesman Bruce Lowry said. 'We wanted to make sure we got our customers protected.'
He said GroupWise's strong security record gives the company the benefit of the doubt with its users. 'They do trust us to do the right thing,' he said.
But Lowry acknowledged that Novell finds itself in a perfect example of the dilemma facing the information industry: Should there be full disclosure about vulnerabilities so that managers can make informed decisions? Or is it better to play the cards close to one's vest to keep hackers from peeking?
'They both have good arguments for their positions,' said James Mobley, executive vice president of the Cambridge, Mass., security consulting firm @Stake Inc. 'Trust is not good enough for administrators.' On the other hand, he said, 'Exposing the vulnerability would start a race that many administrators would lose.'
The right balance between disclosure and security is a matter of common sense, Mobley said. Vendors should be given a chance to fix a vulnerability before it is widely publicized, and users need reasonable access to such information. But defining the balance point more specifically will remain contentious.
Novell's decision to weigh in on the side of discretion probably will not convince many people that getting the patch out is more critical than understanding the flaw that made it necessary. Novell does not seem to be swayed by arguments that its customers should be better informed about the old software they already bought, as well as the new software they're being asked to install.
Users of GroupWise 5.5 Enhancement Pack or GroupWise 6 who have not already installed Padlock Fix can download it free at support.novell.com/padlock.