Vendors battle over airing software flaws
- By William Jackson
- Dec 11, 2002
Two software companies are going to court over security flaws one company found in a desktop administration tool produced by the other. The case could set limits on third-party revelations of security holes in copyrighted software.
AutoProf.Com Inc. of Portsmouth, N.H., announced in a July white paper that vulnerabilities in the ScriptLogic tool from ScriptLogic Corp. of Pompano Beach, Fla., could open up unauthorized administrative access to networked systems. Administrators use ScriptLogic to centrally configure clients running Microsoft Windows.
'We vigorously dispute the accuracy of what was set out in the white paper,' ScriptLogic attorney John Pierce said. The company filed a federal lawsuit in August accusing AutoProf of violating copyright laws and license agreements by reverse-engineering the software and then undertaking a malicious advertising campaign.
'We didn't have to do anything like that,' AutoProf chief technology officer Eric Voskuil said. 'AutoProf is a competitor of ScriptLogic. We both implemented similar features in our products. We didn't see the kind of security features they needed in their product.'
The suit, in the U.S. District Court for the Southern District of Florida, asks for $75,000 in damages from AutoProf and recall of the white paper.Find flaws
Presidential cybersecurity adviser Richard Clarke has repeatedly told security audiences, 'We want you to find vulnerabilities.' But he has urged that vendors be given a chance to correct holes before they are publicized.
'AutoProf is not a disinterested third party' such as Clarke meant, said Pierce. AutoProf not only notified ScriptLogic customers of the possible flaws, it also offered them discounts to switch, he said.
The Digital Millennium Copyright Act, according to some critics, has had a chilling effect on legitimate research such as reverse-engineering that could reveal flaws in copyrighted commercial products.
ScriptLogic officials called descriptions of the product's vulnerabilities 'false and misleading' and said they probably could not be exploited without violating the user's licensing agreement and likely the 1986 Computer Fraud and Abuse Act.
ScriptLogic alleged that AutoProf illegally downloaded an evaluation copy of the tool intended only for potential customers, although the restriction does not appear in the written licensing agreement.
The legal battle illustrates the need for guidelines to deal with security flaws in commercial software, said Alan Paller, director of research at the SANS Institute of Bethesda, Md.
'It requires an official government registration site to make it work,' Paller said. Third parties that discover flaws could register them on the site at the same time they notify the vendor, building pressure to correct the problem.
Federal officials are considering such a scheme, he said.
William Jackson is freelance writer and the author of the CyberEye blog.