Fix your PC bugs or else…
Computer users are always at risk from malicious sources. The fact that most of these malicious sources are intelligent and therefore find innovative ways to exploit hardware and software is secondary. It is the laziness of software vendors in releasing patches to identified security holes that is the most frustrating.
Consider the case of H.D. Moore, a security researcher. Moore reported a serious issue he had discovered in relation to the way that rich text content was displayed by applications on the Windows OS. Although he reported the issue in October 2006, Microsoft has done nothing about it to date. It is these sort of failings that the Zero Day Initiative is attempting to combat.
The Zero Day Initiative functions as the middleman between software vendors and security researchers who find bugs in software. According their list, there are 122 vulnerabilities that are outstanding so far that vendors have done nothing about. The oldest unfixed flaw relates to IBM and was filed in May 2007 and over 30 of the complaints are at least a year old.
However, all that is set to change. The controlling body of Zero Day Initiative, TippingPoint, wants vendors to act fast. In accordance with the new policy, vendors will be given only six months to fix the bug. If they fail to do so, details of the vulnerability will be released to the public along with measures that users can take to protect themselves until a fix is available.
Although this policy has its pros and cons, security researchers have hailed the idea and have welcomed it with open arms.