Microsoft Admits to Hiding Flaw Details

Posted by samzenpus
from the on-a-need-to-know-basis dept.
Spongeform writes "eWeek has an interview with a Microsoft security official admitting to hiding details on software vulnerabilities that are discovered internally. The reason? Microsoft believes that full disclosure of every security-related product change only serves to aid attackers. However, companies using host-based IPS that rely on flaw information to build signatures are basically left at risk because of Microsoft's silent fixes."
  • Anyone remember the (deeply flawed) Cert statistics [tectonic.co.za] where Microsoft had 812 vulnerabilities compared to Unix + Linux's 2328?

    Well, here's another reason why that report was flawed - it turns out that Microsoft are fixing multiple vulns in one advisory - from the article:
    Manzuik said Microsoft has been silently fixing bugs as far back as 2004. He referred to the company's MS04-007 [microsoft.com] bulletin as a classic example of Microsoft announcing a fix for a single vulnerability when in fact a total of seven flaws were quietly fixed.
    Of course, Microsoft is going to argue that they fix vulns silently to prevent the 'bad guys' from using the patch info to create attacks, but this is refuted by the same researcher:
    "I don't buy the argument that they are aiding attackers. The attackers are already reverse-engineering the patches. They have the time and resources to find out where the flaw lies. The guy that feels the pain is the system administrator who is in the dark and who can't do his own reverse-engineering,"
    • "Of course, Microsoft is going to argue that they fix vulns silently to prevent the 'bad guys' from using the patch info to create attacks, but this is refuted by the same researcher:"

      I'm not really sure how the statement you posted really refutes it. He's right under the assumption that the attackers are aware of that particular flaw existing. But if Microsoft (or a good Samaritan) finds it first, then why wouldn't staying mum mean less risk of attack? We can metaphor joust about it, but I wouldn't say
      • "Of course, Microsoft is going to argue that they fix vulns silently to prevent the 'bad guys' from using the patch info to create attacks, but this is refuted by the same researcher:"
        I'm not really sure how the statement you posted really refutes it.

        Perhaps I should be clearer. My quote included The attackers are already reverse-engineering the patches.

        All the attacker needs is the patch - they can look at that to see what's changed and where & deduce from that where to start looking for attack vectors. It's not particularly a big help for them to hear "Function blah in program blah has changed"

        System Administrators on the other hand do not have time to reverse engineer the patch, but can read the summary and say "we don't use function blah in program blah, let's apply the patch as it won't affect our operations" or "Holy shit, we have program blah exposed to a hostile network, let's quickly test our stuff & rush the patch out"

        So what Microsoft is doing is actively hampering administrators and not hindering attackers.
        • All the attacker needs is the patch - they can look at that to see what's changed and where & deduce from that where to start looking for attack vectors. It's not particularly a big help for them to hear "Function blah in program blah has changed"

          System Administrators on the other hand do not have time to reverse engineer the patch, but can read the summary and say "we don't use function blah in program blah, let's apply the patch as it won't affect our operations" or "Holy shit, we have program blah e
          • We apply every avail. patch using that same mentality.
            A quick testbed and then patch. We have to worry more about the patches breaking things than otherwise, since not patching isn't even a possibility.
          • by OwlWhacker (758974) on Thursday April 20, 2006 @09:21AM (#15164133) Homepage Journal
            If I were a system administrator, I'd be applying every patch they handed me, on the off chance it's patching an obscure vulnerability I'd never catch in a million years.

            If you apply a Microsoft patch for something that is never likely to affect you, you're taking a bigger risk by applying the patch!

            Most people here should be aware that applying a Microsoft patch is likely to screw something up -- something Microsoft has become renowned for.
            • Perhaps, but do you really think Microsoft tests every possible patch configuration? I'd bet they only test the last service pack plus the patch and maybe current with all updates. You're taking a risk running a "non standard" environment too. Besides, you should always patch a few systems that seem common to your environment before rolling out patches in a large corporate environment anyway.
              • do you really think microsoft tests every possible patch configuration?

                No.

                You're taking a risk running a "non standard" environment too.

                I am?

                Besides, you should always patch a few systems that seem common to your environment before rolling out patches in a large corporate environment anyway.

                Indeed. You should test the patches first; however, if there is a vulnerability that you really must patch, and it's going to knock out something you're dependent on, either way you lose.
            • Most people here should be aware that applying a Microsoft patch is likely to screw something up -- something Microsoft has become renowned for.

              I should mention that in my experience I've only ever got screwed by a patch from Microsoft once. The patch was for a login delay on MetaFrame, and it screwed up Acrobat 5 dialogues (you could no longer type into them). I honestly believe with most well behaved applications this sort of thing is pretty rare - especially with the sort of testing that Microsoft does b
              • in my experience I've only ever got screwed by a patch from Microsoft once.

                I've never been screwed by any Microsoft patches on my Windows network either. I guess we should be thankful.

                Linux however - I've had patches break applications all the time - especially binary only programs.

                All the time?

                Any particular apps? Was anything important broken? When did these problems occur? This sounds terrible!

                I've heard from people in charge of Windows networks who have told me that a patch from Microsoft caused pro
            • If you apply a Microsoft patch for something that is never likely to affect you, you're taking a bigger risk by applying the patch!

              There are very few updates that are pushed as "must install" downloads via Windows Update that aren't likely to pose a threat to the system. IE is so tied into the system and other software that keeping it patched is important even if you don't do web browsing on the system. Many of the other vulnerabilities may not seem like they're important behind a firewall, but firewalls fa
    • Anyone remember the (deeply flawed) Cert statistics [tectonic.co.za] where Microsoft had 812 vulnerabilities compared to Unix + Linux's 2328?

      Well, here's another reason why that report was flawed - it turns out that Microsoft are fixing multiple vulns in one advisory - from the article:
      Manzuik said Microsoft has been silently fixing bugs as far back as 2004. He referred to the company's MS04-007 [microsoft.com] bulletin as a classic example of Microsoft announcing a fix for a single vulnerability when in fa
      • A) Who in the tech world didn't already know this?

        The news is that Microsoft are admitting it. The security community have 'strongly suspected' this for years.

        B) Do you realize even *nix vendors do this, including Linux distributions?

        Could you please provide an example of this (for linux vendors)?

        Of course - even if you do find an example (I doubt it), it doesn't change the fact that it's just the distribution - the upstream developers will have released patch information, etc. There is no parallel for this sort of openness in the Windows world.

        C) Do you also realize that Apple patches more items in a single patch on average compared to MS by a factor of 10 or more?

        I do realise Apple patches multiple vulns in one go. Fortunately however, anything remotely important that is distributed by Apple is written by third parties with more responsible disclosure policies (i.e. OpenBSD, the Apache Foundation).

        You make a good point about granularity of "bug counting" lists. There's a lot of room for improvement.
        • Of course - even if you do find an example (I doubt it), it doesn't change the fact that it's just the distribution - the upstream developers will have released patch information, etc. There is no parallel for this sort of openness in the Windows world.

          Ok, so you think flaws in Linux have never been corrected without a full published disclosure? Really... I have this bridge I would like to sell...

          As for distributions, I have seen everyone from Redhat to SuSE push through patches that were 'previously' undiscl
      • Those previous statistics also failed to take into account that most of the vulnerabilities in apps for Linux can also exist if those same apps are installed on Windows...
        Apps such as Apache, for instance, can easily be installed on Windows and most of the issues found will affect any platform running the software.
    • FUD! (Score:5, Insightful)

      by OwlWhacker (758974) on Thursday April 20, 2006 @09:41AM (#15164290) Homepage Journal
      Anyone remember the (deeply flawed) Cert statistics where Microsoft had 812 vulnerabilities compared to Unix + Linux's 2328?

      Indeed.

      What makes it worse is that Microsoft knows full well that this data is false, and still uses this in its FUD attacks against Linux/Open Source.

      Even if Microsoft persuades people that it has a good reason for not disclosing vulnerabilities, Microsoft has no good reason to use false statistics, created by its hiding of information, in order to help persuade people that its software is more secure.

      • What makes it worse is that Microsoft knows full well that this data is false, and still uses this in its FUD attacks against Linux/Open Source.

        Well... maybe. It's quite possible that the two sub-organizations aren't communicating very well. If that's the case, then they need to do something about it.

        I don't really care for Microsoft, neither the company nor their software. But let's not get all paranoid and just jump to the conclusion that they're deliberately trying to mislead us.

        Oh, crap, what the hel
        • What makes it worse is that Microsoft knows full well that this data is false, and still uses this in its FUD attacks against Linux/Open Source.

          Well... maybe. It's quite possible that the two sub-organizations aren't communicating very well. If that's the case, then they need to do something about it.

          Perhaps they are not communicating too well. Don't you think the PR department ought to call the security team to validate the numbers before going on the attack?

          My point here is that the lack of communi

          • Oh, I guess you didn't get the rest of my post :-)

            The PR folks probably knew EXACTLY what was going on. I think they probably DID release those false/misleading statistics purposefully.
            • Oh, I guess you didn't get the rest of my post :-)
              I did read all of your post. Your final line ("We now return you to your regular broadcast.") made me think you were being sarcastic when you wrote: "Of COURSE they're lying to us!".
          • by rtb61 (674572)
            More specifically, where are the class action lawsuits for false and damaging advertising and another one for failing to inform their customers of potentially damaging security flaws ;).
      • If MS actually used those claims in any advertisements... that's false advertising.

        http://en.wikipedia.org/wiki/False_advertising [wikipedia.org]

        I'm not sure how the FTC would deal with MS Sales Reps using that survey in their promotional/sales materials, but I imagine that someone could probably make a Lanham Act case out of it. To get damages under the Lanham Act, "Actual loss is not required to show an injury. All that is needed is a reasonable basis for the belief that the plaintiff is likely to be damaged as a result o
  • Obfuscandalous! (Score:5, Insightful)

    by eldavojohn (898314) * <eldavojohn.gmail@com> on Thursday April 20, 2006 @07:59AM (#15163734) Journal
    I seem to remember being told in my software engineering class of a type of protection that provides a false sense of security [newsforge.com]. I think that Microsoft may be becoming more and more guilty of it [wikipedia.org].

    Perhaps it's time they should change their "Who would ever think to put those bytes there anyways?" mantra.
    • Re:Obfuscandalous! (Score:4, Insightful)

      by antifoidulus (807088) on Thursday April 20, 2006 @08:09AM (#15163768) Homepage Journal
      It is insecure and it isn't... Security through obscurity, if you want to put it like that, does do one thing: it buys time for them to create a fix. If they came out right away and told people about the holes then they would be in an even more intense race against attackers.
      I'm not defending their practice (this is /. after all :P) but saying "it is totally worthless" is a bit, well... disingenuous.
      • Re:Obfuscandalous! (Score:3, Interesting)

        by schon (31600)
        it like that does do one thing: it buys time for them to create a fix.

        Only if you are working on the flawed assumption that only MS will find the flaws.

        I've got news for you:

        There are real black hats, and they spend their free time looking for ways to exploit software. It's hubris to think that only MS can find security flaws in their own product.

        Besides, this isn't about early disclosure, it's about any disclosure.
      • Re:Obfuscandalous! (Score:3, Insightful)

        by Zeinfeld (263942)
        It is insecure and it isn't... Security through obscurity, if you want to put it like that, does do one thing: it buys time for them to create a fix. If they came out right away and told people about the holes then they would be in an even more intense race against attackers.

        The point is that relying on security through obscurity alone is a bad strategy. The ideal is to be able to publish the entire architecture and the system would still be safe. No system in existence meets the ideal.

        Full disclosure is

        • Full disclosure is bunk, there are large numbers of evil hackers on BUGTRAQ. Exploit code is often published there for the sole purpose of covering the tracks of an attacker.

          In other words, 'evil hackers' don't need full disclosure by the vendor to attack your system, but you need it to best defend your system. I hardly see how that's an argument against full disclosure.

    • From what I've noticed, many companies/software developers hide security exploits from the public. I don't necessarily think it is a bad thing, as spelling out every such exploit to everyone is essentially releasing a roadmap to replicate the bug (well, if you are clever enough... which isn't too hard). Firefox, aka Phoenix/Firebird, tends to hide their security bugs a lot, as whitehats tend to find bugs and send them in... e.g. a bug found out in Phoenix 0.5 later became public only in RC1 of the 1.0 (ohh and I
      • That's slightly different in the case of Firefox...
        If something is a 0.x beta prerelease version of something, then vulnerabilities shouldn't really be counted. You use a beta product at your own risk.
        There are also plenty of security issues in Microsoft's beta versions, but they too are not counted unless the issue remains in the final release. Anything which is marked as development/beta code is bound to have bugs, some of which may be security related.
  • Reavey said businesses should use Microsoft's severity rating system to help with patch deployment timetables. "It's important to remember that the best way to be safe and secure is to apply all the updates. We are providing patches for everything."

    'Everything' you say? Um, well...apparently NOT.

    Can there truly be a flawless operating system?
    Is it possible to design an easy to use, accessible, and reliable application that has no security holes?
    I think not, but if you could, you may become r
  • by Anonymous Coward
    Relying on software developed and maintained by someone else always leaves you vulnerable to changes they make.

    This isn't exactly limited to Microsoft.
  • However, companies using host-based IPS that rely on flaw information to build signatures are basically left at risk because of Microsoft's silent fixes.

    The default decision to update automatically whenever an MS update (including the ones silently fixing bugs) is ready seems to be taking care of that.

    There is an inevitable time gap between the announcement of an update and zillions of updates on customer computers. In principle, hackers could use the time gap to attack computers that are not updated.

    Eh... Mustdie?
  • I'm not outta order! You're outta order! The whole freakin' system's outta order! You want the truth? You want the truth? You can't handle the truth! 'Cause when you reach over and stick your hand into a pile of goo that used to be your best friend's face! You'll know what to do forget it Marge it's Chinatown!
  • Scandalous! (Score:2, Funny)

    by jesser (77961)
    However, companies using host-based IPS that rely on flaw information to build signatures are basically left at risk because of Microsoft's silent fixes.

    Users who refuse to install Microsoft security patches are left vulnerable to security holes in Microsoft products they use!? Scandalous!
    • Users who refuse to install Microsoft security patches are left vulnerable to security holes in Microsoft products they use!? Scandalous!

      They also fix security flaws in regular bugfixes ("Hotfixes"). Microsoft's official policy is to install Hotfixes only if you really need a fix for a particular problem you are experiencing. Most people will not install Hotfixes so they are at risk for a vulnerability that Microsoft is aware of.

      I know about this from first hand because some years ago I found such a flaw in
  • Customers? (Score:4, Insightful)

    by farker haiku (883529) on Thursday April 20, 2006 @08:11AM (#15163774) Journal
    FTA: "We want to make sure we don't give attackers any [additional] information that could be used against our customers."

    But, if they are your customers, they can get the patches no problem right? So really this policy only helps out the pirates. Right?
  • Billy: According to my calculations every hacker will eventually run amok with the killing and the scripting and the botnetting...
    Ballmer: My God Bill, when will this happen?
    Billy: In exactly 24 hours! (hackers immediately start posting 0day exploits) Oh dear, I forgot to carry the one.
  • From Microsoft's side, they have a heaping pile of exploitable code that is the Windows code base. Of course they don't want to expose any more than they have to, because they can see, or know, what they are in for.

    On the other hand, like the article brings out, the customers who really deploy on test systems first or have to be super careful about breaking their system due to very custom software are at a disadvantage.

    There must be a channel, especially for larger customers, where MS could/would divulge this in

  • by sbaker (47485) * on Thursday April 20, 2006 @08:31AM (#15163860) Homepage
    But didn't I read someplace that Microsoft were coming out with their own anti-virus/anti-whatever suite with a monthly service charge?

    With that in mind - why would they tell other, competing, anti-virus companies what flaws to protect against?

    Come to think of it - why bother fixing flaws at all - just defend against them in the MS Anti-virus gadget instead and encourage people to pay the anti-virus tax. It might even be tempting to add the occasional flaw just to make that work better.

    I don't know whether any of these things will actually happen - but you simply can't trust the motives of a company that behaves the way MS consistently does.
    • by drsmithy (35869) <drsmithy&gmail,com> on Thursday April 20, 2006 @08:53AM (#15163970)
      But didn't I read someplace that Microsoft were coming out with their own anti-virus/anti-whatever suite with a monthly service charge?

      The purpose of "anti-malware" tools is *not* to protect against software flaws, it's to protect against user mistakes. A rather large proportion of people on Slashdot seem to have a great deal of difficulty understanding this.

      No amount of OS "security" can stop the end user from shooting themselves in the foot. The purpose of "anti-malware" software is to give them a chance to dodge the bullet.

    • But didn't I read someplace that Microsoft were coming out with their own anti-virus/anti-whatever suite with a monthly service charge?

      With that in mind - why would they tell other, competing, anti-virus companies what flaws to protect against?
      Can you say Sherman Antitrust Act?
  • There is only one possible reaction [orlyowl.com] to this.

  • by Anonymous Coward
    This approach might help Microsoft avoid some embarrassment, under the plausible excuse of not helping hackers, but what about businesses that don't automatically apply every update that comes out? I worked for a manufacturing plant that carefully evaluated each vulnerability and weighed the security risk it posed against the risk that an update might break something.

    This is VERY important for the customer, which Microsoft has shown repeatedly not to give a rat's ass about. So, no surprise here. The best
  • by bbuchs (551229) <bbuchs AT mac DOT com> on Thursday April 20, 2006 @08:50AM (#15163956) Homepage
    What you have to understand, what the American people have to understand, is that we're at war. The fact that we're talking about these vulnerabilities simply emboldens the enemy.
  • After all, if they put up the code that has the bug in it for every bug found, people could piece together the entire Windows source code!
  • by Opportunist (166417) on Thursday April 20, 2006 @09:15AM (#15164090)
    That's the crucial problem in this policy. People, especially people who're wary when it comes to MS "patches" or those who have to watch their bandwidth (unless they want to pay extra for more traffic) will read patch notes carefully, then ponder what the patch does according to the info given and more often than not (especially when the patch is supposedly for a feature they don't use) they'll simply say "Don't need it. Doesn't apply to me."

    This patch might have fixed a key security hole. But if you don't know it, how should you decide whether you should apply it? I don't buy the story that MS knows what's good for me. If anyone knows, I do. And I certainly won't hand this decision over to someone else.
  • My subject is to prove a point. Slashdot is notoriously, and regularly with good reason, quite anti-Microsoft. Would the comments and content be different if, say, we swapped Microsoft with Apache in the original article / summary? The comments would probably change just because there are more Apache apologists than Microsoft apologists here. Oh well, big deal. Plus, the subject 'Microsoft == BAD' is going to get good readership here. Know your audience. :-)

    Second, I think something most people haven