Microsoft Admits to Hiding Flaw Details
Spongeform writes "eWeek has an interview with a Microsoft security official admitting to hiding details on software vulnerabilities that are discovered internally. The reason? Microsoft believes that full disclosure of every security-related product change only serves to aid attackers. However, companies using host-based IPS that rely on flaw information to build signatures are basically left at risk because of Microsoft's silent fixes."
Every MS Patch is Utmost Severe? (Score:1, Interesting)
'Everything' you say? Um, well...apparently NOT.
Can there truly be a flawless operating system?
Is it possible to design an easy to use, accessible, and reliable application that has no security holes?
I think not, but if you could, you may become richer than Gates himself.
Re:Obfuscandalous! (Score:3, Interesting)
Only if you are working on the flawed assumption that only MS will find the flaws.
I've got news for you:
There are real black hats, and they spend their free time looking for ways to exploit software. It's hubris to think that only MS can find security flaws in their own product.
Besides, this isn't about early disclosure, it's about any disclosure.
Re:So that's why Microsoft has such a low vulnerab (Score:3, Interesting)
System Administrators on the other hand do not have time to reverse engineer the patch, but can read the summary and say "we don't use function blah in program blah, let's apply the patch as it won't affect our operations" or "Holy shit, we have program blah exposed to a hostile network, let's quickly test our stuff & rush the patch out."
And that's the crux of the problem. Of course, given Microsoft's checkered security history, why should this come as a shock? If I were a system administrator, I'd be applying every patch they handed me, on the off chance it's patching an obscure vulnerability I'd never catch in a million years. You can't worry about what Microsoft thinks is severe; while not every vulnerability is immediately exploitable, we've seen how easily unpatched vulnerabilities have allowed the black hats to create botnets overnight. If there's a way, the bad guys will find it, and it's stupid to leave any part of your system vulnerable for too long.
Re:So that's why Microsoft has such a low vulnerab (Score:2, Interesting)
Well, here's another reason why that report was flawed - it turns out that Microsoft are fixing multiple vulns in one advisory - from the article:
Manzuik said Microsoft has been silently fixing bugs as far back as 2004. He referred to the company's MS04-007 [microsoft.com] bulletin as a classic example of Microsoft announcing a fix for a single vulnerability when in fact a total of seven flaws were quietly fixed.
A) Who in the tech world didn't already know this?
B) Do you realize even *nix vendors do this, including Linux distributions?
C) Do you also realize that Apple patches more items in a single Patch on average compared to MS by a factor of 10 or more?
If you search back through my posts, I responded and talked about this several months ago in a request that we need better exploit and bug tracking than what is currently available for industry standards.
For example, if my third party program creates a vulnerability in Windows, do you REALIZE that Windows gets the mark for the exploit, not my company or software, when Windows HAD NOTHING TO DO WITH IT?
This is the same with Apps on Linux, OSX, etc. You can't brand exploits to an OS based on third party applications, there needs to be higher levels of granularity.
For example, an Apache flaw get marked for almost every OS it runs on that exposes the exploit.
However I do believe that the granularity should list the difference between OS and Application level exploits but ALSO track the applications that are installed by the OS by default or in a standard configuration.
For example a Windows Media Player flaw should show up as a mark for Microsoft for Windows Media Player, but also be a mark against Windows since it is part of the standard installation.
However a Microsoft Word flaw should show a mark for Microsoft, but not show up as an OS flaw or exploit.
This should also hold true for all *nix distributions. If the distribution in the standard install throws Application XXXX on the system, then the OS gets a mark. However if Application XXXX is only RUN on the OS, the Company's name should get the flaw, and not the OS itself.
And even with that said, the exploits list should also maintain a collection of 3rd party application exploits that could 'possibly' affect the OS.
This is just like the JAVA exploits over the past year. They are Sun's responsibility. However I read several recent articles about it being an exploit in OSX because Apple includes the fix in their patch.
This needs to be clear so that we know who the flaw belongs to, who is to fix it, who fixed it, and when they fixed it. We can't have stuff lumped into just an OS level.
So the articles I have seen on the latest JAVA flaw stating it is a flaw in OSX are just wrong and misleading.
As for the original article, I don't think anything was stated anybody didn't already know, except that it is somehow making 'press'. All OS vendors do not release every found exploit before they patch them, especially when the OS vendor has the SOLE responsibility to fix the exploit. Apple does this, Sun does this, even Linux distributions do this with exploits specific to their builds.
Now it can be debated if this is safer for the consumer or not. I tend to lean towards 'less press' on an exploit, as being safer for the consumer.
Simply put, here is why I lean this direction. Hackers and nerds and people that are 'capable' of using the exploit are 10-100 times more likely to read the 'tech industry' news and these advisories than the average person that is not into the technology news nor cares about it.
The second aspect to this, is the question, "Who can do more with this information?"
A typical user, depending on the exploit, can do nothing until one is issued, even in the *nix world, as Linux and others move to the desktop.
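The attribution scheme the comment above argues for (vendor marks, OS marks only for default-installed components, and a separate "possibly affected" list for software that merely runs on an OS) can be written down as a small data model. This is an added illustration, not the commenter's code; the component catalogue, flaw ids and dates are constructed sample data that follow the comment's own classification.

```python
from collections import Counter
from dataclasses import dataclass

@dataclass(frozen=True)
class Component:
    name: str
    vendor: str            # who owns the code and is responsible for the fix
    default_on: frozenset  # OSes whose standard install ships it
    runs_on: frozenset     # every OS it can be installed on

@dataclass(frozen=True)
class Flaw:
    flaw_id: str           # constructed placeholder id, not a real advisory number
    component: Component
    fixed_by: str          # who actually shipped the fix
    fixed_on: str          # ISO date of the fix

def attribute(flaw):
    """Return (vendor_marks, os_marks, possibly_affected) for one flaw.
    vendor_marks: the code owner, always charged.
    os_marks:     OSes charged because they ship the component by default.
    possibly:     OSes the component merely runs on; tracked, not charged."""
    c = flaw.component
    os_marks = set(c.default_on)
    return {c.vendor}, os_marks, set(c.runs_on) - os_marks

def tally(flaws):
    """Aggregate marks across many flaws, keeping the three buckets apart."""
    counts = {"vendor": Counter(), "os": Counter(), "possible": Counter()}
    for f in flaws:
        v, o, p = attribute(f)
        counts["vendor"].update(v); counts["os"].update(o); counts["possible"].update(p)
    return counts

def fix_ownership_mismatch(flaw):
    """True when someone other than the code owner shipped the fix (an OS vendor
    bundling another vendor's patch), which is where press misattribution starts."""
    return flaw.fixed_by != flaw.component.vendor

# Constructed sample catalogue, classified the way the comment above argues.
WMP = Component("Windows Media Player", "Microsoft", frozenset({"Windows"}), frozenset({"Windows"}))
WORD = Component("Word", "Microsoft", frozenset(), frozenset({"Windows", "OSX"}))
JAVA = Component("Java", "Sun", frozenset(), frozenset({"Windows", "OSX", "Linux"}))
APACHE = Component("Apache httpd", "Apache", frozenset(), frozenset({"Windows", "OSX", "Linux"}))

SAMPLE_FLAWS = [
    Flaw("X-0001", WMP, "Microsoft", "2006-01-10"),
    Flaw("X-0002", WORD, "Microsoft", "2006-02-14"),
    Flaw("X-0003", JAVA, "Apple", "2006-03-01"),   # Sun's bug, shipped in an Apple update
    Flaw("X-0004", APACHE, "Apache", "2006-03-20"),
]
```

Running `tally(SAMPLE_FLAWS)` charges Windows for the Media Player flaw only, while OSX collects no OS mark at all and the Java fix shipped by Apple is flagged by `fix_ownership_mismatch` as Sun's flaw fixed by someone else.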
Re:This article is flamebait [or are you a troll?] (Score:2, Interesting)
all the information about what is patched is directly available in the patch, exposed via a relatively simple decompiling operation. A comparison of the newly provided DLL and the original shows you clearly what the original lacks. And as such, how you can attack anyone unpatched, or figure out what other DLLs may have such a problem.
I remember helpctr.exe was the first executable I ever did this to. Simple buffer overflow, before SP1.
Re:So that's why Microsoft has such a low vulnerab (Score:4, Interesting)
You write: Most Windows system administrators are not programmers, and of those that are fewer still are technically skilled enough to reverse engineer a binary patch.
Which is exactly what I quoted: "The guy that feels the pain is the system administrator who is in the dark and who can't do his own reverse-engineering."
It's the attacker doing the reverse engineering, not the sysadmins.
Re:So that's why Microsoft has such a low vulnerab (Score:3, Interesting)
Apps such as Apache, for instance, can easily be installed on Windows and most of the issues found will affect any platform running the software.