Microsoft Admits to Hiding Flaw Details 147
Spongeform writes "eWeek has an interview with a Microsoft security official admitting to hiding details on software vulnerabilities that are discovered internally. The reason? Microsoft believes that full disclosure of every security-related product change only serves to aid attackers. However, companies using host-based IPS that rely on flaw information to build signatures are basically left at risk because of Microsoft's silent fixes."
So that's why Microsoft has such a low vulnerabili (Score:5, Insightful)
Well, here's another reason why that report was flawed - it turns out that Microsoft are fixing multiple vulns in one advisory - from the article: Of course, Microsoft is going to argue that they fix vulns silently to prevent the 'bad guys' from using the patch info to create attacks, but this is refuted by the same researcher:
Re:So that's why Microsoft has such a low vulnerab (Score:2, Insightful)
I'm not really sure how the statement you posted really refutes it. He's right under the assumption that the attackers are aware of that particular flaw existing. But if Microsoft (or a good Samaritan) finds it first, then why wouldn't staying mum mean less risk of attack? We can metaphor joust about it, but I wouldn't say
Re:So that's why Microsoft has such a low vulnerab (Score:5, Insightful)
Perhaps I should be clearer. My quote included: "The attackers are already reverse-engineering the patches."
All the attacker needs is the patch - they can look at that to see what's changed and where, and deduce from that where to start looking for attack vectors. It's not particularly a big help for them to hear "Function blah in program blah has changed."
System administrators, on the other hand, do not have time to reverse engineer the patch, but can read the summary and say "we don't use function blah in program blah, let's apply the patch as it won't affect our operations" or "Holy shit, we have program blah exposed to a hostile network, let's quickly test our stuff & rush the patch out."
So what Microsoft is doing is actively hampering administrators and not hindering attackers.
Re:So that's why Microsoft has such a low vulnerab (Score:3, Interesting)
System Administrators on the other hand do not have time to reverse engineer the patch, but can read the summary and say "we don't use function blah in program blah, lets apply the patch as it won't affect our operations" or "Holy shit, we have program blah e
Re:So that's why Microsoft has such a low vulnerab (Score:1)
A quick testbed and then patch. We have to worry more about the patches breaking things than otherwise, since not patching isn't even a possibility.
Re:So that's why Microsoft has such a low vulnerab (Score:5, Insightful)
If you apply a Microsoft patch for something that is never likely to affect you, you're taking a bigger risk by applying the patch!
Most people here should be aware that applying a Microsoft patch is likely to screw something up -- something Microsoft has become renowned for.
Re:So that's why Microsoft has such a low vulnerab (Score:3, Insightful)
Re:So that's why Microsoft has such a low vulnerab (Score:3, Insightful)
No.
You're taking a risk running a "non standard" environment too.
I am?
Besides, you should always patch a few systems that seem common to your environment before rolling out patches in a large corporate environment anyway.
Indeed. You should test the patches first; however, if there is a vulnerability that you really must patch, and it's going to knock out something you're dependent on, either way you lose.
Re:So that's why Microsoft has such a low vulnerab (Score:2)
I should mention that in my experience I've only ever got screwed by a patch from Microsoft once. The patch was for a login delay on MetaFrame, and it screwed up Acrobat 5 dialogues (you could no longer type into them). I honestly believe with most well-behaved applications this sort of thing is pretty rare - especially with the sort of testing that Microsoft does b
Re:So that's why Microsoft has such a low vulnerab (Score:2)
I've never been screwed by any Microsoft patches on my Windows network either. I guess we should be thankful.
Linux however - I've had patches break applications all the time - especially binary only programs.
All the time?
Any particular apps? Was anything important broken? When did these problems occur? This sounds terrible!
I've heard from people in charge of Windows networks who have told me that a patch from Microsoft caused pro
Re:So that's why Microsoft has such a low vulnerab (Score:2)
There's very few updates that are pushed as "must install" downloads via Windows Update that aren't likely to pose a threat to the system. IE is so tied into the system and other software that keeping it patched is important even if you don't do web browsing on the system. Many of the other vulnerabilities may not seem like they're important behind a firewall, but firewalls fa
Re:So that's why Microsoft has such a low vulnerab (Score:2, Interesting)
Well, here's another reason why that report was flawed - it turns out that Microsoft are fixing multiple vulns in one advisory - from the article:
Manzuik said Microsoft has been silently fixing bugs as far back as 2004. He referred to the company's MS04-007 [microsoft.com] bulletin as a classic example of Microsoft announcing a fix for a single vulnerability when in fa
Re:So that's why Microsoft has such a low vulnerab (Score:5, Insightful)
The news is that Microsoft are admitting it. The security community have 'strongly suspected' this for years.
B) Do you realize even *nix vendors do this, including Linux distributions?
Could you please provide an example of this (for linux vendors)?
Of course - even if you do find an example (I doubt it), it doesn't change the fact that it's just the distribution - the upstream developers will have released patch information, etc. There is no parallel for this sort of openness in the Windows world.
C) Do you also realize that Apple patches more items in a single patch on average compared to MS by a factor of 10 or more?
I do realise Apple patches multiple vulns in one go. Fortunately, however, anything remotely important that is distributed by Apple is written by third parties with more responsible disclosure policies (i.e. OpenBSD, the Apache Foundation).
You make a good point about granularity of "bug counting" lists. There's a lot of room for improvement.
Re:So that's why Microsoft has such a low vulnerab (Score:2)
Ok, so you think flaws in Linux have never been corrected without a full published disclosure? Really... I have this bridge I would like to sell...
As for distributions, I have seen everyone from Redhat to SuSE push through patches that were 'previously' undiscl
Re:So that's why Microsoft has such a low vulnerab (Score:2)
*sighs*
If you read the discussion rather than have a knee-jerk pro-MS reaction, you would realize that this is about disclosure after the patch has been released.
Please, please, even if you can't be assed reading TFA, read the discussion before posting.
Re:So that's why Microsoft has such a low vulnerab (Score:3, Interesting)
Apps such as Apache, for instance, can easily be installed on Windows, and most of the issues found will affect any platform running the software.
Re:So that's why Microsoft has such a low vulnerab (Score:2)
FUD! (Score:5, Insightful)
Indeed.
What makes it worse is that Microsoft knows full well that this data is false, and still uses this in its FUD attacks against Linux/Open Source.
Even if Microsoft persuades people that it has a good reason for not disclosing vulnerabilities, Microsoft has no good reason to use false statistics, created by its hiding of information, in order to help persuade people that its software is more secure.
Re:FUD! (Score:2)
Well... maybe. It's quite possible that the two sub-organizations aren't communicating very well. If that's the case, then they need to do something about it.
I don't really care for Microsoft, neither the company nor their software. But let's not get all paranoid and just jump to the conclusion that they're deliberately trying to mislead us.
Oh, crap, what the hel
Re:FUD! (Score:2)
Perhaps they are not communicating too well. Don't you think the PR department ought to call the security team to validate the numbers before going on the attack?
My point here is that the lack of communi
Re:FUD! (Score:2)
The PR folks probably knew EXACTLY what was going on. I think they probably DID release those false/misleading statistics purposefully.
Re:FUD! (Score:2)
Re:FUD! (Score:2)
False Advertising (Score:2)
http://en.wikipedia.org/wiki/False_advertising [wikipedia.org]
I'm not sure how the FTC would deal with MS Sales Reps using that survey in their promotional/sales materials, but I imagine that someone could probably make a Lanham Act case out of it. To get damages under the Lanham Act, "Actual loss is not required to show an injury. All that is needed is a reasonable basis for the belief that the plaintiff is likely to be damaged as a result o
Re:So that's why Microsoft has such a low vulnerab (Score:2)
NO??
*snort*
NetBSD [netbsd.org] refutes you, troll.
Re:So that's why Microsoft has such a low vulnerab (Score:2)
Re:So that's why Microsoft has such a low vulnerab (Score:2)
I'll view it precisely as the OP posted it. Here it is again for you, with relevant bit bolded: They talk about hardware drivers & equipment. Nowhere do they mention confining to x86.
Re:So that's why Microsoft has such a low vulnerab (Score:4, Interesting)
You write: "Most Windows system administrators are not programmers, and of those that are fewer still are technically skilled enough to reverse engineer a binary patch."
Which is exactly what I quoted: "The guy that feels the pain is the system administrator who is in the dark and who can't do his own reverse-engineering."
It's the attacker doing the reverse engineering, not the sysadmins.
Re:So that's why Microsoft has such a low vulnerab (Score:3, Insightful)
That would be an insightful comment... in fantasy land. Most Windows system administrators are not programmers, and of those that are fewer still are technically skilled enough to reverse engineer a binary patch.
Exactly - so how are they meant to know what it does? On the other hand, at least some of the bad guys can and will reverse-engineer the patches. (Some security researchers are able to too, hence why this came out, but they probably don't have the time to do i
Re:So that's why Microsoft has such a low vulnerab (Score:4, Insightful)
Now, I *am* an experienced developer. When I do initial probes on "black box" binaries, I actually prefer to NOT have source available (as I am interested in what it is doing, not the comments or source that the original programmer put down indicating what it was intended to do).
Administrators? Generally can't do it. If I WERE a "black-hat", I would be all over the actual patches. I don't care about the paper reports.
The paper reports are critical to the administrators. They are not looking for a crack -- they have to trust that the changes have been checked and the work done carefully to avoid additional problems. But the only way the administrator has to determine if a patch should be applied, and what the risk is, is by full vendor disclosure. The "black-hats" don't really care that much. Of course, full disclosure can be a public relations nightmare.
The advantage that "open source" has here is that the laundry is already out in the open. Reputation can be (perhaps) slightly reduced by exploits, but it (again generally) doesn't destroy the product.
As an example, many people (including me) use sendmail and bind.
However, a closed source provider typically stakes a marketing created reputation. Exploits can really hurt. Take Windows 9x as an example. About the only thing Microsoft can do is state that future Windows are more secure. (even though Windows 98 as a core is reasonably hardened, as long as trojans are not executed, which it is VERY vulnerable to).
Oh, and "good guys" don't "counterattack". Just because someone attacks sshd on my box doesn't mean I turn around and attack. Generally, I ignore it. A "counterattack" stops at reporting the attempts to an upstream provider if they are very persistent (or successful).
Re:So that's why Microsoft has such a low vulnerab (Score:2)
Obfuscandalous! (Score:5, Insightful)
Perhaps it's time they should change their "Who would ever think to put those bytes there anyways?" mantra.
Re:Obfuscandalous! (Score:4, Insightful)
I'm not defending their practice(this is
Re:Obfuscandalous! (Score:3, Interesting)
Only if you are working on the flawed assumption that only MS will find the flaws.
I've got news for you:
There are real black hats, and they spend their free time looking for ways to exploit software. It's hubris to think that only MS can find security flaws in their own product.
Besides, this isn't about early disclosure, it's about any disclosure.
Re:Obfuscandalous! (Score:3, Insightful)
The point is that relying on security through obscurity alone is a bad strategy. The ideal is to be able to publish the entire architecture and the system would still be safe. No system in existence meets the ideal.
Full disclosure is
Re:Obfuscandalous! (Score:2)
In other words, 'evil hackers' don't need full disclosure by the vendor to attack your system, but you need it to best defend your system. I hardly see how that's an argument against full disclosure.
Re:Obfuscandalous! (Score:1)
Re:Obfuscandalous! (Score:2)
If something is a 0.x, beta prerelease version of something, then vulnerabilities shouldn't really be counted. You use a beta product at your own risk.
There are also plenty of security issues in Microsoft's beta versions, but they too are not counted unless the issue remains in the final release. Anything which is marked as development/beta code is bound to have bugs, some of which may be security related.
Every MS Patch is Utmost Severe? (Score:1, Interesting)
'Everything' you say? Um, well...apparently NOT.
Can there truly be a flawless operating system?
Is it possible to design an easy to use, accessible, and reliable application that has no security holes?
I think not, but if you could, you may become r
Re:Every MS Patch is Utmost Severe? (Score:3, Insightful)
Is it possible to design an easy to use, accessible, and reliable application that has no security holes?
I think not, but if you could, you may become richer than Gates himself.
The reason you wouldn't become richer than Gates if you did this is that it would be incredibly expensive to develop such a system. You would also have a long time-to-market. The result would be a very reliable operating system that is late to market and incredibly expensive. Your would-
Re:Every MS Patch is Utmost Severe? (Score:2)
Re:Every MS Patch is Utmost Severe? (Score:1)
This is most definitely an "easy to use, accessible, and reliable application that has no security holes".
Where is my money?
Jeremy
Re:Every MS Patch is Utmost Severe? (Score:1)
KFG
Re:Every MS Patch is Utmost Severe? (Score:2)
You're missing the "return 0;" statement, which means that the return value will be random junk. This in turn means you can't count on it to determine whether the program ran correctly, so it's not reliable.
Re:Every MS Patch is Utmost Severe? (Score:2)
Re:Every MS Patch is Utmost Severe? (Score:2)
Re:Every MS Patch is Utmost Severe? (Score:2)
Re:Every MS Patch is Utmost Severe? (Score:1)
Yes.
Re:Every MS Patch is Utmost Severe? (Score:2)
"Flawlessness" is unattainable. No intelligent design team would aim for it. But reasonable security via a reasonable effort is certainly attainable. UNIX is proof.
These are not even the worst years of M-Windows; the worst years of M-Windows were when there was not even ~reasonable~ security in the design of the OS. Then the poor simpleton was encouraged to
Re:Every MS Patch is Utmost Severe? (Score:2, Funny)
please, let's not start THAT old discussion here, as if the evolution team makes such flawless products
Re:Every MS Patch is Utmost Severe? (Score:2)
Excuse me? There are currently no possible exploits in my genetic-algorithm kernel. Give it a few more decades, and it might even become bootable...
Re:Every MS Patch is Utmost Severe? (Score:2)
Re:Every MS Patch is Utmost Severe? (Score:2)
Or you could be poorer than you are now because no one will use your application.
The answers are Yes and yes (Score:2)
Is it possible to design an easy to use, accessible, and reliable application that has no security holes? Again, the answer is "Yes." Minesweeper is such an application in Windows.
However, I believe you were meaning an operating system. To which, again, I would answer "Yes." What you cannot do, however, is to keep adding layers to an existing operating system that was never designed to be accessible,
Spare a few $$$ for OpenBSD? (Score:2)
The risks of using "someone else's" software (Score:2, Insightful)
This isn't exactly limited to Microsoft.
update is update (Score:1)
The default decision to update automatically whenever an MS update (including the ones silently fixing bugs) is ready seems to be taking care of that.
There is an inevitable time gap between the announcement of an update and zillions of updates on customer computers. In principle, hackers could use the time gap to attack computers that are not updated.
Eh... Mustdie?
The Truth (Score:1, Funny)
Scandalous! (Score:2, Funny)
Users who refuse to install Microsoft security patches are left vulnerable to security holes in Microsoft products they use!? Scandalous!
Re:Scandalous! (Score:2)
They also fix security flaws in regular bugfixes ("Hotfixes"). Microsoft's official policy is to install Hotfixes only if you really need a fix for a particular problem you are experiencing. Most people will not install Hotfixes so they are at risk for a vulnerability that Microsoft is aware of.
I know about this from first hand because some years ago I found such a flaw in
Customers? (Score:4, Insightful)
But, if they are your customers, they can get the patches no problem right? So really this policy only helps out the pirates. Right?
Ballmer and Bill convo (Score:1, Funny)
Ballmer: My God Bill, when will this happen?
Billy: In exactly 24 hours! (hackers immediately start posting 0day exploits) Oh dear, I forgot to carry the one.
Talk about a double-edged sword (Score:2)
From Microsoft's side, there is the heaping pile of exploitable code that is the Windows code base. Of course they don't want to expose any more than they have to, because they can see, or know, what they are in for.
On the other hand, like the article brings out, the customers who really deploy on test systems first or have to be super careful about breaking their system due to very custom software are at a disadvantage.
There must be a channel, especially for larger customers, where MS could/would divulge this in
Those who do know aren't going to tell you (Score:2)
Microsoft charging money for security tools? (Score:3, Insightful)
With that in mind - why would they tell other, competing, anti-virus companies what flaws to protect against?
Come to think of it - why bother fixing flaws at all - just defend against them in the MS Anti-virus gadget instead and encourage people to pay the anti-virus tax. It might even be tempting to add the occasional flaw just to make that work better.
I don't know whether any of these things will actually happen - but you simply can't trust the motives of a company that behaves the way MS consistently does.
Re:Microsoft charging money for security tools? (Score:5, Insightful)
The purpose of "anti-malware" tools is *not* to protect against software flaws, it's to protect against user mistakes. A rather large proportion of people on Slashdot seem to have a great deal of difficulty understanding this.
No amount of OS "security" can stop the end user from shooting themselves in the foot. The purpose of "anti-malware" software is to give them a chance to dodge the bullet.
Re:Microsoft charging money for security tools? (Score:2)
It is too bad about the 125 char limit on sigs -- that would have been a great one
if Software can fix user error with Software??? (Score:2)
Re:if Software can fix user error with Software??? (Score:2)
Because they are two separate pieces of functionality, and including the "antimalware" part would probably have Microsoft embroiled in another antitrust lawsuit.
Re:Microsoft charging money for security tools? (Score:2)
User mistake #1: Using Windows
User mistake #2: Using IE
User mistake #3: Using Outlook
Protect against those three, and malware ceases to be a heavy worry. Funny that...
Re:Microsoft charging money for security tools? (Score:2)
With that in mind - why would they tell other, competing, anti-virus companies what flaws to protect against?
Can you say Sherman Antitrust Act?
Re: Microsoft admits? (Score:1)
There is only one possible reaction [orlyowl.com] to this.
Truly not the right approach (Score:1, Insightful)
This is VERY important for the customer, which Microsoft has shown repeatedly not to give a rat's ass about. So, no surprise here. The best
Microsoft is at war. (Score:3, Funny)
Re:Microsoft is at war. (Score:2)
J.
Of course they're not going to report all bugs! (Score:2, Funny)
The inherent problem: "Doesn't apply to me" (Score:3, Insightful)
This patch might have fixed a key security hole. But if you don't know it, how should you decide whether you should apply it? I don't buy the story that MS knows what's good for me. If anyone knows, I do. And I certainly won't hand this decision over to someone else.
Re:The inherent problem: "Doesn't apply to me" (Score:2)
Yeah, yeah, usual arguments about MS. It takes pain to switch. But the question is which pain is less... known pain that you can plan for, or pain that blindsides you at 2am when you learn that someone has just downloaded your entire HR database?
Re:The inherent problem: "Doesn't apply to me" (Score:2)
Something's gotta happen before people get smart.
Re:The inherent problem: "Doesn't apply to me" (Score:2)
Microsoft == BAD (Score:2)
Second, I think something most people haven
Re:This article is flamebait [or are you a troll?] (Score:5, Insightful)
If you had read the article rather than rushing to get first post, you would know that they're talking about releasing information about flaws after the patch is released.
If you still don't understand why they should release information, consider the following from the article:
Re:This article is flamebait [or are you a troll?] (Score:3)
I recall reading an article [sans.org] on the ISC website asking folks if they knew the inner working of Oracle's (many, many) patches. It seems as if t
Re:This article is flamebait [or are you a troll?] (Score:2)
I completely agree - I'm sure Oracle, Apple, Sun (and other closed source vendors) all do this.
But since Microsoft is perceived as the big bully on the block this makes better fodder.
Microsoft is the big bully on the block, but that's not what makes this better fodder - what makes this better fodder is the sheer weight of Microsoft users. The number of people affected by a patch to the most widely distributed oracle product is miniscule compared to a the
Re:This article is flamebait [or are you a troll?] (Score:2)
I guess it depends on your definition of affected. Directly you are certainly correct. The desktop computer home and business users spend most of their time working with would be directly affected. But Oracle databases likely power the back-end of a lot of people's world. Banking, retail, transportation, government records, etc.
Another vend
Re:This article is flamebait [or are you a troll?] (Score:2, Interesting)
All the information about what is patched is directly available in the patch, exposed via a relatively simple decompiling operation. A compare of the newly provided DLL and the original shows you clearly what the original lacks. And as such, how you can attack anyone unpatched, or figure out what other DLLs may have such a proble
Re:This article is flamebait [or are you a troll?] (Score:2)
Re:This article is flamebait [or are you a troll?] (Score:2, Insightful)
that's a business decision... (Score:2)
MS has internal business. Some of this includes security. It is their choice whether to release the info or not.
Other companies are making similar decisions. Does Apple ever tell you what is fixed in iPod 1.1.1 software or iTunes 6.0.4?
MS is taking a risk people might not patch. But if they want to take that risk, it's up to them. Why do people just love explaining how they'd do things better than MS all the time?
Re:that's a business decision... (Score:2)
Re:This article is flamebait (Score:2)
http://lwn.net/Articles/179828 [lwn.net]
Or you can wait a week.
The gist is that there are indeed vulnerabilities:
Re:This article is flamebait (Score:2)
Re:scandal! (Score:3, Insightful)
If you had read the article rather than rushing to point out slashdot's supposed hypocrisy, you would know that they're talking about releasing information about flaws after the patch is released.
Nothing to do with responsible disclosure at all.
More fun if vulnerabilities are revealed (Score:1)
Personally, I think it's more interesting and exciting if people disclose vulnerabilities immediately. You could, if you want, see it as a way of punishing people for making mistakes or running programs with mistakes. Of course, it's impossible to avoid mistakes, but I think this "punishment" is fun anyway. It makes more of a game of it.
Do you even know what RFPolicy means? (Score:4, Insightful)
If, at any point, the vendor suddenly decides to play not-nice, the RFPolicy is quite clear -- go ahead and post it to bugtraq or whatever you like. It also states that the vendor should acknowledge the original disclosure. That is, if I found a vulnerability in slashcode, but delayed publication because I was trying to get it fixed in good faith, the Slashcode developers would acknowledge my efforts in their advisory -- even if someone else comes along and posts an advisory after I report it to the team, but before the team has posted an announcement.
Nowhere in the RFPolicy v2.0 [wiretrip.net] does it say anything along the lines of, "Hey, you should silently slip-stream fixes without ever notifying anyone ever" -- which is what this article is about Microsoft doing.
The shit that gets modded up. I swear, we need a "-1 WRONG" tag we can apply to posts. Some kind of clue stick for the mods that don't bother to look up RFPolicy would also be good.
Re:scandal! (Score:3, Informative)
Au contraire. The RFPolicy [wikipedia.org] gives the vendor five working days to respond to a communication from the discoverer of a vulnerability, after which the discoverer can go public at any time. The discoverer and vendor are encouraged to work together to make a joint statement of the vulnerability once there is a fix.
Re:I'm shocked! (Score:2)
Re:I'm shocked! (Score:2)
That's the reason for open-source's (mostly) superior quality: it's about doing The Right Thing (TM), not about quarterly earnings, covering ass or FUDding-to-prevent-adoption. When you run around like a chicken with its head cut off like that (the MS way), then what time or resources do you really have left to get things right? Not much apparently...
I declare it here; Microsoft is naked! There is no suit.
Re:I'm shocked! (Score:2)
The headline doesn't read "Microsoft hides flaw details", but "Microsoft admits to hiding flaw details".
Re:I'm shocked! (Score:2)
I suppose that when you are caught red-handed, you have no choice...
Either way, it isn't news because it isn't new: Microsoft have consistently included and slipped-by 'extra' things in their patches for ages and have been caught doing it regularly.
Maybe you are right, it might be the first time they publicly admit to it, but since everyone is already expecting that type of behaviour from them, why not?