Microsoft's Security Disclosures Come Under Fire
Old Banana writes "Is Microsoft silently fixing security vulnerabilities and deliberately obfuscating details about patches in its monthly security bulletins? Matthew Murphy, a security researcher who has worked closely with the MSRC (Microsoft Security Response Center) in the past, is accusing the software maker of 'misleading' customers by not clearly spelling out exactly what is being patched in the MS06-015 bulletin released on April 11."
If you explain exactly what is being patched, then you give the hackers a pretty clear roadmap of what they need to do to exploit all of the unpatched systems, don't you? The sad truth is that most systems remain unpatched. Granted, Microsoft's assumption that its customers are idiots that couldn't handle the truth is annoying to those of us that do understand the problems, but in the majority of cases their assumption is pretty close to the truth - they are protecting the naive by not giving hints out to the malicious.
I've abandoned my search for truth; now I'm just looking for some useful delusions.
As long as Microsoft are fixing them I'm not too bothered about this, but it would be nice to know what exactly they are fixing.
"Oh boy"
For business users, they might actually want to know what might break if they do the update - especially since many cannot be "un-done".
This issue is a bit more complicated than you think.
I would speculate that more people download Windows updates than almost any other piece of software (mostly because they are unaware of it, since this feature comes standard and enabled in Win XP). So why would Microsoft want to divulge the security holes it is patching so openly? If I were looking to break into someone else's system, the first place I would go is to microsoft.com, check to see what security holes it has just patched, and then see if my neighbour has patched yet.
It would be way too easy for people to learn about the problems that Microsoft has riddled the world with.
I think the real point of the article was a few paragraphs in when Murphy said that "You simply don't know what the patches are for. It's virtually impossible to make a determination about a deployment time frame if not deploying a patch has the potential to place you at an additional, unknown risk."
One of my favorite things about open-source systems like Redhat's RHN up2date is that you know exactly what a patch will affect and what code it will be changing. An update to the kernel, or to an individual program, will have a description of what it does, and in many cases a list of files that it will modify/replace.
I can see how Microsoft could be more open about what specifically a patch does, but without making the patches open-sourced I don't see how they will ever be able to match Linux's level.
To me this looks like MS have patched the flaw they say they have, and maybe seen some other bugs that were in there whilst they were there.
This is not necessarily a good thing though, as vagueness in what a patch fixes implies vagueness in testing that the patch works properly. Microsoft should post exactly what it fixes, so people know what they are putting on their system. For instance, what if the patch breaks third party software? As the third party won't know what was changed, they can't fix it.
If I'm getting the gist of the article correctly, it sounds like this guy is just whining because he found a variation of a vulnerability that was being fixed and he didn't get his name posted in the headline as finding the main vulnerability.
So, really, this is just a single guy complaining because he feels like he should have been a headliner but MS felt he was just an extra.
This brings up the age-old debate which I will not revive. However, my spin is that if you are patching a vulnerability you should disclose that. Otherwise the end user might not apply the patch. This very same situation happened with Cisco at Blackhat and ended up in the courts, and Cisco ended up with a public black eye. Based upon the IT reaction to that I would venture the assumption that we want to know.
If you explain exactly what is being patched, then you give the hackers a pretty clear roadmap of what they need to do to exploit all of the unpatched systems, don't you?
You do that already by providing a patch. The bad guys will simply look at the differences of the binaries and find out what has been patched. So instead of helping the good guys, Microsoft gives an information advantage to the bad guys.
New patch advisory: "This patch solves yet another attack vector that can be exploited by a malicious hacker. The fact is, this is like sticking your finger in a dike. Actually, it is more like sticking your finger in a non-existent dike against a tsunami. Tomorrow, five other security holes will be discovered. Odds are, this patch will introduce yet more attack vectors. You are screwed"
Microsoft: You may use the above for a small fee. TIA. HTH.
Aside from the terrible, terrible, sad analogy, do you enjoy Windows vulnerabilities as much as a cigarette after sex? Patching flaws without disclosure (as long as that is indeed what they are doing) is like taking a pill for a cold and having it cure your syphilis while it's at it.
An old-timer with old-timey ideas.
I would think that corporate "Software Assurance" customers who are paying for continual updates and support, and have to support MANY legacy applications that may be affected by such flaws or patches, would be (and ARE) demanding such notifications. Joe Bob Home User doesn't really care, but Fortune 100 Fred in IT sure does, especially when his job (which is to keep the company's infrastructure up and running) is on the line.
Microsoft's just trying to save face; they could quite obviously still tell you that your applications and/or operating system had flaws that you needed to be aware of without going into specifics. Regardless of how much they want to disclose, one would imagine that they should have a legal responsibility to their customers to release any knowledge they have about a fault in their product that could compromise the security of their customers' financial and private information, particularly in today's age of putting warnings out for every little possible fuck-up imaginable for other products (you know, like pepsi bottles that tell you to open with the cap pointing away from your face, etc...).
Ex nihilo nihil fit.
How to find out? MD5 sum your /windows folder including the sub-directories (don't forget the hidden ones) before the patch. MD5 sum again after the patch and compare the results. bdiff the questionable file differences and disassemble. At least that's what I used to do as a prior legitimate Windows license(s) owner (but before being called a thief by Microsoft).
Like I said earlier today, you either own a Microsoft appliance or a personal computer, these days you can't have both. Switch to something else or stay with Windows.
Enjoy,
It's just the normal noises in here.
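The before/after snapshot step described above, written out as an added example (not code from the post or from Microsoft): it hashes every regular file under a directory tree, hidden directories included, and reports which files a patch added, removed or modified, so the change set can be fed into regression testing. It uses SHA-256 via hashlib rather than MD5, and the sample tree in `demo()` is a constructed temporary directory, not a real Windows folder.

```python
import hashlib, os, shutil, tempfile
from pathlib import Path

def hash_file(path, chunk_size=1 << 20):
    """SHA-256 of one file, read in chunks so large binaries never sit whole in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot(root):
    """Relative path -> digest for every regular file under root; os.walk descends into hidden dirs too."""
    root = Path(root)
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if not p.is_file() or p.is_symlink():
                continue
            rel = p.relative_to(root).as_posix()
            try:
                manifest[rel] = hash_file(p)
            except OSError:  # locked or unreadable file: record it instead of silently skipping it
                manifest[rel] = "<unreadable>"
    return manifest

def compare(before, after):
    """Return (added, removed, modified) as sorted lists of relative paths."""
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    modified = sorted(p for p in set(before) & set(after) if before[p] != after[p])
    return added, removed, modified

def demo():
    """Constructed sample tree (not a real Windows folder): snapshot, simulated patch, snapshot, compare."""
    root = Path(tempfile.mkdtemp())
    try:
        for d in ("system32", ".hidden"):
            (root / d).mkdir()
        (root / "system32" / "changed.dll").write_bytes(b"v1")
        (root / "system32" / "same.dll").write_bytes(b"same")
        (root / ".hidden" / "old.dat").write_bytes(b"old")
        before = snapshot(root)
        (root / "system32" / "changed.dll").write_bytes(b"v2")  # the "patch" rewrites one file...
        (root / "system32" / "added.dll").write_bytes(b"new")  # ...drops in a new one...
        (root / ".hidden" / "old.dat").unlink()  # ...and removes one in a hidden directory
        after = snapshot(root)
        return compare(before, after)
    finally:
        shutil.rmtree(root)
```

For a real run, call `snapshot()` on the Windows directory before and after installing the update and pass the two manifests to `compare()`; the unchanged `same.dll` in the demo shows that untouched files are not reported.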
The bad guys don't need to spend time with compatibility or regression testing for their software.
They can download the patch the day it is released and have an exploit ready that same day. You'll still be meeting to discuss the test plan for your servers.
Attempting to hide information doesn't help anyone except the vendor and the bad guys.
At least if you have the information, you can determine your own level of exposure and decide what mitigating actions you want to take based upon your environment.
You tell people what you're doing to their systems.
It's that simple.
Security reasons, or no security reasons, you tell people. Anything else is misleading, which equates to lying.
They own the systems, not you, regardless of your fucking EULA.
Then if anybody doesn't care or doesn't want to know, it's on them.
Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
Companies actually testing their software against the latest releases of Windows? That's definitely a change from what I normally see; lazy software companies sitting around, rolling naked in money, then running an anti-Microsoft campaign when compatibility is broken with a bug fix. Rather than providing a fix to the end users, they run that campaign hoping that Microsoft will cave in and make some sort of elaborate workaround.
I'll say it once, and say it again; it isn't Microsoft's responsibility to provide backwards compatibility to people who would rather spend time whining about Microsoft than sifting through Microsoft's knowledge base and product errata and updating their software to be compatible with the latest service pack/quickfix.
If you're a customer, a particularly large customer, and a piece of software breaks when you update your Windows machine, your first port of call should be to the software vendor's phone line to demand that they provide a patch; if they don't provide a patch, and you're a particularly large customer, threaten to drop their product - send them a clear message that you paid for a product, and you expect support, both telephone and prompt updates to address any compatibility issues that may arise when Windows is updated.
That's all well and good, right up until the point that the syphilis cure also causes a fatal allergic reaction in a small but significant percentage of the population.
Patches can break things. This is why disclosure of what it's touching is important, so you can properly test that everything it touched still works after the patch.
I'll say it once, and say it again; it isn't Microsoft's responsibility to provide backwards compatibility to people
I'd disagree, partially, with this. Yes, it isn't Microsoft's responsibility to provide backwards compatibility to people who have used undocumented behaviour - but where they have changed the API so that it no longer operates as documented, then it is their responsibility.
What would Lemmy do?