Microsoft Admits to Hiding Flaw Details
Spongeform writes "eWeek has an interview with a Microsoft security official admitting to hiding details on software vulnerabilities that are discovered internally. The reason? Microsoft believes that full disclosure of every security-related product change only serves to aid attackers. However, companies using host-based IPS that rely on flaw information to build signatures are basically left at risk because of Microsoft's silent fixes."
Well, here's another reason why that report was flawed - it turns out that Microsoft are fixing multiple vulns in one advisory - from the article: Of course, Microsoft is going to argue that they fix vulns silently to prevent the 'bad guys' from using the patch info to create attacks, but this is refuted by the same researcher:
There are shills on slashdot. Apparently, I'm one of them.
I seem to remember being told in my software engineering class of a type of protection that provides a false sense of security. I think that Microsoft may be becoming more and more guilty of it.
Perhaps it's time they should change their "Who would ever think to put those bytes there anyways?" mantra.
My work here is dung.
If you had read the article rather than rushing to get first post, you would know that they're talking about releasing information about flaws after the patch is released.
If you still don't understand why they should release information, consider the following from the article:
Perhaps I should be clearer. My quote included "The attackers are already reverse-engineering the patches."
All the attacker needs is the patch - they can look at that to see what's changed and where, and deduce from that where to start looking for attack vectors. It's not particularly a big help for them to hear "Function blah in program blah has changed".
System administrators, on the other hand, do not have time to reverse engineer the patch, but can read the summary and say "we don't use function blah in program blah, let's apply the patch as it won't affect our operations" or "Holy shit, we have program blah exposed to a hostile network, let's quickly test our stuff & rush the patch out".
So what Microsoft is doing is actively hampering administrators and not hindering attackers.
The purpose of "anti-malware" tools is *not* to protect against software flaws, it's to protect against user mistakes. A rather large proportion of people on Slashdot seem to have a great deal of difficulty understanding this.
No amount of OS "security" can stop the end user from shooting themselves in the foot. The purpose of "anti-malware" software is to give them a chance to dodge the bullet.
If I were a system administrator, I'd be applying every patch they handed me, on the off chance it's patching an obscure vulnerability I'd never catch in a million years.
If you apply a Microsoft patch for something that is never likely to affect you, you're taking a bigger risk by applying the patch!
Most people here should be aware that applying a Microsoft patch is likely to screw something up -- something Microsoft has become renowned for.
Linux/Open Source/Anti Microsoft News
A) Who in the tech world didn't already know this?
The news is that Microsoft are admitting it. The security community have 'strongly suspected' this for years.
B) Do you realize even *nix vendors do this, including Linux distributions?
Could you please provide an example of this (for linux vendors)?
Of course - even if you do find an example (I doubt it), it doesn't change the fact that it's just the distribution - the upstream developers will have released patch information, etc. There is no parallel for this sort of openness in the Windows world.
C) Do you also realize that Apple patches more items in a single Patch on average compared to MS by a factor of 10 or more?
I do realise Apple patches multiple vulns in one go. Fortunately, however, anything remotely important that is distributed by Apple is written by third parties with more responsible disclosure policies (i.e. OpenBSD, the Apache Foundation).
You make a good point about granularity of "bug counting" lists. There's a lot of room for improvement.
Anyone remember the (deeply flawed) Cert statistics where Microsoft had 812 vulnerabilities compared to Unix + Linux's 2328?
Indeed.
What makes it worse is that Microsoft knows full well that this data is false, and still uses this in its FUD attacks against Linux/Open Source.
Even if Microsoft persuades people that it has a good reason for not disclosing vulnerabilities, Microsoft has no good reason to use false statistics, created by its hiding of information, in order to help persuade people that its software is more secure.