Slashdot Mirror


MS Security Guy Wants Vista Bugs Rated Down

jcatcw writes "Gregg Keizer reports that Michael Howard, an MS senior security program manager, says that the Microsoft Security Response Center (MSRC) is being too conservative in its Vista vulnerability rating plans. Microsoft's own bug hunters should cut Windows Vista some slack and rate its vulnerabilities differently because of the operating system's new, baked-in defenses."

21 of 167 comments

  1. A rough translation to human speech... by dyfet · · Score: 5, Insightful

    "You're making us look bad, can't you lie a little, we do all the time..."

    This was a public service translation, for those who have trouble understanding Microspeak...

  2. It's about the bug, not the environment by Anonymous Coward · · Score: 5, Insightful

    This guy is IMO a narrow-minded fool. Sure, Vista may have extra security features which can limit the extent of damage which a certain bug can do. But does this mean that these features have any impact on the severity of those bugs? Let's "translate" this to Linux:

    Say a new local SSH exploit has been found allowing attackers to gain root privileges. Does the fact that you'd need user accounts which are actually usable by people make any difference on the severity of the exploit? "Gee, cut the home user some slack since they won't have any real user accounts to begin with. So stop scaring them and rate the bug as it really is?" But... The bug really is what it says to be. In my example it's a critical issue, in the case of a Vista bug it's Important.

    Just because you may benefit from the extra security enhancements doesn't imply everyone else does. So please; cut out the idiocy and the desperate attempts to push Vista forward by focussing on all good points and ignoring the bad points, and simply keep calling things what they are. I for one now question the professionality of this guy.

    1. Re:It's about the bug, not the environment by hxnwix · · Score: 5, Insightful

      Right, and that's why OpenBSD pretends that remote exploits are warm & fuzzy happy ponies. Because of their "baked in defenses." ...
      Errr, NO, this guy is promulgating deceptive doublespeak. But perhaps he knows better - perhaps he's just a dishonest jackass and not a retarded jackass. What was your point again?

    2. Re:It's about the bug, not the environment by driftwolf · · Score: 5, Insightful

      If Vista is so much more "secure", then any flaw should be much MORE serious, not less. After all, aren't they supposed to have worked so long and hard to reduce the flaws in this one? If one advertises a secure system, then any breach is, by definition, important. MS Vista is being pushed as a highly secure system to many businesses. Hence, security issues are that much more important, as they were used to sell the system in the first place.

      As we've heard that much (some?) of their vaunted security is actually just optional smoke and mirrors (several of the user security features for instance), I don't think MS Vista should be given any easier ride than any other operating system. Let it be judged independently, on its own merits, and not through re-definition of what is critical or not for political (and of course publicity and monetary) purposes.

      Any system that defines itself as "secure", but isn't, deserves to be ranked accordingly. Microsoft (and it isn't alone by a long shot) has a very long history of selling one thing and delivering another. Changing the criteria based on what they are selling isn't warranted until what they deliver matches that in every respect. So far, they aren't doing that with MS Vista either.

      --
      -- Motto: If it doesn't make sense, always follow the money.
  3. You keep using that word by Gothmolly · · Score: 2, Insightful

    I do not think that the word "security" means what you think it means.

    Or, you're a FUD-peddler whose job it is to convince Gartner that you don't suck... I'm not sure.

    --
    I want to delete my account but Slashdot doesn't allow it.
  4. New rating for new system? by Jimbitz · · Score: 4, Insightful

    I can't believe someone known as a Microsoft security guru would make a statement like that.
    An exploit is still an exploit. It doesn't matter if it's found in a brand new OS or the predecessor.

    Thank god there are people who don't agree with him.

    --
    IT074931
    1. Re:New rating for new system? by GIL_Dude · · Score: 2, Insightful

      Well, I think the point would be something more like this:

      A buffer overflow is found in lsasrv.exe. It's remotely exploitable on Win2k3 server and Windows XP and can run arbitrary code and doesn't require an account on the system (remote wormable). It's only locally exploitable on Vista, requires a local (even if low privileged) account to be logged on and run the code (possibly via social engineering - click here for SomeStarNaked.exe).

      He's talking about the rating - a rating should be in relation to something. Otherwise - what does "5 star movie" mean? Is 5 stars the best? Is it 10 stars for the best? So, you need a rating that puts them in relative perspective. In this case, the same overflow should get an "extremely critical" for XP and Win2k3 server. It MAY not deserve as high a rating on Vista though depending on its ability to be exploited and spread. Possibly on Vista it could get just critical or maybe even just important.
      I think it is key when rating the vulnerability to take into account how it can be utilized and what is required to exploit it.

  5. This is not wise by EXMSFT · · Score: 4, Insightful

    Don't challenge the hackers. It's great that Windows Vista has some built in low-level security protections. It's also great to see that Michael is discounting the significance of UAC. And he should - most people will wind up turning it off. But I think that attempting to say that Vista is fire retardant is most likely going to serve as a method to encourage hackers and script kiddies to try and set fire to it. Saying "because it's Vista means the exploit isn't as bad" is a horrible argument. It's an OS, and an exploit is an exploit.

    In short I don't think Michael should assume. When you assume, well, you know.

  6. stop whining and just.... by 3seas · · Score: 3, Insightful

    ...fix the bugs.

    1. Re:stop whining and just.... by rucs_hack · · Score: 4, Insightful

      They can't

      Not because of anything so simple as crap coders or Microsoft being shit (lame reasons when there are so many others that can be justified with examples). They can't because it's too complex, subject to too many attack vectors, and closed from peer review of code.

      Time was this refusal to allow external entities to search for and fix bugs in their code was acceptable as normal business practice. Since Linux got more popular, people have started to see that peer review of code is superior when it comes to finding and fixing errors.

      I'd be willing to bet that if Linux was closed source it would be as defective as Windows is. That it isn't testifies to the usefulness of open source/bsd style approaches.

    2. Re:stop whining and just.... by tuzzer · · Score: 2, Insightful

      I'd be willing to bet that if Linux was closed source it would be as defective as Windows is. That it isn't testifies to the usefulness of open source/bsd style approaches.

      Something being closed source doesn't mean it can't be peer reviewed. We use peer reviews at my job all the time. The rule is you don't check your own code, others do. It helps. A lot.
      --

      bash$ less COPYING
      bash$ more CREDITS
  7. Missing the point by UnknowingFool · · Score: 3, Insightful

    Why is it that MS always misses this point: Secure is relative. Advocating that MS can be more lax in its procedures because Vista is more secure is like saying you don't need to train anymore because you didn't finish last in a race. Microsoft may have better security than its predecessors; however, it remains yet to be seen whether or not it is adequately secure. Given the company's history of boasting about security and then failing to deliver, it would be best if they were conservative when it comes to security. Wasn't there a recent Slashdot article on how OpenBSD had its second security issue in a decade? Compared to that, Microsoft security is a joke.

    --
    Well, there's spam egg sausage and spam, that's not got much spam in it.
  8. Tired article on a stupid statement. by lancejjj · · Score: 3, Insightful

    Microsoft's own bug hunters should cut Windows Vista some slack and rate its vulnerabilities differently because of the operating system's new, baked-in defenses, according to [Michael Howard, a senior security program manager in Microsoft's security engineering group] who is often the public persona of the company's Security Development Lifecycle (SDL) process. Microsoft shouldn't have this guy as the "public persona" of security if he isn't 100% within both the security & public communications loops at Microsoft. "Vista" is supposed to be all about security. Why are they having this guy "chat" about it when he isn't a communications expert and when he isn't representing Microsoft's corporate opinion?

    I'm sure we've all said a few things that were externalized "thought experiment" instead of "well thought out conclusions". And I think I can see how his line of thinking was going, although I disagree with his statement. And I wouldn't be surprised that in hindsight he disagrees with his own statement.

    Microsoft has inadvertently set this guy up as a fall guy by anointing him as a semi-official spokesperson. Hopefully he won't find himself on the street due to what is a failure of his management.
  9. A little late for that... by Jasin+Natael · · Score: 4, Insightful

    By this logic, then, shouldn't most of the bugs for Linux and OSX have been rated as "relatively unsafe", while the Windows bugs were almost universally labeled "Über-pWnz0r3d"?

    It seems like he wants this just so he can compare turds to turds, boosting the sales of Vista by saying the Windows 98 and 2000/XP bugs of yesteryear were worse because the same bug is arguably less severe under Vista. It may be true, but he should hope that if anyone takes him seriously, they don't start rating severity relative to similar bugs in competing products.

    Be careful what you wish for...

    --
    True science means that when you re-evaluate the evidence, you re-evaluate your faith.
  10. Re:Isn't that ..... by numbski · · Score: 5, Insightful

    You'd have to be smoking some pretty good weed to go along with this. :P

    Let's say on *nix there's a vulnerability that allows for remote ssh access. You can only get in as an unprivileged user, heck, you may even get /dev/null as your shell, but it lets you in. Do you rate down the remote access flaw because of *nix's "baked in " defenses? No! You fix the bug and update.

    Just because your system is overall more secure doesn't mean that you don't blow the whistle on the flaws just as hard. It's called VIGILANCE.

    --

    Karma: Chameleon (mostly due to the fact that you come and go).

  11. Awww by Centurix · · Score: 2, Insightful

    They're hurting your feelings, come here and rest on my man boobs. There there, that's better isn't it mr security person. What, they're not as soft and comfortable as your mom's boobs? Excuse me, I'd like you to rate my boobs better than that, after all, I am a MAN!

    --
    Task Mangler
  12. I think MS needs to talk to a lawyer by SmallFurryCreature · · Score: 2, Insightful

    Simple: send each and every person who works for the company in any way to a lawyer and tell them to obey the first rule.

    SHUT THE FUCK UP

    Just stop talking, do NOT say anything, remain silent.

    MS just can't do that and keeps blurting out things that make it seem extremely silly indeed.

    This latest claim is like saying that a grease fire in your kitchen isn't dangerous if you live near a fire station. That getting shot through the chest isn't as much of a hassle and shouldn't count as an attempt on your life because you happen to be in an emergency room.

    A bug is a bug, a security hole is a security hole. That they are even rated is already bad enough. They should have just one variable "fixed" which is a boolean.

    Claiming that a so called critical bug isn't as severe because the unproven untested OS it runs on has some safety measures, which by the way have been programmed by the same people who programmed the bug, is not exactly raising my opinion of MS.

    Had they simply listened to the lawyer they would have kept their mouth shut and not dropped another notch in my estimation.

    Perhaps it is all part of a cunning plan with them hoping that humans like computers suffer from wrap around and if they lower my opinion far enough it would wrap around to positive again.

    or they are stupid.

    But I liked the end, unless Vista picks up it will receive the same non-attention as OS-X, now that's gotta smart.

    --

    MMO Quests are like orgasms:

    You may solo them, I prefer them in a group.

  13. Re:Isn't that ..... by Hierarch · · Score: 2, Insightful

    Let's say on *nix there's a vulnerability that allows for remote ssh access. You can only get in as an unprivileged user, heck, you may even get /dev/null as your shell, but it lets you in. Do you rate down the remote access flaw because of *nix's "baked in " defenses? No! You fix the bug and update.


    Well, actually, you do rate it down. This is basic risk assessment, and if it comes to a prioritization of resources — which bug should we fix next? — I want that priority set according to the impact of the problem. Cold, hard, rational assessment, not “ZOMGRemoteAccessExploitWTFBBQOver”.

    You seem to assume that reducing the rating of a flaw means you don't fix it.

    Now, more importantly, from TFA, we have

    [The] rating system is clear-cut. If an Internet worm can spread without user action -- the MSRC's definition of "critical" -- on Vista, the vulnerability will be so tagged, Vista-specific security technologies notwithstanding.


    This is different from the case you're outlining, and if the bloke in this article is really trying to change these criteria, I've got a real problem with that. If it's the difference between a buffer overrun that allows remote access versus a buffer overrun that allows an outsider to crash that process, I think it's the MSRC that needs to correct their own criteria. Either way, it shouldn't be driven by an outsider, although he can and should make the suggestion to them that certain criteria should be revisited.
    --
    --Somebody infect me with a .sig virus, I'm too lazy to write my own!
  14. Conservative? by julesh · · Score: 2, Insightful

    "The MSRC folks are, understandably, very conservative and would rather err on the side of people deploying updates rather than trying to downgrade bug severity"

    Err, right. So if they're so conservative, how come they'll rate a remote code execution bug as "moderate" if the code is run in a restricted context (see, e.g. http://www.microsoft.com/technet/security/Bulletin/MS06-013.mspx - particularly the DHTML bug)?

  15. Re:Isn't that ..... by UncleTogie · · Score: 5, Insightful

    whereas Windows users tend to gain at least a basic appreciation for proper security practices.
    Don't take this personally, but:

    What frickin' planet are YOU on? Most Windows users expect Windows to take care of all that FOR them....and boy, are they surprised to find that clicking that "You're infected! Click here to pretend to fix your computer whilst actually infecting it!" actually DOESN'T fix a darn thing. I'm not talking ALL Windows users, but it's a frighteningly large group.

    What MOST Windows users want is a system that doesn't make them THINK.
    --
    Don't tell me to get a life. I'm a gamer; I have LOTS of lives!
  16. Re:Isn't that ..... by tdelaney · · Score: 4, Insightful

    There's a difference between severity and priority.

    A bug may be high severity (e.g. remote access) but low priority (e.g. because it's believed that other factors mitigate the remote access).

    Another bug may be low severity (e.g. a user interface quirk) but high priority (e.g. because reviewers have seen it and are talking down your product because of it).

    Severities should be based on how much damage may be caused to the *users* of the program. Priorities are usually determined by how much damage the bug causes to the *developers* of the program ...
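The "same bug, different platforms" scenario from GIL_Dude's reply, the MSRC "critical" definition quoted from the article in Hierarch's reply, and tdelaney's severity/priority split, worked through as an added example (constructed code, not from the article, Slashdot or Microsoft). The critical rule is the one the thread quotes; the lower tiers and the "bulletin takes the worst affected platform" rule are simplifying assumptions.

```python
from dataclasses import dataclass

# Ordering used to compare ratings; "critical" is the worst.
RANK = {"low": 0, "moderate": 1, "important": 2, "critical": 3}


@dataclass(frozen=True)
class Exploitability:
    """How one flaw can be reached on one platform (constructed attributes)."""
    platform: str
    remote: bool             # reachable over the network from outside
    needs_user_action: bool  # victim must click/run something first
    needs_account: bool      # attacker must already hold a local account


def severity(e: Exploitability) -> str:
    """Rate one platform.

    'critical' follows the MSRC definition quoted in the thread: a worm can
    spread without user action. The remaining tiers are an assumed, simplified
    scale, not MSRC's published text.
    """
    if e.remote and not e.needs_user_action and not e.needs_account:
        return "critical"    # wormable
    if e.remote or e.needs_user_action:
        return "important"   # code execution, but a lure or click is needed
    if e.needs_account:
        return "moderate"    # needs an existing local account first
    return "low"


def rate_per_platform(cases: list[Exploitability]) -> dict[str, str]:
    """Severity for each platform the same flaw affects."""
    return {c.platform: severity(c) for c in cases}


def bulletin_rating(cases: list[Exploitability]) -> str:
    """Assumed aggregation: the bulletin carries the worst per-platform rating,
    so a lower Vista rating does not lower the rating for XP/Win2k3 users."""
    return max((severity(c) for c in cases), key=RANK.__getitem__)


# Constructed scenario matching GIL_Dude's description of one overflow.
LSASRV_CASES = [
    Exploitability("Windows XP", remote=True, needs_user_action=False, needs_account=False),
    Exploitability("Windows Server 2003", remote=True, needs_user_action=False, needs_account=False),
    Exploitability("Windows Vista", remote=False, needs_user_action=True, needs_account=True),
]
```

Severity here is a property of the flaw on a given platform; the fix-order priority tdelaney describes is a separate decision layered on top and is deliberately not encoded in the rating.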