Slashdot Mirror


MS To Share Vulnerability Details Ahead of Patches

Bridge to Nowhere writes "ZDNet is reporting that Microsoft will start sharing details on software vulnerabilities with security vendors ahead of Patch Tuesday under a daring new program aimed at reducing the window of exposure to hacker attacks. The new Microsoft Active Protections Program (MAPP) will give anti-virus, intrusion prevention/detection and corporate network security vendors a head-start to add signatures and filters to protect against Microsoft software vulnerabilities."

27 comments

  1. So the first might start like this... by strimpster · · Score: 0, Troll

    Now don't take this as us saying that our software isn't secure... just think of it as us saying that we found some undocumented features (don't think of them as bugs) and wanted to share them with you so that you can use them... lol

    1. Re:So the first might start like this... by Anonymous Coward · · Score: 0, Informative

      They already do (and have for a long time), they just have a ton of NDAs and have publicly denied the program, even though I can assure you the major vendors have been in it for years.

  2. I sure hope... by Zygfryd · · Score: 3, Funny

    the Metasploit project gets into this deal!

    1. Re:I sure hope... by sapran · · Score: 1

      sure they do =)

  3. Leaks guaranteed by SanderDJ · · Score: 5, Insightful

    According to TFA MS has some strict requirements for its intended partners. However, history has shown that the more people know a "secret", the sooner it will be revealed. Not a good thing when fighting zero-day exploits.

    I foresee disasters.

  4. Wait a minute... by sleekware · · Score: 1

    This actually makes sense! This could actually be beneficial to cyber security! Who would have ever thought?

  5. Think game theory by smittyoneeach · · Score: 3, Interesting

    So you publish an occasional 'theoretical' exploit to flush out the amateurs and the unreliable in the circle of trust.
    The truly evil ones who wouldn't fall for a red herring are likely diabolical enough to have infiltrated the information source in the first place.
    Or you could just boot something else.

    --
    Get thee glass eyes, and, like a scurvy politician, seem to see things thou dost not.--King Lear

  6. This doesn't make sense by jhfry · · Score: 3, Insightful

    Why would MS, if they know about the problem and are planning a patch for it, let the security vendors know. Essentially that would make the vendors a stopgap until the patch is released a few days later.

    Why the hell doesn't MS simply release a stop-gap patch themselves and then finalize it on Tuesday. All this does is shift the blame for a bad fix to the security vendor who has a much smaller understanding of the problem's cause and potential effects.

    I am so tired of shoddy software from the richest company in the world, there is absolutely no excuse for it! With their resources they could develop the OS using the same practices used in medical equipment software and be able to guarantee a nigh 99.9999% uptime... but instead they release crappy code and milk the public for cash.

    I am not a big fan of regulation, however I believe that any company that creates an unsafe product needs to be penalized, even if that product is software. Microsoft has indirectly caused trillions of dollars in lost productivity, theft, vandalism, security management costs etc... Almost all of which could have been prevented using the resources available to them.

    --
    Sometimes the best solution is to stop wasting time looking for an easy solution.

    1. Re:This doesn't make sense by Last_Available_Usern · · Score: 1

      Because there's less money to be made doing it that way? Face it...until forced, any for-profit company will always take the path that provides the most cash for the least investment.

    2. Re:This doesn't make sense by wanderingknight · · Score: 1

      Then you could simply cash in for having a buggy product? Who would've thought!

    3. Re:This doesn't make sense by magamiako1 · · Score: 2, Interesting

      jhfry:

      Do you understand why they are doing this? Many malware creations out there, time and time again, the biggest ones have been a result of unpatched systems and vulnerabilities released by the vendor. *EVERYONE* watches these vulnerability reports, including malware writers.

      And when I say "malware writers", I don't mean the geeky kid sitting at his computer finding holes in software. I mean the guys that are out there to do it for a profit and are farther down the food chain.

      The way this chain works in these cases (and what they're trying to stop):

      OS Vendor releases patch/exploit info.
      Many users don't patch.
      Spammer/Malware writer exploits flaw that was found.
      Worm/Trojan is created that uses the exploit to drop a payload.
      AV Vendor watches the new worms/trojans out there to create signatures to get rid of them.

      If you notice the chain here, you realize that the "hackers" and "malware writers" have "products" out before the AV Vendors do. By giving the vendors access to the exploit data, proper tools can be created to watch for attempts at the exploit. Perhaps something that watches for the buffer overflow?

      You know, if it's a remote IIS vulnerability and it goes something like http://site.com/request.aspx?request=AAABBBCCCDDDEEEFFFJ2394829384820808payload_here

      The AV vendors could look for and validate the input and no trojan, unpatched system or not, can get through.
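The filter magamiako1 sketches above, written out as an added example (not code from the thread or from any AV vendor): a heuristic that flags request-log entries whose query-string values look like overflow padding, run over a few constructed log lines. The log format, the per-parameter length limit and the padding-run length are assumptions for the demo; a real signature would be derived from the vendor's vulnerability details.

```python
from urllib.parse import urlsplit, parse_qsl
import re

# Constructed sample log lines (not real traffic). Line 2 carries a value of
# the shape sketched in the comment above; line 4 is pure repeated padding;
# the last line is deliberately unparseable.
SAMPLE_LOG = "\n".join([
    "2008-08-05 10:01:12 GET /request.aspx?request=hello 200",
    "2008-08-05 10:01:13 GET /request.aspx?request=AAABBBCCCDDDEEEFFFJ2394829384820808payload_here 200",
    "2008-08-05 10:01:14 GET /search.aspx?q=patch+tuesday&page=2 200",
    "2008-08-05 10:01:15 GET /search.aspx?q=" + "A" * 20 + " 200",
    "garbage line that does not parse",
])

# Hypothetical per-parameter length limit chosen for the demo.
MAX_VALUE_LEN = 24
# A run of 16+ copies of one character is typical of overflow padding.
PAD_RUN = re.compile(r"(.)\1{15,}")
# Assumed log layout: "<date> <time> <METHOD> <target> <status>".
LOG_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<method>[A-Z]+) (?P<target>\S+) (?P<status>\d+)$")


def suspicious_params(target: str, max_len: int = MAX_VALUE_LEN) -> list:
    """Return (name, reason) pairs for query parameters that look like
    overflow attempts: too long, padded with one repeated byte, or carrying
    control characters once URL-decoded."""
    query = urlsplit(target).query
    hits = []
    for name, value in parse_qsl(query, keep_blank_values=True):
        if len(value) > max_len:
            hits.append((name, "length %d > %d" % (len(value), max_len)))
        elif PAD_RUN.search(value):
            hits.append((name, "repeated-byte padding"))
        elif any(ord(c) < 0x20 or ord(c) == 0x7F for c in value):
            hits.append((name, "control characters"))
    return hits


def scan_log(text: str) -> list:
    """Apply suspicious_params to every parseable line; return a list of
    (timestamp, target, hits) for the lines that tripped a rule."""
    flagged = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip it, do not abort the scan
        hits = suspicious_params(m.group("target"))
        if hits:
            flagged.append((m.group("ts"), m.group("target"), hits))
    return flagged


if __name__ == "__main__":
    for ts, target, hits in scan_log(SAMPLE_LOG):
        print(ts, target, hits)
```

Note that a length or padding rule of this kind catches the shape of an attempt, not the specific vulnerability, so it is tuned per parameter once the vendor details are known.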

    4. Re:This doesn't make sense by magamiako1 · · Score: 2, Interesting

      And a 2nd post on your other points:

      Medical software usually does one thing, and one thing only. The software powering those huge, big tin medical components will only ever need to do that one thing. You're not going to use an X-Ray scanner machine to monitor someone's heart rate and pulse.

      On the contrary, the average desktop computer is used for everything from gaming, to video editing, photo editing, film production, office applications, etc. And rather than a focus being on "closed-source, hyper security"--the big focus on the "average pc" is everything being able to connect and talk. We see this with "Standards" such as XML, OOXML, ODF--where the idea is that you could write a document in one application and that document can be used for an entirely different purpose elsewhere, such as being displayed on a webpage in web format, dumped into a SQL database, and being stored and indexed.

      Oh, and by the way, you know the desktops that hospitals use to look up your medical records, make changes to your files and data? Yeah, that's MS Windows.

      And with regards to "regulation for unsafe products". Who gets to define what is or isn't unsafe? Every single OS vendor, every single software developer--whether it's Cisco IOS, Oracle's DB solutions, Debian, Redhat, or Microsoft--everyone has products that are insecure and vulnerable.

      It would stifle innovation as nobody would want to write software for the fear that it could be exploited.

    5. Re:This doesn't make sense by Anonymous Coward · · Score: 0

      Just gonna throw this out there, based on my undergrad and grad OS -> Yes, MS could make Windows have very high uptime. However, they would have to exert enormous control over ALL ASPECTS of any software used on the systems to avoid deadlocks and null pointers. This would also require huge resources to check before executing the code. Then multiply the cost of the OS by a factor anywhere from 10 to 1000.

      General purpose operating systems are not easy to make, especially because they must deal with substandard code written by 3rd parties. So next time you think they are milking the public for cash think about this: If your windows box crashes every time you run a certain program, or started crashing after you installed one, perhaps it is not the OS, but that program or its modifications to the runtime environment.

      This plays into my big problem with /. because people complain about something they have almost no understanding of. Knowing how to compile and install Linux does NOT make you an OS expert or even give you one iota of an idea about OS design.

    6. Re:This doesn't make sense by mrboyd · · Score: 2, Informative

      Maybe they don't due to the fact that medical equipment and lunar probes have a much more limited feature set than say Microsoft Word and they cost orders of magnitude more money to put together.

      If you are ready to have a fairly limited in scope operating system running on "state of the art" hardware(read: created somewhere in the 1970) there are some option for you if you have the cash.

      But of course you probably don't and you expect your operating system to run your crappy non-fault-tolerant hardware, 20-buck USB printer, subsidized phone with a half-compliant Bluetooth stack, play "stolen" music and video in 200 different codecs, all the while browsing the web and playing Flash games and maybe another 50 or so other applications Microsoft and Linus Torvalds have limited control over.

      To put it in perspective again, your highly sensitive medical device has been designed with custom hardware, most probably redundant, and runs on a dedicated chipset with under 10k LOC when it's not purely mechanical. It is rarely networked, if ever, and you will NOT be AUTHORIZED to use or service them without Biomedical Equipment Technology Training.
      Imagine how much you'd spend just to get one over to clean your keyboard from breadcrumbs...
      And... it does fail from time to time as you can see here: http://www.accessdata.fda.gov/scripts/cdrh/cfdocs/cfTopic/medicaldevicesafety/mds.cfm?page=2&sort=2

      When your average defibrillator or PET scanner can browse YouTube and play Britney Spears' latest album I'll consider your "medical" arguments.

      Trillions of dollars? I believe that low cost computers and software, including Microsoft's, have helped generate trillions of trillions of dollars through increased productivity. Just think about trying to design a modern Airbus or a car without a computer. I am pretty sure that overall the profit/loss ratio due to Microsoft/Linux crashes is still in the five nine range.

      Cheers.

    7. Re:This doesn't make sense by Martin+Blank · · Score: 1

      You're almost right. It's not that there's less money to be made, but more money to be lost. Many people will install the early version of the patches, but compatibility problems may not have been found by Microsoft's labs, and they'll be faced with increased calls and further bad press about how a "bad" patch was released, when in fact it was still a QA-level patch and not really ready for release.

      --
      You can never go home again... but I guess you can shop there.

    8. Re:This doesn't make sense by Anonymous Coward · · Score: 0

      Because not everybody patches on Tuesday...
      Maybe I REALLY don't have the time (e.g. I'm the only IT and I'm in the hospital).
      Maybe it's because of all those pirated copies of Windows that sometimes break when patched. Yeah, it would be cool for MS if some new remote exploit was found and all those machines got compromised but the effects could spell disaster for half of the Internet, not just the users - see DDoS.
      There are many reasons for which MS still fights a bit (unfortunately just a bit) to patch pirated Windows that buy or crack an antivirus but can't download the updates from MS.

    9. Re:This doesn't make sense by jhfry · · Score: 1

      Then multiply the cost of the OS by a factor anywhere from 10 to 1000.

      The cost of development... not the cost to the consumer.

      It would take a chunk out of their immediate profits but make them far more secure in their market. Right now MS is slowly losing its advantage in the marketplace... more and more alternatives are getting attention that don't suffer the same issues as MS products do, and eventually MS's unwillingness to make their core products the best they can be will be their downfall.

      --
      Sometimes the best solution is to stop wasting time looking for an easy solution.

    10. Re:This doesn't make sense by jhfry · · Score: 3, Interesting

      I do understand the why... but you're explaining the why in the current situation that was created by MS's... failures?

      Had MS spent more time developing good software with sane security there would be a far lower amount of risk.

      Besides that, what makes you think that a machine that is unpatched will have current virus definitions. If MS hadn't convinced people that viruses are not the fault of the software vendor and convinced them that they needed special virus protection, people would be much more in the habit of keeping systems patched. If MS didn't force unnecessary and unwanted patches along with the highly important security patches, people would be much more in the habit of keeping systems patched.

      Essentially what MS is doing is suggesting that their patch system is inadequate and instead of fixing it they are going to leave it up to AV vendors to ensure that windows user's operating systems are secure. If you ask me it's absolute bull shit!

      A good system for distributing security patches is not that difficult. A method of ranking patches by risk to operational stability vs risk of attack is not that difficult. A way for an administrator to choose how much risk they are willing to accept is not that difficult.

      So why not have a system where my server can check for new patches every few hours, and those patches include risk scores dependent upon the function of the system... if I want to get all patches and keep myself secure but risk instability I can... if I would rather wait until the patch has been widely deployed and is considered low risk, I can configure that too. Why involve a third party? Why should the security of my operating system be the responsibility of someone who has no control of the internal workings of my OS?

      It's easy to justify what MS does, after all Windows is one hell of a complex piece of software. But we are talking about a company that has more resources than many small countries and has their software deployed on billions of computers worldwide. They can do better, and they should!

      --
      Sometimes the best solution is to stop wasting time looking for an easy solution.

    11. Re:This doesn't make sense by jhfry · · Score: 1

      Medical equipment software, space shuttle navigation software, and other robust software though very narrow in scope is no different than Windows. It's all the same stuff at its core... it's just the quantity that differs. I realize that to create something on the scale of Windows following the development practices used in the medical, aviation, and similar industries, would be very time consuming and expensive. But like anything else these days, Windows is modular, and as such this type of work could be broken into many smaller pieces similar in scope to that of the x-ray scanner you mentioned. With MS's resources, they could approach the reliability of that x-ray scanner if they chose to do so.

      When I use the term unsafe, I mean that during standard use it puts its user at risk and the manufacturer expects the user to purchase additional products to achieve any sort of safety. It would be like Ford saying that they put cheap Firestone tires on their trucks and it's the dead drivers' faults for not replacing them with tires that would prevent rollover. Or how about a toy manufacturer that sprays their toys with lead paint then saying it's the parents' responsibility to strip the paint off and repaint with something non-toxic before they let their children play with it.

      I realize that you cannot expect MS, or any company, to create a perfectly safe product. However they can prevent 99% of the unsafe conditions that result by use of that product. And they definitely should be held responsible when their NEGLIGENCE causes undue harm to a user. There is a clear legal definition of negligence and trust me MS is one of the most negligent companies around.

      Anyway, it all comes down to one point. MS has the ability and the responsibility to ensure that the users of their software are as safe from harm as can be reasonably expected; how they do it is none of my concern.

      --
      Sometimes the best solution is to stop wasting time looking for an easy solution.

    12. Re:This doesn't make sense by jhfry · · Score: 2, Interesting

      You're simply justifying Microsoft's incompetence.

      I realize that I'm being a bit of an idealist... but seriously, when did it become OK for anyone to just do the bare minimum necessary to make a buck. Microsoft has repeatedly failed to go beyond what was required to keep them ahead of the competition, and they didn't do it by creating a better product than the competition in most cases.

      I am sure you have heard "WITH GREAT POWER THERE MUST ALSO COME - - GREAT RESPONSIBILITY" (Stan Lee). It's a bit cliché, but it is true. MS is one of the most powerful companies in the world... if not THE most powerful were they to exert their influence. With that power they need to assume some responsibility. They could start by ensuring that the users of their products are not placed at risk by simply connecting it to the internet.

      Call me unrealistic, or naive, or whatever. But it doesn't change the fact that Microsoft is not even coming close to doing all that they could do to make the best OS on the market and to ensure that those buying it are safe. In fact, I would guess that they spend more money hiding or distracting users from the problems with Windows than they do actually fixing them.

      Microsoft has the power and the resources to develop an OS that is so stable and so secure that it could be compared to medical equipment. Sure it would be overkill, I realize that, I just want them doing more than dumping the responsibility for their shortcomings to third parties and requiring their customers to purchase a third party product just to be protected from the problems within their software.

      MS is not evil... just negligent.

      --
      Sometimes the best solution is to stop wasting time looking for an easy solution.

    13. Re:This doesn't make sense by Allador · · Score: 2, Interesting

      I don't think you have a realistic view of the software world.

      Why the hell doesn't MS simply release a stop-gap patch themselves and then finalize it on Tuesday.

      Because in most cases, this causes more problems than it solves. Huge huge numbers of people blindly apply (or fast-track minimal testing) of critical security patches. If they make 'stop-gap' patches, they will have a high failure rate (since they're rushed).

      So as the software vendor, you're faced with a cost-benefit judgement call. How serious is the exploit? How active are the exploits occurring in the wild? Compare that against the cost and bad press if something goes wrong with a stop-gap (ie, rushed) patch.

      Most of the time, the perceived cost-benefit goes towards waiting, and releasing a well-tested patch.

      With some exceptions, most critical security patches aren't being widely used before they're publicly known. But the second you release a patch, it only takes a couple days (at most) to reverse engineer the patch and produce a new exploit tool.

      But this is why, every once in a while, MS DOES release a patch out of cycle. It basically is when the active exploits occurring in the wild look bad enough that it's worth the risk to release a rushed patch (which has its own risk of problems).

      You're trying to make something appear simple, while in reality it is a horribly complex guessing game of cost/benefit and risk/reward. And it's made worse because no one ever has all the information as to actual use of a zero-day exploit.

      All this does is shift the blame for a bad fix to the security vendor who has a much smaller understanding of the problem's cause and potential effects.

      Not really. What it does (at least if done intelligently) is to give the security vendors enough information to create signatures. It won't be perfect, but it'll be far, far better than nothing.

      I am so tired of shoddy software from the richest company in the world, there is absolutely no excuse for it!

      Cash != software quality. That's not how it works. You get good software quality by hiring top-notch people and having good leadership. MS DOES hire some of the brightest people in the world, but not too many of them work on Windows. The problem is really good people can command great salaries AND interesting work. And not too many people are interested in userland Windows dev.

      With their resources they could develop the OS using the same practices used in medical equipment software and be able to guarantee a nigh 99.9999% uptime... but instead they release crappy code and milk the public for cash.

      Medical Equipment software is GROSSLY badly developed quite often. But it's not equivalent. A large percentage of it runs on equipment with no network connections, or semi-private network connections.

      Medical Equipment also gets the perceived perception because it has such a horrendous bureaucratic process to make ANY change, so it tends to not change (which creates its own security problems).

      Lastly, Medical Equipment software has a massively narrowed range of devices it has to run on, and things it has to do (ie, support). An operating system like Windows, on the other hand, has to be able to run on nearly anything, support nearly any amount of add-on hardware, and be hugely friendly to 3rd party app developers.

      You're not comparing apples to apples. You're comparing apples to cardboard.

      Microsoft has indirectly caused trillions of dollars in lost productivity, theft, vandalisim, security management costs etc... Almost all of which could have been prevented using the resources available to them.

      Compared to what? You can't compare total dollar impact, but have to use dollar impact per unit deployed. You're acting like any other software in wide use hasn't had massive security problems before. They all have. The impact is much

    14. Re:This doesn't make sense by jhfry · · Score: 1

      I have posted a ton of replies, so I'm not gonna respond to everything you said... but there is one area that I can see things improved.

      As far as patching risk analysis is concerned... why couldn't MS do this for us.

      For example, they score each and every patch based upon several factors: successful installations, exploit risk, stability risk, etc. Additionally, they assess the risk based upon the function of the target system so that patches to IIS score higher for machines that are primarily a web server and IE patches score higher for workstations. Finally, the administrator configures Windows Update so that it is aware of the primary and secondary functions of the machine, that machine's environment (corporate firewall, remote connectivity, etc.) and sets thresholds for the ratio of risk that is acceptable.

      With this system in place, I could blindly apply any patch that has been widely deployed and has a low risk of instability, or fixes an extremely high risk exploit on my servers... while being a little more accepting of risk on my workstations. My test stations could automatically apply all patches early on and I could provide feedback to MS on those machines.

      Because MS should know the potential ramifications of a fixed typo vs a complete rewrite, they can properly assess the risk of many patches simply on the scope of the change. Additionally I wouldn't apply risky but unnecessary patches to machines that don't really need them because they are behind a corporate firewall for example.

      I agree that blind patching isn't necessarily the solution... but something like this would make automated security patching far less scary.

      --
      Sometimes the best solution is to stop wasting time looking for an easy solution.
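The risk-scored patching scheme jhfry proposes above, carried through as an added example (not anything Microsoft ships, and not code from the thread): each patch carries exploit risk, stability risk, observed success rate and deployment count; each machine carries role weights, firewall exposure and the admin's thresholds; a decision function returns apply, defer or skip. All weights, thresholds, identifiers and sample data are constructed for the demo.

```python
from dataclasses import dataclass

# An exploit score at or above this is applied regardless of stability risk
# (hypothetical cut-off for the demo).
URGENT_EXPLOIT = 8.0


@dataclass
class Patch:
    ident: str             # placeholder ids below, not real KB numbers
    component: str         # subsystem touched: "iis", "ie", "kernel", ...
    exploit_risk: float    # 0..10: how bad/likely exploitation is
    stability_risk: float  # 0..10: scope of the change (typo fix .. rewrite)
    success_rate: float    # fraction of reported installs that succeeded
    deployed: int          # installs reported back so far


@dataclass
class Machine:
    name: str
    roles: dict                 # component -> weight, 1.0 = primary function
    internet_exposed: bool      # False when behind a corporate firewall
    max_stability_risk: float   # instability the admin will tolerate
    min_exploit_risk: float     # below this, not worth any instability
    min_deployed: int           # installs wanted before trusting a patch


def exploit_score(p: Patch, m: Machine) -> float:
    """Exploit risk weighted by how central the component is to this
    machine's role; halved when the machine is not internet-exposed."""
    score = p.exploit_risk * m.roles.get(p.component, 0.25)
    return score if m.internet_exposed else score * 0.5


def stability_score(p: Patch, m: Machine) -> float:
    """Stability risk inflated while the patch is still lightly deployed or
    installs are failing: ranges from 1x (fully trusted) to 2x the raw risk."""
    confidence = min(1.0, p.deployed / max(1, m.min_deployed)) * p.success_rate
    return p.stability_risk * (2.0 - confidence)


def decide(p: Patch, m: Machine) -> str:
    """'apply', 'defer' (revisit once more installs report) or 'skip'."""
    e, s = exploit_score(p, m), stability_score(p, m)
    if e >= URGENT_EXPLOIT:
        return "apply"          # exposure outweighs any instability
    if s > m.max_stability_risk:
        return "defer"
    if e < m.min_exploit_risk:
        return "skip"           # patch does not matter for this role
    return "apply"


def plan(patches, machines) -> dict:
    """Verdict per machine per patch."""
    return {m.name: {p.ident: decide(p, m) for p in patches} for m in machines}


# Constructed sample data with placeholder identifiers.
PATCHES = [
    Patch("PATCH-A (IIS)", "iis", 9.0, 6.0, 0.98, 500),
    Patch("PATCH-B (IE)", "ie", 7.0, 2.0, 0.99, 20000),
    Patch("PATCH-C (kernel rewrite)", "kernel", 4.0, 9.0, 0.90, 50),
]
MACHINES = [
    Machine("web01", {"iis": 1.0, "kernel": 0.8}, True, 6.0, 3.0, 1000),
    Machine("ws-17", {"ie": 1.0, "kernel": 0.8}, False, 8.0, 2.0, 100),
]

if __name__ == "__main__":
    for host, verdicts in plan(PATCHES, MACHINES).items():
        print(host, verdicts)
```

With these inputs the exposed web server applies the IIS patch immediately and skips the IE one, the firewalled workstation does the reverse, and both defer the lightly-deployed kernel rewrite until more installs have reported back.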

    15. Re:This doesn't make sense by QuestionsNotAnswers · · Score: 1

      I am mostly happy that MS has traditionally been focused on short term gains rather than security.

      It has helped a bunch of people to develop open source OSes and communities, which I think are fantastic.

      Aside: I would love to see MS eat Yahoo - I think it would be a poison pill.

      --
      Happy moony

  7. Lose-lose situation! by HCLogo · · Score: 0

    Okay, so this seems like a good idea on the surface but after a little thought this seems more and more like a no-win situation. We'll likely see two major scenarios play out: 1) MS will only release this information to those companies it deems "trustworthy"... But considering the way MS has behaved in the past, how much you're trusted will largely depend on how much money you spend on MS products/services. 2) In the unlikely event that MS does decide to "play nice" with security vendors, what's to stop a particularly resourceful group of black-hats from creating a nonexistent company in order to gain inside info into 0-day vulnerabilities? Either way, we're all SOL.

  8. So where do I sign up? by AmiMoJo · · Score: 1

    I'm an admin, I have lots of boxes to look after as well as my own and I need to know about potential vulnerabilities before they hit my machines. Where do I sign up?

    --
    const int one = 65536; (Silvermoon, Texture.cs)
    SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC

    1. Re:So where do I sign up? by perlchild · · Score: 1

      As an end user, Microsoft does not recognize you as an audience, unless you're also a reseller.

  9. Everyone is missing the point by Anonymous Coward · · Score: 0

    Apparently everyone is missing the entire point of what MS is doing...

    If MS doesn't release the info: sure, 50% of windows PCs get patched before there are any exploits which take advantage of the vulnerabilities, but once the cat is out of the bag the race is on between virus writers and anti-virus companies to cover as many of the remaining PCs as possible.

    In short, it would give anti-virus companies an advantage over the virus writers for 0-day exploits.

    This is NOT so that anti-virus companies can solve the issue until MS releases a fix, this is so that they can have one ready by the time the virus writers are informed of the details of an exploit.