MS To Share Vulnerability Details Ahead of Patches
Bridge to Nowhere writes "ZDNet is reporting that Microsoft will start sharing details on software vulnerabilities with security vendors ahead of Patch Tuesday under a daring new program aimed at reducing the window of exposure to hacker attacks. The new Microsoft Active Protections Program (MAPP) will give anti-virus, intrusion prevention/detection and corporate network security vendors a head-start to add signatures and filters to protect against Microsoft software vulnerabilities."
So you publish an occasional 'theoretical' exploit to flush out the amateurs and the unreliable in the circle of trust.
The truly evil ones who wouldn't fall for a red herring are likely diabolical enough to have infiltrated the information source in the first place.
Or you could just boot something else.
Get thee glass eyes, and, like a scurvy politician, seem to see things thou dost not.--King Lear
jhfry:
Do you understand why they are doing this? Of the many malware creations out there, time and time again the biggest ones have been a result of unpatched systems and vulnerabilities released by the vendor. *EVERYONE* watches these vulnerability reports, including malware writers.
And when I say "malware writers", I don't mean the geeky kid sitting at his computer finding holes in software. I mean the guys that are out there to do it for a profit and are farther down the food chain.
The way this chain works in these cases (and what they're trying to stop):
OS Vendor releases patch/exploit info.
Many users don't patch.
Spammer/Malware writer exploits flaw that was found.
Worm/Trojan is created that uses the exploit to drop a payload.
AV Vendor watches the new worms/trojans out there to create signatures to get rid of them.
If you notice the chain here, you realize that the "hackers" and "malware writers" have "products" out before the AV Vendors do. By giving the vendors access to the exploit data, proper tools can be created to watch for attempts at the exploit. Perhaps something that watches for the buffer overflow?
You know, if it's a remote IIS vulnerability and it goes something like http://site.com/request.aspx?request=AAABBBCCCDDDEEEFFFJ2394829384820808payload_here
The AV vendors could look for and validate the input and no trojan, unpatched system or not, can get through.
And a 2nd post on your other points:
Medical software usually does one thing, and one thing only. The software powering those huge, big tin medical components will only ever need to do that one thing. You're not going to use an X-Ray scanner machine to monitor someone's heart rate and pulse.
On the contrary, the average desktop computer is used for everything from gaming, to video editing, photo editing, film production, office applications, etc. And rather than a focus being on "closed-source, hyper security"--the big focus on the "average pc" is everything being able to connect and talk. We see this with "Standards" such as XML, OOXML, ODF--where the idea is that you could write a document in one application and that document can be used for an entirely different purpose elsewhere, such as being displayed on a webpage in web format, dumped into a SQL database, and being stored and indexed.
Oh, and by the way, you know the desktops that hospitals use to look up your medical records, make changes to your files and data? Yeah, that's MS Windows.
And with regards to "regulation for unsafe products". Who gets to define what is or isn't unsafe? Every single OS vendor, every single software developer--whether it's Cisco IOS, Oracle's DB solutions, Debian, Redhat, or Microsoft--everyone has products that are insecure and vulnerable.
It would stifle innovation as nobody would want to write software for the fear that it could be exploited.
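The "watch for the buffer overflow" idea in the post above, as an added example that is not part of the thread: a small log scanner that flags query parameters whose shape matches overflow filler (an overlong value, a long run of one repeated character, or a long percent-encoded binary blob) rather than any specific exploit. The sample log lines are constructed here, "site.com"/"request.aspx" are the post's hypothetical target, and the thresholds are assumptions chosen for the illustration; a real deployment would tune them to the application and treat hits as a signal to investigate and patch, not as proof of an attack.

```python
import re
from urllib.parse import urlsplit, unquote

# Thresholds are assumptions for this illustration, not values from the thread.
MAX_PARAM_LEN = 256   # longest decoded value a legitimate request.aspx call should carry
MAX_REPEAT_RUN = 32   # a run of one character this long is classic overflow filler
_REPEAT_RUN = re.compile(r"(.)\1{%d,}" % (MAX_REPEAT_RUN - 1))
_HEX_FILLER = re.compile(r"(?:%[0-9A-Fa-f]{2}){16,}")   # 16+ consecutive percent-escapes

# Common Log Format: ip ident user [time] "METHOD target PROTO" status bytes
_REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log lines (hypothetical hosts and requests).
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Aug/2008:12:00:01 +0000] "GET /request.aspx?request=invoice42 HTTP/1.1" 200 512',
    '10.0.0.6 - - [10/Aug/2008:12:00:02 +0000] "GET /request.aspx?request=' + "A" * 600 + ' HTTP/1.1" 500 0',
    '10.0.0.7 - - [10/Aug/2008:12:00:03 +0000] "GET /request.aspx?request=id7&blob=' + "%90" * 20 + '%41 HTTP/1.1" 500 0',
    '10.0.0.8 - - [10/Aug/2008:12:00:04 +0000] "GET /request.aspx?request=AAABBBCCCDDDEEEFFF HTTP/1.1" 200 512',
]


def suspicious_params(target):
    """Return [(param_name, reason)] for query parameters shaped like overflow filler.

    The raw (still percent-encoded) value is kept so that binary blobs can be spotted
    even though they decode to fewer characters than they occupy on the wire.
    """
    findings = []
    query = urlsplit(target).query
    for pair in query.split("&"):
        if not pair:
            continue
        name, _, raw_value = pair.partition("=")
        value = unquote(raw_value, errors="replace")
        if len(value) > MAX_PARAM_LEN:
            findings.append((name, f"decoded length {len(value)} exceeds {MAX_PARAM_LEN}"))
        elif _REPEAT_RUN.search(value):
            findings.append((name, f"run of {MAX_REPEAT_RUN}+ identical characters"))
        elif _HEX_FILLER.search(raw_value):
            findings.append((name, "long percent-encoded binary sequence"))
    return findings


def scan_log(lines):
    """Run suspicious_params over access-log lines; return one record per flagged request."""
    hits = []
    for line in lines:
        m = _REQUEST_RE.match(line)
        if not m:
            continue   # not a request line we understand; skip rather than guess
        findings = suspicious_params(m.group("target"))
        if findings:
            hits.append({"ip": m.group("ip"), "status": m.group("status"), "findings": findings})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["ip"], hit["status"], hit["findings"])
```

The fourth sample line carries the post's own "AAABBBCCCDDDEEEFFF" prefix and is not flagged, which is the point of matching on shape rather than on a literal string: a filter keyed to one captured payload is trivially evaded, while length and filler checks survive small rewrites of the same attempt.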
I do understand the why... but you're explaining the why in the current situation that was created by MS's... failures?
Had MS spent more time developing good software with sane security there would be a far lower amount of risk.
Besides that, what makes you think that a machine that is unpatched will have current virus definitions? If MS hadn't convinced people that viruses are not the fault of the software vendor and convinced them that they needed special virus protection, people would be much more in the habit of keeping systems patched. If MS didn't force unnecessary and unwanted patches along with the highly important security patches, people would be much more in the habit of keeping systems patched.
Essentially what MS is doing is suggesting that their patch system is inadequate and instead of fixing it they are going to leave it up to AV vendors to ensure that Windows users' operating systems are secure. If you ask me it's absolute bullshit!
A good system for distributing security patches is not that difficult. A method of ranking patches by risk to operational stability vs risk of attack is not that difficult. A way for an administrator to choose how much risk they are willing to accept is not that difficult.
So why not have a system where my server can check for new patches every few hours, and those patches include risk scores dependent upon the function of the system... if I want to get all patches and keep myself secure but risk instability I can... if I would rather wait until the patch has been widely deployed and is considered low risk, I can configure that too. Why involve a third party? Why should the security of my operating system be the responsibility of someone who has no control of the internal working of my OS?
It's easy to justify what MS does, after all Windows is one hell of a complex piece of software. But we are talking about a company that has more resources than many small countries and has their software deployed on billions of computers worldwide. They can do better, and they should!
Sometimes the best solution is to stop wasting time looking for an easy solution.
You're simply justifying Microsoft's incompetence.
I realize that I'm being a bit of an idealist... but seriously, when did it become OK for anyone to just do the bare minimum necessary to make a buck. Microsoft has repeatedly failed to go beyond what was required to keep them ahead of the competition, and they didn't do it by creating a better product than the competition in most cases.
I am sure you have heard "WITH GREAT POWER THERE MUST ALSO COME - - GREAT RESPONSIBILITY" (Stan Lee). It's a bit cliche, but it is true. MS is one of the most powerful companies in the world... if not THE most powerful were they to exert their influence. With that power they need to assume some responsibility. They could start by ensuring that the users of their products are not placed at risk by simply connecting it to the internet.
Call me unrealistic, or naive, or whatever. But it doesn't change the fact that Microsoft is not even coming close to doing all that they could do to make the best OS on the market and to ensure that those buying it are safe. In fact, I would guess that they spend more money hiding or distracting users from the problems with Windows than they do actually fixing them.
Microsoft has the power and the resources to develop an OS that is so stable and so secure that it could be compared to medical equipment. Sure it would be overkill, I realize that, I just want them doing more than dumping the responsibility for their shortcomings to third parties and requiring their customers to purchase a third party product just to be protected from the problems within their software.
MS is not evil... just negligent.
Sometimes the best solution is to stop wasting time looking for an easy solution.
I don't think you have a realistic view of the software world.
Why the hell doesn't MS simply release a stop-gap patch themselves and then finalize it on Tuesday.
Because in most cases, this causes more problems than it solves. Huge, huge numbers of people blindly apply (or fast-track with minimal testing) critical security patches. If they make 'stop-gap' patches, they will have a high failure rate (since they're rushed).
So as the software vendor, you're faced with a cost-benefit judgement call. How serious is the exploit? How actively is it being exploited in the wild? Compare that against the cost and bad press if something goes wrong with a stop-gap (i.e., rushed) patch.
Most of the time, the perceived cost-benefit goes towards waiting, and releasing a well-tested patch.
With some exceptions, most critical security patches aren't being widely used before they're publicly known. But the second you release a patch, it only takes a couple days (at most) to reverse engineer the patch and produce a new exploit tool.
But this is why, every once in a while, MS DOES release a patch out of cycle. It basically is when the active exploits occurring in the wild look bad enough that it's worth the risk to release a rushed patch (which has its own risk of problems).
You're trying to make something appear simple, while in reality it is a horribly complex guessing game of cost/benefit and risk/reward. And it's made worse because no one ever has all the information as to actual use of a zero-day exploit.
All this does is shift the blame for a bad fix to the security vendor who has a much smaller understanding of the problem's cause and potential effects.
Not really. What it does (at least if done intelligently) is to give the security vendors enough information to create signatures. It won't be perfect, but it'll be far, far better than nothing.
I am so tired of shoddy software from the richest company in the world, there is absolutely no excuse for it!
Cash != software quality. That's not how it works. You get good software quality by hiring top notch people and having good leadership. MS DOES hire some of the brightest people in the world, but not too many of them work on Windows. The problem is really good people can command great salaries AND interesting work. And not too many people are interested in userland Windows dev.
With their resources they could develop the OS using the same practices used in medical equipment software and be able to guarantee a nigh 99.9999% uptime... but instead they release crappy code and milk the public for cash.
Medical Equipment software is GROSSLY badly developed quite often. But it's not equivalent. A large percentage of it runs on equipment with no network connections, or semi-private network connections.
Medical Equipment also gets that perception because it has such a horrendous bureaucratic process to make ANY change, so it tends to not change (which creates its own security problems).
Lastly, Medical Equipment software has a massively narrowed range of devices it has to run on, and things it has to do (i.e., support). An operating system like Windows, on the other hand, has to be able to run on nearly anything, support nearly any amount of add-on hardware, and be hugely friendly to 3rd party app developers.
You're not comparing apples to apples. You're comparing apples to cardboard.
Microsoft has indirectly caused trillions of dollars in lost productivity, theft, vandalism, security management costs etc... Almost all of which could have been prevented using the resources available to them.
Compared to what? You can't compare total dollar impact, but have to use dollar impact per unit deployed. You're acting like any other software in wide use hasn't had massive security problems before. They all have. The impact is much