Slashdot Mirror

← Back to Stories (view on slashdot.org)

Microsoft Exploit Predictions Right 40% of Time

Posted by timothy on from the statistics-94pct-nonsense dept.

CWmike writes "Microsoft today called its first month of predicting whether hackers will create exploit code for its bugs a success — even though the company got its forecast right just 40% of the time for October. 'I think we did really well,' said Mike Reavey, group manager at the Microsoft Security Research Center (MSRC), when asked for a postmortem evaluation of the first cycle of the team's Exploitability Index. 'Four of the [nine] issues that we said where consistent exploit code was likely did have exploit code appear over the first two weeks. And another key was that in no case did we rate something too low.' Microsoft's Exploitability Index was introduced last month."

39 of 182 comments (clear)

  1. Congratulations? by Smidge204 · · Score: 3, Insightful

    That's great, guys, but don't you think being proud that you were right about your code being exploited is... backwards? That's like being proud you correctly predicted you would get stabbed while walking through a ghetto wearing gang colors.

    Then again, this is Microsoft. They probably throw an office party every time something compiles without errors.
    =Smidge=

    1. Re:Congratulations? by David+Gerard · · Score: 2, Interesting

      Indeed. I swear, I called it: it's easier to predict the holes when you release them yourself.

      After what was expected to be an unusually quiet Patch Tuesday, Microsoft has released eight patches for applications with an insufficient number of security holes. "Our market is the enterprise," said Microsoft security marketer Jonathan Ness. "Information technology professionals know that Windows is the greatest IT job creation scheme in history. Without Patch Tuesday, there's no reason for the experienced IT worker to spend his time hiding out in the server room watching progress bars and getting over his hangover. Also, you can't tell people a virus ate their mail, you actually have to get it back for them."

      --
      http://rocknerd.co.uk
    2. Re:Congratulations? by Roland+Piquepaille · · Score: 2, Interesting

      That's great, guys, but don't you think being proud that you were right about your code being exploited is... backwards?

      Well, they're not proud of making exploitable code (if they were, there would have been a giant endless party at Microsoft for the last 20 years), they're proud of predicting when/how fast their code will be exploited.

      That's like being proud you correctly predicted you would get stabbed while walking through a ghetto wearing gang colors.

      No, it's like correctly predicting that you'll get stabbed 17 minutes after entering the ghetto, by 6 gang members dressed in red.

    3. Re:Congratulations? by iammani · · Score: 5, Insightful

      Slashdot crowd *loves* MSFT bashing doesnt it.

      Ok lets see... Some company (say Canonical or MSFT) builds a huge software and releases it. And a third party finds a bug and reports it to them. Now would be good to predict the severity of the bug, so that the more exploitable ones can be fixed first? Thats exactly what they are doing, and they are able to get the severity 40% of the time right, with no false negatives (that not a single severe one has been classified as a low priority one).

      So, now, do you think this is bad or wrong or something?

    4. Re:Congratulations? by MrMr · · Score: 4, Insightful

      They build enough security holes in their applications to do meaningful statistics on the monthly number of exploits in the wild.
      So, now, do you think that that is not a reason for criticism on their internal software testing?

    5. Re:Congratulations? by TheCycoONE · · Score: 2, Insightful

      No, it's like correctly predicting that you'll get stabbed 17 minutes after entering the ghetto, by 6 gang members dressed in red.

      Not at all. It's much more like guessing that you will be stabbed 6.8 minutes after entering a ghetto by 8-9 gang members dressed in red, then actually being stabbed after 17 minutes by 6 gang members wearing pink.

    6. Re:Congratulations? by NoisySplatter · · Score: 4, Funny

      It's like running your own car into a pole, providing the mechanic with your estimate of the damages and claiming you were right when he only overcharges you by 60%.

      --
      In Soviet Russia meme tires of you!
    7. Re:Congratulations? by hairyfeet · · Score: 2, Funny

      Okay.....It is like predicting you will get hit by a VW Bug crossing the street,and instead a Mac Truck nails you before you even get off the curb and drags you twenty feet. With a four out of ten pretty much the only thing they got right was they were going to get hit and it would hurt.

      --
      ACs don't waste your time replying, your posts are never seen by me.
    8. Re:Congratulations? by iammani · · Score: 2, Informative

      Wouldn't it make MORE sense to perhaps spend the human/technical resources FIXING the most exploitable bugs rather than standing around with a beer in hand saying 'yep, that's going to explode for sure'.

      Yes it indeed would, and thats exactly what they have done and the story is about the review of the practice that happened at the end of the month (read during a review of what became an exploit and what got fixed at the right time)

    9. Re:Congratulations? by LordKronos · · Score: 3, Insightful

      Sure, if you have unlimited resources and can devote an infinite number of people to fixing everything, that would be great. However, if you have finite resources available and have to devote them to fixing up certain areas, how do you know where to devote your attention? If you can come up with a methodology for predicting such a thing, put it to the test, and get decent accuracy in your predictions, then wouldn't that be useful for confirming for you how you should devote your limited resources?

      There is nothing unique in what they are doing. I mean, look at the auto industry, for example. They don't just randomly assign engineers to try and make random things safer. They do studies, try to figure out what are the most dangerous aspects of a vehicle, and then assign engineers to work on those specific things.

      Fortunately for the auto industry, it's a little easier to do your predictions pre-release, since the "attack vectors" are more limited and well known (there are typically only so many ways you can get into an accident, so it's easier to model a majority of those cases). This allows them to be proactive in fixing flaws. Unfortunately, the attacks vectors in software are a bit more numerous, and you often have to take a more reactive approach. What Microsoft is doing here is trying to model things to see how reasonable it would be to devote resources in certain ways to be proactive.

      So again, in what way is this bad?

    10. Re:Congratulations? by sjames · · Score: 3, Funny

      Based on their success rate, they should flip a coin instead, then they'll be at 50%. That's what everyone's laughing at.

    11. Re:Congratulations? by mobby_6kl · · Score: 2, Insightful

      No, the criticism of either their coding practices or QA has nothing to do with a new and fairly efficient way to prioritize bug fixes. They already have the software with all the holes built in. Now they should deal with what they have in the best way possible, don't you agree?

    12. Re:Congratulations? by gazbo · · Score: 2, Informative

      Statistics. You fail it hard.

    13. Re:Congratulations? by PJ1216 · · Score: 3, Informative

      If you actually want a correct coin analogy, its that every time they called heads (heads = bug will be exploited), it showed up heads 40% of the time. Every time they called tails (tails = bug won't be exploited), it showed up tails 100% of the time. Now, since there were 18 coin flips (bugs), they were right 13 times (4/9 were correctly called as heads, 9/9 were correctly called as tails). Thats 13/19. They had about a 68% success rate.

      I don't understand how the article got the math completely wrong or how people aren't seeing the extremely obvious flaw in the math.

    14. Re:Congratulations? by RussellSHarris · · Score: 3, Informative

      Actually, they'd have to flip a coin for every bug – and their current statistic, "40% of the bugs we identified as exploitable were exploited", would probably look great compared to the percentage they'd get by flipping a coin.

      Basically, you're looking at this wrong. Microsoft correctly predicted 40% of the exploitable bugs, but they also correctly predicted the non-exploitable ones which wouldn't be exploited.

      Suppose (and I don't have actual numbers, so I'll make up hypothetical ones) Microsoft finds 100 bugs, and 5 of them appear exploitable. 2 of those are actually exploited (40%). However, you should take into account all the non-exploitable bugs that weren't exploited: Microsoft correctly predicted 95 non-exploitable bugs and 2 exploitable ones, which is 97%. They were incorrect only on the 3 bugs that they thought would be exploited and weren't (using these hypothetical numbers).

    15. Re:Congratulations? by orclevegam · · Score: 2, Insightful

      Actually in this example it would be undercharging. They predicted more exploits would happen than actually did, which given the nature of the predictions I'm happy with. Had they predicted that only only 1 of the exploits was likely to be used and 6 of them were instead then I'd be more ticked at them. Of course what would make me fscking ecstatic is if MS actually managed to create a piece of software with less than 100 security flaws (and calc, notepad, and paint don't count).

      --
      Curiosity was framed, Ignorance killed the cat.
    16. Re:Congratulations? by Miseph · · Score: 2, Insightful

      Um, no, I know we're all desperate for this to be some terrible mistake on MSFT's part, it just isn't.

      This is more like the car company saying: We have found 10 ways that we think our cars can be sabotaged, and we have released free snap-on repair kits that are intended to counter those possibilities, and will distribute them to all customers who request them. As it turns out, only 4 of them have actually been used by saboteurs, but we nonetheless recommend installing all 10 kits just to be safe.

      Yes, how irresponsible of them, finding and eliminating ways for dedicated deliberate attackers to gain access faster than those attackers can actually accomplish it.

      --
      Try not to take me more seriously than I take myself.
  2. That's not too bad by 91degrees · · Score: 5, Insightful

    A little heavy on the false positives but no false negatives so it allowed more efficient targeting of the risk areas. Also good enough to provide useful feedback.

  3. This is why Microsoft software sucks by QuantumG · · Score: 2, Insightful

    Any engineer who says that "40% is pretty good predicting" is incapable of writing good software, or managing a project, or, even, applying the scientific method.

    Hint: 40% is worse than guessing.

    --
    How we know is more important than what we know.
    1. Re:This is why Microsoft software sucks by Mateo_LeFou · · Score: 4, Insightful

      >if it comes up heads, its exploitable. Tails its gonna be ok.

      In this case, wouldn't there be as many false negatives as false positives?

      --
      My turnips listen for the soft cry of your love
    2. Re:This is why Microsoft software sucks by Anonymous Coward · · Score: 5, Insightful

      No, it means that they were able to cut the field of their immediate focus nearly in half while not missing any issues. For such a complex system without any precise mathematical model, that's pretty good.

      In this case, flipping a coin is statistically likely to let an unaddressed issue through, and that's a big no-no for applications like this.

    3. Re:This is why Microsoft software sucks by rugatero · · Score: 4, Informative

      Hint: 40% is worse than guessing.

      No - from TFA:

      The index, launched last month, rates each vulnerability using a three-step system.

      Random guesses would be expected to yield 33% success.

      --
      This comment is for entertainment purposes only. Any similarity to real insight or information is purely coincidental.
    4. Re:This is why Microsoft software sucks by mdmkolbe · · Score: 2, Informative

      40% is worse than guessing only if you have only two choices (e.g. heads or tails). If you have more choices it is a bit better than guessing.

      MS was predicting not just whether exploits would appear but the kinds of exploits that will appear. Depending on how specific (e.g. there will be a buffer overrun in module XYZ) or general (e.g. there will be an exploit in Windows *somewhere*) they were about the kinds of exploits, 40% could be either pretty good (i.e. they were insightful) or pretty bad (i.e. they chose the obvious things). In either case they would still be better off than pure random chance.

    5. Re:This is why Microsoft software sucks by abigsmurf · · Score: 4, Interesting
      No it isn't. Unless of course you assume that for every bug hackers flip a coin and go "heads, I'll write an exploit for this".

      40% accuracy in predicting with no false negatives? There are plenty of distaster agencies around the world who would be incredibly pleased with that kind of accuracy

    6. Re:This is why Microsoft software sucks by Anonymous Coward · · Score: 4, Insightful

      If the steps are sequential, it's less than 33%. The correct figure is 12.5% (50 percent of 50 percent of 50 percent).

  4. Re:Attention U.S.citizens by 91degrees · · Score: 3, Informative

    Actually that was John Cleese, even posting anon you should give credit where its due.

    Actually it originated with One Alan Baxter of Rochester and expanded by other people on Usenet. So if you do give credit where it's due give it where it's actually due.

  5. Exploitability Threat Level Announcement. by 140Mandak262Jamuna · · Score: 3, Funny
    Nov 14, Redmond, Washington. Today Head of Vistaland Security of Microsoft, Mr Ima F Anboi announced that Microsoft has raised the Exploitability Threat Level from Light Purple to Sunset Yellow. He urged the users to continue their normal activities and not take precipitous actions.

    Microsoft Exploitability Threat Level Indicator is a series of color codes starting from Dazzling Arctic White to Heart of Dick Cheney. Though exact number of these colors is considered a secret, from the past announcements we deduce there are at least 22 million of them.

    For PRNewswire, copy edited by Anurag Chakraborty in Bangalore and supervised by Robert Zimmermann in Pittsburgh.

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
  6. Re:Still not getting it. by c_forq · · Score: 2, Insightful

    Wow, have some anger issues there? This isn't about not fixing bugs, this is about prioritizing bug fixes. Anything this large is going to have massive amounts of bugs (I can't count the times I've updated packages in Ubuntu, and the OS-X bug fixes come by the hundreds per .x release). Microsoft, just like Apple and Canonical, has limited resources to fix said bugs (and actually Apple and Canonical get some free work done for them, due to use of open source packages).

    --
    Computers allow humans to make mistakes at the fastest speeds known, with the possible exception of tequila and handguns
  7. Re:Still not getting it. by Roland+Piquepaille · · Score: 3, Insightful

    or hell ANY GOD DAMN FUCKING BUG YOU FIND, needs fixing, right Microsoft?

    Any goddamn bug doesn't need fixing asap the same way. Software always has bugs, even really good software, so it's a matter of prioritizing which bugs are show-stoppers, which are less problematic and which are minor.

    The problem with Microsoft is their habit of releasing bananaware: they ship green software that matures at the customers, at the expense of the customer of course who essentially pays to become a beta-tester for Microsoft. In other terms, when other reputable software shops iron out most bugs in-house before releasing their products, Microsoft just removes show-stoppers and let its customers report all the other bugs.

  8. Re:Being right 40% of the time... by dubl-u · · Score: 2, Insightful

    Doesn't look so impressive when you look at it this way.

    Depends on the payoff.

    It's not good if you're betting even money on coin tosses. But if you're a venture capitalist, it's great. The general rule for tech VCs is that 7 bets out of 10 will fail, 2 will do ok, and 1 will be a big success. If that 1 success is buying 10% of Google in the very early days, your 70% failure rate is still pretty awesome, because you're still up billions of dollars.

  9. Re:Attention U.S.citizens by Barny · · Score: 2, Informative

    Ahh, here we go.

    http://www.snopes.com/politics/satire/revocation.asp

    More exciting than reading about how badly microsoft can classify security bugs eh? :)

    ps. NO FIREFOX, I WILL NOT CAPITALISE THE "M" IN mICROSOFT!

    --
    ...
    /me sighs
  10. Re:Still not getting it. by Khuffie · · Score: 2, Interesting

    In other terms, when other reputable software shops iron out most bugs in-house before releasing their products, Microsoft just removes show-stoppers and let its customers report all the other bugs.

    You mean, like Apple's Leopard release? Or Apple's iPhone 3G release? Or Apple's mobileme release?

    I fail to see how Microsoft has a reputation of releasing 'bananaware' whereas Apple doesn't. I don't recall hearing about major, crippling bugs when Office 2007 came out (one of their biggest apps), and regardless of what you hear on Slashdot, Vista was actually a solid enough release and most of the issues were due to bad drivers that manufacturers didn't bother updating a year beforehand when they had betas and release candidates. (Not saying that neither had bugs, they did, but they were in no way 'beta' software.)

  11. Re:Attention U.S.citizens by Exitar · · Score: 3, Funny

    With the exception of points 7. and 9. it all seems quite reasonable.
    Maybe one day you'll learn to drive on the right side.
    And vinegar is acceptable on salad only, not potatoes.

    By the way, I live in Continental Europe and my ancestors, at the time you were wearing animal furs and piling rocks in bizarre patterns, were building aqueducts.

    So, in the end, Her Majesty, please
    1. learn to drive
    2. learn to cook
    3. understand that fox hunting isn't a sport
    4. stop using that absurd currency that is the pound sterling

  12. Re:It is TERRIBLE by 91degrees · · Score: 3, Informative

    What REALLY happened is this: Every security hole that MS discovered on its own, was exploited BUT we are supposed to be happy because in 40% of the cases MS correctly predicted that it would be exploited.

    No. What happened was this - MS spotted 18 potential security holes. 9 of them were regarded as more serious. A company that focussed on protecting against those 9 would not have been affected at all and would have had less disruption than a company that protected against all 18.

    They are offering this as a means to tell their bug fixing department and other companies which areas to prioritize.

  13. Re:It is TERRIBLE by Nick+Ives · · Score: 3, Informative

    What REALLY happened is this: Every security hole that MS discovered on its own, was exploited BUT we are supposed to be happy because in 40% of the cases MS correctly predicted that it would be exploited.

    I know we don't RTFA but please at least RTFS.

    'Four of the [nine] issues that we said where consistent exploit code was likely did have exploit code appear over the first two weeks. And another key was that in no case did we rate something too low.'

    So no, at least according to the summary not every security hole was exploited. If you're going to claim otherwise at least provide some links to an article; hopefully one supporting your claims although that's not always necessary for the +5 informative.

    In fact I just actually bothered to RTFA, just to make sure, and it said that no exploit code appeared for the low ranked vulnerabilities.

    --
    Nick
  14. More fail from MS by foldingstock · · Score: 2, Insightful

    They can predict exploits in their own software. Well paint me yellow and call me a phone directory!

    How can a PR team for one of the largest corporations in the US seriously release a statement like this? What kind of company fails so badly that they can only predict 40% of exploits in their own [proprietary] software?

    If a major car (or car part) manufacturer "accurately" predicted that 40% of their automobiles would explode and burn their owners alive due to a fuel system defect....would people still buy their cars? Oh right...firestone.

  15. the new bar by mevets · · Score: 2, Interesting

    Microsoft Security Research Centre is a success as a disaster agency? A bit harsh, but I suppose so...

  16. Re:Attention U.S.citizens by Psiren · · Score: 2, Funny

    Alas, "yeild" doesn't seem to be in the American psyche anymore.

    It's also not in any dictionary that I'm aware of either. Yield is though. Sorry, couldn't resist :)

  17. Thanks, Microsoft! by scribblej · · Score: 2, Interesting

    No one seems to be looking at this from the opposite angle.

    If I'm writing malware that's going to need to exploit Windows, this gives me an easy chart of which exploit I should pick -- the ones with the lowest patch priority, of course.