Slashdot Mirror
Microsoft Makes Major Shift In Disclosure Policy
Trailrunner7 writes "Microsoft is changing the way in which it handles vulnerability disclosures, now moving to a model it calls coordinated vulnerability disclosure, in which the researcher and the vendor work together to verify a vulnerability and allow ample time for a patch. However, the new philosophy also recognizes that if there are attacks already happening, it may be necessary to release details of the flaw even before a patch is ready. The new CVD strategy relies on researchers to report vulnerabilities either directly to a vendor or to a trusted third party, such as a CERT-CC, who will then report it to the vendor. The finder and the vendor would then try to agree on a disclosure timeline and work from there." Here's Microsoft's announcement of the new strategy.
In response to the second step in the Coordinated Vulnerability Disclosure ("Step 2: Hurry Up and Wait"), I've printed several copies of the CVD on quadruple ply tissue paper and stocked all the restrooms with it. I've also prepared a special four course meal for Mr. Ormandy consisting of Taco Bell, a cup of coffee, a cigarette and a spoonful of castor oil.
Mr. Ormandy, I think you know what to do. I really found it amusing that they called the blog posting "Bringing Balance to the Force" when it looks to be completely defined by Microsoft with little or no input from the community.
My work here is dung.
A general sense of moral obligation not to aid and abet criminal activity?
I guess they achieved their ends and I wonder if Microsoft will be collaborating with the MSRC in the future. :rolleyes
Just disrupt the deflector shield with a tachyon burst.
Looks like Google's policy announcement from July 20 rattled some MS cages.
God is imaginary
What is the researcher's motivation to spend the extra time working with Microsoft? They certainly have no obligation to do anything Microsoft asks...
Personally, I prefer the Google and Mozilla method whereby researchers are paid a bounty of a few thousand dollars for reporting vulnerabilities in the manner the vendor prefers. Microsoft would be wise to follow the leaders rather than invent their own convoluted process.
A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
So they are formalizing common sense into a policy.
It is a lot better than the previous formal policy of bat-shit crazy.
"You want to know how to help your kids? Leave them the fuck alone." -George Carlin
I've never discovered a vulnerability in Windows or anything else, but if I did I'd be fine to sit it for as long as needed, as long as Microsoft got back to me and said "Yeah, we're working on it, here's when you can expect a fix." What's maddening (and actually Microsoft seems to be good about this, it's Apple and Oracle that are the worst offenders) is when someone sends a bug report into a black hole, never hearing anything from the company for months and months. At that point, I see no reason why the researcher shouldn't just publish to the world. The company clearly doesn't take security seriously, why should he?
Dislike the Electoral College? Lobby your state to join the National Popular Vote Interstate Compact.
On the internet? That'd be a first.
"Same old sh_t, different day."
ELOI, ELOI, LAMA SABACHTHANI!?
Posting anonymously for obvious reasons. What happens today if one emails Apple's product security team (product-security@apple.com)? A few things. First, you get a generic pre-generated email that acknowledges that Apple received your email. Next, if you're lucky, you get an email from an analyst who has reviewed your vulnerability. What happens next? 1) No updates are provided. Ever. 2) If you ask for an update as to when the vulnerability will be fixed, you will not get a detailed response. 3) Apple waits several months. 4) Apple waits several months. 5) Apple fixes the bug, possibly. 6) You get an email from Apple asking how you want to be credited. 7) If you're lucky, Apple will send you an email with notification on when they're planning to fix the issue, along with the exact wording of the specific advisory. 8) If you're lucky, Apple will fix the advisory in the week they say they will. 9) Normally, the date will slip a few weeks. Or maybe a month. I applaud Microsoft for doing this. Hopefully Apple will follow suit and move out from the stone ages.
Right... so that is motivation NOT to help M$...
what is the motivation to report to them?
Microsoft has an obligation to protect their customers from security vulnerabilities by responding to them, one they abdicate constantly.
Security researchers have the obligation that ANY academics have. Tell the truth, show your work.
Personally, I prefer the Google and Mozilla method whereby researchers are paid a bounty of a few thousand dollars for reporting vulnerabilities in the manner the vendor prefers. Microsoft would be wise to follow the leaders rather than invent their own convoluted process.
There's a fundamental problem with your comparisons. When a security bug is released in Firefox you see the Mozilla Foundation marvel at the cleverness of the attack. Then a distributed net of individuals quickly work together in an agile way to get the hotfix out and then sometime is spent testing and hardening that fix. When a security bug is released targeting Chrome or any of Google's products, you see Google developers that are comfortable on their campuses swing long hours and work together to push out a fix as quickly as possible. These are all sensible approaches to security bugs.
...
...
With Microsoft, however, you see the heavy thudding of a big corporation. You see a complex inner working of management slow things down. Somebody might ask for an estimate on how much money this is going to cost and that estimate comes back a week later. Senior management starts shredding documents. Engineers start falling from helicopters in Redmond. A tornado of chairs leaves several injured. Microsoft's campus looks like the superdome following Katrina. People are chained to their desks. The reason they ask for 60 days is because that's how long it takes FEMA aid to reach Microsoft
You just can't compare the two
I'm not saying it's the public's job to troubleshoot their shoddy code and develop fixes.
I'm just saying I feel it IS the public's responsibility not to make potentially dangerous information available to people with malicious intent.
I have no love for MS. I just feel everyone is better off with "Hey you morons, look at the latest exploit" instead of "Hey, general public including innumerable black hats, look at the latest exploit"
About time...
A general sense of moral obligation not to aid and abet criminal activity?
Fuck that.
How about "Oh shit, this affects us. OH SHIT!"?
The quickest way to protect the public from malicious intent would be to get them to all stop using Microsoft products immediately. Everyone's sitting in a sinking lifeboat and you're quietly warning the captain about each leak you find so he can stick some chewing gum on it. What you really should be doing is screaming "Look at all the Fing holes in this boat!! Everyone get in that other, non-sinking boat called Linux over there!!!"
Yes, then the target would be the next biggest OS down the chain. The problem isn't "solved", it is just moved. Much like how surveillance cameras don't really cut down the crime rates, they just move them to a different area. If Linux had more of a presence it would be as big of a target as Microsoft. MS is just the current "low hanging fruit". Sorry, but the solution to security problems should never be "switch your operating system and every piece of software you currently use".
"But this one goes to 11!"
Switching the majority OS to GNU/Linux would have one immediate and obvious benefit: the source is widely available and widely modifiable. If we find a vulnerability, it can be diagnosed and patched immediately, without having to wait for a corporation's blessing. Hell, you don't even have to wait for the kernel team's blessing, or any other governing entity. Just post the patch and tell people about it!
It used to be clear that *nix systems were more secure, because they were actual multi-user systems. Nowadays, it's less clear. I'm certain a properly set up SELinux system is still miles more secure than Windows 7, but it's unlikely a common user will have that. However, even if there is no security advantage, I know this: Linux may not be more secure, but it is certainly easier to keep secure.
If I happened to run across a vulnerability tomorrow I might be inclined and would likely publish it that very day. Microsoft assumes I care for the well being of them and their customers when really I don't. I know this is aimed more at security researchers but then again they may very well feel the same way.
Got Code?
Here's a radical idea: How's about they don't release code tons of fresh code every cycle, and instead maybe check the code over first for buffer overflows, NULL pointer abuse, heap munging, and all the other obvious ways of executing code?
Just sayin'
I'm not saying it's the public's job to troubleshoot their shoddy code and develop fixes.
I'm just saying I feel it IS the public's responsibility not to make potentially dangerous information available to people with malicious intent.
I have no love for MS. I just feel everyone is better off with "Hey you morons, look at the latest exploit" instead of "Hey, general public including innumerable black hats, look at the latest exploit"
That does kind of depend quite heavily on the researcher being the first to find the vulnerability, and the vendor allocating enough people to adequately deal with fixing it in a timely manner.
Can you say with any real supportable evidence that either statement is a safe assumption? Because I know I can't. And to be honest, I doubt any researcher worth their title can either. Including the guy who I imagine kicked this new policy off by disclosing one he discovered when Microsoft were palming him off with vague answers for a week.
If the "people with malicious intent" already know about a vulnerability, which is a much safer assumption to make, and Microsoft are dragging their feet, because hiring enough good security people is expensive, is it not the researcher's duty to inform the general public? Who can then take steps to protect themselves while waiting for Microsoft to get around to making the patch available the next Patch Tuesday? After all.. We are vulnerable every second of every day to a host of unknown unreported vulnerabilities that any "black hat" could discover by themselves, and exploit for fun and profit. We can't be wary about exploits we are not aware of.
If a vulnerability is discovered, which do you think is faster to react? A company who knows the finder is not going to tell anybody, so they can take their time, or even ignore them completely.. Or a company who knows they better get right on it, or have a pretty nasty PR mess to clean up?
Who do you think has the bigger and more authoritative security team? One who has perhaps got the authority to say to marketing.. " No you bloody well will not do that. And I don't care how much easier it makes sharing your whole hard drive over the internet with aunty Gladys and her bridge team"!
As you sit there worrying about Microsoft possibly losing money, or having their reputation tarnished.. Or worst of all.. Having to increase the size of the security team.. Ask yourself this question..
"What would BP have done differently if the warnings they had earlier been given about the safety of the gulf rig were a matter of public record"?
http://www.nzherald.co.nz/business/news/article.cfm?c_id=3&objectid=10652032 (first one I came across on Google, not the first one I have read)
It is difficult to get a man to understand something when his job depends on not understanding it.
This is true only in the same sense that the surest way to world peace is to kill everyone that threatens world piece.
OSS: find a bug, fix it (because you can), submit code changes
CSS: find a bug, see a lawyer, contact a CERT, wait several weeks for a response, sign an NDA, share vulnerability informations, wait 2 months, ask for status, wait for an answer for 4 more months, realize that the vendor will do squat about the vulnerability as long as his customers don't know how threatened they are, release the infos to the public to put pressure on the vendor, be threatened by the vendors lawyers, be called a criminal by the vendors customers and the press and politics, have a house-search, wait 2 more months, get patch, realize that it doesn't fix the problem, rinse and repeat
The MAFIAA is a bunch of mindless jerks who will be the first up against the wall when the revolution comes
I fear that you are a troll. Nonetheless...
first off the majority of people wouldn't be able to immediately diagnose and patch because they have no idea how to do that.
Yes, but this does not negate the fact that there are many more eyes looking for flaws. A minority of a ton of people can still be a ton of people. The fact that anybody could diagnose and patch immediately is the important part.
second because linux is open source you would be less secure because it is easier to find flaws and backdoors in a system that you can view its source code.
Yes, and not all of those who find these flaws would exploit them. Many would fix them. Also, as pointed out many times on Slashdot, security through obscurity is not security at all.
and since linux uses a general public License if they request to see your source you have to give it to them because it requires that derivative works also fall under GNU's general public license.
This is a misinformed statement. The GPL requires that any publicly distributed derivative works be distributed under the GPL, but not privately-used derivative works. Moreover, the GPL only requires that you provide source code to those who have purchased the work. It's just a happy coincidence that most free (GPL) software also happens to be free (money).
the only way to truly secure yourself is to disconnect.
Truer words have never been spoken. Why is it, again, that we need a cybersecurity policy when we can just disconnect the freaking high-risk computers from the freaking internet?
I am very curious how Microsoft defines "ample time" especially considering some of their vulnerabilities (like the one recently "patched" in the DOS subsystem) have existed for years or decades.
This isn't a slam at Microsoft, it's a hope that someone has some clarification that can be used as a context to determine if this statement means anything. Even when the terms of their statements are less ambiguous, they seem to find ways of backpedalling - thus greater clarity on something so very ambiguous is warranted (even if it turns out to be pointless in the long run per whatever practices they actually employ).
Oh wait, the summary is not correct (of course) - but the reality of the statement is worse:
Microsoft:
CVD's core principles are simple: vendors and finders need to work closely toward a resolution; extensive efforts should be made to make a timely response; and only in the event of active attacks is public disclosure, focused on mitigations and workarounds, likely the best course of action -- and even then it should be coordinated as closely as possible.
Inotherwords, this statement really says "You should never tell anyone but us, unless active attacks are taking place - but even then, you should coordinate such with us" (at which point, they will probably say "dont tell anyone" as has been the current and previous cases.
Also, who are they to dictate how (and to who) researchers disclose such information? Is there some legal basis for this, or is (will) it be under the threat of using their financial muscle and influence to try to get the person charged with some sort of online security or terrorist crime? Yes... for those who don't know, the Patriot Act does indeed cover such things.
Additionally, the spin group at Microsoft said this, which is misleading in the grand context of this problem:
Microsoft:
However, we fundamentally believe (and our experience over the last 10 years has shown) that once vulnerability details are released publicly, the probability of exploitation rises significantly. Without coordination in place to provide a security update or tested workarounds, risk to customers is greatly amplified.
The truth is, once a vulnerability is released to the public and exploited, Microsoft is somewhat forced to fix it in a more timely fashion - as opposed to ignoring it for years (the numerous .NET exploits that still aren't fully patched) or decades (the DOS exploit recently patched).
This is really a non-news item as this is business as usual, carefully worded to seem like Microsoft is changing their stance on things (while the reality is, they are not).
StarTrekPhase2 - The Five Year Mission Continues!
"[CVD] is the same thing as responsible disclosure, just renamed," repeated Reavey. "When folks use charged words, a lot of the focus then is on the disclosure, and not on the problem at hand, which is to make sure customers are protected, and that attacks are not amplified."
http://www.computerworld.com/s/article/9179546/Drop_responsible_from_bug_disclosures_Microsoft_urges
Except for that fact that Linux is simply more secure than windows by several orders of magnitude. The fact that you can setup a windows based machine without a login and still have full admin rights is proof enough of the serious and deep rooted conceptual problems with it's design. Windows is built, from the ground up, to sell windows. Nothing more.
If you are relying on your operating system for security, you are taking the wrong approach to security. All major OS have had exploitable flaws. Security is not software nor anything you can buy or install - it is a set of policies, procedures,and practices. The actual software involved is irrelevant.
"But this one goes to 11!"
I never claimed the two would be the same security-wise, I just said if Linux was the top market share OS, it would be the biggest target. How well it would fare compared to Windows is something I was not speculating on, or blindly assuming.
"But this one goes to 11!"
Linux machines are often the servers that have everyone's credit card numbers, trade/military/government secrets, massive processing power and commercial-grade Internet connections, VoIP servers, and all the other real goodies. Each Linux machine is a potential Fort Knox in a world of 7/11s.
And even though these are the minority these days with most Linux machines being home PCs and geek tinker toys, if any Linux machine is accessible from the Internet on port 22 it will be hit with ssh brute force attempts 24/7/365 - because that's typically the easiest way to break into one. To brute force a password.
There's no lack of interest or effort, just a lack of success. What does that tell you?
"When information is power, privacy is freedom" - Jah-Wren Ryel