AOH :: ISN-2347.HTM

Microsoft Patches: When Silence Isn't Golden

Microsoft Patches: When Silence Isn't Golden
Microsoft Patches: When Silence Isn't Golden,1895,1951186,00.asp 

By Ryan Naraine
April 19, 2006

Microsoft has 'fessed up to hiding details on software vulnerabilities
that are discovered internally, insisting that full disclosure of
every security-related product change only serves to aid attackers.

The company's admission follows criticisms from a security researcher
that its policy of silently fixing software flaws is "misleading" and
not in the spirit of Microsoft's push for transparency.

In an interview with eWEEK, Mike Reavey, operations manager of the
MSRC (Microsoft Security Response Center), said the company's policy
is to document the existence of internally discovered flaws as well as
the area of functionality where the change occurred, but that full
details on the fixes are withheld for a very good reason.

"We want to make sure we don't give attackers any [additional]
information that could be used against our customers. There is a
balance between providing information to assess risk and giving out
information that aids attackers," Reavey said.

When Microsoft receives a report of a security flaw from external
researchers, Reavey said, the MSRC conducts an extensive investigation
to look at all the surrounding code to make sure a comprehensive fix
is pushed out the door. If a related bug is found internally, it will
be fixed in the eventual patch, he said, but the details will be kept
under wraps.

However, critics argue that silent fixes have a way of backfiring and
hurting businesses that depend on information from the vendor to
determine deployment time frames and the actual severity of the
patched vulnerability.

According to eEye Digital Security, which sells host-based IPS
(intrusion prevention system) technology, silent fixes from Microsoft
are commonplace.

"It is the skeleton in Microsoft's closet. We routinely find them,"
said Steve Manzuik, product manager of eEye's security research team,
in Aliso Viejo, Calif.

In an interview with eWEEK, Manzuik said Microsoft has been silently
fixing bugs as far back as 2004. He referred to the company's MS04-007
bulletin as a classic example of Microsoft announcing a fix for a
single vulnerability when in fact a total of seven flaws were quietly

Manzuik's team presented a research paper on its findings at the Black
Hat Briefings in Europe earlier in 2006 to highlight the problems with
withholding details on fixes from customers.

"Microsoft's customers depend on that information to figure out how to
respond to Patch Tuesday. The reality is, system administrators will
delay deploying a patch based on the details of the bulletin. When
details aren't included, he won't install that patch. That is a big
problem," Manzuik said.

He said IT departments do not have the skill or resources to
reverse-engineer every patch.

"They are simply left in the dark and may ignore a patch that is
super-critical to their environment. Meanwhile, the bad guy has spent
the time to find out what was silently fixed," Manzuik said, arguing
that Microsoft has a responsibility to make sure businesses are fully
informed about software changes.

"I don't buy the argument that they are aiding attackers. The
attackers are already reverse-engineering the patches. They have the
time and resources to find out where the flaw lies. The guy that feels
the pain is the system administrator who is in the dark and who can't
do his own reverse-engineering," Manzuik said.

Matthew Murphy, the independent researcher who flagged the issue after
finding silent fixes in the April batch of patches, said third-party
vendors that incorporate code from Microsoft are also hurt by the lack
of full disclosure.

Murphy outlined a recent case where anti-virus vendor Trend Micro got
burned by a silent fix pushed out by Microsoft. That issue revolved
around a bug in Visual Studio that was reported to Microsoft in 2002
but remained unfixed for several years.

Microsoft eventually fixed the bug but information was withheld,
causing Trend Micro to unwittingly use the vulnerable code in its
products, putting its customers at risk of a heap overflow
vulnerability that could be used in code execution attacks.

Manzuik also pointed out that businesses rely heavily on host-based
IPS technology to secure valuable assets while patches are being
tested for deployment.

"Some of these IPS products need information from the software vendor
to create signatures. How can you create a signature for a flaw if you
don't know the location of the flaw? We have proven that
signature-based technology can be bypassed to exploit these silently
fixed flaws," he said.

Reavey said businesses should use Microsoft's severity rating system
to help with patch deployment timetables. "It's important to remember
that the best way to be safe and secure is to apply all the updates.
We are providing patches for everything. We still recommend a
defense-in-depth strategy that includes IPS and IDS [intrusion
detection system] technology, but customers should use our severity
ratings system and apply the patches," he said.

InfoSec News v2.0 - Coming Soon! 

Site design & layout copyright © 1986-2014 CodeGods