
By Patrick Gray
Posted on ZDNet News: Oct 15, 2003 11:58:00 AM

COMMENTARY--Microsoft has come a long way in its understanding of security over the last five years, but comments made last week by its chief executive Steve Ballmer go to show that it needs to change not only its approach, but also to recognize that it doesn't operate in a vacuum.

In particular, his comment that he wishes security researchers would just shut their mouths is a sure sign that Ballmer just doesn't get it. His ambit scenario would see researchers telling only Microsoft about the bugs they find. He actually cited the good of the world as his reasoning. At least he didn't bring God into it.

"I can tell you I wish those people just would be quiet. It would be best for the world. That's not going to happen, so we have to work in the right fashion with these security researchers," Ballmer said at Microsoft's Worldwide Partner Conference in New Orleans.

So when they do find a security flaw in Windows, Internet Explorer, Microsoft SQL Server, Internet Information Services (IIS) and so on, who should they tell? Just Microsoft? The practice of disclosing vulnerabilities solely to the vendor responsible for maintaining the product in question has never worked. Why? Without the prospect of publication, the vendor becomes unresponsive, or starts knocking out quick fixes that may or may not work. The more transparent the disclosure model is, the more the public can feel assured the vendor has appropriately addressed the issue. This is not rocket science; it's disclosure 101.

While there are some irresponsible researchers out there, most will happily give companies like Microsoft a reasonable lead time--not to mention unfettered access to some very comprehensive research material--so the vendor can produce and distribute a fix before they go public with the vulnerability. The unofficial rules of responsible vulnerability disclosure have been established for a long time.

While it is a very positive move for Microsoft to acknowledge it must work with security researchers, it is quite unfortunate it feels it must needle them in front of its worldwide partners for essentially performing a public service.

Other remarks made during his speech show the company is indeed listening to its customers. It's listening to all of their gripes about how difficult it is to patch products, and about how its vulnerability-infested products are causing frustration among system administrators. This frustration is breeding apathy, which means people just aren't taking the sort of care with their systems they should be, so in that regard MS is doing the right thing by tuning in to its customers' gripes.

The only problem with listening solely to the customers is that the average Microsoft customer is no security expert. Wouldn't it be better if Microsoft listened more to the security researchers it loves to hate--the people who spend 60 hours a week debugging Windows code--as opposed to just quizzing its cola-chugging sysadmin customers about their "patching experience"?

To his credit, Ballmer made some well-intentioned, yet slightly inaccurate, observations about the link between the timing of the release of a patch and the subsequent creation of an exploit. "The time between us issuing a patch and [when] we see a concrete exploit that takes advantage of the vulnerability that the patch highlighted is shortening," he told his audience. "I think most people in this room probably understand that we've had very few attacks, very few exploits that actually preceded the patch. The hacker community actually uses our patches, in some senses, as blueprints to diagnose and understand vulnerabilities."

I hate to tell you Steve, but the vulnerabilities that were patched by your security team--after being discovered mostly by independent security researchers who had the good grace to notify you first--were in the product before the researchers found them. Indeed it's well established that plenty of vulnerabilities--both Unix/Linux based and Windows based--are exploited months before the vendor has been notified they exist. Maybe they're not exploited by a large-scale worm, but they are exploited.

Vulnerabilities are defects in a product's design or implementation, and they are present from the day it ships. The term "new vulnerability", which I am sure I am guilty of using, should very clearly be translated to "newly discovered vulnerability".

While there are some people out there who will pull apart a patch or look at a description of a publicly disclosed vulnerability to create an exploit, the fact remains that it's a lot better to have a known vulnerability with a fix available than a vulnerability that's known about by a handful of people who have no intention of telling anyone. Writing an exploit for the vulnerability lets well-intentioned researchers understand it properly. Intrusion detection companies can use the information to update signatures, and everyone can understand how the problem got there in the first place. People know what the attack looks like and how it works.

A perfectly appropriate, extremely funny example of a vendor over-reacting to the public disclosure of a particularly dumb flaw in its product occurred this week.

The company, SunnComm, threatened to launch action under the DMCA against a student who published a report that was critical of its technology, as well as claiming libel and defamation. What's the main problem with the report? Well, the first-year post-graduate student, John Halderman, discovered that it was possible to disable the company's flagship CD anti-copy technology by holding down the shift key when inserting the CD into the computer--that suppresses Windows autorun, so the copy-protection driver shipped on the disc is never installed--which was, needless to say, a touch embarrassing for SunnComm.

Thankfully SunnComm's management team sat down and wrestled with that idea (and, I'm sure, a few other idiotic ones) long enough for common sense to bubble to the surface, and had a change of heart. SunnComm's chief executive, Peter Jacobs, told Josh Brodie of the Princetonian he didn't "want to be the guy that creates any kind of chilling effect on research". Jacobs claims the narrowly averted lawsuit had nothing to do with the shift key, but with the rest of the report.

That's not to say the security community isn't prone to a particular brand of lunacy all of its own. My colleague Josh Mehlman is familiar with the particular psychological disorder that seems to plague certain pockets of the IT world. His gripe is with Linux fundamentalists--you know, the guys with penguin socks who write MS as "M$" because they think they're making a social commentary.

Their cousins in the security world are a similar brand of nutter: the ones who say "just change all your workstations and servers to [insert name of operating-system-that-isn't-Windows here]" like it's actually a feasible idea. These are the same type of people who will happily publish an exploit for a previously undisclosed vulnerability on a public mailing list with no advance warning to Microsoft--they just hate MS that much.

What would be really nice is if we saw people like that, and Microsoft itself, soften up a bit and recognize that their way isn't the only way. Seeing as Microsoft is the metaphorical grown-up in this case, it'd be nice to see it take the lead.

biography
Patrick Gray is a staff writer from ZDNet Australia.
