Beware of undisclosed Microsoft patches

Summary: My blogging colleague Ryan Naraine offers up some interesting food for thought regarding Microsoft's philosophy behind disclosing (or not disclosing) all of the vulnerabilities it is fixing via its patches. What do you think of Redmond's practice of silently fixing certain security breaches?

TOPICS: Microsoft, Security

My blogging colleague Ryan Naraine offers up some interesting food for thought regarding Microsoft's philosophy behind disclosing (or not disclosing) all of the vulnerabilities it is fixing via its patches.

Microsoft is, admittedly, silently patching certain vulnerabilities. The practice isn't unique to Microsoft, as Naraine notes. But it is controversial. Microsoft says it is doing this to thwart "the bad guys." But the silent patching also makes IT administrators' jobs more complicated.

From Naraine's blog post:

“You’re not fooling exploit writers with silent fixes. You’re only fooling your customers,” says Marc Maiffret, co-founder of eEye Digital Security.

Forget for a moment whether Microsoft is throwing off patch counts that Microsoft brass use to compare its security record with those of its competitors. What do you think of Redmond's silent patching practice?

About

Mary Jo has covered the tech industry for 30 years for a variety of publications and Web sites, and is a frequent guest on radio, TV and podcasts, speaking about all things Microsoft-related. She is the author of Microsoft 2.0: How Microsoft plans to stay relevant in the post-Gates era (John Wiley & Sons, 2008).

Talkback

27 comments
  • What do I think of Redmond's silent patching practice?

    Does this surprise anyone? Microsoft has repeatedly demonstrated that honesty isn't high on their list of corporate ideals.

    Of course, it doesn't help that they have so *much* to be dishonest about...
    Henry Miller
  • What does one think...

    ...bunker mentality.
    swhiser
  • I think it lacks honesty.

    It's great they are patching it but I think they aren't including it to keep the
    vulnerability count low.

    Either way, at least they are fixing them without people knowing, the problem is
    admitting to the vulnerabilities for those who aren't patched that is the problem. But
    to admit that would increase their vulnerability count.
    ju1ce
  • Not Necessarily Dishonest and All Bad

    There are definitely questions about how the marketing is negatively impacted by not publicizing the details of every patch and precisely where the hole is, but there does seem to be some validity to withholding some info. While administrators should know what binaries are being replaced (in the end, patches are probably just a bunch of replacement DLLs), there is little practical benefit to knowing exactly what internal vulnerability is being patched. Unless, of course, the patch can be shown to affect the behavior of the product in question.

    --Doug Hettinger
    dhettinger
    • Not quite so simple I'm afraid.

      It's not always possible to know what will and will not be affected before a patch is applied and if you don't know which patches have been applied then it can be a bugger to track down what's gone wrong. The most famous example of this was the bug in XP SP2 that messed with 3DS Max file loading and saving, no-one pre-SP2 could load files saved by someone post SP2 and that was with a known application of a patch.

      As it is, all patches have the potential to affect the behaviour of some program or other and hiding what is being patched just makes it more difficult to deal with a bug that has crept in as you can't just cross reference DLLs the program uses with recently patched DLLs or whathaveyou.
      odubtaig
      • That is a Valid Point

        I am not versed in administration as I'm more of a software design type, but it seems that in a lot of cases the issues of breakage are always possible given all the possible combinations of binaries - making it really tough to know in advance. Of course, the ability to fully reverse the patch is important.

        I was speaking more to the security concerns. It seems valid that others who have yet to apply the patch in question should not have a whole society of disgruntled hackers made aware of an open door into unpatched systems. The argument that marketing becomes dishonest since it does not reflect the true situation seems weak since most people take marketing for what it is - marketing. This is one of those tough cases where both sides of the issue think they have the moral high ground.

        --Doug Hettinger
        dhettinger
        • Though that's a double edged sword.

          The problem of unspecified patches means that sysadmins have, for some time, left applying any patches until the last possible time because they prefer a stable system over a secure one as it gives time for bugfixes to appear for those patches and they figure the firewalls and such will protect any internal systems. It's a mite chancy as strategies go but when all you know is that updates can make your systems go funny and you need that uptime for the business to run it's a chance you may very well take.

          So really, I'm not convinced that non-declaration really does anything for security when known vulnerabilities are going unpatched anyway and businesses are relying on external tools to secure their internal systems. In the meantime, while you might think it would have an impact on home users, the FBI has declared war on the Zombies... that is, the many Zombie PCs hosting worms and the like that attack using known vulnerabilities. If someone is unpatched on the unknown vulnerabilities then they're going to be unpatched on the known ones as well so it really makes no difference if 1 or 15 vulnerabilities are known so long as they're all fixed in the same update.
          odubtaig
          • PCI compliance.

            For any business that interacts with credit card payments, delaying vendor patches will get you booted to cash only.

            Many businesses are going to automated solutions for patch management such as WSUS. Although a good IT department will vet it for a few weeks in a lab or other group of non-critical systems, many are going to fully automatic mode.
            rtk
          • You're confusing me.

            Delaying will get you booted off credit card payments but any good IT department will vet for a few weeks? Of course, the former assumes that this compliance is reasonably enforceable which, given the way most places I've worked have actually worked, is unlikely.

            OK, I'm more used to the way non-money handling systems work (and these can surely be firewalled off as securely as the internerd) but surely the requirement is only for critical patches and makes an allowance to ensure these patches don't introduce any problems?

            Of course, I may be a little behind the times, the wages for IT staff in this country are abominable (I got paid more as a data monkey than some people get) and I have a knack for graphics programming so I've kinda lost track a little.
            odubtaig
          • Fear not!

            You get a limited period of time to test and implement *all* vendor provided patches. I believe it's a month.

            http://www.pcicomplianceguide.org/ourfaqs/pcicompliance_1.html#11133946

            What happens if I am not compliant?

            Failure to comply with the Payment Card Industry security standards may result in heavy fines, restrictions or permanent expulsion from card acceptance programs.
            rtk
  • Enough with the FUD!!

    Think of Microsoft as an all-knowing tenured professor. It knows what is best for you, knows how much you can handle and knows what information you need to know. I meet with Windows developers regularly and they are pretty adamant that they know what is best for everyone. I fully agree and tell my rep "ignorance is bliss, especially when the Vista WOW is NOW!". My rep then thanks me with various shirts and pens that "make my day" all it can be. Why lose sleep over security holes or vulnerabilities? The easiest thing to do is deploy, and deploy without prejudice. Then, and only then, will you understand the true power of the WOW.
    Mike Cox
    • Undisclosed patches

      Basically, making modifications to my system without my knowledge is against the law. That would make such patches malware regardless of their intent. The fact is one of the biggest problems the computing community as a whole has is stealth install/patches on computer systems. How are undisclosed patches any different from your basic key logger? Both are put on your system without your knowledge and both are doing something on or to your system without your knowing about it or agreeing to it.
      maldain
      • ACK!

        Sorry, Mike, that wasn't directed at you or your rep. but the story. Good post at least a 9.0.
        maldain
      • You sound as though

        You actually think your computer belongs
        to you, still, after Windows is
        installed.
        WRONG! You must not have read your EULA.
        Your computer clearly belongs to
        Microsoft now, and they may install or
        uninstall whatever they deem necessary,
        with or without your knowledge or
        consent.
        Ole Man
    • Give This Man A Blog Now !!

      NT
      TheBoyBailey
    • Nice one...

      Nice one Mikey!
      ogmanx@...
  • I have often wondered why I have problems......

    After a MS patch cycle, download and update.

    That would explain why, BUT what else could you expect from such a dishonest Corporate Raper and monopoly.

    PAR for the course with MS.
    carlsf@...
  • Another bonehead arrogant move by Microsoft. The only ones that are in the

    dark are the customers. The black hats will analyze the patches and figure it out right away. As a matter of fact, when they see one that MS is not reporting, they will work on it even harder, figuring there might be a big vulnerability.
    DonnieBoy
  • Starting to wonder...

    If M$ has learned from the US Gov...

    Govt: You want money for war, well, you'll also have to pay for ______, ________, & __________.

    M$: Oh, that "vulnerability"? We "fixed" it 3 months ago and bundled it into the DRM update. To cure your problem, I strongly advise you update your DRM to the current model...
    svpaladin@...
  • Standard MS behavior

    Try to conceal the true characteristics of the product and attempt to replace it with marketing driven and focused propaganda. Standard behavior for MS.
    dfolk