Skeletons in Microsoft's Patch Day closet

Summary: Last Tuesday, when Microsoft released the MS07-030 bulletin to fix a remote code execution hole in Visio, the first line in the executive summary caught my attention: "This important update resolves two privately reported vulnerabilities in addition to other security issues identified during the course of the investigation."

TOPICS: Microsoft, Security

Last Tuesday, when Microsoft released the MS07-030 bulletin to fix a remote code execution hole in Visio, the first line in the executive summary caught my attention:

This important update resolves two privately reported vulnerabilities in addition to other security issues identified during the course of the investigation. (emphasis mine)

This is the first time I've seen Microsoft prominently admit to silently fixing vulnerabilities in its bulletins -- a controversial practice that effectively reduces the number of publicly documented bug fixes (for those keeping count) and affects patch management/deployment decisions.

When a flaw is reported by an outside researcher, the MSRC (Microsoft Security Response Center) routinely conducts a comprehensive audit of the surrounding code base to find and eliminate any potential problem areas. The problem, according to security research professionals, is that Microsoft keeps a tight lid on the details of those internally discovered issues, a move that makes it difficult for an IT administrator to make an informed patch deployment decision.

Microsoft's stance is that publicly disclosing the details of flaws found during an internal investigation puts more ammunition into the hands of bad guys.

Mark Griesi, a program manager in the MSRC, explains the company's patching/disclosure policies:

If the attack scenario and recommended customer actions provided in our security bulletins are different for an issue found through our internal investigation, we'll document the risk according to the most severe internally found issue within the vulnerability details for the externally reported issue.

For almost all cases, since the internal investigation is based off of the external report, the resulting attack scenarios are similar. So they don’t require a separate call-to-action or separate documentation for customers.

In an interview, Griesi notes that this isn't always the case, pointing to the MS06-023 bulletin as an example of a vulnerability that was fixed -- and publicly documented -- even though it was discovered internally.

Still, Griesi admits that Microsoft will not open a new CVE entry to spell out exactly what is being fixed. This, Griesi argues, gives malware writers too much information about the location of weak spots in the code base and puts Microsoft customers at higher risk.

On the other hand, white hat hackers warn that silent fixing is a dangerous practice, because exploit writers already have the tools to reverse-engineer a Microsoft patch and find every silently fixed issue.

"You're not fooling exploit writers with silent fixes. You're only fooling your customers," says Marc Maiffret, co-founder of eEye Digital Security.

Maiffret explains the Patch Day routine. First, the bad guys:

  1. They download the Microsoft patch.
  2. They expand the patch and find which files have been modified by the patch.
  3. They grab the same binaries from an unpatched OS.
  4. They run the two binaries, new/old, through a binary diffing utility.
  5. They analyze the few changes to identify which are security fixes and which are not.
  6. They write exploits for *all* vulnerabilities regardless of what is in Microsoft's bulletin.

Now, this is what happens in a typical enterprise, where IT guys are scrambling to get patches prioritized and deployed:

  1. They review Microsoft's security bulletin.
  2. They make a risk assessment based on the vulnerabilities publicly documented by Microsoft.
  3. They decide the patch is not as important, based on the public information released by Microsoft.
  4. Their system becomes compromised because they didn't prioritize correctly and one of the silently fixed vulnerabilities was easier for the bad guy to exploit. Unfortunately, the IT guy never knew that.
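To make steps 2 through 5 of the attacker's routine concrete, here is an added example (mine, not the article's and not eEye's tooling) that does the two mechanical parts in Python: compare an unpatched file tree against the expanded patch by hash to find the modified binaries, then locate the byte ranges inside each modified binary that actually changed, which is what an analyst then disassembles. The file trees, paths and "binaries" are constructed stand-ins (the bytes only mimic an x86 function prologue, an inserted length check and a copy); a real analyst would point a function-level diffing tool at the disassembly rather than diff raw bytes, but the principle is the same: the patch leaves a small, easily found set of changes in an otherwise identical file.

```python
"""Added example: the patch-day diffing routine, reduced to its mechanical
steps.  Step 1 hashes two file trees to find what the patch modified; step 2
locates the changed byte ranges in each modified binary.  Every path and byte
string here is constructed for illustration, not taken from a real product."""
import difflib
import hashlib


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def find_modified_files(unpatched: dict, patched: dict) -> list:
    """Return the sorted paths whose contents differ between the two trees
    (path -> bytes), including files the patch adds or removes."""
    modified = []
    for path in sorted(set(unpatched) | set(patched)):
        old, new = unpatched.get(path), patched.get(path)
        if old is None or new is None or sha256(old) != sha256(new):
            modified.append(path)
    return modified


def changed_regions(old: bytes, new: bytes) -> list:
    """Return (tag, old_start, old_end, new_start, new_end) for every span
    that is not identical.  autojunk=False stops difflib from treating byte
    values that repeat a lot (0x00, 0xFF, ...) as junk and skewing alignment."""
    matcher = difflib.SequenceMatcher(None, old, new, autojunk=False)
    return [op for op in matcher.get_opcodes() if op[0] != "equal"]


def patch_report(unpatched: dict, patched: dict) -> dict:
    """Map each modified path to its changed regions; None for files that
    exist on only one side (added or removed by the patch)."""
    report = {}
    for path in find_modified_files(unpatched, patched):
        old, new = unpatched.get(path), patched.get(path)
        report[path] = changed_regions(old, new) if old and new else None
    return report


# Constructed sample binary: a parser routine whose patched build gains a
# length check before a copy.  The bytes are plausible x86 encodings but are
# a hand-made stand-in, not disassembled real code.
FN_PROLOGUE = b"\x55\x89\xe5\x83\xec\x10\x8b\x45\x08"  # push ebp; mov ebp,esp; sub esp,0x10; mov eax,[ebp+8]
LENGTH_CHECK = b"\x3d\x00\x01\x00\x00\x77\x12"         # cmp eax,0x100; ja <error>   (the silent fix)
COPY_AND_RET = b"\x8b\x4d\x0c\x8b\x55\x10\xe8\x00\x00\x00\x00\xc9\xc3"  # mov ecx,[ebp+0xc]; mov edx,[ebp+0x10]; call <copy>; leave; ret

OLD_PARSER = FN_PROLOGUE + COPY_AND_RET
NEW_PARSER = FN_PROLOGUE + LENGTH_CHECK + COPY_AND_RET

# Constructed file trees: only the parser library differs between the two.
UNPATCHED_TREE = {
    "bin/app.exe": b"MZ\x90\x00unchanged launcher stub",
    "bin/parser.dll": OLD_PARSER,
    "help/readme.txt": b"Release notes",
}
PATCHED_TREE = {
    "bin/app.exe": b"MZ\x90\x00unchanged launcher stub",
    "bin/parser.dll": NEW_PARSER,
    "help/readme.txt": b"Release notes",
}


if __name__ == "__main__":
    for path, regions in patch_report(UNPATCHED_TREE, PATCHED_TREE).items():
        print(path)
        for tag, i1, i2, j1, j2 in regions or []:
            old_hex = UNPATCHED_TREE[path][i1:i2].hex()
            new_hex = PATCHED_TREE[path][j1:j2].hex()
            print(f"  {tag:7} old[{i1}:{i2}]={old_hex or '-'} new[{j1}:{j2}]={new_hex or '-'}")
```

Running it reports a single modified file, bin/parser.dll, with one inserted region at offset 9 whose bytes are exactly the added compare-and-jump. That is the whole point of Maiffret's argument: the bulletin text is irrelevant to this process, because the patch itself tells the analyst where every fix, documented or not, was applied.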

HD Moore, a hacker who knows a thing or two about writing exploits, agrees with Maiffret.

"I have been arguing with the folks at MSRC for years about this. They take the approach that bringing attention to the flaw will make it more likely to be exploited. My view is that by not bringing attention to it, they are leaving their customers in the dark and making it easier for a repeat of the WMF or ANI attacks," Moore said in an interview.

"Without knowing what was fixed or how it can be exploited, administrators and security professionals alike are left in the dark," he added.

Another negative side effect of silent fixes comes when third-party vendors incorporate code from Microsoft but are not notified when that code is buggy. In these cases, the vulnerable code in the third-party product can go unfixed indefinitely.

The absence of documentation also hurts IPS (Intrusion Prevention Systems) vendors that rely on vulnerability information to create signatures to block attacks.

eEye research engineer Andre Derek Protas sees the note in the MS07-030 bulletin as a sign that Microsoft has "taken a baby step" to admit that they're silently fixing vulnerabilities.

"[Now] they need to take the next step and start informing customers and security vendors if those silently fixed vulnerabilities were more dangerous than the ones they reported. Unfortunately they don't," Protas said.

Microsoft's Griesi said the software vendor is always reviewing feedback from customers to improve its security response process.

  • D'oh!

    Kind of puts the kibosh on all those vulnerability comparisons you've been running lately, doesn't it?

    Linux had X number of patches, OSX had Y, Vista had Z plus a whole bunch of secret ones we weren't told about.
    tic swayback
    • Visio != Vista

      Confused by religion
      • This is just the first time they were caught

        Most criminals commit plenty of crimes before finally getting caught. So this one instance (of which they have admitted to be guilty) brings all prior statistics into question.
        Michael Kelly
        • Exactly !

          Here are the other vendors being honest and Microsoft being dishonest. You're right, it does bring prior statistics into the spotlight. So according to the old stats Microsoft had a great record when it came to security. I would like to see what it looks like by the end of this summer. I feel kind of bad/worried though, I hope these kinds of actions don't continue.
          • How do we know the other vendors are being honest?

            I'd be willing to bet they aren't.
          • Because you can read their bug database and source code?

            How do we know Firefox and Linux and other open source competitors to Microsoft
            Internet Explorer and Windows are being honest? Well, how about "anyone can look at
            their source code repository, bug tracking database, and source releases".

            Even Apple exposes more of their internals than Microsoft.
          • Did I say open source?

            [i]Even Apple exposes more of their internals than Microsoft.[/i]

            Sorry, but I have to disagree with that one.
          • Re: Did I say open source?

            The truth is that we don't know about other proprietary companies. The difference is that Microsoft was caught in the act. However if you (or anybody else) suspect others then by all means investigate the situation. Personally I would not accuse somebody of something without more suspicion of their guilt other than the opportunity to commit the crime.

            I mean a teenage kid has the opportunity to take drugs every time he/she leaves the house, but you don't make the accusation without some sort of proof.
            Michael Kelly
          • When did patching undocumented bugs become a crime?

            [i]I would not accuse somebody of something without more suspicion of their guilt other than the opportunity to commit the crime. [/i]

            Who did I accuse? I insinuated other vendors are doing this, and I would not for a second be surprised if they are. But did I specifically accuse anybody of doing it?

            Using your teenage drug analogy, what I said was the equivalent of 'How do we know other kids aren't doing drugs.' No names or specific accusations were mentioned. Only my opinion regarding proprietary companies in general.
          • to: Michael Kelly, OOPS.

            just realized I had specifically mentioned Apple in a previous comment. For that, you're correct.

            But once again, it was my opinion, not an accusation. Apple has gotten better at listing the CVE a specific patch covers. They used to be rather vague. I still have to wonder what they may be including in their patches that isn't published. For the record. I don't have a problem with patching undocumented bugs. Why give the black hats more info than you need to?
          • Not Apples...

          • Have to agree - who cares...fix it.

            The more they fix the better. If my mechanic finds a leak of a critical item and there isn't a cost, I want him to fix it I don't care. The only ones who care are the ones who keep score. And they all walk over their own $#%@%@ on that one.
          • We don't....

      • Hey if you guys can include

        applications in the mix of Linux vulns then so can we include Microsoft applications as Windows vulns. Good for the goose, is good for the gander. ]:)
        Linux User 147560
        • We only include applications that ship with ...

          ... the OS. That is different than applications you buy separately. Visio does not ship with Windows.
          • Sorry, that's a specious argument.

            Many systems ship with Office installed as part of the initial sale, including Visio. By your line of reasoning, those errors should be included because it "shipped" with the OS. Sorry, but when you compare one operating system to another, how about comparing apples to apples instead of comparing apples to apples+oranges+grapefruit+peaches+grapes, then saying there are more bugs in the second. Using the different marketing models as an excuse for deception is in keeping with Microsoft's business practices in general.
          • Uh...No.

            A system shipping with Office is not the OS being shipped with Office. The system builder ADDED Office. Office was not on the OS disk(s).

            Apples to apples is just about impossible between Windows and Linux. Windows has a lot of apps included with the shipped OS. Linux has more, and in most cases, more advanced ones. However, the ones installed during a standard installation vary from vendor to vendor - A Red Hat install is different than a SUSE install, which is different than an Ubuntu install, etc. And, while the same can be said for the various packages of any particular version of Windows, it is still nowhere near as varied a group of installations as we find in the Linux world.

            Then too, I find the whole concept of attempting to legitimately compare OS's in this manner to be idiocy at its very finest.
            Dr. John
          • Semantics

            If it is installed on the OS it is a vulnerability; PERIOD!

            Most of the Linux vulnerabilities are not installed by default on servers, yet they still count them in comparisons.
      • Like it matters

        Disclosure policy (or lack thereof) is still policy and not likely to vary between products.
      • Learn the software out there.

        No, Ryan had it right..... the flaw was in Visio. It wasn't a typo, Visio is in the line up of Microsoft Office apps.

        Quote from Microsoft's Technet "Microsoft Security Bulletin MS07-030 - Important Vulnerabilities in Microsoft Visio Could Allow Remote Code Execution (927051)"

        Ryan gave you reference links, you could have checked it out to see if he was wrong or not before publicly saying he was wrong.