
Microsoft fights with researcher over Full Disclosure

Written by George Ou, Contributor

Ryan Naraine has taken Microsoft to task for refusing to officially credit security researcher Cesar Cerrudo for finding a privilege escalation exploit in Windows XP, which was disclosed on the MoKB project late last year. Microsoft isn't pretending that Cerrudo never discovered the bug or never shared the information; it's refusing to officially credit Cerrudo because it feels that Cerrudo broke Microsoft's responsible disclosure policy. But who was really being irresponsible here?

As Ryan Naraine pointed out, Cerrudo had been patiently waiting for two years for Microsoft to patch the issue, and Microsoft had decided to wait until Windows XP Service Pack 3, which means it would have taken more than three years to patch following Cerrudo's disclosure to Microsoft. I spoke with Microsoft MSRC a few months back regarding this issue and learned that Microsoft had declared this privilege escalation issue low-priority, which on the face of it makes sense. More than 80% of Windows XP customers run as full-fledged Administrators anyway, so for them a privilege escalation exploit is moot. But what does that mean to the diligent administrators who made the effort and took the time to properly lock down all the computers in their company? If privilege escalation is moot, does that mean those good administrators have egg on their faces? With a readily available exploit publicly released on the Internet and no patch in sight, the answer would be yes, and those administrators have had all their hard work undermined.

Microsoft had a chance to patch this exploit after it was disclosed late last year on MoKB, but it opted to stay the course and wait another year until Windows XP SP3. But when news came of this bug being implemented in Immunity Inc.'s Canvas penetration testing software, the negative publicity mounted and Microsoft was forced to change its tune and release a patch. Even though Windows XP is an old operating system, it will be the predominant OS in the enterprise world for a few years to come, and the inclusion of this exploit in a well-known penetration tool would have given Microsoft a black eye if the vulnerability had gone unpatched.

On a side note, one thing that wasn't fixed in last week's emergency patch was the Windows CSRSS message box vulnerability, which has the potential to elevate privileges even in Windows Vista. This vulnerability was disclosed late last year, but it still hasn't been patched. I asked Microsoft about this vulnerability and the response was that it was still investigating it. From what I've been hearing about this particular exploit, it isn't very reliable, in the sense that it can't reliably elevate privileges. But that's like saying that Russian roulette isn't very reliable at killing its player. Microsoft really needs to start taking this seriously instead of waiting four months to patch it. Considering that Vista implements a lot of privilege hardening and puts users in charge of their security with UAC (User Account Control), this exploit shouldn't be declared moot. [Update 4/10/2007: April's Patch Tuesday included a patch for this CSRSS vulnerability]

Part of the problem is that security managers tend to rationalize away threats that haven't been disclosed to the public yet. The vulnerability can be classified as "theoretical," or as something so remote that its "annual rate of occurrence" can be declared a small coefficient of the actual risk to their assets. Patches are also something that corporations hate, because patches (or any change in software in general) can often do more damage than the potential exploit itself. In this case, we have a vulnerability that is moot for the vast majority of Windows XP users, and Microsoft declared it not worth patching in the immediate timeframe.

That decision seems logical and justifiable from a risk management standpoint, until the researcher decides to fully disclose the exploit. That's where the conflict begins. Cerrudo disclosed the vulnerability after two years of inaction as a matter of principle and for the sake of real security, because we can't simply assume hackers won't figure out this exploit on their own. Microsoft and its enterprise customers felt that keeping the vulnerability private fit into their risk management equations and that the researchers were making life difficult. This is the classic full disclosure debate between researchers and vendors. The vendors and business types feel that nothing should ever be disclosed that might help the "bad guys," and the researchers want the vendors and the business world to stop hiding under a rock hoping that no one else finds the hole. From where I stand, I'm with the researchers. I would rather have real security than obscurity, because the risk management equations are only as reliable as the assumption that the bad guys are incompetent. Microsoft needs to reevaluate its stance on patching if it ever wants to fix its old reputation.
