This is a repeat of one of my posts from January on the old TS2 blog, but I thought it was worthy of a re-post. And you know platform security is one of my favorite subjects.
Well, if you even entertained the initial thought that the answer could be no, I sentence you to go back and read every security-related blog post I’ve written <grin>. This post came about because of a Twitter whine by researcher Alex Sotirov who complained that vendors weren't paying those (presumably like himself) who found the bugs in their products, and that this was somehow unjust. I actually recommend you read this post by Larry Seltzer, although at the end he seems to reach the conclusion that he agrees with Sotirov. I disagree with his conclusion on several bases but let me cover the post in general, and then address what I feel are the flaws in his conclusion later.
Right up front Seltzer points out that “Most of the bug-finding for major products comes from researchers paid by someone for their work.” For sure, most vendors, like Microsoft, leverage the findings of external researchers in this regard, but I would like to see some proof of the assertion that “most” of the bug-finding is done by these folks. This is just another example of how easy it is to make an unsubstantiated declarative comment that many folks accept at face value, with no real vetting or substantiation to back it up. I can’t say that I still know this for a fact (full disclosure on my part), but back when I was a security-focused Technology Specialist for Microsoft, in the early days of SDL (and the associated SWI, Secure Windows Initiative), I know that we not only did our own internal code sweeps (reviews), but also contracted with several external agencies to supplement that effort. Seltzer subsequently notes that some folks were “credited” for their bug-finds, but then notes that other vulnerabilities were not credited, acknowledging that some were “privately reported”. So this brought Seltzer to pose the title question to a “famous researcher”, Dino Dai Zovi, who basically said (or rather implied) no, citing that Apple was “the only vendor he knew of that patches internally found vulnerabilities” – I guess I’ll take his word for it that Dino is famous and credible and knows all the vendors’ methodologies well enough to make his statement. Of course, for Seltzer “this rang true” since he looked and found out that Microsoft had not credited any internal research sources in vulnerability disclosures in 2009 (which btw begs the question of whether or not crediting internal research is, or should be, the standard to go by, which I’ll be getting to in a moment). So he asked Microsoft about it directly – nice work Larry (finally a little journalism by someone).
As you should know, Microsoft confirmed that YES, of course they look for and find vulnerabilities internally (after all that’s the whole point of SDL which is mentioned in Larry’s quote from an unnamed Microsoft person). But curiously, although he acknowledges the fact that MS does internal vulnerability research, he finishes the sentence with “but not so much”, which I can only infer he says because Microsoft doesn’t report (or credit) it in the same way as other vendors (e.g. Apple) who, if you read my last post, may not be the vendor(s) I would be looking at as an example in this area. One key piece of the vulnerability equation that seems to be ignored here is a discussion on whether or not all vulnerabilities need to be proactively patched, and then whether acknowledging internal vulnerability research is a “best practice” which seems to be at the heart of his “but not so much” comment as well as his ultimate conclusion. As you should know, a vulnerability, in and of itself, is not really a problem -- it only becomes a problem when someone develops an “exploit” against it presumably with malicious intent. So I would ask, if I know that my program has a certain vulnerability but you do not, is it really a best practice for me to proactively patch that vulnerability and thereby make a de facto announcement of it (when I release the patch) that could be used to develop an exploit against unpatched systems? Well, apparently Larry and Alex and Apple think so, and if you have the small market share, and thus largely untargeted platform (the security by obscurity situation that I’ve blogged about before), that Apple has, you can do this; but to foist that paradigm on everyone is not my idea of a best practice. Now Larry notes in his next to final paragraph that MS08-037 leveraged Microsoft’s “own work in finding the [bug]…”, but then states in his bottom line that “[they] don’t do proactive vulnerability research on their own shipping products”. 
Which conclusion, btw, he arrives at by mentioning that “Microsoft spends a lot of time and money and effort on the security of their products, but they're almost entirely forward-looking about it.", which he then characterizes in a negative light as “neglect” of current products. I don’t know about you, but it is pretty convoluted, in my opinion, to say that we “do” a lot of something, but then spin that as neglect because apparently we may not buy into the (proactive) patching paradigm he assumes as a standard. I would also suggest that his conclusion, which implies that we need to be paying outside folks more to find and report stuff that, btw, wouldn’t be a problem if they didn’t find it (with the intent of publishing it), is also suspect, but you can make the call on that – at least you’ll have a counterpoint to consider now.
In my final thoughts, I would urge you to read the quote in the article from the (unidentified) Microsoft person. The main reason, I would suggest, that most external vulnerability finds are “credited” is because those folks desire the recognition, as it adds to their resume (or street cred). Also, most of them intend to “publish” the vulnerability, which means that Microsoft must proactively patch it. On the other hand, internally found vulnerabilities are generally not going to be published (and become the basis for future exploits), and thus there’s no reason to spend cycles proactively patching them; at least that’s how I believe we look at it. And, as the anonymous quote points out, these are all part of the ongoing SDL process. Also, I’ll bet that most internal Microsoft security researchers are not “in it” for the external recognition, so to spin that anonymity as evidence that supposedly only “other people are finding bugs in their products” and need to be paid more, well, I’m afraid I have a problem with that conclusion per above. As Larry says at the end, “something’s not right with this”, but I would say that what’s not right is less about how Microsoft approaches vulnerability research and reporting and more about how Larry reports on it. As always, “you make the call”, but I hope this serves to point out how careful (and critical) you need to be when reading anything online these days (even me <grin again>).
Oh, btw, remember what I said in the past post about the usual uninformed comments – here’s the very first comment on Larry’s post: “Another reason why Windows XP is actually more secure than Windows 7 - outside security analysts have been scouring Windows XP for almost a decade, while Windows 7 has a lot of new code for which Microsoft basically admits in this article that it's not researching. Now that's security you can trust...NOT!” [commented by TJ] Wow, this would be funny if it wasn’t just so wrong on several levels. Unfortunately there’s probably more than one “TJ” out there who actually believes that XP is more secure than Win7 (and I won’t even comment on his flawed logic). I couldn’t have come up with a better example of uninformed commentary if I had tried. Moreover, I’m not sure which article he read to make the statement “Microsoft basically admits in this article that it's not researching…” but the incongruity doesn’t seem to faze TJ. On the other hand, do read the follow-on comment by CW (in response to TJ) – among other things he points out this article, which I would rate as a must read, Behind the Scenes at Microsoft’s Secure Windows Initiative, especially if you still have any doubts or interest as to how we deal with reported vulnerabilities. OK, so now hopefully on with my holiday – see you next year.