The Ethical Hacker Network - Why Doesn't Microsoft Look for Its Own Bugs?

don

Editor-In-Chief
Administrator
Hero Member

Offline

Posts: 4165

Editor-In-Chief

Why Doesn't Microsoft Look for Its Own Bugs?

« on: December 14, 2009, 04:44:32 AM »

Nice article by PCMag's Larry Seltzer:

Quote

In the Twitter gab as last Patch Tuesday was unfolding, researcher Alex Sotirov complained that vendors weren't paying for those who found the bugs in their products, and that this was unjust.

Most of the bug-finding for major products comes from researchers paid by someone for their work. They may work for security consulting firms like VeriSign iDefense Labs and many are independents paid through bug bounty programs such as Tippingpoint's Zero Day Initiative.

This past Tuesday there were credits to:

- Bing Liu of Fortinet's FortiGuard Labs
- Sean Larsson and Jun Mao of VeriSign iDefense Labs
- Ryan Smith of VeriSign IDefense Labs
- Sam Thomas of eshu.co.uk, working with TippingPoint and the Zero Day Initiative,
team509, working with VeriSign IDefense Labs
- An anonymous researcher, working with TippingPoint and the Zero Day Initiative
- Another anonymous researcher, working with TippingPoint and the Zero Day Initiative

Several other vulnerabilities were not credited. Microsoft did describe them as "privately reported." VeriSign and TippingPoint are regulars in the "Acknowledgements" sections of Microsoft security advisories and lots of other folks show up. Here are some of my favorites:

- MS09-049: "Hiroshi Noguchi of Alice Carroll fan club"
- MS09-016: "New York State Chief Information Officer / Office for Technology"
- MS09-018: "Justin Wyatt from the Beaverton School District"

Sotirov noted that it's TippingPoint's and VeriSign's customers who were paying for this research and that Microsoft should be paying too. Surely, I asked, Microsoft does vulnerability research on their own product. At this point another famous researcher, Dino Dai Zovi, piped in to say no: "Apple is the only vendor that I know of that releases patches for vulns found internally."

This rang true; I know I've read Apple advisories that credited internal research and I couldn't recall a Microsoft advisory that credited their own. I looked and not a single vulnerability disclosure (so far) in 2009 was credited explicitly to Microsoft. I asked Microsoft about it.

Full story:
http://www.pcmag.com/article2/0,2817,2357051,00.asp

Don


	Logged

CISSP, MCSE, CSTA, Security+ SME

unsupported

Sr. Member

Offline

Posts: 318

Unofficial Newbie Moderator

Re: Why Doesn't Microsoft Look for Its Own Bugs?

« Reply #1 on: February 28, 2010, 01:37:39 PM »

Ok, I just happened to be poking around and found this thread. I feel I need to comment that the title seems a little misleading. The article itself says Microsoft looks for its own bugs. They are just fixed in service packs and other point releases. Microsoft stepped up by releasing the security bulletins and patches on Patch Tuesday for issues outside of the scope of their normal security bulletins.

My question is, what kind of business model do these other companies have which allow them to pay researchers to find bugs in Microsoft products? Maybe I'm missing the bigger picture, like they sell their services to other companies after showing "We've found x number of Microsoft bugs for free, look how many we can find for you!!!".

Just my two cents while I avoid doing homework.


	Logged

-Un
CISSP, GCIH, GCIA, C|EH, Sec+, Net+, MCP

former33t

Full Member

Offline

Posts: 226

Re: Why Doesn't Microsoft Look for Its Own Bugs?

« Reply #2 on: March 06, 2010, 09:00:18 PM »

If you get the chance, talk to Stephen Sims some time (lead author of SANS SEC-709). He works for a major company and tests both in house and third party software. Depending on the dollar amounts you are dealing with, sometimes you can't assume that a vendor has done their homework. Suppose for instance that you implement IIS as a portal for your financial management system. Even if your code is 100% solid, a single flaw in IIS can bring your company to its knees. Think MS has found them all? I seriously doubt it. The question is, how much effort would an attacker need to expend to locate a bug in your running configuration of IIS. Some companies are content knowing that a professional would have to expend > X man weeks to exploit the platform the code is running on. That's how lots of these get found.


	Logged

Certifications: CREA, MCSE: Security, CCNA, Security+, other junk

hayabusa

Hero Member

Offline

Posts: 1630

Re: Why Doesn't Microsoft Look for Its Own Bugs?

« Reply #3 on: March 06, 2010, 09:55:04 PM »

Quote from: former33t on March 06, 2010, 09:00:18 PM

Some companies are content knowing that a professional would have to expend > X man weeks to exploit the platform the code is running on. That's how lots of these get found.

Agreed. I know of a few software companies, whom I'll allow to remain nameless, so I don't get hung by my contacts for bringing them into the spotlight, who leave a lot on the table, and don't heavily look over their own code, simply because of the time they figure someone would have to invest to crack their stuff.

I know of other companies, however (mine in particular, but due to their Code of Business Ethics, I'm not allowed to name mine here,) who are investing a lot of time and resources into making positive impact on security awareness, etc. My company, for instance, began a 'security summit' a couple of years ago, after a number of us expressed the desire to implement a proactive approach. We openly discuss security issues, have industry experts and others give presentations and talks, and even have online 'hacking games' setup for the employees who want to participate, to encourage and enlighten. I know we've had many folks from all our various divisions participate and present, as well, from our designers / consultants, to our full time developers, to our sales and support staff. Additionally, they've had some internal pentests against new products awaiting public release, to help to minimize the flaws, and these tests have gotten a lot of participation from various groups within the organization, so that we get MANY hands working on each aspect of the product. Overall, it's been very successful, and a great knowledge transfer opportunity.

This obviously still doesn't guarantee we'd catch EVERY issue, either, but it's a positive approach, and one that I think other vendors in the industry would be wise to follow / undertake.


	Logged

~ hayabusa ~

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'

OSCE, OSCP , GPEN, C|EH

ElCapitan

Newbie

Offline

Posts: 28

Unanimous FTP: the #1 threat to copyrights!

Re: Why Doesn't Microsoft Look for Its Own Bugs?

« Reply #4 on: March 06, 2010, 10:25:55 PM »

If companies were to look for their own bugs, wouldn't the products be slower to get on market? That translates to lost dollars.

Having external security researchers finding vulnerabilities doesn't cost much at all.


	Logged

CISSP, Security+, CEH, OPP, et alii

chrisj

Hero Member

Offline

Posts: 1163

Re: Why Doesn't Microsoft Look for Its Own Bugs?

« Reply #5 on: March 07, 2010, 12:09:19 AM »

I do think that companies do look for their bugs. They might not be as thorough as people doing it on their own because of dead lines.

The bigger problem though, was brought up a a Perl Mongers meeting, and fits here. It's the test tools they use. They're tools are usually written by themselves, who have written the code being tested. It's tested on their systems, maybe a random sample. It moves out.

Other people have different test tools + the time to look more for the problems. Problems are found.


	Logged

OSWP, Sec+

unicityd

Full Member

Offline

Posts: 156

Bored IT Manager, Crypto Nerd

Re: Why Doesn't Microsoft Look for Its Own Bugs?

« Reply #6 on: March 07, 2010, 02:24:56 AM »

Microsoft does look for security bugs in their own software before they put it on the market. I think the problem (if I understand what others have said) is that they don't release hotfixes or small patches after release for any bugs found internally although they may be quietly rolled into a service pack. Microsoft does have a large QA staff and they have a lot of very talented security people. You can always argue that they should do more, but don't be misled into thinking they don't do anything.


	Logged

BS in IT, CISSP, MS in IS Management (in progress)

UNIX

Hero Member

Offline

Posts: 1234

Re: Why Doesn't Microsoft Look for Its Own Bugs?

« Reply #7 on: March 07, 2010, 02:25:15 AM »

The heading sounds quite splashy to me, especially as Microsoft is actually doing a lot of research on their own products and gives a lot into their quality assurance, even though it might often not seems like it. Of course this can't apply to all products, but I think this also applies to most other vendors as well. Meeting one's deadlines, operating schedules and lack of money often prevents intensely QA testing.
Another point which I think might apply here, is, that often third-party companies or researches might have different ambitions, e.g. fame, and would therefore invest more resources into something, than the vendor might do or could. Some other factors, as already brought up by chrisj, apply as well, such as different testing tools, testing environments and experience of the auditor.


	Logged

Manu Zacharia (-M-)

Sr. Member

Offline

Posts: 393

c0c0n Hacking Conference - where hackers unite

Re: Why Doesn't Microsoft Look for Its Own Bugs?

« Reply #8 on: March 07, 2010, 02:50:26 AM »

Yes, I too think the article is little misleading.

Being a Microsoft MVP in Enterprise Security, I had the opportunity to interact closely with Microsoft Security groups. As pointed out earlier, the deadlines, schedules and budgeting aspects may create issues with the quality of any tool. They have various groups, process and programs in place to test the security posture of their products. Some of them include:

MSRC – Microsoft Security Response Centre,
MMPC – Microsoft Malware Protection Centre,
OSSC – Microsoft Online Services Security and Compliance,
The Microsoft Identify and Security Division,
Windows Sustained Engineering,
Security Update Validation Program,

These teams and process work very closely to ensure stability and security to their end products. And yes, as we always say, there is nothing known as 100% security and no security test can find out all the vulnerabilities in a system. So I think Microsoft is doing their part.


	Logged

Manu Zacharia
MVP (Enterprise Security), ISLA-2010 (ISC)², C|EH, C|HFI, CCNA, MCP,
Certified ISO 27001:2005 Lead Auditor

There are 3 roads to spoil; women, gambling & hacking. The most pleasant with women, the quickest with gambling, but the surest is hacking - c0c0n

hayabusa

Hero Member

Offline

Posts: 1630

Re: Why Doesn't Microsoft Look for Its Own Bugs?

« Reply #9 on: March 07, 2010, 10:30:21 AM »

Just a note... I know MS gained Crispin Cowan a couple of years ago, when he and Novell parted ways. Knowing Crispin and his work with AppArmour, as well as his experiences in the security realm, I can pretty well assure you MS is doing it's part to work out the bugs, themselves, before products and releases hit the public. Nobody's perfect, and with as many lines of code as MS has, you'd have to agree, there are ample opportunities to miss flaws. As noted above, 3rd parties, who desire recognition for finding these flaws, often spend a LOT of time, energy and resources to find the problems. They don't always have the same responsibiltiy to continue to innovate and release new products and services, either, so they would definitely have more time and energy invested.

The reason more bugs are found in MS code, that MS themselves have missed, is that they are the foremost, prime target, in most people's minds these days, and MANY folks are aiming at their code. It's only logical. If the same folks invested their time against others' products, I'm certain you'd see the same influx of holes, elsewhere.


	Logged

~ hayabusa ~

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'

OSCE, OSCP , GPEN, C|EH

Pages: [1] Go Up

« previous next »