December 14, 2009 at 10:44 am #4484Don DonzalKeymaster
Nice article by PCMag’s Larry Seltzer:
In the Twitter gab as last Patch Tuesday was unfolding, researcher Alex Sotirov complained that vendors weren’t paying for those who found the bugs in their products, and that this was unjust.
Most of the bug-finding for major products comes from researchers paid by someone for their work. They may work for security consulting firms like VeriSign iDefense Labs and many are independents paid through bug bounty programs such as Tippingpoint’s Zero Day Initiative.
This past Tuesday there were credits to:
– Bing Liu of Fortinet’s FortiGuard Labs
– Sean Larsson and Jun Mao of VeriSign iDefense Labs
– Ryan Smith of VeriSign IDefense Labs
– Sam Thomas of eshu.co.uk, working with TippingPoint and the Zero Day Initiative,
team509, working with VeriSign IDefense Labs
– An anonymous researcher, working with TippingPoint and the Zero Day Initiative
– Another anonymous researcher, working with TippingPoint and the Zero Day Initiative
Several other vulnerabilities were not credited. Microsoft did describe them as “privately reported.” VeriSign and TippingPoint are regulars in the “Acknowledgements” sections of Microsoft security advisories and lots of other folks show up. Here are some of my favorites:
– MS09-049: “Hiroshi Noguchi of Alice Carroll fan club”
– MS09-016: “New York State Chief Information Officer / Office for Technology”
– MS09-018: “Justin Wyatt from the Beaverton School District”
Sotirov noted that it’s TippingPoint’s and VeriSign’s customers who were paying for this research and that Microsoft should be paying too. Surely, I asked, Microsoft does vulnerability research on their own product. At this point another famous researcher, Dino Dai Zovi, piped in to say no: “Apple is the only vendor that I know of that releases patches for vulns found internally.”
This rang true; I know I’ve read Apple advisories that credited internal research and I couldn’t recall a Microsoft advisory that credited their own. I looked and not a single vulnerability disclosure (so far) in 2009 was credited explicitly to Microsoft. I asked Microsoft about it.
February 28, 2010 at 7:37 pm #28159unsupportedParticipant
Ok, I just happened to be poking around and found this thread. I feel I need to comment that the title seems a little misleading. The article itself says Microsoft looks for its own bugs. They are just fixed in service packs and other point releases. Microsoft stepped up by releasing the security bulletins and patches on Patch Tuesday for issues outside of the scope of their normal security bulletins.
My question is, what kind of business model do these other companies have which allow them to pay researchers to find bugs in Microsoft products? Maybe I’m missing the bigger picture, like they sell their services to other companies after showing “We’ve found x number of Microsoft bugs for free, look how many we can find for you!!!”.
Just my two cents while I avoid doing homework. 🙂
March 7, 2010 at 3:00 am #28160former33tParticipant
If you get the chance, talk to Stephen Sims some time (lead author of SANS SEC-709). He works for a major company and tests both in house and third party software. Depending on the dollar amounts you are dealing with, sometimes you can’t assume that a vendor has done their homework. Suppose for instance that you implement IIS as a portal for your financial management system. Even if your code is 100% solid, a single flaw in IIS can bring your company to its knees. Think MS has found them all? I seriously doubt it. The question is, how much effort would an attacker need to expend to locate a bug in your running configuration of IIS. Some companies are content knowing that a professional would have to expend > X man weeks to exploit the platform the code is running on. That’s how lots of these get found.
March 7, 2010 at 3:55 am #28161hayabusaParticipant
Some companies are content knowing that a professional would have to expend > X man weeks to exploit the platform the code is running on. That’s how lots of these get found.
Agreed. I know of a few software companies, whom I’ll allow to remain nameless, so I don’t get hung by my contacts for bringing them into the spotlight, who leave a lot on the table, and don’t heavily look over their own code, simply because of the time they figure someone would have to invest to crack their stuff.
I know of other companies, however (mine in particular, but due to their Code of Business Ethics, I’m not allowed to name mine here,) who are investing a lot of time and resources into making positive impact on security awareness, etc. My company, for instance, began a ‘security summit’ a couple of years ago, after a number of us expressed the desire to implement a proactive approach. We openly discuss security issues, have industry experts and others give presentations and talks, and even have online ‘hacking games’ setup for the employees who want to participate, to encourage and enlighten. I know we’ve had many folks from all our various divisions participate and present, as well, from our designers / consultants, to our full time developers, to our sales and support staff. Additionally, they’ve had some internal pentests against new products awaiting public release, to help to minimize the flaws, and these tests have gotten a lot of participation from various groups within the organization, so that we get MANY hands working on each aspect of the product. Overall, it’s been very successful, and a great knowledge transfer opportunity.
This obviously still doesn’t guarantee we’d catch EVERY issue, either, but it’s a positive approach, and one that I think other vendors in the industry would be wise to follow / undertake.
March 7, 2010 at 4:25 am #28162elcapitanParticipant
If companies were to look for their own bugs, wouldn’t the products be slower to get on market? That translates to lost dollars.
Having external security researchers finding vulnerabilities doesn’t cost much at all.
March 7, 2010 at 6:09 am #28163rattisParticipant
I do think that companies do look for their bugs. They might not be as thorough as people doing it on their own because of dead lines.
The bigger problem though, was brought up a a Perl Mongers meeting, and fits here. It’s the test tools they use. They’re tools are usually written by themselves, who have written the code being tested. It’s tested on their systems, maybe a random sample. It moves out.
Other people have different test tools + the time to look more for the problems. Problems are found.
March 7, 2010 at 8:24 am #28164unicitydParticipant
Microsoft does look for security bugs in their own software before they put it on the market. I think the problem (if I understand what others have said) is that they don’t release hotfixes or small patches after release for any bugs found internally although they may be quietly rolled into a service pack. Microsoft does have a large QA staff and they have a lot of very talented security people. You can always argue that they should do more, but don’t be misled into thinking they don’t do anything.
March 7, 2010 at 8:25 am #28165UNIXParticipant
The heading sounds quite splashy to me, especially as Microsoft is actually doing a lot of research on their own products and gives a lot into their quality assurance, even though it might often not seems like it. Of course this can’t apply to all products, but I think this also applies to most other vendors as well. Meeting one’s deadlines, operating schedules and lack of money often prevents intensely QA testing.
Another point which I think might apply here, is, that often third-party companies or researches might have different ambitions, e.g. fame, and would therefore invest more resources into something, than the vendor might do or could. Some other factors, as already brought up by chrisj, apply as well, such as different testing tools, testing environments and experience of the auditor.
March 7, 2010 at 8:50 am #28166morpheus063Participant
Yes, I too think the article is little misleading.
Being a Microsoft MVP in Enterprise Security, I had the opportunity to interact closely with Microsoft Security groups. As pointed out earlier, the deadlines, schedules and budgeting aspects may create issues with the quality of any tool. They have various groups, process and programs in place to test the security posture of their products. Some of them include:
- MSRC – Microsoft Security Response Centre,
- MMPC – Microsoft Malware Protection Centre,
- OSSC – Microsoft Online Services Security and Compliance,
- The Microsoft Identify and Security Division,
- Windows Sustained Engineering,
- Security Update Validation Program,
These teams and process work very closely to ensure stability and security to their end products. And yes, as we always say, there is nothing known as 100% security and no security test can find out all the vulnerabilities in a system. So I think Microsoft is doing their part. 🙂
March 7, 2010 at 4:30 pm #28167hayabusaParticipant
Just a note… I know MS gained Crispin Cowan a couple of years ago, when he and Novell parted ways. Knowing Crispin and his work with AppArmour, as well as his experiences in the security realm, I can pretty well assure you MS is doing it’s part to work out the bugs, themselves, before products and releases hit the public. Nobody’s perfect, and with as many lines of code as MS has, you’d have to agree, there are ample opportunities to miss flaws. As noted above, 3rd parties, who desire recognition for finding these flaws, often spend a LOT of time, energy and resources to find the problems. They don’t always have the same responsibiltiy to continue to innovate and release new products and services, either, so they would definitely have more time and energy invested.
The reason more bugs are found in MS code, that MS themselves have missed, is that they are the foremost, prime target, in most people’s minds these days, and MANY folks are aiming at their code. It’s only logical. If the same folks invested their time against others’ products, I’m certain you’d see the same influx of holes, elsewhere.
- You must be logged in to reply to this topic.