.

Why Doesn't Microsoft Look for Its Own Bugs?

<<

don

User avatar

Administrator
Administrator

Posts: 4226

Joined: Sun Aug 28, 2005 10:47 pm

Location: Chicago

Post Mon Dec 14, 2009 5:44 am

Why Doesn't Microsoft Look for Its Own Bugs?

Nice article by PCMag's Larry Seltzer:


In the Twitter gab as last Patch Tuesday was unfolding, researcher Alex Sotirov complained that vendors weren't paying for those who found the bugs in their products, and that this was unjust.

Most of the bug-finding for major products comes from researchers paid by someone for their work. They may work for security consulting firms like VeriSign iDefense Labs and many are independents paid through bug bounty programs such as Tippingpoint's Zero Day Initiative.

This past Tuesday there were credits to:

- Bing Liu of Fortinet's FortiGuard Labs
- Sean Larsson and Jun Mao of VeriSign iDefense Labs
- Ryan Smith of VeriSign IDefense Labs
- Sam Thomas of eshu.co.uk, working with TippingPoint and the Zero Day Initiative,
team509, working with VeriSign IDefense Labs
- An anonymous researcher, working with TippingPoint and the Zero Day Initiative
- Another anonymous researcher, working with TippingPoint and the Zero Day Initiative

Several other vulnerabilities were not credited. Microsoft did describe them as "privately reported." VeriSign and TippingPoint are regulars in the "Acknowledgements" sections of Microsoft security advisories and lots of other folks show up. Here are some of my favorites:

- MS09-049: "Hiroshi Noguchi of Alice Carroll fan club"
- MS09-016: "New York State Chief Information Officer / Office for Technology"
- MS09-018: "Justin Wyatt from the Beaverton School District"

Sotirov noted that it's TippingPoint's and VeriSign's customers who were paying for this research and that Microsoft should be paying too. Surely, I asked, Microsoft does vulnerability research on their own product. At this point another famous researcher, Dino Dai Zovi, piped in to say no: "Apple is the only vendor that I know of that releases patches for vulns found internally."

This rang true; I know I've read Apple advisories that credited internal research and I couldn't recall a Microsoft advisory that credited their own. I looked and not a single vulnerability disclosure (so far) in 2009 was credited explicitly to Microsoft. I asked Microsoft about it.



Full story:
http://www.pcmag.com/article2/0,2817,2357051,00.asp

Don
CISSP, MCSE, CSTA, Security+ SME
<<

unsupported

User avatar

Sr. Member
Sr. Member

Posts: 318

Joined: Sun Feb 08, 2009 3:38 pm

Location: 407

Post Sun Feb 28, 2010 2:37 pm

Re: Why Doesn't Microsoft Look for Its Own Bugs?

Ok, I just happened to be poking around and found this thread.  I feel I need to comment that the title seems a little misleading. The article itself says Microsoft looks for its own bugs.  They are just fixed in service packs and other point releases.  Microsoft stepped up by releasing the security bulletins and patches on Patch Tuesday for issues outside of the scope of their normal security bulletins.

My question is, what kind of business model do these other companies have which allow them to pay researchers to find bugs in Microsoft products?  Maybe I'm missing the bigger picture, like they sell their services to other companies after showing "We've found x number of Microsoft bugs for free, look how many we can find for you!!!".

Just my two cents while I avoid doing homework. :)
-Un
CISSP, GCIH, GCIA, C|EH, Sec+, Net+, MCP
<<

former33t

Full Member
Full Member

Posts: 226

Joined: Sat Feb 14, 2009 12:33 am

Post Sat Mar 06, 2010 10:00 pm

Re: Why Doesn't Microsoft Look for Its Own Bugs?

If you get the chance, talk to Stephen Sims some time (lead author of SANS SEC-709).  He works for a major company and tests both in house and third party software.  Depending on the dollar amounts you are dealing with, sometimes you can't assume that a vendor has done their homework.  Suppose for instance that you implement IIS as a portal for your financial management system.  Even if your code is 100% solid, a single flaw in IIS can bring your company to its knees.  Think MS has found them all?  I seriously doubt it.  The question is, how much effort would an attacker need to expend to locate a bug in your running configuration of IIS.  Some companies are content knowing that a professional would have to expend > X man weeks to exploit the platform the code is running on. That's how lots of these get found. 
Certifications: CREA, MCSE: Security, CCNA, Security+, other junk
<<

hayabusa

User avatar

Hero Member
Hero Member

Posts: 1662

Joined: Mon Jan 29, 2007 2:59 pm

Post Sat Mar 06, 2010 10:55 pm

Re: Why Doesn't Microsoft Look for Its Own Bugs?

former33t wrote:Some companies are content knowing that a professional would have to expend > X man weeks to exploit the platform the code is running on. That's how lots of these get found. 


Agreed.  I know of a few software companies, whom I'll allow to remain nameless, so I don't get hung by my contacts for bringing them into the spotlight, who leave a lot on the table, and don't heavily look over their own code, simply because of the time they figure someone would have to invest to crack their stuff.

I know of other companies, however (mine in particular, but due to their Code of Business Ethics, I'm not allowed to name mine here,) who are investing a lot of time and resources into making positive impact on security awareness, etc.  My company, for instance, began a 'security summit' a couple of years ago, after a number of us expressed the desire to implement a proactive approach.  We openly discuss security issues, have industry experts and others give presentations and talks, and even have online 'hacking games' setup for the employees who want to participate, to encourage and enlighten.  I know we've had many folks from all our various divisions participate and present, as well, from our designers / consultants, to our full time developers, to our sales and support staff.  Additionally, they've had some internal pentests against new products awaiting public release, to help to minimize the flaws, and these tests have gotten a lot of participation from various groups within the organization, so that we get MANY hands working on each aspect of the product.  Overall, it's been very successful, and a great knowledge transfer opportunity.

This obviously still doesn't guarantee we'd catch EVERY issue, either, but it's a positive approach, and one that I think other vendors in the industry would be wise to follow / undertake.
~ hayabusa ~ 

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'


OSCE, OSCP , GPEN, C|EH
<<

elcapitan

User avatar

Newbie
Newbie

Posts: 28

Joined: Mon Apr 28, 2008 10:16 am

Post Sat Mar 06, 2010 11:25 pm

Re: Why Doesn't Microsoft Look for Its Own Bugs?

If companies were to look for their own bugs, wouldn't the products be slower to get on market? That translates to lost dollars.

Having external security researchers finding vulnerabilities doesn't cost much at all.
CISSP, Security+, CEH, OPP, et alii
<<

rattis

User avatar

Hero Member
Hero Member

Posts: 1172

Joined: Mon Jul 27, 2009 1:25 pm

Post Sun Mar 07, 2010 1:09 am

Re: Why Doesn't Microsoft Look for Its Own Bugs?

I do think that companies do look for their bugs. They might not be as thorough as people doing it on their own because of dead lines.

The bigger problem though, was brought up a a Perl Mongers meeting, and fits here. It's the test tools they use. They're tools are usually written by themselves, who have written the code being tested. It's tested on their systems, maybe a random sample. It moves out.

Other people have different test tools + the time to look more for the problems. Problems are found.
OSWP, Sec+
<<

unicityd

User avatar

Full Member
Full Member

Posts: 170

Joined: Wed Sep 03, 2008 5:33 pm

Post Sun Mar 07, 2010 3:24 am

Re: Why Doesn't Microsoft Look for Its Own Bugs?

Microsoft does look for security bugs in their own software before they put it on the market.  I think the problem (if I understand what others have said) is that they don't release hotfixes or small patches after release for any bugs found internally although they may be quietly rolled into a service pack.  Microsoft does have a large QA staff and they have a lot of very talented security people.  You can always argue that they should do more, but don't be misled into thinking they don't do anything.
BS in IT, CISSP, MS in IS Management (in progress)
<<

UNIX

User avatar

Hero Member
Hero Member

Posts: 1244

Joined: Mon Apr 28, 2008 9:20 am

Post Sun Mar 07, 2010 3:25 am

Re: Why Doesn't Microsoft Look for Its Own Bugs?

The heading sounds quite splashy to me, especially as Microsoft is actually doing a lot of research on their own products and gives a lot into their quality assurance, even though it might often not seems like it. Of course this can't apply to all products, but I think this also applies to most other vendors as well. Meeting one's deadlines, operating schedules and lack of money often prevents intensely QA testing.
Another point which I think might apply here, is, that often third-party companies or researches might have different ambitions, e.g. fame, and would therefore invest more resources into something, than the vendor might do or could. Some other factors, as already brought up by chrisj, apply as well, such as different testing tools, testing environments and experience of the auditor.
<<

morpheus063

User avatar

Sr. Member
Sr. Member

Posts: 393

Joined: Sun Jun 25, 2006 10:08 am

Location: Cochin - India

Post Sun Mar 07, 2010 3:50 am

Re: Why Doesn't Microsoft Look for Its Own Bugs?

Yes, I too think the article is little misleading.

Being a Microsoft MVP in Enterprise Security, I had the opportunity to interact closely with Microsoft Security groups. As pointed out earlier, the deadlines, schedules and budgeting aspects may create issues with the quality of any tool. They have various groups, process and programs in place to test the security posture of their products. Some of them include:

  • MSRC – Microsoft Security Response Centre,
  • MMPC – Microsoft Malware Protection Centre,
  • OSSC – Microsoft Online Services Security and Compliance,
  • The Microsoft Identify and Security Division,
  • Windows Sustained Engineering,
  • Security Update Validation Program,

These teams and process work very closely to ensure stability and security to their end products. And yes, as we always say, there is nothing known as 100% security and no security test can find out all the vulnerabilities in a system. So I think Microsoft is doing their part. :)
Manu Zacharia
MVP (Enterprise Security), ISLA-2010 (ISC)², C|EH, C|HFI, CCNA, MCP,
Certified ISO 27001:2005 Lead Auditor

[b]There are 3 roads to spoil; women, gambling & hacking. The most pleasant with women, the quickest with gambling, but the surest is hacking - c0c0n
<<

hayabusa

User avatar

Hero Member
Hero Member

Posts: 1662

Joined: Mon Jan 29, 2007 2:59 pm

Post Sun Mar 07, 2010 11:30 am

Re: Why Doesn't Microsoft Look for Its Own Bugs?

Just a note... I know MS gained Crispin Cowan a couple of years ago, when he and Novell parted ways.  Knowing Crispin and his work with AppArmour, as well as his experiences in the security realm, I can pretty well assure you MS is doing it's part to work out the bugs, themselves, before products and releases hit the public.  Nobody's perfect, and with as many lines of code as MS has, you'd have to agree, there are ample opportunities to miss flaws.  As noted above, 3rd parties, who desire recognition for finding these flaws, often spend a LOT of time, energy and resources to find the problems.  They don't always have the same responsibiltiy to continue to innovate and release new products and services, either, so they would definitely have more time and energy invested. 

The reason more bugs are found in MS code, that MS themselves have missed, is that they are the foremost, prime target, in most people's minds these days, and MANY folks are aiming at their code.  It's only logical.  If the same folks invested their time against others' products, I'm certain you'd see the same influx of holes, elsewhere.
~ hayabusa ~ 

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'


OSCE, OSCP , GPEN, C|EH

Return to Malware

Who is online

Users browsing this forum: No registered users and 0 guests

.
Powered by phpBB® Forum Software © phpBB Group.
Designed by ST Software