“We must always think about things, and we must think about things as they are, not as they are said to be.” George Bernard Shaw
yatz wrote:The Microsoft response wholeheartedly condemns the public disclosure.
So I put it to you: your opinion on public disclosure of new exploits?
Public disclosure has never been in the best interest of any vendor for a lot of reasons. Firstly, it can be quite costly for them to run around and mop up their mess. Secondly, it can be quite embarassing. Thirdly, its almost always more economical for them to play damage control "condemn the researcher" than to do the right thing.
Let's take a theoretical look at what happens when a vulnerability is submitted to a vendor. Using MS as an example since we're speaking of them, let's go through the motions of submitting a bug. 1) Person in MSRC opens message and asks for more information. (n amount of time) 2) Person in MSRC acts to escalate 3) Other individuals on the team take a look at it. 4) Validation slash replication of exploitation takes place. 5) Buggy code in program investigated 6) Buggy code found and fixed 7) Marketing hype downplaying bug is created/generated
Patch Tuesday (or better depending on the severity of the bug).
I figure my numbers in man hours here... Let's assume it took 2 months to determine what was going on and I use this number based on the following comment from the Daily Dave mailing list:
Shows how well that "responsible" disclosure is working out:
ZDI-CAN-357 Microsoft High 2008-06-25, 720 days ago
ZDI-CAN-527 Microsoft High 2009-07-14, 336 days ago
ZDI-CAN-533 Microsoft High 2009-07-23, 327 days ago
ZDI-CAN-543 Microsoft High 2009-08-06, 313 days ago
ZDI-CAN-599 Microsoft High 2009-10-20, 239 days ago
What's responsible about letting a vendor sit on a serious vulnerability for almost two years?
So two months is generous. Let's suppose 12 people took 2 hours per work week on my personal bug. 24 man hours (salary) per week * 8 weeks (2 months). 192 total hours down the tube so far. Now let's assume all these employees average a salary of $75,000.00 per year which is extremely low if you ask me, but I'm trying to be fair and theoretical here. At that salary divided by 52 weeks they'd make an estimated $1,442.31 per week or 36.06 per hour. $4,615.38 to fix this bug? Highly doubtful... That cost is ENORMOUSLY low but I'll roll with it anyway. So we have a loss of $4,615.38 multiplied by how many bugs per year here? At my rock-bottom prices, ZDI disclosed 18 advisories to date for MS which would total $83,076.84 in loss from ZDI alone.
Now be realistic about this, I figure a typical bug to average about $10-20,000.00 in costs to fix and I have read that MS pays to the tune of $1,000,000.00 and up per bug fix in R&D, fixing, pushing out, etc.. So again, if this holds true, my numbers are peanuts (obviously). Let's round things off to 10k per bug found and fixed... Using last year's data (2009):
$ wget -qO - http://www.microsoft.com/technet/security/advisory/archive.mspx|awk '/Microsoft Security Advisory \(/ && /2009/'|wc -l
At this rate, (10k per fix) MS just threw out $230,000.00 on bugs alone which is peanuts in comparison to their earning. Now much would you like to bet that the actual number for 2009 was probably 20x more? Remember, my numbers are ONLY
based on exploit(ed)able issues. Imagine how much MS spends on investigating issues that don't produce results (false positives). So what do you think works better for companies like MS... Spending some marketing time downplaying security as a whole and security research and the researchers. Or actually providing fixes and or good code.Business as usual
dot dot dot Because businesses are in the business to (*drum roll*) make money, you have to understand the potential economic impact of a security hole being discovered and disclosed. For Microsoft, they're in the business to make money not throw it away so it boils down to damage control. If the bug triggers shaky confidence in Microsoft's stock a one percent drop means MS loses $2,310,540,000.00 at this moment based on its market cap. So you tell me, what would make more sense financially for you if you were in a business manager's shoes?