Microsoft has explained its rationale for quietly fixing some security vulnerabilities without issuing an associated bulletin. Such "silent updates" have been happening for years, but have escaped much notice outside the small community of reverse engineers. Normally the bugs in question are close relatives of disclosed …
IMO that's fair enough
Not often I agree with Redmond, but for bugs that have been found internally, just fix them!
That's why we all should keep up to date with our patches. The patching process exists to fix both publicly known bugs and internally identified bugs.
Why disclose a security vulnerability that you've already fixed? All that does is expose people who haven't patched yet.
It also ties up your internal developers with the job of constantly documenting every fix in the public domain, reducing the amount of time they can spend actually FIXING stuff.
As long as ...
... they don't then use the figures to claim their software is more secure than it is, as Grease Monkey points out below.
This is fine on paper. But with Microsoft, it's all in the practice.
The issue is
If they fix an internally located bug but introduce another problem in doing so.
True, but that's a risk fixing all bugs. Disclosure doesn't make my bug fixes better or worse and I can't see why that's any different for MS.
"We don't have to tell you because it's not a 'publicly disclosed' flaw"
Oh yeah....that's who I trust behind my OS....
Who does the disclosING???
For MS to publicly disclose internally fixed security issues would be irresponsible in a BIG way.
Imagine they fix a bug and then disclose it so the black hats can exploit the unpatched fool's systems.
whoever finds the flaw.
When a researcher finds a flaw and chooses to report it privately to Microsoft, then it's not a publicly disclosed flaw. It's really quite simple.
So what is the fuss here?
Every software company does this.
'Showstoppers' and publicly reported bugs tend to get stated as 'fixed' in updates, for obvious reasons.
But do you really expect every software company to publish their entire bugtracker database at each release?
Even if they did, many of these kinds of things don't even get into the bugtracker at all anyway, they only appear as notes in the commit log - the programmer fixes the reported bug, and notices something else that's going to cause issues later on. So they fix the bug, commit, then fix the other thing as well, commit. The 'related' issue probably never goes into bugtracker.
While that's probably a bad habit, it happens.
You have to wonder what else is going on in the background without disclosure.
I love a conspiracy theory as much as the next man (though, obviously, not as much as many around here) but come on people. If MS were to publicise bugs as and when they published the patches they could be advertising attack surfaces before anyone has had a chance to patch them.
How stupid would that be?
Umbongo tells all.
10.4LTS had half a dozen or so updates for me this morning. All fully listed, with links to the particular bug / vuln.
Just saying. :o)
Re: Just Saying
That's the same as Microsoft then.
The point of the article is that an updates might also contain fixes for stuff that isn't listed. Without reverse engineering, who knows?
In fact, it is possible that, in fixing a bug, a developer might tidy up the code to such an extent that bugs are fixed which are not known at the time and which (now they are fixed) never ever become known to anyone.
You're sure that the people who made the changes to the source code didn't change anything else when they were fixing the bugs that had been identified? I mean, really sure, you've checked the source and know exactly how it works, compared before and after versions?
So bearing in mind how many MS bugs we've known about in the past, how many more were fixed silently? Does that make a further mockery of some of the "Linux - Get the Facts" campaign that they ran a few years back?
"Microsoft said it is not under any obligation to add the silent bugs to the database because the index is restricted to publicly disclosed flaws. Security bugs discovered during internal testing are not included in this category."
It doesn't seem long since MS published a comparison between Windows and Linux which claimed to show that Linux had more vulnerabilities than Windows. Now there were a number of problems with this report. The largest of which at the time was said to be that many of the Linux vulnerabilities were actually application vulnerabilities and nothing to do with Linux. So in other words they were comparing apples with oranges.
It seems however that there was a much bigger lie in the report. Flaws in Linux are all public since it is open source, but if MS are telling us that they think it's OK for them not to disclose all of their vulnerabilities then that report was actually comparing an empty apple crate with a box full of oranges.
"Flaws in Linux are all public since it is open source, but if MS are telling us that they think it's OK for them not to disclose all of their vulnerabilities then that report was actually comparing an empty apple crate with a box full of oranges."
I think it's OK not to disclose bugs which weren't publicly known, otherwise we (developers) would be mostly documenting changes we made, instead of writing damn thing (and still deal with documentation). But I also agree that said report was indeed comparing apples to oranges. While I think not all fixes are documented in OS projects, the rules are different so the comparison is not valid, as you correctly stated.
Re: Bronek Kozicki
Every project I've ever seen includes a description with every commit.
Some projects require EVERY change to be peer reviewed (to the point that project founders are not even permitted to contribute code without review).
Err where did they say they are not documented?
They just don't release it the the public.
No different to nearly every other software vendor.
Why tell us?
How about this example:
"Should I install this patch or not?. Especially given that there is always a risk of it breaking something, and to be sure I have to do a lot of testing first!
Oh it says here it just updates the fonts you can use in Outlook Express, and we don't even have that installed, so we won't install that patch..."
Re: Should I install this patch or not?
"Especially given that there is always a risk of it breaking something, and to be sure I have to do a lot of testing first!"
The average user does no testing and does not get sufficiently badly burned to actually notice, which means they aren't getting very burned at all. The sys-admins here may have war stories, but a high-nines percentage of Windows users get by with the system set to automatically install all critical patches.
The paranoid user (probably a sys-admin for a medium-to-large company) is already testing, because they *already* take the view that a verbal description of the intended consequences of the patch just isn't good enough.
Both sets of users, for their own situations, are probably right. I don't see that Microsoft's "admission" actually changes the chain of logic for either group.
A bit off
What they're talking about is noticing a bug in the system that they're fixing, which hasn't already been identified, so your example would be more along the lines of a second problem being found in the Outlook Express fonts while the first was being fixed and both of them being rolled up into the same fix. Not like fixing the HAL when Outlook Express had a fault.
There seems to be an overabundance of Windoze lovers on here today!!!
QUICK!!! How many thumbs down can I get on this one?
simple really and parochial
You have a whole lot of worthless scared MCSEs praying they can make it to retirement without ever using the command line. Repeat after me point and click, *nix is evil, must always downvote.
@asdf - Have you seen the comments on WP7?
Also, I know just as many UNIX/Linux guys who are terrified of Windows as I do Windows guys who are scared of UNIX/Linux. I also know quite a few UNIX guys who spend a lot of time slagging off Linux. Don't even get started on Mainframe and Minicomputer guys...
It's human nature, particularly in IT people are shit scared of change. Which is odd, considering how fast moving IT is.
Oh and very good luck in even getting an MCSE without using the command line.
i had to give you one
just so you wouldn't look like too big of a fool.
I agree. Lots of uncharacteristic thumbs down. Am thinking MS is giving their staff Reg accounts for marketing purposes. That or rampant MS Fanboi. Whodathunkit?
(Back of hand on forehead) Whatever will I do with all these down arrows? I shall be socially ostracized! Forced to lower my gaze when walking on the streets! The shame; the embarrassment!!!! Oh no...!
MS published a study a while back saying Linux has more bugs than windows, although all Linux bugs are publicly disclosed while MS often do not disclose bug details...
Also by not providing detailed information about exactly what a patch fixes, how are you supposed to do a valid risk assessment? A patch might declare it fixes a bug which you arent vulnerable too for some other reason, while not stating that it also fixes one you are vulnerable to... Many organisations use this information to decide if the risk/cost of patching is worth it. Also the stated vuln might be low level or extremely hard to exploit, while the undisclosed bug is critical.
Hackers will quickly reverse engineer patches to determine what they change, and from there can usually work out what bug was fixed sufficient to write an exploit.
It's just a PR move
If Microsoft disclosed ALL of the bugs they fixed, you'd realize that their software quality is even worse than you thought.
I love bashing M$ but their code quality is actually better than some other crap vendors out there like Adobe. Yes they mostly brainwash fresh outs with the M$ way but most of their really stupid mistakes where architecture design mistakes made to please the marketing wonks (deeply embedding IE into every OS they ship for example).
Oh My God
Woah, hang on there! You mean to tell me that the Microsoft Product I purchased as new contains faults and design flaws? I don't believe you. There is no way that Steve Ballmer would allow his brilliant technicians to release an incompletely tested product.
I think you misunderstand Microsoft's press release. They must refer to minor feature enhancements. It is very considerate of them to add these enhanced features quietly so as to avoid worrying their highly valued customers. I'm really impressed when they manage to improve on their previously "best ever" products.
So you're trying to imply bias by calling people "Winlovers" ? There is an unknown security flaw. Which response is most useful: to (a) Fix It. (b) Fix it and announce to the world the existence of the flaw before most people have a chance to apply the fix?
Honestly, it is possible to agree with something because it is right, instead of because you're a "Winlover". And saying someone likes an OS is not, in itself, a sign of bias on their part. Maybe, you know, they just like the OS. Windows 7 is a delight to use in many ways.
BUT what about the user's rights to know what is going on with THEIR computer and THEIR data?
Oh, I forgot, they all agreed to the EULA, meaning they have no rights, and the Redmond boys and girls can monkey around all they want with their software. That's the beauty of it. Even if they screw up their latest band-aid "security patch", they can usually blame it on the huge plague of w32 and w64 Windows viruses circulating in the wild, OR on some "weakness" in another manufacturer's software.
Actually, this kind of makes me glad I run Linux.
It's not acceptable, it is about change management.
It is MY computer, I have to know what is happening to it.
I've worked production support on applications the same size as windows. When a user called to log a complaint, the first thing we did was check the change log to find out if any recent changes had been made to the code associated with the the problem log. Why, because "new" code is more likely to be "buggie" or have unexpected interactions than code that has been running for a while.
When MS "sneaks" a patch in without notifying me, I can't properly troubleshoot when there is a problem. The fix to my problem may simply be to roll back the last update, but because I don't know about the change, I can't do that so I end up wasting a lot of time trying to track down the problem in other places.
It's my machine, I know I only "license", not own, the Windows software, but I do have the right to know what is being done to the software running on my machine.
Why are we still having this discussion 50 years later!?!?!?
Any "Security Professional" worth their salt will tell you NOT publicly disclosing security fixes for what they are and the impacts of exploitation is INCREDIBLY irresponsible!
If you silently patch I don't know that it's a patch I need to secure my system/network.
If you silently patch I don't know there WAS a problem that I may need to search for on any of my systems/network
If you silently patch how can I review my security posture / controls?
I paid/pay for your product, if you find a problem with it don't you have a responsibility to inform me?
The fallacy of protecting users by not disclosing security holes is just that. You are all assuming that no one else found this vulnerability first. Review the last 50 years of security history to see how that assumption plays out.
Disclaimer: I am not a Windows hater. I do not run Windows on my own systems, but I do work on it and I am responsible (among other things) for reviewing the security bulletins MS releases for a network of over 25,000 windows systems.
I am obviously also not saying that you HAVE to provide full working exploits or the information to create them with your disclosure.
The fail is for the security industry.... if we can't get basic messages like these out and understood... well...
- Vid Hubble 'scope snaps 200,000-ton chunky crumble conundrum
- Bugger the jetpack, where's my 21st-century Psion?
- Windows 8.1 Update 1 spewed online a MONTH early – by Microsoft
- Something for the Weekend, Sir? Why can’t I walk past Maplin without buying stuff I don’t need?
- Review 'Mommy got me an UltraVibe Pleasure 2000 for Xmas!' South Park: Stick of Truth