Microsoft still using undercover patches

http://www.h-online.com/security/news/item/Microsoft-still-using-undercover-patches-1190204.html

This confirms my view (expressed in other threads here) that comparing bugs, e.g., in the open source browser Firefox (where all bugs regardless of their severity are published on Bugzilla) and Internet Explorer is equivalent to comparing apples and oranges considering Microsoft's practices.

 

So because they fixed one vulnerability, found another at the same time, fixed that, and didn't publish about it, they are wrong? Lol.

It's bad enough that you have the "insert dumb word here" people from Google broadcasting to the world the details behind exploits without them being patched yet.

The lower the amount of details about exploitation that's in the public the better. It's not like they aren't getting fixed, they ARE. I don't see a reason to give hackers more of a reason to hunt down what was invisibly fixed. You downloaded that security update for a reason, if it fixes more than is described, I'm GLAD!

 

Are on-line media without better things to write about? Who cares if Microsoft patches undisclosed vulnerabilities? I'd give credit to the article if they were in possession of information regarding unpatched and undisclosed vulnerabilities, for a while. Now, this would be some article, uh?

It seems nowadays everything is news or important to be even referenced.

-edit-

This sort of reaction towards Microsoft does remind me of a little thing that took place sometime ago - One of Mozilla's applications (I don't recall if it was Firefox or Thunderbird) making connections unrelated to updates. - It was an user that found it while taking a look at his/her firewall logs. But, that's all OK because it's Firefox and open-sourced software... I wonder what would have happened if it was Microsoft and IE. Hell would come on Earth. lol

 

Where do we get that from?

 

They're vulnerabilities that are being fixed, silent or not. The problem is? Looking for other bugs while they are in there, the problem is? MS is just an easy target, no matter what they do to try to change their ways.

 

@elapsed & m00nbl00d: Thought out thoroughly, you guys obviously think that publishing no bugs and no bug fixing at all is the best way how to deal with them?

BTW: Note that I talked about comparing bugs. I had critisized in the past that in other threads here bugs of various browsers were compared based, e.g., on Secunia advisories. I had argued that it's very problematic to compare an open source product where all bugs are published with a closed source product where you can never know what exactly is patched/published or not. And this news confirms my doubts. And it also ridicules claims by Microsoft Security Director Jeff Jones made in 2009 and also discussed here on Wilders.

 

According to the article you pointed Microsoft still using undercover patches, Microsoft when studying and fixing disclosed vulnerabilities also look for other ones and fix them, without disclosing them.

All I meant was I'd be more worried and would applaud an article showing evidence that Microsoft not only hides such vulnerabilities but also does not patch them. The articles says otherwise: They do patch them, but don't think it's worthy disclosing them to the public. If you look at it, from an attacker's perspective, the more disclosed security vulnerabilities the better, wouldn't you say so?

Again, as I said, I'd be worried if Microsoft knows about xyz vulnerability but doesn't fix it/them.

Sure, for geeks like us, it would be welcome to know about them and have workarounds, but for the general audience it would be far more dangerous than having them undisclosed, because most users have no idea bugs/security bugs exist and that Microsoft even has security bulletins.

It always depends on how you look at it. I try to analyze it from the angle I've shown above.

 

Sure, but why shouldn't they publish the bugs after fixing them? By not doing that they are beautifying their bug statistics, and their security director even uses them for marketing purposes claiming that Microsoft products are safer than others. That's shady.

 

I do understand why you ask shouldn't they publish the bugs after fixing them?, and it would be nice to know which ones were and how they affected security, but from Microsoft's own perspective: They're fixed, no point to make mentions to bugs that no longer exist.

I'm not saying I'm in favor, because it would be nice to know about it, but from the two scenarios, this one isn't worrying because bugs are fixed.

And, this is Microsoft. I guess we could say the same about others (I'm not talking about Mozilla), but non-relevant due to their poor market share. Mozilla wouldn't have much to work with, if wished not to disclose bugs, due to their apps being open-sourced. But, if Mozilla was doing a business like Microsoft and others, you can bet you'd be seeing the same thing.

Life isn't perfect.

 

But bug statistics are an important marketing tool, of course. Beautifying or, more exactly, forging them is unfair competition by Microsoft. Well, really not for the first time in history ...

See, that's why I moved to Linux. BTW: Red Hat as an example is a successful commercial Linux distro, and yet they publish all their bugs. It's a matter of trustworthiness.

 

I am in favor, why document exploits that have been fixed. So the people that don't have the patch yet have another attack vector?

Details behind "IE*" exploits. There have been articles about it posted here on Wilders before.

 

They are, but the way I see it, this all thing about bug statistics is a bit sensationalist. How so? Think about everyone using computers. Now, think about the % of people knowing bugs exist. Now, from these people, think about the % of people knowing there are different kind of bugs, from which I'll make emphasis to security bugs.

If you think about it, this % is very scarce. And, from this scarce % we include geeks and IT staff. I'd say both these species know exactly what something is and what something is not, and that when we're dealing with companies wanting to take a BIG profit out of a business, they aren't always 100% honest.

We're talking about Microsoft. But, why is that? Big market share? Yes. There's no point talking about smaller companies, because the article(s) won't be as sensationalist. Correct? But, the same doesn't mean they're 100% honest about (un)disclosed bugs. Correct? If no one else knows about them, why bother disclosing them? They may also try the opposite approach: Disclose them to show how trustworthy they are. But, the same is not to say if they were a big company they would be doing it/doing it still. What one doesn't know about, one does not complain.

Interesting... and what is Red Hat? Merely a Linux distribution/variant, which includes the common denominator: Linux kernel. Why would they hide what others can find? It would be stupid.

 

Which I totally forgot - a scenario where not every user would have it patched.

 

Keeping security patches secret only helps MS PR. The bad guys can reverse engineer the patches and find all the other bugs that got fixed anyway.
If you don't patch you deserve everything you get.

Which one, please post a link!

 

That's a bit harsh (IMO), considering some people simply don't know any better.

 

Has anyone said it's wrong? That is subjective. It's not as easy as distinguishing between black and white. Or grey if we want to be funny.

I see it to the contrary. Such details need to be disclosed at 1 point or another...the key question being 'when'? IMO, if they're not yet patched and remains as a possible attack vector, then having it disclosed can do some good. For some, it may be helpful not to disclose it at the earliest stages to prevent abuse but if the insiders can't find a way to close the gap/hole or if they're taking way too much time to do so, then letting the info out may be a necessary evil so to say...as in the other good guys not working for the company can take a look and try to come up with ways.

If those details are enough to guide the less skilled hackers hat are unaware of them, then sure - it is 'better' not to disclose them in the public so that the risk of it being abused is minimized to an extent.

However, we must bear in mind the bigger players in town won't wait for such details to actually make use of them later on...they'd have the skills and knowledge to uncover these for themselves.

The way I see it is that chances of hiding these details dampening the spirit of the bad guys is less than of it affecting the 'good guys'....

I agree but that's the nature of the beast so to say.

To be honest, I don't usually care either and I don't think most users would mind them patching it. However, some may be concerned and would appreciate that at the very least, MS could have disclose it after the fact/fix. Just because we don't care doesn't mean others don't have the right to.

You've got a valid point there. In my eyes, it's only a matter of how paranoid you are in regards to trusting the companies of software that you''re using.

Some argue for 'open-source' while others argue against it and prefer 'closed-source'. At most times, the 2 sides of the camp fail to see eye to eye on the matter and insist that only their way is right while the other is dumb.

I say bollocks. Open source or not - at 1 point or another, one just have got to learn to trust. Let me be clear that I am not a proponent of the Trusted Computing concept - it's a good idea, but I don't see it as perfect either. What I'm saying is one ought to define a balance.

No doubts they are but to be fair, so do the rest. Even GNU/Linux, Apple, Adobe, Mozilla, Google are all easy targets of journalists, bloggers, techies, fanboys and the likes...

Why? So that those who do not have the patch (for whatever reasons) know that they're risking something and may take other measures to prevent it. I'm not saying everyone does this or find the need to do so but is it fair to ignore the existence of such groups of users?

And for the sake of argument, even if one assumes that it isn't documented for the better sake of mankind, what is there to guarantee that the malware authors are not aware of it? In a battle, it is wise to never ever underestimate the opponent.

While I believe that patches are a great asset of avoidance, as in they help to minimize known 'holes'...I don't see it as a panacea. Whether or not you "deserve everything you get" - that depends on the context.

I tend to favor these 2 articles (although I don't necessarily agree with everything stated):

Software Makers Should Take Responsibility
What Sun Tzu Would Say

 

I think we'd all agree that patching itself is a flawed model.
But that's what we got, what we are stuck with for the foreseeable future and especially what we have to deal with when using an ease of use/consumer oriented OS.

The other thing we have to keep in mind is that while theoretically the concept is really that stupid in real life it works out pretty well.
The serious 0day attacks don't happen on a scale we mere desktop users have to worry about. What we deal with are automated and therefore publicly known attacks. They aren't clever or scary or anything and patching among other things takes care of that so well that we'll probably be stuck with it forever.

If you are in the mood for some full disclosure (i.e. unmoderated...) mailing list discussion: http://seclists.org/fulldisclosure/2011/Jan/index.html#113

There's another link I'd like to post about the "bad, bad Google guys" elapsed brought up. But I'd love to hear from him who he's talking about first.

 

I'm just going to be blatantly honest here, I'm far too lazy to do that for you.

I'm sure there are millions of users who don't even know what a patch is nvm being in the know of an active exploit they are vulnerable to. Many uneducated users just trust their AV to keep them protected and will simply turn off WU as a pest. The way you state it makes it seem that publishing makes people aware they need to patch, where as in general educated users will patch when there is one. If you change that to the context of this thread, where people are patching for one thing, and also being patched for another, how would knowing X patch you installed also patched Y vulnerability? Or that fact that you need to install patch X to fix public exploit X, but will also fix private exploit Y. If you know it fixes public exploit X chances are you want it already.

 

Well, then I hope it wasn't about Tavis Ormandy.

http://seclists.org/dailydave/2010/q2/58

Full disclosure is a good thing. It needs to be done in a way that is "responsible" but it's invaluable as a serious incentive for any lazy developer who simply ignores exploits as long as they aren't publicly exploited in the wild. The end result is always about improving the security of the users and decreasing what exclusive knowledge the bad guys can misuse and trade. Oh, and a bit of ridicule for the developer. It's just fair considering they care more about PR than the security of their users. (It's never because of lack of time/manpower/testing, once fully disclosured they suddenly have a fix ready in no time).

 

I'll agree on this. Patching is in most cases necessary and gives a peace of mind for most users, myself included. That's why I do my updates because first and foremost, I can. Secondly, I find that generally they do more good than harm for me. (rarely encounter problems with updates) I don't go around telling everyone not to do updates either.

Anyway, let me clear myself up on this: I didn't disagree with you earlier on. I just find the specific choice of words you used to be quite disturbing...

"If you don't patch you deserve everything you get"

I think the statement puts too high a pressure on users to update just because 'that's the right thing' - without regarding the situation that users may face when it comes to updates.

Some (heck, I'd say majority) users find updates a hassle, and some encounter problems doing updates. Is it their fault? Hardly. Others don't have the budget to upgrade their OS and hence may be left out on certain "patches" (no more support for e.g.) Again, is it their fault?

To say these 2 words 'deserves' and 'everything' in a single line needs to be weighed in with a higher degree of consideration IMO.

That triggered me to reply and hence, provide the 2 links to tell a different side of the story. It wasn't meant to disagree with your views but to point out my view that the term 'updating' can be over-rated at times and that it's not always the user's fault.

You're right. No amount of publishing can convince users to do their updates if they insist not to. But you're speaking in the context of uneducated users that know no better.

On the other hand, there are responsible educated users who can't afford to wait for (in cases where MS is 'slow' in releasing a patch) or install the released patch from MS (there can be many reasons for this **) BUT are still willing to do something about it. Here are a few examples I can think of atm:

a) apply a workaround

E.g. New workaround included in Security Advisory 2488013
-http://www.ghacks.net/2010/07/17/windows-shell-vulnerability-fix-inside/-

b) find an alternative means of 'patching' their system against the possibility of being affected by that vulnerability

E.g. Mitigating .LNK Exploitation With Ariad

c) evaluate their current security design/setup to see if they're sufficiently protected (be it with built-in tools or with 3rd-party software)

d) evaluate the likelihood or risk of the specific vulnerability affecting them

** E.g. incompatibility with the system (or specific 3rd-party software), a practice of not doing updates at the earliest (some Admins prefer to wait for a cumulative release of updates or Service Pack), etc etc

 

I admin what I said was clearly flamebait...
But let's face it, if you don't apply patches although you understand the implications you can't be surprised if things go wrong. It's 100% your fault and you deserve no sympathy if you come whining to anyone.
If you don't know what you are doing you can't be helped if you go out of your way and actively disable updates and override all warnings.

That's in response to Microsoft and other vendors that make patching easy and automated, most browser vendors do the same.
Other software vendors may make it very difficult for the end users. They don't autoupdate, sometimes they don't even notify their users. With those I put all the blame on their security and user experience teams.