News stories last week discussed a blog entry (at the URL below) by Matthew Murphy of SecuriTeam that hammered Microsoft for what Murphy thinks is a lack of adequate vulnerability disclosure. Murphy's beef with Microsoft relates to Microsoft Security Bulletin MS06-015--Vulnerability in Windows Explorer Could Allow Remote Code Execution. In a nutshell, Murphy wants Microsoft to offer more details about vulnerabilities. (MS06-015 also happens to be the security bulletin that proved to be buggy--an update was due to be released yesterday.)
http://blogs.securiteam.com/index.php/archives/394
Many think that Microsoft's disclosure practices border on the silent fixing of security issues. It's no secret that in the past Microsoft has silently fixed security problems and sometimes has misinformed the public about the ramifications of security problems. Microsoft and many other companies don't like the publicity related to security problems, so they try to keep matters as quiet and calm as possible.
Granted, each company is free to establish its own policies about disclosure and few are forthcoming with complete details in any given instance of vulnerability discovery. For example, Apple silently fixes security problems and rarely if ever releases any substantial details about them. But then people interested in security don't place Apple under the same microscope as Microsoft.
When Microsoft releases a security-related patch, numerous independent researchers go to work to analyze the patch to find everything that's changed in the related files. If they detect anything that isn't documented, the researchers either call Microsoft on the carpet or they keep their mouths shut for any of several reasons, including the ability to exploit the undocumented bugs in systems that don't have the patch installed. Thus the patch could actually aid in the proliferation of malware and increase the overall risk of security breaches.
Of course, Microsoft's disclosure practices have improved over the years, but there's still room for improvement, particularly if the company expects the masses to more fully buy into the Trustworthy Computing ideology.
Again, we're back to the same old issue of disclosure being a double-edged sword. While many businesses and researchers have seen fit to adopt some form of responsible disclosure in terms of timing the release of vulnerability details, another important point of contention remains. Microsoft and other companies argue that too much disclosure creates a more dangerous network environment. But many security researchers contend that not enough disclosure creates a more dangerous network environment. Obviously, the situation calls for balance, and I think there is balance. However, when the balance tips too far toward either perspective, then risk levels increase.
Here's an interesting thought, even if it's only tangentially related: What if software as a service or applications on demand become commonplace? Think of a scenario in which you no longer have an OS and sundry applications installed on your desktops and servers, but instead everything is driven by some hardware-based technology that loads everything from a remote location that you don't control. That would just about put an end to many aspects of security research, security administration, and the disclosure debate, wouldn't it?
