posted by steve | Category: Microsoft & Closed Source |
Folks out of Redmond have been talking more than normal about the advantages of Microsoft’s security and track record. Witness the statements from Microsoft’s Chief of Security in this article in Information Week and Bill Gates himself speaking about security in an interview with the BBC. With these statements in mind, a reader might assume that Microsoft is responding to vulnerabilities quickly in order to ensure that their customers are protected. However, a cursory glance at two Microsoft-related security disclosures this week reveals that, for all of the rhetoric, Microsoft is very slow to respond to critical vulnerabilities. It appears that Microsoft is merely controlling the information rather than controlling the security vulnerabilities and protecting their customers.
One such critical vulnerability allows an attacker to craft a URL that, when viewed with Internet Explorer, is rendered at the security level of the “Local” zone, which has much less protection than the other zones in Internet Explorer’s protection scheme. More details on this vulnerability are located in this post to the Bugtraq mailing list. While the vulnerability itself isn’t the issue here, the length of time until the fix was released is certainly cause for concern. According to the post, Microsoft was informed of the vulnerability on February 16, 2004, nearly one year ago. It took until September for an initial fix to be released for testing, and that fix didn’t even solve the problem. Only this week was the patch released to the public.
Microsoft classified this vulnerability as critical yet sat on the information for nearly a year. The only people who have known about this vulnerability for the last 12 months are Microsoft, the person who disclosed the vulnerability, and any malicious user anywhere in the world who found it independently. Microsoft merely controlled the information while leaving the general public at risk of having this critical vulnerability exploited on unwitting users’ computers.
The “MSN Messenger PNG Image Parsing Vulnerability” disclosed this week by Core Security is another example of an unacceptable delay in disclosing the vulnerability and providing a fix. Microsoft was originally informed of this critical vulnerability on August 23, 2004, yet a fix wasn’t released until February 8, 2005.
As with the Internet Explorer flaw, Microsoft classified the MSN Messenger vulnerability as critical yet took nearly 6 months to release a fix. While this vulnerability doesn’t affect as many users as the Internet Explorer vulnerability, it’s still important to fix this flaw in a timely manner. Again, the only people who knew about the vulnerability were Microsoft, the discoverer, and anyone else in the world who also discovered the vulnerability but didn’t report it.
Contrast Microsoft’s policy of information control rather than vulnerability control with any given Linux vendor’s policy of open information and rapid release of fixes. Many vulnerabilities for Linux systems are fixed the same day that they are disclosed. In addition, Linux vendors frequently fix third-party software packages that can be installed on their systems. That would be akin to Microsoft releasing fixes for software like Winamp or Real Player.
It’s time for Microsoft to devote more attention to providing timely fixes for their software and less time telling us how good they are at security.
[UPDATE: 2/15/2005]
I received a couple of e-mail comments from readers of the above story who pointed out that Microsoft’s delay in producing patches for these and other vulnerabilities is caused by the sheer complexity of producing patches for their software. Microsoft cannot simply patch the vulnerability and release the patch to the public; much testing needs to be done in order to ensure that the patch doesn’t create unforeseen problems with other software.
Testing is a reason for a delay in releasing a patch, but it’s certainly not Microsoft’s reason. How quickly we forget the re-release of patches because of “unexpected consequences”. I should also hope that any testing performed on a patch doesn’t take a year, which was the length of time between the latest Internet Explorer vulnerability report and the patch being released to the public.
If complexity is the reason for the delay in releasing a patch, then Microsoft has indeed learned nothing from their repeated attempts to improve security and it only furthers my point that Microsoft truly does not understand computer security. Complexity is the enemy of security. If the software is sufficiently complex as to cause a months-long delay in fixing a critical vulnerability then it’s time to solve the root problem rather than merely and continually treating the symptoms.