# Friday, 17 July 2009
Responsible Disclosure, Irresponsible Patching?

In December 2006 I reported a critical .NET security vulnerability to Microsoft. When I found the issue it had already been fixed in Vista, but it still took them until July 2007 to release a fix for XP. Seven months, I thought that was pretty bad.

In September 2008 I reported another critical .NET security vulnerability to Microsoft. The fix for this issue was trivial and made it into the subsequent Silverlight 2.0 RTM on October 13th. This week the July patches were released and for the tenth month there is no security bulletin about this issue.

Wednesday I mailed the Microsoft Security Response Center to ask what the status is. I received no reply.

So I decided to investigate. I quickly discovered that my main (Vista) system was already patched (!). After some digging I found that on XP, Windows Update offers KB951847 which contains a fix.

The KB article makes no mention of any security fixes, nor is there a corresponding security bulletin.

If this is Microsoft's idea of responsible disclosure, then maybe I should also apply my "no Microsoft bug filing" policy to security issues.

Friday, 17 July 2009 10:37:40 (W. Europe Daylight Time, UTC+02:00)
Friday, 17 July 2009 15:55:14 (W. Europe Daylight Time, UTC+02:00)
John, 1st off, IKVM is the most powerful interoperability solution in existence, period!!! Is there a mailing list or users-group for IKVM?

With regards to the survey, I clicked 'no', though I can certainly understand why so many people chose yes.

In general we need to be careful about publishing info on vulnerabilities. Even if Microsoft has exercised bad judgment, we must ask if publishing this info will improve the situation, or make it worse.

But obviously, only you can answer this question. Without knowing all the details, I can only speculate.
turtlewax
Saturday, 18 July 2009 09:25:34 (W. Europe Daylight Time, UTC+02:00)
Thanks for your comment and praise.

You (and everyone else ;-)) are welcome on the ikvm-developers mailing list (https://lists.sourceforge.net/lists/listinfo/ikvm-developers). Even though it is named ikvm-developers, it is also for developers using ikvm; since the list is so low traffic, it doesn't make sense to have two lists.
Sunday, 19 July 2009 09:51:49 (W. Europe Daylight Time, UTC+02:00)
I had to google the answer to your Anti-Spam Question before I could post this comment. What's up with that?

Anyway, I wanted to comment about Microsoft's reaction to your bug-reports.

You are not the only one in the boat. Many people are getting the same treatment from MS for reporting bugs and issues.

I have programmed on .NET for 4 years; then one day I really got sick and tired of all the heartache and frustrations and moved over to community-based open source platforms, where everything is discussed in the open, and people are not ashamed of bugs and security holes.

I suggest you do the same. You are wasting your precious time on the wrong platform.
Anonymous
Wednesday, 22 July 2009 11:35:06 (W. Europe Daylight Time, UTC+02:00)
Yeah, no surprises there. Microsoft's bad reputation for security doesn't just come from the number of security bugs (impressive though it is) or their stupid ideas like ActiveX. It also comes from the way they handle security bugs when they're reported or (worse still) discovered internally.

Typical behaviours include, as you've found, long delays in releasing patches (sometimes years) and a tendency to not mention some or all of the security issues that a patch fixes in the release notes. This generally seems to be worse for internally-discovered stuff which no-one is going to embarrass them over, and better for stuff reported by security researchers.

If you've ever seen articles about how the number of security issues in Microsoft software is better than open source software, this is a big reason why. They all compare the number of security vulnerabilities that have been publicly reported, which usually also means only the ones that have been fixed.
makomk