By Seth Ross
Imagine this dilemma: You know that the company you work for is
shipping a popular product that contains a dangerous problem. There
are hundreds of millions of dollars of revenue on the line and only
a handful of people outside the company who know about the problem.
Do you inform your customers about the problem -- thereby letting
them make an informed decision about whether to continue to use
a dangerous product -- or do you keep them in the dark until
you have a fix?
For many people, this would be an ethical test. For Microsoft,
it's business as usual: you maintain secrecy. Last October, independent
computer security researchers discovered and reported to Microsoft
a major vulnerability in Windows XP that allows a remote attacker
to gain full control over a machine running Microsoft's newest operating
system. Rather than promptly notifying customers, Microsoft waited
two months before releasing a security advisory and a patch. The
defect -- originally discovered by eEye Digital Security --
is in Microsoft's Universal Plug and Play (UPnP) facility.
If you are running Windows XP and have not installed the patch,
you need to close the UPnP hole as soon as possible. Here's a link
to Microsoft's belated bulletin: http://www.microsoft.com/technet/security/bulletin/MS01-059.asp
and here is a link to eEye's report: http://www.eeye.com/html/Research/Advisories/AD20011220.html
Microsoft's decision to delay the release of information about
this vulnerability is consonant with the bug secrecy policy articulated
by Scott Culp, the Manager of the Microsoft Security Response Center.
Right around the time that the UPnP hole was reported to Microsoft
by eEye, Culp released a landmark essay entitled "It's Time to End
Information Anarchy". In his essay, Culp blasts the computer security
community -- which by and large practices full disclosure when
reporting security defects -- for publishing too much detail about
software vulnerabilities and for publishing before the software's
makers have had sufficient time to distribute a fix. He accuses
security researchers of propagating "information anarchy" by "deliberately
publishing explicit, step-by-step instructions for exploiting security
vulnerabilities, without regard for how the information may be used."
You can find the essay at http://www.microsoft.com/technet/columns/security/noarch.asp
While reputable computer security practitioners would be likely
to agree that publishing exploit code is irresponsible, Microsoft
is interested in suppressing any public discussions of vulnerabilities.
The company is now pushing for embargoes on third party security
alerts in order to provide time for fixes. Microsoft's certified
security partners must agree to not disclose vulnerabilities they
discover. According to Microsoft's code of conduct, if a security
partner finds a vulnerability:
Microsoft Gold Certified Security Solutions Partners
shall take reasonable steps to ensure that they do not publicly disclose
details that would directly allow an outside party to develop or
execute an attack exploiting the vulnerability.
You can find out more about Microsoft's security solutions program
Clearly, Microsoft has a compelling economic reason for stifling
public discussion of security holes: the company sells and assumes
some liability for hundreds of millions of dollars worth of software
each month. The company would surely like to squelch the endless
stream of reported security problems and deal with them -- or
not -- on its own secretive terms.
But is this best for Microsoft's customers and users? Millions
of users deployed Windows XP between the time eEye found the hole
and Microsoft announced a patch. Most of them probably would have
deployed it anyway. Some, however, surely would have preferred to
hold off until a fix was available.
Last week, Microsoft Chairman Bill Gates sent an email to all
Microsoft employees outlining a major strategy shift for the company,
from a focus on adding more and more features to a focus on security.
In it, he states:
In the past, we've made our software and services more
compelling for users by adding new features and functionality, and
by making our platform richly extensible. We've done a terrific
job at that, but all those great features won't matter unless customers
trust our software. So now, when we face a choice between adding
features and resolving security issues, we need to choose security.
You can read the full text of Gates' email here: http://news.com.com/2009-1001-817210.html
In the email, Gates does NOT address the disclosure issue, so
it's not clear whether Microsoft will back off its "secrecy first"
approach. Overall, it's not clear whether his email is a PR stunt
or whether Gates is serious about re-aligning the company's priorities.
If Gates & Co. are committed, they should give serious consideration
to embracing security through full disclosure rather than security
by obscurity. Microsoft is an extremely important company, and its
customers deserve the full truth right up front, even if it delays
the company's market share growth. A security-focused Microsoft
should embrace the security research community, even as that community
discovers and publicizes embarrassing vulnerabilities.
Here are some links related to the disclosure issue:
Crypto-Gram Newsletter, November 15, 2001, Bruce Schneier http://www.counterpane.com/crypto-gram-0111.html
"Who Needs Hackers? We've Got Microsoft!", Richard Forno http://www.infowarrior.org/articles/2001-15.html
"Security Flaws May Be Pitfall for Microsoft", Joseph Menn http://www.latimes.com/business/la-000003463jan14.story
"Security in an Open Electronic Society", Elias Levy http://www.securityfocus.com/news/270
Here's coverage and commentary on Bill Gates' email:
"Microsoft Announces Strategy Shift", D. Ian Hopper and Ted Bridis
"Will Microsoft's Trustworthy Computing Sell?", Brian McWilliams
NEW SOFTWARE FROM PC GUARDIAN
The software development group here at PC Guardian has been cranking
out the code. In the past couple of weeks, we've released Windows
XP-compatible versions of Encryption Plus(R) Folders, our on-the-fly
encryption program, and Encryption Plus Secure Export, one of our
communications security tools. Both programs come in three varieties:
an enterprise version that supports administrative key recovery,
a single-user version for individuals, and a feature-limited freeware version.
You can find out more about Encryption Plus Folders 5.0 here:
And the enterprise version here: http://www.pcguardian.com/software/folders_e.html
You can find out more about Encryption Plus Secure Export 4.1
And the enterprise version here: http://www.pcguardian.com/software/secure_e.html
To download any of our freeware versions, visit http://www.pcguardian.com/securius_download/