Securius Newsletter

January 22, 2002
Volume 3, Number 1
http://www.securius.com

Windows EXPloitable

By Seth Ross

Imagine this dilemma: You know that the company you work for is shipping a popular product that contains a dangerous problem. There are hundreds of millions of dollars of revenue on the line and only a handful of people outside the company who know about the problem. Do you inform your customers about the problem -- thereby letting them make an informed decision about whether to continue to use a dangerous product — or do you keep them in the dark until you have a fix?

For many people, this would be an ethical test. For Microsoft, it's business as usual: you maintain secrecy. Last October, independent computer security researchers discovered and reported to Microsoft a major vulnerability in Windows XP that allows a remote attacker to gain full control over a machine running Microsoft's newest operating system. Rather than promptly notifying customers, Microsoft waited two months before releasing a security advisory and a patch. The defect -- originally discovered by eEye Digital Security — is in Microsoft's Universal Plug and Play (UPnP) facility.

If you are running Windows XP and have not installed the patch, you need to close the UPnP hole as soon as possible. Here's a link to Microsoft's belated bulletin: http://www.microsoft.com/technet/security/bulletin/MS01-059.asp and here is a link to eEye's report: http://www.eeye.com/html/Research/Advisories/AD20011220.html

Microsoft's decision to delay the release of information about this vulnerability is consonant with the bug secrecy policy articulated by Scott Culp, the Manager of the Microsoft Security Response Center. Right around the time that the UPnP hole was reported to Microsoft by eEye, Culp released a landmark essay entitled "It's Time to End Information Anarchy". In his essay, Culp blasts the computer security community — which by and large practices full disclosure when reporting security defects -- for publishing too much detail about software vulnerabilities and for publishing before the software's makers have had sufficient time to distribute a fix. He accuses security researchers of propagating "information anarchy" by "deliberately publishing explicit, step-by-step instructions for exploiting security vulnerabilities, without regard for how the information may be used." You can find the essay at http://www.microsoft.com/technet/columns/security/noarch.asp

While reputable computer security practitioners would be likely to agree that publishing exploit code is irresponsible, Microsoft is interested in suppressing any public discussions of vulnerabilities. The company is now pushing for embargoes on third party security alerts in order to provide time for fixes. Microsoft's certified security partners must agree to not disclose vulnerabilities they discover. According to Microsoft's code of conduct, if a security partner finds a vulnerability:

Microsoft Gold Certified Security Solutions Partners shall take easonable steps to ensure that they do not publicly disclose details that would directly allow an outside party to develop or execute an attack exploiting the vulnerability.
You can find out more about Microsoft's security solutions program at http://www.microsoft.com/partner/partnering/goldcertifiedoverview/ gold_sec.asp

Clearly, Microsoft has a compelling economic reason for stifling public discussion of security holes: the company sells and assumes some liability for hundreds of millions of dollars worth of software each month. The company would surely like to squelch the endless stream of reported security problems and deal with them — or not — on its own secretive terms.

But is this best for Microsoft's customers and users? Millions of users deployed Windows XP between the time eEye found the hole and Microsoft announced a patch. Most of them probably would have deployed it anyway. Some, however, surely would have preferred to hold off until a fix was available.

Last week, Microsoft Chairman Bill Gates sent an email to all Microsoft employees outlining a major strategy shift for the company, from a focus on adding more and more features to a focus on security. In it, he states:

In the past, we've made our software and services more compelling for users by adding new features and functionality, and by making our platform richly extensible. We've done a terrific job at that, but all those great features won't matter unless customers trust our software. So now, when we face a choice between adding features and resolving security issues, we need to choose security.
You can read the full text of Gates' email here: http://news.com.com/2009-1001-817210.html

In the email, Gates does NOT address the disclosure issue, so it's not clear whether Microsoft will back off its "secrecy first" approach. Overall, it's not clear whether his email is a PR stunt or whether Gates is serious about re-aligning the company's priorities.

If Gates & Co. are committed, they should give serious consideration to embracing security through full disclosure rather than security by obscurity. Microsoft is an extremely important company, and its customers deserve the full truth right up front, even if it delays the company's market share growth. A security-focused Microsoft should embrace the security research community, even as that community discovers and publicizes embarrassing vulnerabilities.

Here are some links related to the disclosure issue:

Crypto-Gram Newsletter, November 15, 2001, Bruce Schneier http://www.counterpane.com/crypto-gram-0111.html

"Who Needs Hackers? We've Got Microsoft!", Richard Forno http://www.infowarrior.org/articles/2001-15.html

"Security Flaws May Be Pitfall for Microsoft", Joseph Menn http://www.latimes.com/business/la-000003463jan14.story

"Security in an Open Electronic Society", Elias Levy http://www.securityfocus.com/news/270

Here's coverage and commentary on Bill Gates' email:

"Microsoft Announces Strategy Shift", D. Ian Hopper and Ted Bridis http://dailynews.yahoo.com/h/ap/20020117/tc/microsoft_19.html

"Will Microsoft's Trustworthy Computing Sell?", Brian McWilliams http://www.securityfocus.com/news/310

NEW SOFTWARE FROM PC GUARDIAN
The software development group here at PC Guardian has been cranking out the code. In the past couple of weeks, we've released Windows XP-compatible versions of Encryption Plus(R) Folders, our on-the-fly encryption program, and Encryption Plus Secure Export, one of our communications security tools. Both programs come in three varieties: an enterprise version that supports administrative key recovery, a single-user version for individuals, and a feature-limited freeware version.

You can find out more about Encryption Plus Folders 5.0 here: http://www.pcguardian.com/software/folder_s.html

And the enterprise version here: http://www.pcguardian.com/software/folders_e.html

You can find out more about Encryption Plus Secure Export 4.1 here: http://www.pcguardian.com/software/secure_s.html

And the enterprise version here: http://www.pcguardian.com/software/secure_e.html

To download any of our freeware versions, visit http://www.pcguardian.com/securius_download/



Subscribe to the Securius Newsletter
Please enter your email address:



Securius.com is a service of GuardianEdge Technologies.
Copyright © 2006 GuardianEdge. All rights reserved.
We will not share your personal information with third parties.
Nor will we contact you without your permission.