  Skeletons in Microsoft’s Patch Day closet
Time: 00:02 EST/05:02 GMT | News Source: ZDNet | Posted By: Kenneth van Surksum

Last Tuesday, when Microsoft released the MS07-030 bulletin to fix a remote code execution hole in Visio, the first line in the executive summary caught my attention:

This important update resolves two privately reported vulnerabilities in addition to other security issues identified during the course of the investigation. (emphasis mine)

This is the first time I’ve seen Microsoft prominently admit to silently fixing vulnerabilities in its bulletins — a controversial practice that effectively reduces the number of publicly documented bug fixes (for those keeping count) and affects patch management/deployment decisions.

#1 By 12071 at 6/21/2007 7:59:06 AM
What? Microsoft not announcing vulnerabilities to keep their public bug numbers down? Tell me it's not so! *shock* *horror* As if they would ever do that!

#2 By 15406 at 6/21/2007 8:10:03 AM
This is news like 'Dog Bites Man' is news. MS has done this before and will do it again. I wonder if the apologists will rush in and tell us it's because MS doesn't want to run out of incident numbers.

#3 By 23275 at 6/21/2007 8:16:30 AM
There's definitely a legit scrub here - for admins evaluating the risks associated with bugs and thinking that "that" is all there is - when there could very well be additional bugs that would leave otherwise unknown vulns. exposed to those creating exploits.

Patching in our place starts early each "patch tuesday" - it is always a long day/night. It takes about every hand and it still takes hours. We're glad that there is a schedule and even more so for patch management systems; however, we've always assumed that there was more to it than reported. This leaves very little time for testing, which we jump on as soon as patches are made available for review. From there we have just a few hours before we begin to deploy patches and work until complete - not wanting to risk any hole in either reported, or unreported patches.

#4 By 13030 at 6/21/2007 9:30:29 AM
Good points by all. Obscurity is never a substitute for security.

By not detailing the "other security issues identified", this patch becomes a bit of a double-edged sword. You want to be patched, but how might these two mystery fixes affect your systems and dependent applications? I'm sure the specifics can be obtained through our Microsoft contacts, but this is not a good practice to get into.

#5 By 32132 at 6/21/2007 10:25:53 AM
Good for Microsoft.

If they come across other bugs while fixing a product, of course they should fix it.

I understand how some of the Microsoft haters would prefer that Microsoft not patch it and release some exploit code so people who don't patch are vulnerable (the standard method for haters). I prefer that they fix the bugs.

#6 By 13030 at 6/21/2007 12:07:38 PM
#5, Your alternate reality generator malfunctioned this morning. We all agree that bugs should be promptly fixed--duh! We do not agree with Microsoft deciding to keep the specific fixes a mystery--that's bad for anyone who has to develop, maintain and patch critical, integrated IT systems.

#7 By 15406 at 6/21/2007 12:21:49 PM
#6: But those are things even a junior sys-admin knows. Anyone who doesn't know that is either an incompetent sys-admin or a poser. One of the two. Obviously, the hackers will use diff tools to find the weakness, so hiding the issue can only be for PR purposes. Good to see MS putting their dubious reputation above customer security.

#8 By 23275 at 6/21/2007 12:23:25 PM
#6, Exceptionally well said!!!

In our teams we say simply, "It is what it is" - then we deal with it.

I could really give a rip about the patch/bug count ratio, or stats. I am very happy with how MS schedules, tests and delivers patches - letting us know exactly how many bugs are being fixed is fine and consistent with how we see things - namely, we don't care how many and we're glad for the fixes. Just tell us what all of them are and let us decide what is best for us to do.

#9 By 15406 at 6/21/2007 1:18:55 PM
#8: I am very happy with how MS schedules, tests and delivers patches - letting us know exactly how many bugs are being fixed is fine and consistent with how we see things

Then you should be just as annoyed as the rest of us that they are hiding fixes without detailing what was fixed or how. Hiding fixes doesn't hurt the bad guys and it doesn't help the good guys. Its only purpose is to make MS look better.

#10 By 23275 at 6/21/2007 1:44:08 PM
#9, If you read my posts you'd note that I agree - all fixes should be revealed.

Did you read them? See #3 again, as well as the last sentence in #8 - not just the parts that you can latch on to.

#11 By 32132 at 6/21/2007 2:57:48 PM
#6 If they give out enough information on which bugs have been fixed, it makes it easier for malicious Google employees (FSF, IBM etc.) to write exploits and release them in the wild.

Microsoft knows very well how few people actually patch.

Making it hard for hackers is the responsible thing to do.

Making it better for hackers is the FSF/Google/IBM way.

#12 By 3653 at 6/21/2007 8:53:55 PM
On a loosely related note...

#13 By 32132 at 6/21/2007 9:59:22 PM
#4 "Obscurity is never a substitute for security."

And isn't it funny how some Mozilla bugs are still kept secret.

March 5th 2007

You are not authorized to access bug #368763.

Of course not ... there is no reason at all to keep this stuff secret. All the FSF shills on this site will now proceed to roast Mozilla for such evil practices .... right?

This post was edited by NotParker on Thursday, June 21, 2007 at 22:09.

#14 By 32132 at 6/21/2007 10:02:08 PM

"During the first 6 months for Windows Vista, Microsoft released 4 Security Bulletins and corresponding updates that address 12 total vulnerabilities affecting Windows Vista."

"When RedHat 4 WS shipped on February 15, 2005, there were 129 vulnerabilities already publicly disclosed in shipping components prior to general availability – 40 of them High severity. On ship day, Red Hat issued 27 security advisories to address 64 of them.

During the first 6 months, Red Hat fixed a total of 281 vulnerabilities in rhel4ws. 86 of those fixed were rated High severity in the NVD.

In the first 6 months, Red Hat fixed 119 of the 129 that had been publicly disclosed at release time, but new disclosures during the period meant that 65 issues were widely disclosed, but unpatched at the end of the first 6 months. 12 of the unfixed issues were High severity and 7 were Medium severity according to NVD ratings."

#15 By 32132 at 6/21/2007 11:28:09 PM
,1895,2149669,00.asp

"However, Cherry of Directions on Microsoft couldn't get excited about the issue.

"I don't understand what the surprise is about. Microsoft is continually finding things in the code, and they fix them. And so, if nobody's reported it yet, I don't see the harm in why they have to tell somebody they're there. And when they get to a service pack, they always have told us what's in it. [They have] a large list of what fixes are there. There will always be some that you've never heard a whisper about."

#16 By 3653 at 6/22/2007 12:27:17 AM
But NotParker, it's so much more sensational and fun to just close our eyes and believe that this is a new and utterly destructive practice by Microsoft. You are such a killjoy.

#17 By 12071 at 6/22/2007 9:47:21 PM
Don't lie Parkkker, Microsoft don't fix bugs... not even the publicly disclosed ones, let alone the ones they are keeping a secret to keep the overall count down to a minimum:

#18 By 32132 at 6/22/2007 10:16:59 PM
The article you reference had a couple of accurate comments.

"Most Linux vendors don't actually write the majority of the packages they include,"

"But Microsoft has stepped up its security practices, he added. "I think their Security Development Lifecycle initiative has improved the quality of the code," he said."

"most of the unpatched Vista bugs were not critical. Microsoft had left only one high-severity Vista vulnerability unpatched during the period."

Please keep in mind the "I Hate Microsoft Cult" is desperate to divert you from the fact that in the first 6 months RedHat had 65 unpatched high severity vulnerabilities.

Stay away from the cult's distros. They are not secure.

#19 By 23275 at 6/23/2007 4:54:01 AM
#18, One of the strongest aspects of the SDL - the Security Development Lifecycle, is that code is exposed to external security research and review - not unlike peer reviews in other forms of science. A lot of people are not aware of this and it is significant.

#20 By 12071 at 6/23/2007 7:07:45 AM
#18 So you agree that Microsoft don't fix bugs then, you're just arguing that they fix more than they used to (yay!). I'm not quite sure what you were trying to infer with the Linux vendor's comment - of course they don't all write the packages themselves - that's not how it works, or do you still not understand the difference?

#19 I'm curious if you can inform us all of the external security reviews/peer reviews that occurred for these (and many other) undisclosed vulnerabilities. As you say, we should all be more aware of it so I'd love to know who this peer is given that these vulnerabilities are kept hush hush. Other parts of Microsoft? How does that differ from any other process performed by any other vendor?

#21 By 32132 at 6/23/2007 4:11:04 PM
#20 "So you agree that Microsoft don't fix bugs then, you're just arguing that they fix more than they used to" and they have to fix very few compared to their competition.

As I've said, stay away from Linux and OS X. They have hundreds or even thousands more bugs to fix.

Please keep in mind the "I Hate Microsoft Cult" is desperate to divert you from the fact that in the first 6 months of release RedHat had 65 unpatched high severity vulnerabilities compared to 1 for Vista.

As for the 1 unpatched:

"Microsoft Windows Vista is exposed to a weakness due to insecure Teredo protocol connections. Teredo is a protocol transition mechanism which accommodates IPv6 tunneling over IPv4 Network Address Translation (NAT) devices. The documentation states that Teredo protocol is disabled by default and requires user action in order to activate. Microsoft Windows Vista is exposed to a weakness which may result in a false sense of security."

It's something Microsoft should fix, but it certainly isn't worth getting too excited about.

#22 By 247351 at 12/3/2009 5:02:58 PM
