Why Can't Microsoft Catch Its Own Bugs?
October 26, 2004
By Brian Livingston

They say the cobbler's children have no shoes. In a similar way, it may be that Microsoft, the world's largest software company, doesn't have enough programmers to discover security holes in Windows.

The Redmond technology giant released 10 separate security bulletins on Oct. 12, which are said to patch 22 different weaknesses in Windows.

When I was studying these documents, I realized that Microsoft had credited outside "security researchers" with the discovery of 9 out of 10 of the issues.

Microsoft is one of the most profitable corporations on the planet, earning $2.9 billion in the most recent quarter. That's up more than 10% from the same quarter a year ago and represents a profit margin of more than 31%. The company has over $60 billion in cash reserves alone.

Isn't Microsoft paying its own employees to find security holes in Windows? And, if it is, why are the insiders finding only a small minority of the problems that nonemployees are uncovering and reporting?

The Thin Grey Line

Microsoft appears to be unable to discover security weaknesses in its products faster than a small coterie of "white-hat" and "grey-hat" hackers — technically skilled people who either work in "good guy" consulting firms or in amorphous online networks. Here's how the system operates:

Security First. Individuals known as security researchers delve into the inner workings of Windows, usually with little or no access to the original source code.

Responsible Disclosure. Under current Microsoft policy, these researchers are expected to report any security weaknesses they find to Microsoft privately. No disclosure to anyone else is supposed to occur until a patch is announced by the Redmond company.

A Pat On The Head. In return for this delay in telling others about any newly discovered problem, the researcher's name or company is acknowledged in the body of Microsoft's announcement with a hyperlink to the researcher's Web site. This link improves the site's ranking in search engines — but more importantly, it helps the security firm attract consulting customers who want advice on protecting their systems against future threats.

A Worldwide Elite Of Technorati

The number of programmers with the background and interest to discover subtle Windows security holes is probably a mere few dozen worldwide.

"There are only four people in the world who've discovered 90% to 95% of the Internet Explorer vulnerabilities," asserts Jay Nichols, a spokesman for eEye Digital Security, a leading security consulting firm. "Two are anonymous, one is in China, and the other is Drew Copley," an eEye employee.

Microsoft credits eEye (and, therefore, Copley) with finding and reporting the "ZIP Decompression Bug" described in this month's security bulletin named MS04-034. By exploiting this bug, a hacker can create a Web site or a ZIP file that can take control of an unpatched Windows XP or Server 2003 system, because the built-in decompression feature in those operating systems is poorly programmed.

Don't other decompression programs, such as WinZip and PKZip, have the same vulnerability to hacked ZIP files? "No, they don't," replies Copley, eEye's senior research engineer. "They [Microsoft] do deserve some scorn for that. This was a pretty easy-to-find bug."

Shouldn't a security hole like this have been found during Microsoft's much-publicized Trustworthy Computing Initiative in 2002, during which the company's developers were given two weeks of training and then told to examine Windows code for weaknesses?

"My best estimate is that it didn't do very much," Copley says. "That much code, you can't do that much in one month. It takes many years, that's an entirely different job. It [the initiative] strikes me more as smoke and mirrors."

Paying Top Dollar For Security Expertise

Another company acknowledged by Microsoft is the Bindview Corp., a provider of security management software. That firm identifies its senior security analyst Mark Loveless as discovering the problem entitled MS04-029. This flaw allows attackers to crash unpatched Windows NT systems.

When asked why Microsoft doesn't find most such holes on their own, Loveless replied, "They're getting a lot of it for free. It's free R&D."

"The best of the people looking for these bugs are fewer than 100 in number," says Loveless. "Within the past three or four years, the vast majority of these people got hired, and not by Microsoft."

Couldn't Microsoft afford to hire them? "The people who have the skill set to discover this kind of bugs, they're worth a lot of money," Loveless explains. "I've talked to people who wouldn't work at Microsoft because they [Microsoft] weren't willing to pay enough money. That's simply because their focus has not been on security. They're not a security company."

Microsoft Answers Its Critics

In response to my original question — aren't paid Microsoft employees supposed to be finding these security holes? — a Microsoft spokesman, who asked not to be identified by name, provided me with a written statement:

"At Microsoft, security response is a full time commitment that involves building and maintaining strong relationships with security researchers around the globe. Security researchers can offer unique expertise and insight and play an important role in helping Microsoft protect its customers and improve its products.

"No amount of testing can fully replicate the complex configurations of Microsoft's broad customer base. Reputable security researchers who share Microsoft's passion for protecting customers have uncovered elusive security vulnerabilities and worked with Microsoft to develop comprehensive fixes."

Regarding why most security flaws aren't found by Microsoft employees themselves, the statement said:

"All software contains bugs and some bugs result in security vulnerabilities. Microsoft is committed to keeping the number of security vulnerabilities that ship in its products to a minimum as evidenced by the work that went into Windows Server 2003, our focus on providing greater defense in depth and the ongoing work in the SBTU [Security Business and Technology Unit] — all of which help to deliver on Microsoft's vision of Trustworthy Computing."

Conclusion

The bottom line? It appears that one of the world's wealthiest corporations is dependent on volunteers to discover most of the critical security flaws that make its biggest-selling products dangerous for Windows users to run.

That sure makes me feel a lot more secure. How about you?

Brian Livingston is the editor of WindowsSecrets.com and the co-author of Windows Vista Secrets and 10 other books.
