Dailydave mailing list archives
Microsoft silently fixes security vulnerabilities
From: Marc_Bevand () rapid7 com
Date: Fri, 14 Apr 2006 17:27:57 -0700
People working in the IT security industry, especially security researchers, seem to notice Microsoft is silently fixing more and more vulnerabilities. For example, this recent article [1] shows Microsoft is misleading its customers by deliberately obfuscating details about patches.

My personal experience is similar with MS05-043 (CVE-2005-1984). In November 2005, I had to reverse engineer the MS patches in order to identify what vulnerabilities had been fixed. I basically discovered that the XP SP1 patch updated win32spl.dll by replacing about 40 calls to unsafe functions (wsprintf, wcscpy, etc.) by calls to the safe versions (most often routines similar to snprintf, strncpy, etc.). To my great surprise, I also discovered that the patch for XP SP2 was a "dummy patch" that did not even update win32spl.dll (it only updated spoolsv.exe to fix minor non-security bugs). Why? Because the original version of this file in XP SP2 already contained the fix; in other words, it was already calling the safe string manipulation functions. I contacted the original discoverer, Kostya Kortchinsky, to get more information about this, and he confirmed that Microsoft did silently fix the vulnerabilities in XP SP2 and Windows 2003.

What is shocking is that Microsoft, who are supposed to _support_ Windows 2000 SP4 and XP SP1, deliberately chose to NOT backport this security fix. To top it off, MS is blatantly lying in its MS05-043 advisory by stating that XP SP2 and Windows 2003 are affected, as if they "just fixed it" and "just came out with the very first patch to fix 2000/XPSP1/XPSP2/2003".

Also very interesting is this eEye advisory [2], explaining Microsoft discovered internally the CVE-2005-2120 vulnerability and fixed it silently in Windows 2003 without backporting it to earlier Windows versions. eEye then independently rediscovered it, "forcing" Microsoft to release MS05-047 to publicly acknowledge the vuln and backport a fix to all Windows versions. At least in this case Microsoft doesn't lie and tells the truth in MS05-047 by listing Windows 2003 as not affected.

I also would like to point out some interesting statistics: by browsing the list of MS security advisories released over the past 2 years, at least 75% of all vulnerabilities credit external security researchers for having discovered them. The remaining 25% are either anonymously reported vulnerabilities, or are discovered internally by Microsoft itself. Do you guys believe that MS (a multi-billion dollar software company stating "security is our priority number one") is only able to detect and publicly report less than 25% of the vulnerabilities in its products? This leads to the interesting question of: how many security fixes does Microsoft choose to NOT backport to earlier versions of its products, when no external researchers find them?

[1] http://www.eweek.com/article2/0,1895,1949279,00.asp
[2] http://www.eeye.com/html/research/advisories/AD20051011c.html

- Marc Bevand
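The post describes the fix pattern found by diffing win32spl.dll: unbounded string calls swapped for bounded ones. The C below is an added illustration of that class of change and is not code from the patch, from Microsoft, or from the post's author; the function names, the buffer sizes and the spool-path format string are constructed for the example. It shows the unsafe call for contrast, a bounded wide-string copy that fails closed on truncation (plain wcsncpy would leave the buffer unterminated), and a bounded snprintf wrapper that checks the return value, since a truncated format result is the caveat most often missed when such calls are replaced mechanically.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <wchar.h>

#define NAME_MAX_CHARS 16   /* constructed buffer size for the example */

/* Unsafe pattern (the kind of call the post says the SP1 patch replaced):
 * wcscpy writes as many characters as src holds, so a src longer than
 * NAME_MAX_CHARS - 1 overruns dst. Shown only for contrast; the bounded
 * version below is the replacement. */
void copy_name_unsafe(wchar_t dst[NAME_MAX_CHARS], const wchar_t *src)
{
    wcscpy(dst, src);
}

/* Bounded replacement. Copies src into dst[dst_chars]; always leaves dst
 * NUL-terminated and reports truncation instead of silently clipping, so a
 * caller can reject oversized input rather than continue with a damaged
 * value. Returns 0 on success, -1 if src does not fit or an argument is bad. */
int copy_name_bounded(wchar_t *dst, size_t dst_chars, const wchar_t *src)
{
    if (dst == NULL || dst_chars == 0 || src == NULL)
        return -1;

    size_t n = wcslen(src);
    if (n >= dst_chars) {
        dst[0] = L'\0';     /* fail closed: empty, terminated buffer */
        return -1;
    }
    wmemcpy(dst, src, n + 1);   /* n characters plus the terminator */
    return 0;
}

/* Bounded formatting. snprintf never overruns dst, but it returns the length
 * the full output WOULD have had; a return >= dst_size means the result was
 * cut short. The wrapper turns that into an explicit error. Returns the
 * number of characters written (excluding NUL), or -1 on truncation/error. */
int format_spool_path(char *dst, size_t dst_size, const char *printer, unsigned job_id)
{
    if (dst == NULL || dst_size == 0 || printer == NULL)
        return -1;

    int n = snprintf(dst, dst_size, "\\\\spool\\%s\\%u.spl", printer, job_id);
    if (n < 0 || (size_t)n >= dst_size) {
        dst[0] = '\0';      /* do not hand back a partial path */
        return -1;
    }
    return n;
}

int main(void)
{
    wchar_t name[NAME_MAX_CHARS];
    char path[32];

    /* fits: 11 characters into a 16-character buffer */
    printf("short name: %d\n", copy_name_bounded(name, NAME_MAX_CHARS, L"HP LaserJet"));
    /* does not fit: 16 characters need 17 slots including the terminator */
    printf("long name:  %d\n", copy_name_bounded(name, NAME_MAX_CHARS, L"0123456789ABCDEF"));

    printf("path:       %d\n", format_spool_path(path, sizeof path, "lp0", 7));
    printf("tiny path:  %d\n", format_spool_path(path, 8, "lp0", 7));
    return 0;
}
```

The design point is that a bounded call on its own only stops the overrun; the return-value check is what turns silent truncation into a detectable failure, which matters when the clipped string is later used as a path or a name.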