Dailydave mailing list archives

Microsoft silently fixes security vulnerabilities


From: Marc_Bevand () rapid7 com
Date: Fri, 14 Apr 2006 17:27:57 -0700

People working in the IT security industry, especially security
researchers, seem to notice Microsoft is silently fixing more and more
vulnerabilities.

For example this recent article [1] shows Microsoft is misleading its
customers by deliberately obfuscating details about patches.

My personal experience is similar with MS05-043 (CVE-2005-1984). In
November 2005, I had to reverse engineer the MS patches, in order to
identify what vulnerabilities had been fixed. I basically discovered
that the XP SP1 patch updated win32spl.dll by replacing about 40 calls
to unsafe functions (wsprintf, wcscpy, etc) by calls to the safe
versions (most often routines similar to snprintf, strncpy, etc). To
my great surprise, I also discovered that the patch for XP SP2 was a
"dummy patch" that did not even update win32spl.dll (it only updated
spoolsv.exe to fix minor non-security bugs). Why? Because the
original version of this file in XP SP2 already contained the fix, in
other words it was already calling the safe string manipulation
functions. I contacted the original discoverer, Kostya Kortchinsky, to
get more information about this and he confirmed that Microsoft did
silently fix the vulnerabilities in XP SP2, and Windows 2003. What is
shocking is that Microsoft, who are supposed to _support_ Windows
2000 SP4 and XP SP1, deliberately chose to NOT backport this security
fix. To top it off MS is blatantly lying in its MS05-043 advisory
by stating that XP SP2 and Windows 2003 are affected, as if they
"just fixed it" and "just came out with the very first patch to fix
2000/XPSP1/XPSP2/2003".

Also very interesting is this eEye advisory [2], explaining Microsoft
discovered internally the CVE-2005-2120 vulnerability and fixed it
silently in Windows 2003 without backporting it to earlier Windows
versions. eEye then independently rediscovered it, "forcing" Microsoft
to release MS05-047 to publicly acknowledge the vuln and backport a
fix to all Windows versions. At least, in this case Microsoft doesn't
lie and tells the truth in MS05-047 by listing Windows 2003 as not
affected.

I also would like to point out some interesting statistics: by browsing
the list of MS security advisories released over the past 2 years,
at least 75% of all vulnerabilities credit external security
researchers for having discovered them. The remaining 25% are either
anonymously reported vulnerabilities, or are discovered internally by
Microsoft itself. Do you guys believe that MS (a multi-billion dollar
software company stating "security is our priority number one") is
only able to detect and publicly report less than 25% of the
vulnerabilities in its products?

This leads to the interesting question of: how many security fixes
does Microsoft choose to NOT backport to earlier versions of its
products, when no external researchers find them?

[1] http://www.eweek.com/article2/0,1895,1949279,00.asp
[2] http://www.eeye.com/html/research/advisories/AD20051011c.html

- Marc Bevand
