I've never been one to shy away from praising Microsoft when I think that praise is due. My colleagues can tell you that I still insist Windows ME was a decent operating system and I've loved my Vista install since the first day I used it. I've also been quick to commend Microsoft when something is patched quickly and an issue is resolved. But, I'm not just another "Yes-Man".
Last night Jabulani Leffall referred to me as a 'security gadfly'. I had to look it up, discovered that it meant a pest, and was a little shocked. However, it was quickly pointed out by several people that gadfly also refers to someone not afraid to ask the difficult questions. I thought about that and really liked the term. I like to think that I'm not afraid to ask the difficult questions, and when I think about it, sometimes the responses I get to emails to secure@microsoft.com make me feel like they consider me a pest.
Why all this back story? Because I want to ask the difficult question with regard to MS09-032. It's a question I asked with MS09-008, and should have asked with MS08-032 (and I'm sure a few others).
That question is: when did it become acceptable for a mitigation to be issued as a patch? Forget the root issue, or the results and potential outcome... why does Microsoft continue to get away with this, and why aren't we questioning them repeatedly? The CVE for MS09-032, as many people have discussed recently, is CVE-2008-0015, which was assigned Dec. 13, 2007. That's 20 months ago... aka a very long time. Yet in all this time, the best they could do was a mitigation? Why not a patch to the affected DLL? The advisory contained the mitigation in a FixIt package a few weeks ago, so why rerelease it as a security bulletin? And this security bulletin was simply a cumulative update to ActiveX killbits, something that is released every month as a "Security Advisory"; this month it suddenly became a "Security Bulletin", and I want to know why.
The (seemingly) obvious answer, at least in my eyes, is that this was entirely a marketing ploy. I've noticed that the Security Bulletins (the so-called "For IT Professionals" version) have become more marketing speak and less technical description with every Patch Tuesday. In this case the entire bulletin stinks of marketing speak. So why does Microsoft continue to get away with this? Why can't we put our collective foot down and put a stop to this?
It's actually quite simple to determine the difference between a patch and a mitigation. It becomes even easier if we think of the patch as the solution to the problem. The patch makes the problem go away, end of story. A mitigation doesn't solve the problem... it simply silences it temporarily; it is possible (under the right circumstances) for that problem to come back. A mitigation is not a silver bullet for the problem, and releasing Security Bulletins that contain mitigations is misleading to the everyday user.
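The distinction above can be checked on a machine rather than argued about. The following PowerShell is an added example, not code from the original post or from Microsoft: it reports, for each CLSID, whether the ActiveX kill bit (the mitigation) is set in the `ActiveX Compatibility` registry key, and separately whether a named DLL is at or above a given file version (an actual patch). The registry location and the `0x400` (`COMPAT_EVIL_DONT_LOAD`) flag are the documented kill-bit mechanism; the CLSIDs, the DLL path and the minimum version are placeholders that must be taken from the bulletin being checked.

```powershell
# Added example, not from the original post. Distinguishes "mitigated" (kill bit set)
# from "patched" (DLL at or above a fixed version). CLSIDs, DLL path and version are
# placeholders (constructed); substitute the values from the bulletin you are checking.

$KillBitFlag = 0x400   # COMPAT_EVIL_DONT_LOAD bit in the "Compatibility Flags" DWORD

function Get-KillBitStatus {
    param([Parameter(Mandatory = $true)][string[]]$Clsid)
    foreach ($id in $Clsid) {
        # 64-bit Windows keeps a second copy under Wow6432Node for 32-bit IE; check both.
        $keys = @(
            "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$id",
            "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$id"
        )
        foreach ($key in $keys) {
            $flags = 0
            if (Test-Path -Path $key) {
                $value = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'Compatibility Flags'
                if ($null -ne $value) { $flags = [int]$value }
            }
            [pscustomobject]@{
                CLSID      = $id
                Key        = $key
                Flags      = ('0x{0:X}' -f $flags)
                KillBitSet = (($flags -band $KillBitFlag) -ne 0)   # mitigation in place?
            }
        }
    }
}

function Test-PatchedDll {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [Parameter(Mandatory = $true)][version]$MinimumVersion
    )
    if (-not (Test-Path -Path $Path)) { return $null }   # DLL absent: nothing to patch
    # Build the version from the numeric parts; the FileVersion string may carry extra text.
    $vi = (Get-Item -Path $Path).VersionInfo
    $found = [version]('{0}.{1}.{2}.{3}' -f $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
    [pscustomobject]@{
        Path    = $Path
        Version = $found
        Patched = ($found -ge $MinimumVersion)   # real fix present?
    }
}

# Placeholder inputs (constructed): replace with the bulletin's CLSIDs, DLL and fixed version.
$clsids = @('{00000000-0000-0000-0000-000000000001}',
            '{00000000-0000-0000-0000-000000000002}')

Get-KillBitStatus -Clsid $clsids | Format-Table -AutoSize
Test-PatchedDll -Path 'C:\Windows\System32\AFFECTED_PLACEHOLDER.dll' -MinimumVersion '0.0.0.0'
```

A host where `KillBitSet` is true for every CLSID but `Patched` is false is exactly the "doughnut" state the post describes: the control can no longer be instantiated by Internet Explorer, but the vulnerable code is still on disk and could be reached by any other path that loads it.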
Let's take this to a completely different place. Imagine you're driving down the road and suddenly get a flat. You pull over and pull off the tire and head to the trunk to pull out your spare... a doughnut. The doughnut will keep you driving, but at a reduced speed and probably not as smoothly. It's probably not ideal but it's a stop-gap solution to your flat tire and will serve you well until you can buy a patch kit or replace the tire (depending on the situation).
In the above scenario, the doughnut is your mitigation and the patch kit/new tire is your patch. Imagine if you were told that getting a flat tire required you to permanently drive around with that doughnut... I doubt you'd be very happy, especially if you're a highway driver. So why should we be happy accepting mitigations as patches, especially if we're in a multi-user environment?
I think it's time that we put a call out to Microsoft, and any other vendor utilizing this practice, and insist that when they call something a patch, it actually be a patch.
Comments (4)
I feel that is a valid question. How is a work-around a solution? Frankly, I think we were all a little concerned that Microsoft was trying to avoid addressing a known security issue.
Posted by Eric "SecRunner" | July 15, 2009 2:12 PM
I don't think mitigation as a patch option is really a bad thing, especially considering the consequences of MS not putting mitigation in. Let's assume they followed your rationale and decided not to release a patch until next MS Tuesday. Considering the present exponential spread of the exploit affecting this vulnerability, and the unlikelihood of people setting the kill bit manually, this could have become really bad. How many more people are pseudo-"protected" because they were able to push this out? 40%, 50%? I don't have numbers on how many people patch within the first little while, but it's got to be exponentially higher than people setting it manually. Most people wouldn't have even heard of this exploit, even though it has gotten decent press.
However, I agree with your complaint about why did MS take over a year to set the killbit? They knew about the vulnerability for over a year (see CVE number), had an idea of what it could do, and still had to wait until a public exploit went out for them to do something about it. It would have made more sense to set the killbit in another patch made earlier and then they wouldn't have had to do this. That's the killer. It's not like it's hard. The risk of the information getting out (because people would want to know why they did set it) is less than the egg on their face now.
Does a company that develops a product have any responsibility to the user if they know of an issue that can be used to damage/exploit the user and do not tell them about it? In a lot of other fields, they do. They can get sued if something goes wrong. If an attacker used this exploit to gain information from a user that damages the user (CC information), could a software/hardware vendor get sued?
Posted by Ryan Poppa | July 16, 2009 7:00 AM
@Ryan,
I definitely think there are people that the manual mitigation wouldn't have worked for, especially considering there were 45 CLSIDs involved. That being said, they'd already released a Microsoft FixIt to address the issue. This could have been used by people and Microsoft could have even offered it via Windows Update.
To take it a step further, Microsoft releases an Advisory for a cumulative update to ActiveX Killbits quite frequently. However, because of the press around this vulnerability, they decided to slap a bulletin number in front of the update and release it as a patch. This is nothing but a marketing ploy. They don't have a real patch ready and are getting hit hard in the media for leaving it unpatched for so long, that they attempted the oldest trick in a magician's book - misdirection.
I would never say don't release a protection to customers. That wasn't the point of this, the point was call the protection what it is, don't mislead those customers simply to protect yourself.
Posted by Tyler Reguly | July 16, 2009 9:43 AM
For the record Tyler, Gadfly was conferred on you in good stead. It means that not only are you not afraid to ask the difficult questions but you are unafraid to say what you think to whoever and whenever; when a noun such as security is placed in front of the word, it gives it that much more power.
Posted by J.Leffall | September 24, 2009 12:08 AM