Microsoft’s disclosure policy opens doors for malware writers

The April 24 issue of eWeek ran two articles of interest.

The first (p14) reported on two aspects of Microsoft’s vulnerability policy. One, Microsoft does not disclose internally discovered software vulnerabilities. Two, Microsoft fails to disclose all the vulnerabilities being addressed in a given patch.

The second (p30) reports that malware threats are on the rise. The article reports that McAfee Avert Labs saw a 700 percent increase in reported rootkit attacks during the first quarter of 2006 as compared to Q1 2005.

Virus and malware writers have a distinct advantage over security professionals in this environment. Fundamentally, malware writers can focus all of their attention on detecting an attack vector for a specific product or technology. For example, a particular virus writer may focus specifically on Outlook vulnerabilities.

The security professional, on the other hand, generally has a much bigger footprint to defend. He has to worry not only about his Outlook users, but also about the web servers, email servers, firewall boxes, print servers, and so on.

In order to balance the scales, a slew of security products have been added to the security professional’s toolkit. Antivirus, antispyware, rootkit detection tools, and firewalls are all commonplace.

Microsoft’s failure to disclose internally discovered vulnerabilities keeps the security industry from being able to protect its IT infrastructure. Microsoft claims the opposite, contending that disclosing the vulnerabilities decreases security.

If Microsoft adopts a policy of disclosing vulnerabilities it discovers, proactive security solution providers will be able to take immediate action. Virus definitions could be written, firewall rules configured, software systems temporarily disabled or modified.

Instead, Microsoft leaves known vulnerabilities unpatched and, as a result, leaves its customers at the mercy of malware writers.

Bill

One Response to “Microsoft’s disclosure policy opens doors for malware writers”

  1. Mark Says:

    It seems to me that if MS fails to disclose a vulnerability that it knows about and that vulnerability is then used to hack into, say, the Bank of America, MS would be on the hook for considerable cost. Not disclosing a flaw in a product is no defense against damage, as car manufacturers have learned.
