Silent Security Fixes Are A Calculated Risk - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

IoT
IoT
Mobile // Mobile Applications
Commentary
5/31/2010
09:26 PM
Dave Methvin
Dave Methvin
Commentary
50%
50%

Silent Security Fixes Are A Calculated Risk

Recently, the folks at Core Security noticed that Microsoft has been delivering more fixes during patch day than they have documented in their security bulletins. It's great that Microsoft is fixing more security issues, but when they're not documented the IT department's job could become even more challenging.

Recently, the folks at Core Security noticed that Microsoft has been delivering more fixes during patch day than they have documented in their security bulletins. It's great that Microsoft is fixing more security issues, but when they're not documented the IT department's job could become even more challenging.Most security issues aren't found by Microsoft, but instead by independent security researchers. In some cases, they're found by unknown black-hat criminals who immediately start to use them to deliver exploits and take over PCs. For either situation, once Microsoft knows about the exploit they start on a fix. Sometimes the fix comes in a few weeks; other times it can take months before Patch Tuesday delivers a fix for a problem that was reported to Microsoft. The urgency depends on the severity of the problem, and whether a known exploit is floating around in the wild.

A Microsoft patch is part of the Security Development Lifecycle (SDL) process. Whenever a security patch is required, Microsoft reviews the patch to ask "why did this happen, and what can we do to prevent it from happening again?" That process often involves a review of the code surrounding the area where the problem occurred. If it occurred because of a false assumption or a logic error, there's a chance that other areas of the code have similar problems that haven't been found yet. If new problems are found, it makes sense to fix them at the same time.

The white-hat researchers that report security problems know when their issues are fixed, since the security bulletin usually includes a "hat-tip" thanking them. The issues found by Microsoft during their own internal review don't necessarily need to be reported, especially if there seem to be no public exploits or knowledge they exist. That's how we get to situations like the Microsoft stealth fixes found by Core Security.

However, there's one complication with this just-fix-don't-tell policy. Once the patch is released, the bad guys can see what's been changed by comparing the old code to the patched code. They often do this to determine how they can exploit a particular problem. If some undisclosed-but-fixed problem is in there, the bad guys may be able to exploit it as well. Yet if Microsoft were to openly disclose the problems found during internal reviews, it's even more likely those problems would be exploited. Therein lies the conundrum.

Although some reports have made it appear that Microsoft is hiding important information from its customers, I don't see it that way. There's a very simple practice that can make the "disclose or don't" issue a non-problem for your organization: Apply patches as soon as possible. That way you'll be protected against both the disclosed and undisclosed problems.

We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
Comment  | 
Print  | 
More Insights
Slideshows
What Digital Transformation Is (And Isn't)
Cynthia Harvey, Freelance Journalist, InformationWeek,  12/4/2019
Commentary
Watch Out for New Barriers to Faster Software Development
Lisa Morgan, Freelance Writer,  12/3/2019
Commentary
If DevOps Is So Awesome, Why Is Your Initiative Failing?
Guest Commentary, Guest Commentary,  12/2/2019
White Papers
Register for InformationWeek Newsletters
Video
Current Issue
Getting Started With Emerging Technologies
Looking to help your enterprise IT team ease the stress of putting new/emerging technologies such as AI, machine learning and IoT to work for their organizations? There are a few ways to get off on the right foot. In this report we share some expert advice on how to approach some of these seemingly daunting tech challenges.
Slideshows
Flash Poll