A Super Response?

Critics hit Microsoft procedure for supplying fixes in wake of Gates memo.

In his now-famous memo in January outlining Microsoft Corp.'s new Trustworthy Computing initiative, Chairman Bill Gates praised Microsoft's efforts in building patches and responding to security problems swiftly and decisively.

But, Gates said, the new demands of Trustworthy Computing mean that what was good enough before would no longer make the grade.

"Our responsiveness has been unmatched—but as an industry leader, we can and must do better," Gates wrote. "As software has become ever-more complex, interdependent and interconnected, our reputation as a company has, in turn, become more vulnerable. Flaws in a single Microsoft product, service or policy not only affect the quality of our platform and services overall but our customers' view of us as a company."

While the Microsoft Security Response Center has continued to pump out patches and hot fixes in the eight months since Gates' memo, the company is drawing fire for including fixes for some vulnerabilities only in service packs and delaying responses to problems that aren't reported directly to Microsoft.

Company officials said that any perception that they ignore customer security needs is erroneous.

"There's nothing more important to us than responding to customer security issues," said Mike Nash, vice president of the security business unit at Microsoft, in Redmond, Wash., which oversees the MSRC, among other things. "Our goal is to minimize the lag time between when a vulnerability is found and the availability of the patch."

That's not always an easy task. In August, a programmer released information about a problem in the way that Microsoft's Internet Explorer checks the validity of certificate authorities used in Secure Sockets Layer transactions. The problem enables someone to generate and sign bogus certificates for another Web site, thereby enabling that person to trick users into sending sensitive data to an untrusted site.

The programmer, Mike Benham, said he purposely didn't notify Microsoft of the problem because he believed the company had downplayed the significance of an earlier IE problem. "After seeing that, I don't feel like wasting time with the Microsoft PR department," he wrote in his advisory on the problem.

Security experts said the problem was serious, but Microsoft officials, in a response written two weeks later, said that the scenario for exploiting the problem was narrow and that the user could easily identify the attacker. The company eventually produced a patch.

Microsoft also received criticism for choosing to fix a problem with the Windows XP Help and Support Center through Service Pack 1 rather than through a patch. The company has defended this practice, citing the much higher installation rate of service packs over individual patches.

"Without unusual circumstances, it makes more sense to patch through a service pack. It simply isn't efficient to build a patch for every bug that someone finds," Scott Culp, manager of the MSRC, also in Redmond, told eWeek earlier this year. "Customers do pick and choose between patches."

In another recent case, a researcher posted a note in late August to the BugTraq security mailing list detailing problems with Microsoft Word that could enable an attacker to retrieve files from a remote user's machine without that user's knowledge. The author of the post, Alex Gantman, went into detail in his note, describing exactly how the vulnerability could be exploited. He also suggested a workaround, albeit a fairly onerous and time-consuming one that few users are likely to implement.

Gantman did not alert Microsoft to the problems he found before posting to BugTraq. Meanwhile, officials at the MSRC—who monitor BugTraq and other lists—didn't acknowledge the vulnerability until more than two weeks later, on Sept. 13, when they posted a lengthy article to Microsoft's security Web site.

The company has yet to produce a patch for the problem but sharply criticized Gantman's decision to go public with his information.

"The customer confusion and speculation around this issue is a clear illustration of the challenges faced when security reports are made public rather than reported to the vendor," Microsoft reported in an article on its TechNet site. "Responsible researchers work with vendors to ensure that the priority is ... the protection and safety of users."

Despite the criticism of Microsoft over some of these recent events, some in the security community said the company is moving in the right direction.

"Regardless of whether Microsoft rolls things up into service packs or not, you're still going to get those people who don't bother to alert Microsoft before posting, and this is where the real problem lies," said David Litchfield, co-founder of Next Generation Security Software Ltd., in Surrey, England, and a researcher who has found dozens of flaws in Microsoft products. "I think the security response from Microsoft is quite good. They've certainly raised their bar over the past couple of years."