Friday, January 22, 2010

IE 0day failures

I wanted to comment on three failures related to the recent IE 0day.

FAIL #1 - The blogosphere

The blogosphere started debating the merits of German and French recommendations that users dump Internet Explorer.

However, those governments made no such recommendations. Their Internet security agencies recommended that users switch browsers TEMPORARILY, until Microsoft fixed the bug. It is a reasonable thing to recommend: if hackers can easily break in to a software application, it is reasonable to recommend that you stop using that application until the problem is fixed. Implicitly, they both recommended going back to IE once Microsoft fixed the problem.

I tracked back to find the source of these false claims. They appear to come from this story by Tony Bradley at PCWorld, where he misrepresents what Germany and France said. Yet he references two stories (here and here) that get their facts right.

For the record, the German bulletin from BSI says "Therefore BSI recommends that until Microsoft makes a patch available, to use an alternative browser". The French bulletin from Certa says "Pending a patch from the publisher, Certa recommends using an alternative browser". (I speak both French and German, these are the correct translations).

FAIL #2 - US-CERT

The equivalent of the German BSI and French Certa is the US-CERT. What did they say about the issue?

I went to their page and found nothing. Their National Cyber Alert System ignored the issue. They didn't publish an advisory until AFTER Microsoft published a patch on January 21.

That's bad, really bad. This IE bug was big. IE6, the version most commonly exploited, has 20% market share, and all versions of IE combined have over 60% market share. US-CERT should have created a bulletin telling people that hackers were widely exploiting browsers with this bug.

The measure of an "emergency response team" is not how well it responds to "normal" events, but how well it responds to "emergencies". The US-CERT does a lot of good work for computer security, but they failed at responding to this emergency. This is a problem, one that the cyber czar should look into.

FAIL #3 - Microsoft?

The bug itself isn't a failure. Bugs happen. Nobody has figured out how to create bug free software. In fact, Microsoft is probably the best in the industry at ridding their code of such bugs, with things like the SDL and operating-system protections like DEP.

Yet, it took a full week to release a patch for this bug, and it appears that Microsoft knew of the bug months ago. That’s a big window for an 0day out in the wild.

Microsoft used to respond faster, but their response time for major vulnerabilities is getting worse every year. That is because they employ, directly or indirectly, half of the security industry, and influence the other half. If Microsoft drags its feet on fixing a bug, and a researcher gets frustrated and publishes the bug, Microsoft will blackball them from the industry. Researchers keep quiet because they are afraid of Microsoft.

I know this because that's what Microsoft has threatened me with. We found a trivial Wifi vuln in Windows Mobile several years ago. It was never patched, largely because the mobile provider (Cingular, now AT&T) refused to patch it. Since we could not publish the bug until after the patch, this meant we could never publish the bug. We know of lots of researchers finding bugs in Windows Mobile that never get published for precisely the same reason.

It's a reasonable stance for Microsoft to take. There are lots of evil researchers who try to create havoc by making it difficult for vendors to fix the bugs they discover. Some bugs are difficult to fix, and indeed may take a year to fix, during which time the researcher shouldn't release details. Yet Microsoft has pushed this idea too far in the other direction, with the consequence that they are taking too long to patch bugs.

Another problem Microsoft has is "out-of-band patches". In theory, they patch precisely 12 times a year, on the second Tuesday of the month. Patching bugs at irregular times was expensive for them, and since each patch was a surprise to their customers, expensive for their customers. This schedule is cheaper and easier for everyone.

Yet, there are still surprises. I forget, but I think there were three out-of-band patches last year, and now one so far this year.

So, I asked Microsoft what they had budgeted for out-of-band patches. Microsoft's response was that they had budgeted nothing, because such out-of-band patches should never occur. I was surprised by the answer: emergencies will continue to occur, and Microsoft should plan for them. I would bet money that another IE 0day is going to occur in the next 12 months; Microsoft should plan for that as well.

Microsoft is still the best at eliminating bugs and responding to them, but I would call their response to this IE bug a failure. Moreover, Microsoft is getting worse every year at responding to bugs, not better.

UPDATE: The above text about Microsoft is pretty harsh, but I'd like to repeat that Microsoft is still the best at eliminating bugs and responding to them. Also, I like Microsoft, and I believe they are an ethical and moral company with occasional lapses by individuals, as opposed to a company like Apple which is unethical from the top down. I'm afraid of Microsoft not because they are a lion that might eat me, but because they are an elephant that might step on me by accident.


DK said...

How were you threatened?

Robert Graham said...

You mean, did they threaten to break my kneecaps? No, of course not, it's nothing as overt as that.

Microsoft has a lot of tools at its disposal. For example, it gives credit to researchers for advisories. When they deem that a researcher has behaved badly, they don't give credit.

A good relationship is valuable to a lot of companies. Microsoft makes it known to those companies that their relationship will become a bad one if they hire certain people.

The worst threat is when the FBI threatened to change my file, to taint any background check, so that I could never work for the government ever again. This was done due to pressure from Microsoft.

It's not as big a conspiracy as you think. Mostly it's just individuals at Microsoft who make bad decisions. Usually it's because they don't recognize how powerful Microsoft is. I don't think the individuals responsible for the FBI threatening us realized that this would be the result of their actions.

Jeremy said...

Regarding #2, I don't know if the problem is common at US-CERT or not, but I have seen organizations so focused on patching as a security metric that they routinely ignore big security issues that aren't as simple as a patch but get all bent out of shape over patches to small vulnerabilities that aren't even exploitable. Sometimes they'll even make themselves less secure in order to get out of a situation where they can't apply a patch for some reason.

X-Istence said...

Was the Edit about Apple really necessary? It seems to detract from your main argument and what you were trying to say.