Security Watch
Microsoft's Rushed Full Disclosure Patches Found Just as Effective
Publicity gets Redmond's attention better than private disclosure of its vulnerabilities.
Hacking
Brian Krebs at the Washington Post recently published information in his Security Fix blog regarding the time Microsoft needed to produce what it classified as "critical" fixes. In the data, he observed that Microsoft appeared to be producing fixes much faster when it learned of the vulnerabilities through full disclosure, versus receiving the vulnerability details in private (referred to as responsible disclosure). The data showed that the time to fix had been decreasing year-over-year for full-disclosure patches since 2003.
Krebs went on to note: "Security Fix did not attempt to determine whether
there was a correlation between the speed with which Microsoft issues patches
and the quality or effectiveness of those updates. A real glutton for punishment
might be able to learn just how many Windows patches were later updated with
subsequent fixes -- either because the initial patch failed to fully fix the
problem or introduced new troubles."
(Read the full article here -- registration may be required.)
The Cybertrust Risk Intel Team decided we'd be the "glutton for
punishment." We had that data readily available to us, as part of our extensive
research information. A number of interesting things came to light:
None of the so-called "full disclosure" patches has ever resulted in a re-release of that patch. Microsoft not only got it done more quickly, but also appeared to get it done more correctly than when it had endless amounts of time to release a patch.
Year-over-year, the number of re-releases has remained relatively unchanged: 2003 saw eight re-releases, 2004 had six and 2005 also had six. Of course, we have to remember that we may still see re-releases of patches from these years, as it is not uncommon for Microsoft to do a re-release many months after a patch was originally released.
It's difficult to characterize the patches that end up requiring re-releases. On average (and by median), they took less time to fix than the average privately reported vulnerability, but more than the average fully disclosed one. The average report-to-fix time in days for patches that were later re-released was 73.142 in 2003, 175.4 in 2004 and 102.333 in 2005.
Overall, since the beginning of 2003, Microsoft has done a reasonable job of
getting its patches right the first time and is getting marginally better at
it over time (79 percent, 83 percent and 84 percent over the past three years).
Its problems don't seem to lie in the full disclosure debate -- in fact,
full disclosure and the shorter time to release seem to result in better version
1.0 patches. The problems with having more time to fix a problem could be related
to the number of other changes that occur in the OS or applications during that
time. By the time the fix is released, other components may have changed and
could affect the functionality of the patch.
While it may appear that initial disclosure to the public results in a more
efficient patch cycle, it's important to note that no attempt was made
to correlate attacks or victims against these disclosures. It may well be that
the faster patches were due to the fact that victims were being reported to
Microsoft, which would certainly explain a number of these findings.
One caveat: No attempt was made to determine the reasons for the re-releases.
We referenced only those that produced new binaries for a given patch. Sometimes
those new binaries were simply for operating system or application versions
for which patches were not originally produced.
Malicious Code
Symantec Corp. has shipped an update to its Norton SystemWorks program
to eliminate a rootkit-type feature it included, allowing Norton to hide a directory
from the Windows API. The directory was intended to be a location for the program
to store files Norton wanted to ensure customers would not delete -- but it
could also be used by malware criminals to hide their malware.
Privacy
Fitography is a new Web service that trolls other peer-to-peer networks
to collect pictures and images it finds there. It then makes those pictures
available on its own site. Experts say the site could easily break laws in a
variety of countries if images turned out to be, for example, child pornography.
There is also the possibility of copyright violations. The U.K.'s Data
Protection Act, for example, also requires that a person's consent is
granted prior to divulging any personal information.
This column was originally published in our weekly Security Watch newsletter.
One really has to wonder what the point of this new service really is. Images are the least compressible data on the Internet, so gathering them is going to chew up a lot of bandwidth and server storage capacity. Metadata on images is also typically difficult to glean from the images themselves, so how are you supposed to search through the masses of images they may collect to make any use of them?
On the other hand, if they keep records of where they got what, then they certainly
could use such a service to identify rogue sites serving up child pornography…assuming
they don't get caught themselves first.
Governance
An SMS service in Queensland, Australia, is coming under the scrutiny
of the government there. "Road Spy" uses SMS messaging to
alert motorists to speed traps and random breath test locations. The government
would like to see the service shut down. The director of the service claims
they are trying to encourage prudent driving via the alerts, while the government
claims they are undermining road safety by helping motorists avoid police.
Come on, how can anyone claim that informing motorists of hidden speed checks
or random breathalyzer locations could possibly make drivers more prudent? I
can just see it now: Someone checks their SMS, presumably hours in advance,
and discovers there's a check en-route between their source and destination.
Their next step is to conclude they simply won't drink that night…instead
of deciding to take an alternative route. Are we to believe the road system
in Australia is so abysmal that they don't have alternative routes?
About the Author
Russ Cooper is a senior information security analyst with Verizon Business, Inc.
He's also founder and editor of NTBugtraq, www.ntbugtraq.com,
one of the industry's most influential mailing lists dedicated to Microsoft security.
One of the world's most-recognized security experts, he's often quoted by major
media outlets on security issues.