Why Can't Microsoft Catch Its Own Bugs?

It may be that Microsoft, the world's largest software company, doesn't have enough programmers to discover security holes in Windows.
They say the cobbler's children have no shoes. In a similar way, it may be that Microsoft, the world's largest software company, doesn't have enough programmers to discover security holes in Windows.

The Redmond technology giant released 10 separate security bulletins on Oct. 12, which are said to patch 22 different weaknesses in Windows.

When I was studying these documents, I realized that Microsoft had credited outside "security researchers" with the discovery of 9 out of 10 of the issues.

Microsoft is one of the most profitable corporations on the planet, earning $2.9 billion in the most recent quarter. That's up more than 10% from the same quarter a year ago and represents a profit margin of more than 31%. The company has over $60 billion in cash reserves alone.

Isn't Microsoft paying its own employees to find security holes in Windows? And, if it is, why are the insiders finding only a small minority of the problems that nonemployees are uncovering and reporting?

The Thin Grey Line

Microsoft appears to be unable to discover security weaknesses in its products faster than a small coterie of "white-hat" and "grey-hat" hackers — technically skilled people who either work in "good guy" consulting firms or in amorphous online networks. Here's how the system operates:

Security First. Individuals known as security researchers delve into the inner workings of Windows, usually with little or no access to the original source code.

Responsible Disclosure. Under current Microsoft policy, these researchers are expected to report any security weaknesses they find to Microsoft privately. No disclosure to anyone else is supposed to occur until a patch is announced by the Redmond company.

A Pat On The Head. In return for this delay in telling others about any newly discovered problem, the researcher's name or company is acknowledged in the body of Microsoft's announcement with a hyperlink to the researcher's Web site. This link improves the site's ranking in search engines — but more importantly, it helps the security firm attract consulting customers who want advice on protecting their systems against future threats.

A Worldwide Elite Of Technorati

The number of programmers with the background and interest to discover subtle Windows security holes is probably a mere few dozen worldwide.

"There are only four people in the world who've discovered 90% to 95% of the Internet Explorer vulnerabilities," asserts Jay Nichols, a spokesman for eEye Digital Security, a leading security consulting firm. "Two are anonymous, one is in China, and the other is Drew Copley," an eEye employee.

Microsoft credits eEye (and, therefore, Copley) with finding and reporting the "ZIP Decompression Bug" described in this month's security bulletin named MS04-034. By exploiting this bug, a hacker can create a Web site or a ZIP file that can take control of an unpatched Windows XP or Server 2003 system, because the built-in decompression feature in those operating systems is poorly programmed.

Don't other decompression programs, such as WinZip and PKZip, have the same vulnerability to hacked ZIP files? "No, they don't," replies Copley, eEye's senior research engineer. "They [Microsoft] do deserve some scorn for that. This was a pretty easy-to-find bug."

Shouldn't a security hole like this have been found during Microsoft's much-publicized Trustworthy Computing Initiative in 2002, during which the company's developers were given two weeks of training and then told to examine Windows code for weaknesses?

"My best estimate is that it didn't do very much," Copley says. "That much code, you can't do that much in one month. It takes many years, that's an entirely different job. It [the initiative] strikes me more as smoke and mirrors."

Paying Top Dollar For Security Expertise

Another company acknowledged by Microsoft is the Bindview Corp., a provider of security management software. That firm credits its senior security analyst, Mark Loveless, with discovering the problem described in bulletin MS04-029. This flaw allows attackers to crash unpatched Windows NT systems.

When asked why Microsoft doesn't find most such holes on its own, Loveless replied, "They're getting a lot of it for free. It's free R&D."

"The best of the people looking for these bugs are fewer than 100 in number," says Loveless. "Within the past three or four years, the vast majority of these people got hired, and not by Microsoft."

Couldn't Microsoft afford to hire them? "The people who have the skill set to discover this kind of bugs, they're worth a lot of money," Loveless explains. "I've talked to people who wouldn't work at Microsoft because they [Microsoft] weren't willing to pay enough money. That's simply because their focus has not been on security. They're not a security company."

Microsoft Answers Its Critics

In response to my original question — aren't paid Microsoft employees supposed to be finding these security holes? — a Microsoft spokesman, who asked not to be identified by name, provided me with a written statement:

"At Microsoft, security response is a full time commitment that involves building and maintaining strong relationships with security researchers around the globe. Security researchers can offer unique expertise and insight and play an important role in helping Microsoft protect its customers and improve its products.

"No amount of testing can fully replicate the complex configurations of Microsoft's broad customer base. Reputable security researchers who share Microsoft's passion for protecting customers have uncovered elusive security vulnerabilities and worked with Microsoft to develop comprehensive fixes."

Regarding why most security flaws aren't found by Microsoft employees themselves, the statement said:

"All software contains bugs and some bugs result in security vulnerabilities. Microsoft is committed to keeping the number of security vulnerabilities that ship in its products to a minimum as evidenced by the work that went into Windows Server 2003, our focus on providing greater defense in depth and the ongoing work in the SBTU [Security Business and Technology Unit] — all of which help to deliver on Microsoft's vision of Trustworthy Computing."

Conclusion

The bottom line? It appears that one of the world's wealthiest corporations is dependent on volunteers to discover most of the critical security flaws that make its biggest-selling products dangerous for Windows users to run.

That sure makes me feel a lot more secure. How about you?
