They say the cobbler’s children have no shoes. In a similar way,
it may be that Microsoft, the world’s largest software company,
doesn’t have enough programmers to discover security holes in Windows.
The Redmond technology giant released
10 separate security bulletins on Oct. 12, which
are said to patch 22 different weaknesses in Windows.
When I was studying these documents, I realized that Microsoft had credited
outside “security researchers” with the discovery of 9 out of 10 of
Microsoft is one of the most profitable corporations on the planet, earning
billion in the most recent quarter. That’s up more than 10% from the same
quarter a year ago and represents a profit margin of more than 31%. The
company has over $60 billion in cash reserves alone.
Isn’t Microsoft paying its own employees to find security holes in Windows?
And, if it is, why are the insiders finding only a small minority of the
problems that nonemployees are uncovering and reporting?
The Thin Grey Line
Microsoft appears to be unable to discover security weaknesses in its
products faster than a small coterie of “white-hat” and “grey-hat” hackers
— technically skilled people who either work in “good guy” consulting
firms or in amorphous online networks. Here’s how the system operates:
• Security First.
Individuals known as security researchers delve into the inner workings of
Windows, usually with little or no access to the original source code.
• Responsible Disclosure.
Under current Microsoft policy, these researchers are expected to report any
security weaknesses they find to Microsoft privately. No disclosure to anyone
else is supposed to occur until a patch is announced by the Redmond company.
• A Pat On The Head.
In return for this delay in telling others about any newly discovered problem,
the researcher’s name or company is acknowledged in the body of Microsoft’s
announcement with a hyperlink to the researcher’s Web site. This link
improves the site’s ranking in search engines — but more importantly,
it helps the security firm attract consulting customers who want advice on
protecting their systems against future threats.
A Worldwide Elite Of Technorati
The number of programmers with the background and interest to discover subtle
Windows security holes is probably a mere few dozen worldwide.
“There are only four people in the world who’ve discovered 90% to 95% of
the Internet Explorer vulnerabilities,” asserts Jay Nichols, a spokesman for
eEye Digital Security,
a leading security consulting firm. “Two are anonymous, one is in China, and
the other is Drew Copley,” an eEye employee.
Microsoft credits eEye (and, therefore, Copley) with finding and reporting
the “ZIP Decompression Bug” described in this month’s security bulletin named
MS04-034. By exploiting this bug, a hacker can create a Web
site or a ZIP file that can take control of an unpatched Windows XP or Server
2003 system, because the built-in decompression feature in those operating
systems is poorly programmed.
Don’t other decompression programs, such as WinZip and PKZip, have the same
vulnerability to hacked ZIP files? “No, they don’t,” replies Copley, eEye’s
senior research engineer. “They [Microsoft] do deserve some scorn for that.
This was a pretty easy-to-find bug.”
Shouldn’t a security hole like this have been found during Microsoft’s
much-publicized Trustworthy Computing Initiative in 2002, during which the
company’s developers were given two weeks of training and then told to examine
Windows code for weaknesses?
“My best estimate is that it didn’t do very much,” Copley says. “That much code,
you can’t do that much in one month. It takes many years, that’s an entirely
different job. It [the initiative] strikes me more as smoke and mirrors.”
Paying Top Dollar For Security Expertise
Another company acknowledged by Microsoft is the
Bindview Corp., a
provider of security management software. That firm identifies its senior
security analyst Mark Loveless as discovering the problem entitled
MS04-029. This flaw allows attackers to crash unpatched
Windows NT systems.
When asked why Microsoft doesn’t find most such holes on their own, Loveless
replied, “They’re getting a lot of it for free. It’s free R&D.”
“The best of the people looking for these bugs are fewer than 100 in number,”
says Loveless. “Within the past three or four years, the vast majority of these
people got hired, and not by Microsoft.”
Couldn’t Microsoft afford to hire them? “The people who have the skill set
to discover this kind of bugs, they’re worth a lot of money,” Loveless
explains. “I’ve talked to people who wouldn’t work at Microsoft because they
[Microsoft] weren’t willing to pay enough money. That’s simply because their
focus has not been on security. They’re not a security company.”
Microsoft Answers Its Critics
In response to my original question — aren’t paid Microsoft employees
supposed to be finding these security holes? — a Microsoft spokesman,
who asked not to be identified by name, provided me with a written statement:
“At Microsoft, security response is a full time commitment that involves
building and maintaining strong relationships with security researchers around
the globe. Security researchers can offer unique expertise and insight and
play an important role in helping Microsoft protect its customers and improve
“No amount of testing can fully replicate the complex configurations of
Microsoft’s broad customer base. Reputable security researchers who share
Microsoft’s passion for protecting customers have uncovered elusive security
vulnerabilities and worked with Microsoft to develop comprehensive fixes.”
Regarding why most security flaws aren’t found by Microsoft employees
themselves, the statement said:
“All software contains bugs and some bugs result in security vulnerabilities.
Microsoft is committed to keeping the number of security vulnerabilities that
ship in its products to a minimum as evidenced by the work that went into
Windows Server 2003, our focus on providing greater defense in depth and the
ongoing work in the SBTU [Security Business and Technology Unit] — all of
which help to deliver on Microsoft’s vision of Trustworthy Computing.”
The bottom line? It appears that one of the world’s weathiest corporations is
dependent on volunteers to discover most of the critical security flaws
that make its biggest-selling products dangerous for Windows users to run.
That sure makes me feel a lot more secure. How about you?