Microsoft Speaks – Forked Tongue or Epiphany?

That is what the Indians would have said, had the settlers given them the line; it is what we, as users of the Microsoft product lines, are now being told.

This morning ComputerWorld explains that the company will today roll out a patch for Windows 7 to address a bug that the company itself states is unhackable.

Now, think about that for a moment. What has suddenly generated this tremendous good will toward the customer, and this inner awakening of integrity, that the company would repair a problem ostensibly incapable of causing harm? When did this corporate epiphany occur?

Oh, and where exactly do we start submitting the other long-known bugs that no one has bothered to repair?

The story refers to the practice as defense-in-depth, though it is not made clear whether the terminology comes from Redmond or from elsewhere.

Later today, Microsoft will play it safe by patching a Windows 7 bug that it says can’t be exploited.

Of the 11 security bulletins that will be released in a few hours, "Bulletin 7" will address one or more vulnerabilities in Windows 2000, Windows XP and Windows Server 2003.

But Microsoft will also offer the same update to users running Windows Vista, Windows 7 and Windows Server 2008, even though the company maintained last week that they were impervious to attack.

"Windows 7 users will be offered Bulletin 7 as a defense-in-depth update even though the [advanced notification] states that the issue does not affect Windows 7," said Jerry Bryant, a group manager with the Microsoft Security Response Center (MSRC), in one of several e-mails replying to questions. "This means that the vulnerable code is in the software, but due to the improved protections built into Windows 7, there are no known vectors to reach it."

In other words, the vulnerability is there — in Vista, Windows 7 and Server 2008 — but Microsoft doesn’t know how it could be exploited.

Better safe than sorry, security experts said.

I agree completely, and though it feels as though I’m kicking a gift horse in the mouth, I cannot help but wonder what has triggered this sudden about-face. For years the corporate mantra has been one where flaws that are not noticed, or exploited already, are simply noted and then held in abeyance, or ignored.

"Absolutely, it’s a good practice to fix these bugs," said Andrew Storms, director of security operations at nCircle Network Security. "Just a year ago, DEP [data execution prevention] and ASLR [address space layout randomization] were mitigating nearly every vulnerability for Internet Explorer on Vista. Yet we are seeing a steady rise in more researchers’ finding and taking advantage of DEP bypass methods. And if DEP bypass continues to happen more often, then we’ll be happy that Microsoft issued these fixes."

Wolfgang Kandek, chief technology officer of security risk and compliance management provider Qualys, not only agreed, but cited DEP and ASLR circumventions as well. "Installing the update for Windows 7, Server 2008 and Vista is definitely a recommended, and preemptive, action," he said. "We have seen cases in the past where attackers were able to string together multiple vulnerabilities to reach their goal, most recently at CanSecWest where Peter Vreugdenhil used two bypasses to first get by ASLR, then DEP when he exploited IE8."

For his exploit expertise, Vreugdenhil, a Dutch freelance researcher, last month won $10,000 during the Pwn2Own hacking contest. His one-two punch was called "particularly impressive" by the contest organizer because it sidestepped DEP and ASLR, two cornerstones of Vista’s and Windows 7’s security.

Microsoft has patched untouchable vulnerabilities before, Bryant confirmed, citing several examples, including MS09-032, a July 2009 update that disabled a company-made ActiveX control said to be unexploitable in Vista or Server 2008. Prior to that, Microsoft issued MS09-015 (April 2009) and MS08-062 (October 2008) for similar defense-in-depth reasons.

Is it possible that Microsoft has seen the light? Did someone hold an old-time revival meeting in the Microsoft tent, and have an altar call, where Microsoft could repent and turn over a new leaf? If so, I could not be more excited, for I will enthusiastically trumpet any changes for the better from this company. However, you will pardon my cynicism for just a brief moment, as it is not easily shed after so long a time of dealing with the prevailing methods of a company that has historically spent much more time patting itself on the back than doing the hard work necessary to get that last bug out of the code.

"These are typically situations where the vulnerable code exists but is not accessed in any way by the system," said Bryant. "We feel it’s important to continuously look at ways to reduce the overall attack surface, so defense-in-depth updates will continue to be offered to customers."

Storms argued that it was just Microsoft following established protocol. "This probably has more to do with the mechanics of Microsoft’s SDL [software development lifecycle] than anything else," Storms said. "A bug was found and validated, they are thus committed to issuing the fix. All supported platforms must receive the fix, even if it means that the possibility of an attacker even thinking about exploiting it is unlikely."

Bulletin 7 has a back story that makes it more interesting than most. Microsoft doesn’t map pre-patch bulletins to issues it has said will be addressed, but clues point to Bulletin 7 fixing a flaw in VBScript. Last month, a Microsoft advisory warned Windows XP users of a bug in the scripting language, and told them not to press the F1 key when prompted by a Web site.

Storms acknowledged that the situation was probably confusing to users, what with Microsoft claiming that Vista, Windows 7 and Server 2008 were not affected by the vulnerability, but still urging users to patch. But look at the bigger picture, he said.

"[Microsoft’s] basically saying that in order for an attack to work, many layers would have to be peeled apart first, essentially making an attack unlikely," he said. "Yet, Microsoft is saying they are still bound by an obligation to issue the fix."

Microsoft will release the 11 security updates, including Bulletin 7, at approximately 1 p.m. ET today.
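Bryant's distinction in the story above, between vulnerable code being present in a product and that code being reachable from untrusted input, is easier to see in a small model. The following C program is an added example; it is not code from the ComputerWorld story, from this post, or from Microsoft. The buffer size, the platform guard and the handler names are constructed stand-ins. It shows one latent flaw shared by every platform, a newer platform whose caller-side check leaves no vector to it, and the defense-in-depth fix that removes the flaw everywhere regardless of reachability.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed model (not Microsoft's code): one latent flaw that exists on
 * every platform, a newer platform whose caller-side guard means untrusted
 * input never reaches it, and the defense-in-depth fix that removes the
 * flaw everywhere regardless of reachability. */

#define NAME_BUF 16

enum outcome { HANDLED, REJECTED_BY_GUARD, STACK_CORRUPTED };

/* The latent flaw: an unbounded copy into a fixed-size buffer. */
static void legacy_copy_name(char *dst, const char *src)
{
    strcpy(dst, src);
}

/* The fix: a bounded copy that truncates and always NUL-terminates. */
static void hardened_copy_name(char *dst, size_t dst_len, const char *src)
{
    if (dst_len == 0)
        return;
    size_t n = strlen(src);
    if (n >= dst_len)
        n = dst_len - 1;
    memcpy(dst, src, n);
    dst[n] = '\0';
}

/* Pre-patch handler. has_guard models the newer platform, whose caller
 * rejects oversized input before the helper runs. The overflow itself is
 * reported rather than performed, so this model is safe to execute. */
static enum outcome handle_prepatch(bool has_guard, const char *input)
{
    char name[NAME_BUF];
    if (has_guard && strlen(input) >= NAME_BUF)
        return REJECTED_BY_GUARD;        /* flaw present, but no vector to it */
    if (strlen(input) >= NAME_BUF)
        return STACK_CORRUPTED;          /* older platform: strcpy would overflow */
    legacy_copy_name(name, input);       /* safe here only because of the check above */
    return name[0] == input[0] ? HANDLED : STACK_CORRUPTED;
}

/* Patched handler: the bounded copy is used on every platform, guard or not. */
static enum outcome handle_patched(bool has_guard, const char *input)
{
    char name[NAME_BUF];
    if (has_guard && strlen(input) >= NAME_BUF)
        return REJECTED_BY_GUARD;
    hardened_copy_name(name, sizeof name, input);
    return strlen(name) < NAME_BUF ? HANDLED : STACK_CORRUPTED;
}

/* Constructed inputs. */
static const char SHORT_INPUT[] = "alice";
static const char LONG_INPUT[]  = "this-name-is-longer-than-sixteen-bytes";

int main(void)
{
    printf("old platform, pre-patch, long input:  %d\n", handle_prepatch(false, LONG_INPUT));
    printf("new platform, pre-patch, long input:  %d\n", handle_prepatch(true, LONG_INPUT));
    printf("old platform, patched,   long input:  %d\n", handle_patched(false, LONG_INPUT));
    printf("new platform, patched,   short input: %d\n", handle_patched(true, SHORT_INPUT));
    return 0;
}
```

The guarded platform never lets oversized input reach the unbounded copy, which is the "no known vectors" position, yet the same helper still ships there. A defense-in-depth update replaces the helper on every platform, so that if a later bypass of the guard (or of a mitigation such as DEP or ASLR) turns up, the flaw behind it is already gone.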

Minor point: we are not told when the established protocol was instituted. One might think that if it had been around for a while, the company would certainly want to establish that time frame with its readers.

I remain cautiously excited, which is how I believe that all users of Microsoft products should posture themselves.
