Thursday, December 22, 2005

When Silent Fixes Backfire

On the SecuriTeam Blog, Matthew Murphy provides an extreme example of why it's important for software vendors like Microsoft to be totally transparent about the way security vulnerabilities are handled and fixed.

He explains how a security bug in Visual Studio was reported to Microsoft in 2002 but remained unfixed for a long time. Eventually, Microsoft silently fixed the flaw but declined to provide information about the fix to customers or partners. Because nothing was published, anti-virus vendor Trend Micro unwittingly shipped the vulnerable code in its own products, putting its customers at risk of code execution attacks.

Trend Micro, at the end of 2005, says it has only "recently become aware" of the flaw, one that Murphy says he reported to Microsoft in July 2002.

The lesson:

"While this is an extreme example, it goes to show just how important information is in shaping response. Security fixes cannot simply be made and forgotten: they need effective distribution and uptake to have real-world impact. It wasn't the lack of a fix, but poor distribution and uptake of a security patch that enabled Blaster to infect 25 million Windows PCs, and bring entire networks to their knees. And… what better way is there to cripple uptake rates than to simply not inform users of the availability of a fix?

We can only hope Microsoft has learned its lesson... if approaches like this remain the norm there, we’re going to be dealing with more viruses, more sleepless nights, and more pounding headaches for quite a while before they ever get it right."