Monday, November 13, 2006


To my faithful three readers, a quick note that I'll now be doing all my security blogging at Please adjust your feedreaders and bookmarks accordingly. There's a problem in RSS-land. Stay tuned.

Here's the feed URL to update your RSS reader:

Auto-discovery works in IE 7 and Firefox 2.


Thursday, September 21, 2006

Best Wishes MJF

My pal Mary Jo Foley has left the building.

* Best of luck to a great reporter and champion person.

Friday, September 15, 2006

The Flaw Counting Game Redux

Since releasing Firefox 1.5 in November 2005, Mozilla has patched 59 security vulnerabilities in the browser, more than half rated by the company as "critical."

Over that same period, according to Microsoft's Jeff Jones, the IE patch count stands at 35.

There seems to be a subtle suggestion that flaw counting is a sign that one browser is more secure -- or has fewer bugs -- than the other. This is a shaky stance for a very simple reason: Microsoft does not publicly disclose everything that's been patched, nor the flaws it has known about for months and months and simply doesn't fix. If you don't believe me, just check with Aviv Raff.

A few days ago, I had this discussion with Mozilla's new security chief Window Snyder and she raised another interesting point. Mozilla may prioritize flaws but, when updates are shipped, the company will fix *every* bug reported. By comparison, there are hundreds (if not thousands) of bugs that Microsoft won't fix until a future service pack. "Vulnerabilities that are found internally are fixed in service packs or major revisions and are also not counted," Snyder told me. As a former Microsoft security strategist, she should know.

Borrowing from ideas presented by Dan Geer, Allen Jones and others, Snyder said Mozilla is working on a new proposal to accurately evaluate/compare product security, using things like:

Days of Risk -- How long is the customer at risk?
Transparency -- How can the industry validate the vendor's metrics?
Complexity -- How does the architecture of the product support security?
Scope of Fixes -- Which bugs get fixed?

In the final analysis, it's all for marketing/PR purposes. But, it would sure help stop the silly counting game.

Thursday, September 14, 2006

Patch Tuesday Remainders

** Cross-posted from eWEEK **

I've cobbled together a few leftovers from Microsoft's Patch Tuesday that are worth noting separately:

** If the updated MS06-042 bulletin includes a patch for a brand new, previously undiscovered vulnerability, why is it being re-re-released? Shouldn't this have been rolled out as a fresh IE update? eEye's Ross Brown sums it up perfectly:

Badly-mangled patches are rare, having a patch for a badly-mangled patch is extremely rare. Because of this, the onus is even higher on Microsoft to practice the vendor version of responsible disclosure -- don't bury the details, but actually speak with a loud, clear voice -- "Guys, this isn't a re-release of the update you already have, this is a new release you need to apply immediately"

** The Microsoft Publisher flaw covered in the MS06-054 update was originally discovered and reported to Microsoft on 3/8/2005. It took the company 1 year, 1 month, 6 days (402 days) to provide a fix.

** It was interesting to see that Computer Terrorism, the British hacking group that exposed Microsoft's inability to properly diagnose a flaw warning in Nov. 2005, is now working "responsibly" with software vendors. The group held its tongue for 402 days on the high-risk Publisher flaw and also worked closely with Adobe on the critical Flash patch that was also released alongside the Microsoft updates.

** It took Adobe 4 months (123 days) to push the Flash fix out the door. Computer Terrorism says a reliable multi-platform/multi-browser Web-based proof-of-concept was created and shared with the vendor.

** There are at least three publicly-known, high-risk flaws in Microsoft Office products that will remain unpatched for at least another 30 days. The most recent MS Word vulnerability, which Microsoft confirms is being used in zero-day attacks, was not addressed. Patches for two separate high-risk Excel vulnerabilities, known to Microsoft since at least July 2006, were also not released.

** The vulnerability covered in the MS Publisher bulletin is the 25th Office flaw fixed this year. That's not counting the silently fixed bugs that Microsoft admits it doesn't tell us about. By comparison, for all of 2005, the company only released fixes for five vulnerabilities. As an aside, a quick peek at the flaw credits in the barrage of Office bulletins has conspiracy theorists wondering whether Microsoft's decision to share the Windows source code with China is linked to the uptick of flaw warnings from the Far East.

** While we're counting, McAfee's Monty Ijzerman points out in an e-mail that Microsoft has already patched more critical vulnerabilities this year than they patched in 2004 and 2005 combined.

** Lastly, did Apple deliberately sneak out its critical QuickTime patch to hide behind Microsoft's Patch Day and the media glare of its more sexy iTunes/iTV/iPod announcements? This is a question I've asked before.

Monday, August 14, 2006

Is this thing still on?

Anyone out there?  <echo echo>

Hello?!?  <echo>

Friday, February 17, 2006

A Flaw in Microsoft's Security Rating System

The brilliant Matthew Murphy finds that Microsoft's severity rating system is rather flawed. In this analysis of the MS06-006 vulnerability rated "important" by Microsoft, Murphy posts a proof of concept to prove how serious -- and easy to exploit -- the bug really is.

Thursday, February 16, 2006

Security Bulletin Facelift

Joris Evers is reporting that Microsoft plans to give its Security Bulletins Web page a facelift to make it easier for technology professionals to read the bulletins.

Bill G, Security Influencer

My colleague Dennis Fisher picks Bill Gates among the top three people who have helped shape the future of the IT security industry.

Wednesday, February 15, 2006

Vista Would Have Been...

Microsoft chairman Bill Gates: "Believe me, Vista would have been out nine months ago if we hadn’t had to do all the security design reviews and put the security features in."

Sunday, February 05, 2006

In Support of Rootkits

Greg Hoglund, one of the guys who (literally) wrote the book on rootkits, makes the argument that it's OK to use rootkits in commercial software:

If you want my opinion, my opinion is this: Let Symantec, Kaspersky, F-Secure, and all the others use rootkit technology, it only makes their anti virus products more effective. Let anti-spyware companies like Sunbelt use rootkits against rootkits. Use fire against fire. I don't agree w/ people who say such approaches take away an administrators capability to administer a box. To solve the administrator problem, you only have to do one thing: Treat your rootkit features as a black box and uninstall them with the rest of your product. If an administrator doesn't want your product, then he can uninstall it. You aren't taking anything away.

Thursday, February 02, 2006

Gone and Back in 60 Seconds

David LeBlanc, the former security architect in Microsoft's Office division who quit Redmond to go sweeping for spyware at Webroot, is now back at Microsoft in his old chair. So says an excited Michael Howard.

Wednesday, January 25, 2006

Tuesday, January 24, 2006

Oracle v Microsoft

Ed Moyle: Take a look at Oracle's vulnerability process, compare it with Microsoft's, and tell me again why Microsoft is the security pariah?

Wednesday, January 18, 2006

XP LUA Goodness

Microsoft has published a technical white paper describing the least-privileged user account (LUA) approach in Windows XP. Lots of useful guidance, tools and resources.

Which reminds me: If I had one major quibble about the MSRC's security advisories pilot program, the absence of LUA guidance from the suggested actions would be it. What better place to spread an important gospel?

/. questions for Mike Nash

Microsoft's security bigwig Mike Nash is taking questions from Slashdot readers.

UPDATE: Todd Bishop has picked out some of the highest modded questions so far.

Saturday, January 14, 2006

Two-way Vista Firewall

Ed Bott has the skinny on the fact that Windows Vista will feature a two-way firewall.

Thursday, January 12, 2006

Rotten Apple

Microsoft security guru Michael Howard thinks that Apple's just-released QuickTime update presents one of those OMFG, APPLY THE PATCH!! scenarios. On the heels of the recent problems with these kinds of image-parsing bugs, he might be right.

It's somewhat amusing, in a sad way, that Apple chose to sneak out the QuickTime update on Microsoft's patch day. I've already written about this tactic, which has its pros and cons. Someone just mentioned to me that the QuickTime patch coincided with the MacWorld festivities, when everyone was looking the other way.

Wednesday, January 11, 2006

Zero Day Alive and Well

Long before the release of Microsoft's patch for the Web fonts flaw, researcher Piotr Bania had already started working on a blow-by-blow description of the vulnerability. More proof that the zero day is very much alive, and even more dangerous.

* Via Daily Dave.

Thursday, January 05, 2006

The Win2K SP3 Dilemma

If you are like a certain West Coast city government (I'm withholding the identity to avoid placing them at risk of targeted attacks) and you haven't migrated yet from Windows 2000 SP3 because of app compatibility problems, you'll have to fork out upwards of $200,000 to get custom support and, by extension, a patch for the WMF vulnerability.

Microsoft likes to slickly say that they'll continue to provide patches for Windows 2000 but that's not entirely true. Patches are only available for Windows 2000 SP4. Joris Evers mentions some others in a blog entry but still misses the fact that Windows 2000 SP3 users are also left out in the cold.

That's why I recently asked if Microsoft would tell us how many Zotob infections occurred on Windows 2000 SP3. I suspect the answer is startling.

UPDATE: Paul Roberts finds Microsoft playing word games with severity ratings and older OS versions.

Hi, I'm Mike Nash

And I approve this message:

"With the update available today, you certainly have the choice of deploying now or waiting until your normal release process. If it were my decision, I would move up the schedule. That is what we are doing in our IT operation here at Microsoft."

Tuesday, January 03, 2006

The Problem With Ilfak's Patch

I see that third-party distribution of the third-party WMF patch has started. How soon before a fake malicious version of this 'patch' gets into the ecosystem? Sigh.

Fearmongering Redux

The SANS Internet Storm Center is conducting a poll on the impact of the WMF exploit. 80% of the 1142 respondents said they had not seen an exploit. Yet, if you read the nonstop diary entries, you'd think we're seeing a blended Blaster/Slammer/Sasser attack.

* Very uncharacteristic.

Monday, January 02, 2006

WMF Risk Management

This man should be writing the MSRC security bulletins. Seriously.


Matthew Murphy on why talking heads with doom-n-gloom soundbites are the people you should most avoid.

Here's a beauty from the oft-quoted privacy/security expert Richard Smith:

"We could see the mother of all worms here. My big fear is we’re going to wake up in the next week or two and have people warning users not to read their e-mail because something is going around that’s extremely virulent."