
Immediate self-policed, self-notification of flaws buttressed by workarounds and security recommendations


It was pleasantly startling to see Microsoft announce a program, albeit in 'pilot' status, that I have long been on record as favoring: a security advisory service that will "strive to issue an alert within one business day of [Microsoft's] becoming aware of a problem and offer ways to mitigate it."

In Vast differences in major flaw handling separate software and manufacturing firms, I noted:

How different the handling of analysis and subsequent disclosure of security flaws between software and computer makers on the one hand and hardware and industrial vendors on the other. Whereas the software industry too often seeks to muzzle "amateur and professional researchers who have found flaws in their products" to the point of imprisonment via the Digital Millennium Copyright Act (DMCA), hardware vendors tend to work with those investigators who discover faults, if not outright halt production before their customers halt deliveries.

I am equally disturbed that "all the special-interest organizations created by vendors for vendors," such as Microsoft's Organization for Internet Safety, are designed to shield said vendors from public censure. I have less patience with governmental entities, especially those from the intel community, that should know that criminal and terrorist groups are working just as quickly to build a repository of hacks and will employ them when it is financially rewarding or when a DDOS or other strike is ordered.

Such a possible about-face deserves the benefit of the doubt, and while it was clear from the talkback entries to the announcement that much ill will was sent in Microsoft's direction, it is noteworthy that Microsoft, given its visibility and market leadership position, has elected to establish a threat watch list.

In that spirit, I find it quite acceptable to "include alerts that do not necessarily relate to a flaw, but to issues that could pose a security risk," e.g., phishing. While some, myself included, could think that this is a means to dilute the focus from purely Microsoft-generated issues, it is also long overdue to have a general security threat list, as even the most fearsome defense can be undone by a well-socially-engineered attack that entices Homo Boobus to click on a link or open a file. See Malware, phishing, cracking, and social engineering all point to increasing criminal profit.

It is also good that "advisories will notify [when] exploit code [has] been made public or 'proof of concept' code that might be related to a released update or vulnerability" is released, as the status of the attack (from discovery of the flaw, to proof-of-concept code being shared in virus IRC chat rooms, to code seen "in the wild") gives the thoughtful user a 'timeline to realistic potential attack.' I would also add in which chat rooms the code is seen or discussed so as to build a geographical tracking history of how fast a particular group gets code into the wild.

Also good is the appending of a "tracking number that will enable people to follow any changes in the warning" onto the patch release.

As large firms are loath to self-flagellation, the advisories "will not rank the severity of the security problem," but I do not despair, as many other firms will pick up the Microsoft list and append rankings and their rationale. Ultimately, I would expect Microsoft to harvest the best of these ranking systems for incorporation into its threat advisory series.

An open issue is when the clock starts on the advisory list and who can contribute to the advisory list beyond Microsoft. For example, a long-standing fault list for Internet Explorer contains items that have been open for some time. Having opened the advisory list, Microsoft would be well advised to acknowledge legacy faults and get on with the business of resolving them, publicly, so as to also get an advertising and trust bounce from the effort. Were I Microsoft, I would invite security firms to post their discoveries on the advisory list as well as on their own websites. Over time, I could build a center of expertise around the handling of flaws and threats.

Given the current competitive environment, I think that this is a calculated gain for Microsoft. Done well, the advisory list puts Microsoft in the same tier as open-source software vendors that provide "alerts and list potential workarounds." While a self-policed "full disclosure" advisory list allows Microsoft some control over the spin that describes a particular fault, I would think that it would ultimately pressure Microsoft to reduce the lag time between identification and patch dissemination. If software liability, heretofore excluded in almost all US software contracts, does materialize in North America, Microsoft would be better positioned to show that it is proactive in resolving faults before litigation commences.

Long overdue, yes, but a very sound step for an industry software leader.

Microsoft to sound early alert for flaws
By Dawn Kawamoto, CNET
Published on ZDNet News
May 6, 2005, 11:08 AM PT

Gordon Housworth
