David Silversmith

Security Patching: What Your Vendors Aren't Telling You

5/17/2010 12 comments

In recent years, software manufacturers appeared to be increasing the transparency of communication about bugs. The Internet has allowed for rather rapid delivery of software patches, and Microsoft Corp. (Nasdaq: MSFT) even releases details in its security bulletins and accompanying Webcasts.

However, Core Security Technologies has revealed that in April, Microsoft patched two vulnerabilities that it did not disclose. While researching the fixes issued by Microsoft in Microsoft's Security Bulletin MS10-024 published April 13, 2010, exploit specialist Nicolás Economou discovered two vulnerabilities in Windows SMTP Service and Microsoft Exchange. These vulnerabilities were fixed by the patches referenced in MS10-024, but they were not disclosed in the vendor's security bulletin and did not have a unique vulnerability identifier assigned to them.

This situation revealed what Microsoft, and many other software vendors, are still hiding -- namely, the fact that they do not disclose internally discovered flaws.

What Core Security has helped to highlight is that once somebody else, perhaps a security firm or perhaps a hacker, reveals that a bug exists, then most software vendors will discuss that issue in the light of day. Essentially, the software vendors are transparent on the issue only when their hands are tied and they have to go public.

You might argue that if nobody knows about the flaw, why does it matter? But when you consider events like the March 13 patch-tastic Tuesday, you can see how overloaded IT departments have been just trying to keep PCs and servers up-to-date. If the public flaws are less serious than the hidden flaws, then there is the chance that in the challenge of juggling so many updates, they will place a low priority on a certain patch. The enterprise IT team may have a false sense of security because they don't have the full details.

Software vendors like Microsoft have a history of hiding update information. As recently as 2007, Microsoft was caught patching files on Windows XP and Vista without users' knowledge, even when the users turned off auto-updates. This is one of the many reasons IT departments struggle with allowing software manufacturers free access onto the local network to push software updates.

Many system administrators have put in place automated management solutions that allow them to either test the updates themselves or rely on the testing from third parties like Shavlik Technologies or Core Security.

As the maker of an operating system, perhaps Microsoft has a higher responsibility to report these issues. Not only are enterprise IT departments making decisions based on what the vendor tells them, but there are tens of thousands of other software makers that build upon Windows. They rely on security updates, consolidated into databases like the CVE (Common Vulnerabilities and Exposures list), to decide what changes need to be made to their Windows-based software.

In the most recent case, Core Security urged company administrators to "consider re-assessing patch deployment priorities" if they have not already installed the patch for Microsoft Security Bulletin MS10-024. Though, in fairness to Microsoft, even without the two undisclosed fixes counted, the bulletin was given Microsoft's second-highest rating: "Important."
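The practical first step behind Core Security's advice is simply confirming whether a bulletin's updates are present on each host. The following PowerShell check is an added example, not code from the article or from Microsoft or Core Security; it assumes the reader substitutes the real KB numbers listed in the bulletin for the placeholder ids used here.

```powershell
# Added example: audit whether the updates from a given Microsoft bulletin are
# installed on a host, so a bulletin that is later re-prioritised (as Core
# Security urged for MS10-024) can be checked quickly across a fleet.
# The KB ids below are PLACEHOLDERS; take the real ones from the bulletin.
$BulletinId  = 'MS10-024'
$RequiredKBs = @('KB0000000', 'KB0000001')   # placeholders, one per affected component

function Test-BulletinInstalled {
    param(
        [Parameter(Mandatory)][string]$Bulletin,
        [Parameter(Mandatory)][string[]]$KBs,
        [string]$ComputerName = $env:COMPUTERNAME
    )
    # Get-HotFix reads Win32_QuickFixEngineering; HotFixID is the "KBnnnnnn" string.
    $installed = Get-HotFix -ComputerName $ComputerName -ErrorAction Stop |
                 Select-Object -ExpandProperty HotFixID
    $missing = @($KBs | Where-Object { $installed -notcontains $_ })
    [pscustomobject]@{
        ComputerName = $ComputerName
        Bulletin     = $Bulletin
        Missing      = $missing
        Compliant    = ($missing.Count -eq 0)
    }
}

$result = Test-BulletinInstalled -Bulletin $BulletinId -KBs $RequiredKBs
if ($result.Compliant) {
    Write-Output "$($result.ComputerName): $BulletinId installed"
} else {
    Write-Warning "$($result.ComputerName): $BulletinId not fully installed; missing $($result.Missing -join ', ')"
}
```

Two caveats apply. `Get-HotFix` only reports updates recorded as quick-fix-engineering entries, so an update delivered through another channel may not appear even though it is installed; cross-check against the patch management tool of record before acting on a "missing" result. And, as the article's point stands, the check can only confirm the fixes the vendor has told you about: it says nothing about undisclosed changes bundled in the same package.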

Even when you consider the two unreported flaws, the Important rating seems reasonable. It's unlikely that in this case, enterprise IT teams would have delayed this update.

However, the issue is still on the table: What happens when a critical bug goes unrevealed simply because it was discovered by a Microsoft employee?

And what happens when unreported bugs lead enterprise IT teams to make bad security decisions because they trusted the software vendor's security bulletins? Can IT teams really trust their vendors?

— David Silversmith is VP Information Technology at FirstBook.org, an organization that provides new books to children in need.

JoeFoster
Rank: Web master
Friday May 21, 2010 11:33:52 PM
no ratings

Good comment about Adobe. But it can go further and include Apple.

Everyone bitches about Microsoft but at least they try to make themselves transparent, at least to a degree. Yet Apple, the darling people there (and I'm including Jobs) leave vulnerabilities unpatched for months and sometimes longer.

When talking about crime, it seems to me to be a clear violation of Securities laws for a public person, and if Steve Jobs isn't one then no one is, and especially one that figures so deeply into a company and its public look, not to mention Apple being a public company run by him, not to disclose that he is getting a liver transplant is blatantly against the law.

As for Texas law, I was born there, my Grandmother worked for Lyndon Johnson for thirty years and one of my Uncles was Chief Investigator for the State Bar of Texas. I called him when I read the comment on Texas law and he laughed about the comment. I asked why he was laughing and he simply said that an End User License Agreement was a valid contract, is a valid contract and always will be. You, the person agreeing, don't have to click through and you have the right to ask the EULA be altered. I don't think that's going to happen with any software or hardware company.

I don't live in Texas, in fact left there as soon as possible. Dad was in the Air Force for 32 years so I only had to live there about six years total of my life. And that was sixty too many. I don't like the State. I think that's pretty obvious. I lived there of my own volition for about six months when Mother had a stroke.

But as for the EULA being against Texas law, don't go to court with it. You'll be laughed out of the courtroom. That is if it's even allowed to go forward and with Texas you never know.

As for 'silent' upgrades, security patches and so on, I wonder what Google, Apple, Canonical or any of the other OS pushers, and that includes all in the Open Source world, do?

Don't rag on Microsoft until research has been made into other companies' practices.

jfj

Dr. John
Thinkernetter
Thursday May 20, 2010 1:24:51 PM
no ratings

No.  That's why most contracts have a clause stating that if any part of the contract is found to be in violation of law, the rest remains in effect and enforceable. 

A software license is a contract.  It is a contract between you and the copyright holder, granting you specific rights to the software, reserving all others, and getting your agreement to the terms of the contract before use is authorized.  When you have to agree to terms, either in writing, or by clicking through, it's a contract.

sbondy
IQ Crew
Wednesday May 19, 2010 11:02:26 PM
no ratings

You may be right the EULA says that - to be honest I've never waded through one.

But the EULA is not a contract. It's a license. That may be splitting hairs, but I wonder if - in either a license or a contract - one party can consent to an action by the other party that would otherwise be violation of a legal statute.

I guess we'd need a lawyer to weigh in on that one.


Steve

Dr. John
Thinkernetter
Wednesday May 19, 2010 6:47:22 PM
no ratings

sbondy:

If you read that convoluted mess of legaleze they call the EULA, by using the OS, you give them the right to do this. 

The single, most annoying thing about EULA's is their one-sidedness.  It's an all-or-nothing, take-it-or-leave-it thing.  IMO, a contract should be negotiable to be legal.  And, let's face it, a "license" in this case, is nothing more than a contract.

Not that MS gives three flips about my opinion on it.

sbondy
IQ Crew
Tuesday May 18, 2010 1:02:40 PM
no ratings

This is a very interesting discussion. But one aspect no one has hit on is the possible violation of criminal statutes here.

I am not a lawyer, but in Texas, the penal code includes in its definition of "access" the words "alter data or computer software in, or otherwise make use of any resource of a computer, computer network, computer program, or computer system."

It also states "A person commits an offense if the person knowingly accesses a computer, computer network, or computer system without the effective consent of the owner"

So my question is - if MS patched systems without effective consent of the owners of those systems, did they commit a criminal offense?

Sure sounds that way to me.

Steve

DHCIR
Rank: Cyborg
Monday May 17, 2010 4:19:16 PM
no ratings

Interesting post David, good information.

Well, many of you know I am not an M$ hater (like Terry, ha ha), but, what laws DID M$ actually break here by pushing something out secretly? I don't see a privacy issue and not to defend them too much either but, I guess I'd rather see them push something out to patch an issue covertly so as to NOT alert the cyber criminals in order to better protect users, rather than have bozos like over at Adobe DO NOTHING for 8 mos with a known flaw. NOW THAT is troubling! And it should be criminal if it isn't already!


robjvargas
IQ Crew
Monday May 17, 2010 2:45:46 PM
no ratings

Terry:

Troubling, yes.  But impacting privacy?  That I don't see.

This isn't some form of monitoring or revelation of data, after all.  To use a bit of a silly example, if a mechanic from your auto's manufacturer snuck into your garage and applied a recall fix without your knowledge, does that violate your privacy?  He or she didn't take anything (at least, not in the analogous context here).  The mechanic applied something to your car.  That's it.

Is that troubling?  Yes.  Is that worthy of investigation by a consumer protection agency?  Arguable, I'd say, but certainly not something I'd argue against.  Should we take companies to task for it?  Yeah, I could even go with that.

But invasion of privacy?  I still don't see it.

Kurtkeys
IQ Crew
Monday May 17, 2010 1:34:40 PM
no ratings
1 saves

David,

This is a reiteration of the full disclosure debate. "Transparency" is a new buzz word, that gets more attention than "Open Source-Full disclosure." Places like Tipping Point's zero day initiative, make money an issue on such disclosures. There may be a bit of counter espionage at work here. But unless you are in on it. Don't expect any new insight on the issue. Vendors aren't disclosing their flaws. No matter who doesn't like it.

Kurt

Terry Sweeney
IQ Crew
Monday May 17, 2010 10:23:09 AM
no ratings

In re "As recently as 2007, Microsoft was caught patching files on Windows XP and Vista without users' knowledge, even when the users turned off auto-updates." How can this be legal, or is this another protection or "right" we blithely sign over when we accept the terms of service on the original OS?

Whatever it is, it's sneaky and bad form. And it begs the question of what else they (or others) have silently pushed out, or worse, gleaned from harvested end-user data. Hard to believe with all the state and federal laws passed on data handling and end-user privacy that this sort of practice is legal, despite how any TOS may read.

George Bounacos
Rank: Scrivener
Monday May 17, 2010 9:53:48 AM

With respect, I don't have to look at software changes pushed to me against my explicit will from the vendor's side.  I'm sure the EULA covers such contingencies. I spend 90% of my browsing time in Google Chrome's dev channel so I'm speaking from a consumer perspective.

One of the most impressive updates I ever saw was when Google realized it had a massive exploit in Website Optimizer.  I wrote about my experience at the time because Google started with daily emails for several days and then moved to automated phone calls and finally a live one.  I finally told the person who reached me that the code was on a development server, and I didn't care because it was behind a password, but I would delete it next time around.  The caller was very nice and said bluntly, "We would appreciate you doing that today because we don't know if someone else in your organization will re-use the code"

That was admirable.

When a consumer, even a B2B customer, makes clear their intentions by turning off auto-updates, the company has no right in my opinion to push fixes without permission.   To me, this isn't even a shade of gray.

This behavior is the kind of behavior that gets industries regulated.  

And bottom-line, there's no harm in pushing the word out instead of the code because bad people who use exploits reverse-engineer any patch.  You may be protecting some small business by violating their wishes and pushing unauthorized code out there, but disclosing the fact doesn't let the hacker world know about the exploit. 

They knew the minute their test boxes registered and isolated the new code and spent last night awake trying to beat the clock by pushing out an attack against vulnerable machines.  That's why you use mainstream media to help.  

David, thanks for the explicit citations on this.  I'm going to bring it before the Consumer Protection Commission tomorrow to get a sense of the Commissioners and staff opinion on this matter.   I don't know enough yet about the matter, but if consumer requests are being ignored in a paternalistic, for-your-own-good matter, I think this merits a look.

The ThinkerNet does not reflect the views of TechWeb. The ThinkerNet is an informal means of communication to members and visitors of the Internet Evolution site. Individual authors are chosen by Internet Evolution to blog. Neither Internet Evolution nor TechWeb assume responsibility for comments, claims, or opinions made by authors and ThinkerNet bloggers. They are no substitute for your own research and should not be relied upon for trading or any other purpose.