It is time to admire Microsoft for out-of-band patching
In a recent blog update as part of a look forward to the Black Hat Conference, Microsoft Security Response Center (MSRC) director Mike Reavey commented on its latest work to address vulnerabilities in its software.
He commented that ‘some will say that we take too long to fix our vulnerabilities', especially with memories of the Windows Help and Support Center vulnerability that was left unpatched for almost a month until July's Patch Tuesday.
Reavey said: “It isn't all about time-to-fix. Our chief priority with respect to security updates is to minimise disruption to our customers and to help protect them from online criminal attackers. These customers own and operate a diverse ecosystem of nearly a billion systems worldwide.
“It's humbling to think about the responsibility this entails and yet we embrace the challenge. Even in the face of that, our overall track record shows the window of vulnerability is being reduced and we have additional plans to improve.”
He said that the MSRC receives more than 100,000 email messages per year, almost 275 per day or 11 per hour, which is filtered down to approximately 1,000 legitimate investigations per year.
Once a vulnerability has been confirmed, he said that a comprehensive examination is undertaken to ensure that the reported vulnerability is addressed and any other vulnerabilities that might exist in related code are identified and addressed, and that no new vulnerabilities or bugs are introduced during this process.
So why does Microsoft not commit itself to fixed timelines?
Reavey said: “Because it is important to consider the overall customer risk when focusing on updating software for security issues. Most security updates released by the MSRC will be rapidly deployed to hundreds of millions of systems worldwide helping to protect customers from attacks in a very short timeframe, and the software being updated is being used by hundreds of thousands of applications on all sorts of hardware in all sorts of scenarios.
“So it is imperative that the update has been rigorously engineered and tested in order to avoid creating any type of disruption to these systems. During this time, the MSRC monitors for signs that the vulnerability, or variants, are being used in active attacks.
“The MSRC does this by using comprehensive telemetry systems, as well as data and information provided by customers and partners around the world and the rest of the industry. This approach helps Microsoft balance between the potential urgency of releasing an update for a particular vulnerability and ensuring high confidence that the update will address the vulnerability, all of its variants and maintain the functionality and stability that customers expect from the affected products.”
He said that for the majority of issues it is able to release high quality and comprehensive security updates to customers well before any indication of attacks, and well before they are disclosed publicly. However, there are exceptions. In some cases attacks happen so the MRSC has to compress testing to release updates quickly. Also, when there are attacks, it releases workarounds in days that can block these attacks even without the updates. Usually these take the form of a 'fix-it' that can protect customers with one click or be easily deployed throughout the enterprise.
Pointing to the active template library vulnerability that was disclosed at last year's Black Hat Conference, Reavey said that it took over a year to coordinate that release, and in the end, even the finders themselves understood and commented that with the complexity involved, taking over a year was not unreasonable.
He said: “When seemingly simple security issues, such as a memory corruption bug, affect multiple different products, the coordination and calibration can drive longer timelines so no product, or customers of those products are left behind.
“There have been cases that are such deep architectural changes that they can take multiple years to fully resolve or may not be able to be resolved in some of our older products. Usually these issues result from new threats emerging that product designs or assumptions couldn't anticipate. Changing those assumptions for products that have been in market for several years does take time and coordination so customers and applications can work effectively with them.”
He concluded by claiming that focusing on resolving security issues has, and will always be a priority for the MSRC and it will continue to work to improve its processes, but it must always strike a balance between timeliness and quality.
Even though vulnerabilities are disclosed and often with little time given to the MSRC to create, test and release a patch, the actions of the centre are admirable and I rarely hear criticism of its processes. While exploits are increasing with strength and depth, I think it is time to appreciate what sort of a task the MSRC is really up against, and welcome the patches when they are released.