eWeek Microsoft Watch
April 10, 2007 5:00 PM

Patch Tuesday: Security or PR?



Microsoft's second release of patches—making three, counting last week's update to the update—gives new meaning to the phrase "security by PR." Microsoft could have and should have disclosed the number of critical flaws and warned about the patch for Vista, which IT organizations are testing or deploying.

The phrase refers to putting the interests of public relations ahead of security. That's not saying Microsoft diminishes its security efforts, just that PR's role—the positioning—is more important in the communications process.

Today's regularly scheduled release of patches is another example of security PR spin.

Last Thursday's advance notice gave no indication that there would be four "critical" vulnerabilities and one "important" addressed in today's security bulletin. Microsoft typically issues a notice the Thursday before the regularly scheduled patch release on the second Tuesday of the month.

At best, based on a post on Microsoft's Security Response Center Blog, end users or IT managers might have inferred as many as two critical flaws. The post discussed four patches for Windows and another for Content Management Center: "The highest Maximum Severity rating for these is critical."

Given that Microsoft had already issued one unscheduled critical patch, clear notification of more could have benefited IT organizations' planning, particularly around deployment testing. By giving limited information, Microsoft diminished the critical significance of the second round of patches.

If Microsoft is going to identify one or two patches as critical, why not all? Other than PR, there is seemingly no good reason to withhold information that could be highly beneficial to customers. Sure, Microsoft could have chosen to give no advance notice at all about the Tuesday patches. But that's no excuse, because the company already made the decision to notify customers. If the decision is made, what reason is there to give out limited information? There is going far and then there's going far enough.

More "security by PR" behavior: In keeping with what has been Microsoft's practice for some time, each security notice covers vulnerabilities affecting multiple products. In the case of MS07-021, nine iterations of Windows client or server products, including Windows Vista, are affected.

A company with a "security by PR" approach diminishes the extent of problems—or at least doesn't emphasize them—when issuing alerts. A "security to solve problems" approach would involve clearly explaining the full breadth and number of flaws.

In a text chat on April 15, 2004, Mike Nash, then with Microsoft's security group, answered a question about my "security by PR" allegations. He responded:

"There are really two key things here. One, we really wanted to focus on quality of these updates. One of the issues we face is that as we look at various patches, we have the need to test all of the combinations. By moving things into a single patch, we have the ability to have more in depth testing, to deliver a higher quality set of updates. The second issue is that many customers told us that they wanted a smaller number of patches to reduce the number of times that people need to touch their machines. There is no intent to do anything funny with the numbers. We are pretty clear on the number of issues fixed in each bulletin. Our focus here is helping people to have an easier time with the process of updating, so we are 100-percent focused on that."

His answer isn't really what's going on. Microsoft doesn't just move "things into a single patch." Microsoft moves multiple patches into single security bulletins, diminishing the apparent number of overall vulnerabilities.

Again, using MS07-021 as an example, three separate security vulnerabilities are included, consolidated as Nash indicated. But there are also separate patches for each product, as in the cases of Windows 2000, Windows Server 2003 and Windows Vista. One could argue, however, that the actual number of vulnerabilities patched is three times nine. The consolidation of vulnerabilities and patches into one security bulletin greatly diminishes the apparent total. Being generous to Microsoft, one security bulletin covers nine patches. But going by the number of products and patched vulnerabilities IT organizations must test for, the number looks more like three for each of nine products.

Last month's rosy report on Vista security vulnerabilities is another example of the security by PR effort. The report claimed five Vista vulnerabilities in the product's first 90 days of release. But the real release, January 30 for the masses, was two months later than the report's start date. The longer Vista is in the market, the more vulnerabilities appear.

The Department of Homeland Security National Vulnerability Database has issued 16 alerts affecting Vista since March 17. The real number of vulnerabilities looks more like eight, when sifting out duplicates, and most affect other Microsoft operating systems as well as Vista.

To date, Microsoft has issued two bulletins, MS07-021 (released today) and MS07-017 (released April 3), with patches for Vista.

It's understandable that security is a sore spot with Microsoft, in part because vulnerabilities tarnish the Windows brand. But Microsoft's core customers, at least from a revenue perspective, are businesses. They need to feel confidence that Microsoft is doing all it can to battle security problems. Microsoft isn't the only target for criminals, but it's the biggest one, because of the market dominance of Office and Windows.

Microsoft needs to disclose more and do so more quickly, and in doing so build customer confidence in the security efforts.

Last week's Security Response Center Blog ANI patch post is a good example of transparency giving way to security by PR. Microsoft took about four months to develop and test the ANI patch before releasing it. At first read, Mike Reavy's post is disclosure about the process. But the post is more security PR spin, more justifying—diminishing, really—the lengthy process. Microsoft should have taken the PR bullet by informing customers sooner rather than after the fact.

Comments (23)

Dave :

I'm sure you're absolutely shocked to realize that Microsoft may be gaming their patch statistics. I think that's an inevitable result when an organization self-evaluates and self-reports its performance. We've already had situations where security patches seemed to fix behaviors that weren't even reported or documented. The whole process has become a game.

The obvious solution is for everybody to ignore Microsoft's alleged, purported numbers. Frankly I could care less about security issues that are closed. I wanna know about the ones that stay open!

DD :

Patch Tuesday: Security or PR?

Ans: Security :)

Roger :

This rant is way too convoluted for me to follow. Microsoft should just say whether or not there are patches and leave it at that. Patch Tuesday is so routine most of the internet security media pay little attention anymore.

Waethorn :

"Patch Tuesday: Security or PR?"

Compare that to Apple, where it's all PR and no security. Patch Tuesday? Try Patch Quarterly....on second thought, try OS Upgrade Annually!

Neil :

Try ... Joe Wilcox has something against Microsoft and won't disclose it!
As being "editor" of Microsoft Watch and taking every chance he can to denigrate MS, I have little time for you Joe, this is just another one of those days when you can't get anything responsible to say.
Mind you, as I said previously, you take any chance you can to denigrate MS and the reason, we know not !!!
But you have got it in for them haven't you Joe !!

PolarUpgrade :

The problem is that Microsoft can never help itself from treating everything that comes along as in effect a sales opportunity.

So, security has become the latest excuse to obsolete the old version of Windows and replace it with a newer version; watch for XP to get less and less security attention on the pretext that MS must focus on current OS products because customers are demanding it of them.

The predicate here is IE 7, which we are told features must-have security improvements BUT IS DENIED OUTRIGHT to Windows 2000 and Windows 98 users.

Lest people think Windows 98 is too old to get support, may I note that MS doesn't deny a Genuine Advantage validation check on Office 2000 when it runs on Windows 98, however. Windows 98 appears young enough for MS to digitally police for unlicensed office copies, but too old to get security fixes. Who would have guessed!

Like I say, it's about selling first, with MS.

Waethorn :

PolarUpgrade: you should learn about a little something called a "support lifecycle". You talk about Microsoft's lack of supporting old software as if they somehow invented it, even though their support lifecycle is one of the longest of any software developer - 5 years of free support (which includes public updates and patches) and 5 years of extended support. Take a page from any software developer and see how well supported their old software is. (see my above post for an example: Apple's support lifecycle is much worse) Windows 98 and Windows 2000 are out of support, so there's no reason to adapt newer security technologies to band-aid them over gaping floodgate holes in old software. Windows XP is already nearly 6 years old now. It's time to move on.

PolarUpgrade :

Waethorn: Your argument would hold water were it not for the cold hard Waethorn-countering fact that MS SUPPORTS its Genuine Advantage policing software ON WINDOWS 98--even installing an Active-X control to do the check when the office update is done via the Office web site--in terms of Office 2000 on WINDOWS 98!

It is pure hypocrisy for the firm to declare they can't support Windows 98 and then do so on the sly in terms of license policing, when it suits the firm's economic interest.

Q.E.D., Waethorn, proof beyond all doubt that MS is about sales more than about security.

Biju :

The last article of yours I will ever read Mr Joe. That is the best thing to do. For people here who feel that Joe wanted to join MSFT and he did not clear the interview...... well Joe... We understand your feelings. Keep trying... or else get to Google watch. They need you.

evan :

How is what Microsoft's doing with security bulletins covering multiple vulnerabilities different from what Linux, Mac and others are doing? They do exactly the same thing...

Indeed, indeed. Back when I discovered that Microsoft waited 2 years (until attacks began) for the .ANI patch to come, I just wondered how many flaws they sweep underneath the carpet. In Vista's last security patch for Vista (.ANI), they NEVER told anyone that THREE (not ONE) flaws got fixed. How many "critical" flaws have already been mended in Vista? Security is a serious matter (unlike 'black art' in sales figures). They should be honest.

James :

Boooo. I knew about the patches last week and I am just wondering why didn't you? It wasn't a huge secret.

Waethorn :

"MS SUPPORTS its Genuine Advantage policing software ON WINDOWS 98--even installing an Active-X control to do the check when the office update is done via the Office web site--in terms of Office 2000 on WINDOWS 98!"

There are two things wrong with that statement. First off, Microsoft doesn't support Windows 98 anymore. Period. Windows Genuine Advantage was also NEVER supported on Windows 98. Support ended for Windows 98 in 2002, well before WGA was introduced. Secondly, Office Genuine Validation doesn't support Office 2000, nor does it support Windows 98. It was never required to get downloads for Office 2000 (which were "Service *Releases*" NOT "Service Packs"). It was only introduced after the launch of Office XP when product activation was also introduced.

Here's a quote from Microsoft's own website:

"Q: What versions of Office are supported by the OGA validation process?

A: Eligible products include Office XP and later suites, as well as individual Office 2002 and later applications (such as Word and Excel)."

Finally, Office Genuine Advantage is supported thusly:

"Q: Which operating systems support the OGA validation tool?

A: In order to successfully run the validation tool, you must be using Microsoft Windows 2000 or a later version of Windows. If you are using an older version of Windows, you may compare the special security features of your Office installation CD and Certificate of Authenticity (COA) with those included in genuine Microsoft software by visiting the How to Tell site."

Q.E.D. PolarUpgrade: Proof that when you don't do your research, you come out looking like a fool.

PolarUpgrade :

Waethorn is simply wrong in asserting that MS is not running OGA on Windows 98. I have a Windows 98 system with Office 2000, and not only is the check mandatory, it installs the Active-X control and does the validation check. This is what I mean by support on the sly when it is in the MS interest.

Further, I run Office 2000 on Windows 2000 and XP Pro and XP Home. The OGA validation check is MANDATORY for Office updates via the Office web site when running the auto update option ON ALL THESE SYSTEMS with respect to Office 2000.

This is again what I mean by support on the sly when it is in the MS interest. I did not say that MS had said in public that it was policing Office 2000 on the sly.

I guess it's time to finish my Youtube video on this issue and get it posted. Perhaps a copy to the U.S. Federal Trade Commission will also be in order.

Waethorn :

"The OGA validation check is MANDATORY for Office updates via the Office web site when running the auto update option ON ALL THESE SYSTEMS with respect to Office 2000."

Yes, I didn't state otherwise about the auto-update feature, however, **Office 2000** updates themselves don't require OGA whatsoever on the Microsoft download site, and automatic updates don't automatically download and install updates for Office 2000 through the browser - it only launches the classic-style installer. They do however require that you have an installation CD for most updates. The whole "with respect to Office 2000" is a complete farce though, since Office Updates doesn't support Office 2000.

You can whine all you want, but Office 2000 mainstream support is no longer available (and hasn't been for 3 years), so nobody is there to help you get more free updates from Microsoft. Get over it!

Scriptwitch :

The fact that MS now issues patches on a monthly basis vs. willy-nilly (except for out-of-cycle patches, of course) was a direct response to the businesses (per one of the above posts, MS's "core customers") who wanted a sane system that would enable them to schedule testing and deployment of security patches. When something poses a more immediate risk (when exploit code is found in the wild, etc.) then MS issues an out-of-cycle security patch. Waethorn is correct in his assertion that Apple and Linux do the same (although not nearly as assiduously); even a brief perusal of the Department of Homeland Security National Vulnerability Database will net you an amazing number of vulnerabilities affecting virtually all major software/software companies. These never seem to make the press, although some are quite exploitable. In my opinion, MS is doing the best it can, and holding it up to some insane standard that no other company can maintain is simply unfair. Asking that MS do what it does without utilizing PR or without protecting its own intellectual property is ignorant and unjust. It is a business, just like the rest. To ask that it conduct itself like a government or like a charity is ridiculous. Grow up and get real.

MacCanuck :

Congratulations Waethorn...

You're just as much the arrogant and obnoxious know-it-all here as you are over at Thurrott's site :-)

Even introduced Apple out of the blue for no reason other than to diss it. I'll have to bookmark this for the next time the "off topic" issue is mentioned at PT's site.

Deflect all you want but it still doesn't absolve MS of its "patch" process and a criticism of "hiding" multiple fixes in seemingly a few "patches".

A typical MS PR numbers game.

...

Doug :

What a lame rant. Who cares how many patches there are, or when we are told about them? Why write a column about something so trivial? I don't need to read this spew, I have work to do.

Waethorn :

"Deflect all you want but it still doesn't absolve MS of its "patch" process and a criticism of "hiding" multiple fixes in seemingly a few "patches".

A typical MS PR numbers game."

You mean like this?:

tinyurl.com/2hdgqe

No? How about this?:

tinyurl.com/3xaewp

Still not convinced? Let's see....:

tinyurl.com/hbfw4

So WHO is playing the PR game??!

Neil :

Simple answer .... Microsoft Bash !
Although it should be "Microsoft Watch"

Jeff in Boston :

I'm sick of patches altogether. I've lost count of how many I've received in the last month that require a reboot. Every reboot costs 10 minutes + more time reopening the apps and files I was working on. I've configured updates to install only when I say so but it's still a PITA. I would be extremely PO'd if I learned those patches weren't critical and I'd start to ignore them. In fact I think I've just convinced myself to start doing that.

PolarUpgrade :

Waethorn: Your mention of Macs is germane in context. I noticed yesterday that, despite having manually engaged the Windows Update process on both an XP Home and XP Pro machine on Tuesday and obtaining ALL of the then-available patches, the XP Home machine on Wed. night, and the XP Pro machine on Thurs. morning both indicated ANOTHER download was now on offer.

The Malicious Software Removal Tool was being offered. The belated push of the tool suggests that Microsoft has been a bit off kilter in managing patch Tuesday this month.

One must ponder whether the issue with Vista/XPPro/XPHome/2000Pro/Me/98/95 security isn't in the end a problem of how Windows is constructed at its core, rather than a problem of just making Windows more secure. After all, the ANI vulnerability carried through to Vista despite Vista being built as a secure version of Windows.

It seems reasonable to argue that there were two keys to Windows' success. The first was that DOS and then Windows achieved market hegemony by virtue of having little if any security and were therefore lighter on their feet and easier for consumers to adopt than competitor OSs. And therefore also faster and easier to develop as products.

The second feature is Windows-specific and relates to the pervasive interconnectedness of the "forms" that comprise Windows programs. It always struck me as amazing when examining a VB 4-6 program, for example, and even a VB 2005 app today, in the program development IDE, and noting how many of the properties for each form are readable OS-wide. And also how Windows apps are so automatically able to read back so much about the state of the OS and other apps. It's like the OS is one huge communal data shower with the digital OS equivalent of cell phone cameras all over the place, with respect to functionality being accessible.

The ability of Windows apps to flow data and pull data from all over the OS it seems to me may be more at the core of the insecurity of Windows than malware authors being out there. Just as this design of Windows makes for amazingly rapid application development, it also makes for amazingly rapid malware development.

Moreover, as MS builds Windows release on Windows release--with even Vista not being a full break from XP code-wise as ANI intimates--the "malware API" grows ever more complete and ever more capable in terms of rapid malware application development. At the core of ANI's sweeping cross-Windows applicability is the evident fact that Vista is not really built new from the ground up; rather, Vista is built new from the ground up with some new and some evidently old code.

Here again marketing has got the better of Microsoft, because to break the growing "Windows malware API" will logically require an OS that is essentially not Windows.

Let's see, is there an OS out there, or more than one, that is UNIX-derived and built originally with security at its core? Perhaps if Windows were based on such an OS with a "Windows skin"...

One option would be for MS to license the Mac's OS and go with a Windows skin, or to go with Linux and a Windows skin.

Waethorn :

"After all, the ANI vulnerability carried through to Vista despite Vista being built as a secure version of Windows."

Actually, all of the security features of Windows Vista run at the default settings protected itself (IE Protected Mode). It wasn't until you run a 3rd-party app that damage could occur. (This leads to the fact that Firefox is NOT more secure than IE.) If I recall, that's what Mackies were arguing about MoAB a few months back, even though the bugs were still in the underlying OS.

"It always struck me as amazing when examining a VB 4-6 program"

What strikes me as amazing is that you judge security policies by examining VB apps. That's why VB has been deprecated in the recent version of Visual Studio.

"Let's see, is there an OS out there, or more than one, that is UNIX-derived and built originally with security at its core?"

There is no such thing - the proof is in the security advisories. OSX has many more security advisories than Windows, and Linux, FreeBSD, and even Solaris are much worse off.

Rant all you want, you still couldn't counter my argument.

Ziff Davis Enterprise