Do Microsoft’s vulnerability tip-offs give the U.S. a cyber sword or a cyber shield?
By Ian Paul
PCWorldJun 14, 2013 3:24 pm PDT
Windows users know it’s a good idea to apply security fixes to their PCs as soon as patches are publicly released to prevent malicious actors from infiltrating their machines. But what if, before a patch was issued, the U.S. government was able to exploit those vulnerabilities using information fed to it by Microsoft?
That’s what Bloomberg suggests is happening in a recent report exposing a deep working relationship between a number of technology companies and American intelligence agencies. Microsoft provides the government with information about flaws in its software before publicly releasing a bug fix, the news agency reported today.
Microsoft reportedly has no knowledge of what the government does with the security information it provides, but two anonymous U.S. officials told Bloomberg that Microsoft is aware that the vulnerability information provided allows the U.S. to exploit the computers of terrorists and foreign governments.
Recent reports have highlighted the U.S. government’s special interest in technology vulnerabilities. In May, Reuters reported that the U.S. government was one of the largest online buyers of security exploits and infiltration software from hackers and computer security firms. That news came shortly after the Washington Post reported the Pentagon’s plan to expand its cyber command more than five-fold.
Microsoft’s disclosures are ostensibly to bolster the government’s defenses, however, giving multiple U.S. agencies a head start on risk assessment and mitigation. Foreign governments such as China and Iran are suspected of frequent hacking attempts into U.S. government and corporate networks, so the early warning can help the nation defend against unanticipated attack vectors.
Microsoft has not yet responded to our request for comment. Update: Here’s what Microsoft had to say.
Microsoft has several programs through which we disclose information regarding vulnerabilities, some of which have Government participants. Prior to any fix being released to the 1B computers that receive automatic security updates each month, Microsoft communicates with program participants after our engineering cycle is completed to ensure delivery of the most current information. While timing varies slightly each month, disclosure takes place just prior to our security update for billions of customers.
One example is our Microsoft Active Protections Program (MAPP), which supplies Microsoft vulnerability information to security software partners prior to Microsoft’s monthly security update release so partners can build enhanced customer protections. Another example of information sharing is the Security Cooperation Program (SCP) for Governments. Membership provides key technical information on security vulnerabilities prior to the security update being publically available.
Microsoft is not the only major technology firm reportedly helping the American intelligence community. Intel’s McAfee provides security threat data to the government, and Bloomberg reports that major cell phone carriers such as AT&T and Verizon allow the government to actively seek out security flaws on their networks.
Windows, windows everywhere
But more so than other firms named in the report, Microsoft’s early tip offs have direct implications for everyday users, most of whom have Microsoft software running on their PCs at home.
“If Microsoft is giving information about vulnerabilities in software that hundreds of millions of people use to intelligence agencies there is a huge potential for abuse,” Lee told PCWorld. “Bloomberg’s report says that this information could be used to access the computers of terrorists or military foes, but in reality it could be used to access the computers of anyone running vulnerable Microsoft software.”
Security fixes for critical vulnerabilities can already take a long time. So-called white hat security researchers who discover previously unknown security issues, known as zero-day flaws, typically report them to the affected company. Researchers then give the company time to fix the flaw before going public with their discovery.
This process sometimes take weeks or months, leaving users unwittingly exposed to malware designed to take advantage of the exploit.
Making matters worse, some developers have been accused of dragging their feet to fix critical problems. Delays in fixing security flaws are what prompted Google’s recent call for a seven-day waiting period before publicizing critical security issues being actively used by malicious actors.
“Seven days is an aggressive timeline and may be too short for some vendors to update their products,” Google said in a recent blog post. “But it should be enough time to publish advice about possible mitigations.”
Lee thinks Google’s move is a good one.
“If it weren’t for deadlines like this, it’s possible that companies might avoid fixing security problems for months or years,” he said. Lee also pointed out that companies aren’t legally obliged to disclose security vulnerabilities within a given timeframe.
Microsoft doesn’t publish a timeline for how long it should take to produce a fix for reported vulnerabilities, but does say that it will develop a fix as quickly as possible.
“We ask the security research community to give us an opportunity to correct the vulnerability before publicly disclosing it,” Microsoft says on its coordinated vulnerability disclosure page that explains how the company deals with security flaws discovered by third parties. “As we ourselves do when we discover vulnerabilities in other vendors’ products.”