Posted By: Maddus Mattus | Oct 31st, 2008 @ 3:19 AM
Comments: 12 | Views: 1182
Maddus Mattus
Do, or do not. There is no try. - Yoda
I didn't see this in the Coffeehouse yet; excuse me if it was posted already.

Jeff Jones together with some other peeps put together a desktop vulnerability report.

http://blogs.technet.com/security/archive/2008/10/28/download-h1-2008-desktop-vuln-report.aspx


It caused quite an uproar on a Dutch site I often visit. It was debated that the report was biased and conveniently left certain things out of scope. Is this report truly the report that it is meant to be, or just a publicity stunt?

I am a really big fan of Microsoft, because I like the technology, but are these types of public reports really necessary?

Wouldn't it be much better to report on their own time to bug-report and patch, instead of comparing it to the other OSes?

It seems to do more harm than good.
blowdart
Peek-a-boo
Well the problem MS have is that they're viewed as generally insecure. This isn't true, and hasn't been since XP SP2 and Server 2003.

So I would surmise that the report is partly to balance that, but partly to start the discussion off again. The out-of-scope comment is interesting. It's certainly fair when compared to the initial bits of the report where everything installed by default is examined (and Red Hat and Ubuntu do install a lot of stuff by default, whereas you'd have to buy or download extra bits from MS to replicate it).

However, he freely admits this and then narrows the scope on the Linux distros to minimise it, excluding, for example, OpenOffice.

These sorts of reports have been floating around for a while; sure, there's a certain amount of trumpet blowing (and why not, the SDL has made a big difference) and part of it will be marketing to counter the "MacOS/Linux is more secure" arguments that hold very little water.

Days of risk though? It runs from when the vulnerability was publicly disclosed. Most researchers won't publicly disclose until things are patched and the patches are released, or are at least in the pipeline. I'm not sure how useful a metric it truly is, but he does make the point clearly that it's not a time-to-fix measurement.
stevo_
Human after all
Not really, I don't see why they can't do something like this... although I'm not going to bother reading it; I'd seen stats earlier this year anyway showing how badly Apple have been doing. Boo ya!
I can't really see why they shouldn't be doing it. I certainly don't see any of these folk complaining when folk write reports saying how crap Vista is...
blowdart
Peek-a-boo
Actually, MS does disclose vulnerabilities, when they're fixed. That's part of the technical information for a patch.

However, considering the data is on CVE disclosures, where third parties report to, then really the point is moot. You cannot use the report date because no one ever releases that; not Apple, not MS, not Red Hat.
Bas
It finds lightbulbs.
It caused quite an uproar on a Dutch site I often visit. It was debated that the report was biased and conveniently left certain things out of scope.


Tweakers.net: where insightful comments get buried by 15 year olds that don't know a remote from a secure desktop, and believe Microsoft is the devil.
blowdart
Peek-a-boo
So where does that date come from? The company who fixes the problem, or the reporter? What happens if there are multiple reporters? What if, as Apple generally does, they patch but don't say what or why? It's simply not a reliable datum.

Heh, thought I'd share my thoughts on this.

There are two things one can measure about issues being fixed:

  • Days of risk. This is a measurement of (greatly) increased public risk to customers. It is what I care about, because I think the optimization goal should be reducing customer risk.
  • Time to fix. This is the time from when a vendor is notified until a fix is available. One of the ways to optimize this value is to release alpha code: if you don't test it, you can release really fast! And even better if you have few customers, because a screw-up then wouldn't have many negative effects.

A note on the customer risk. I distinguish between 5-10 people maybe knowing about an issue (discovered, but not broadly disclosed) and publication on Bugtraq, where every script kiddie on the planet can find it. There is risk associated with a vuln in both cases, but in the latter case the risk is orders of magnitude higher because the base of potential threats is so much larger.

Ultimately, as a security guy, I think the right thing for any large software vendor (open or closed source) is to optimize policies and procedures towards reducing customer risk, not towards releasing as quickly as possible. I also think Responsible Disclosure conveys other benefits that help this, in terms of being able to prioritize multiple issues and give more time and resources to the most critical issues, even if they are reported *after* other, less severe, issues.

Jeff <http://blogs.technet.com/security>

Sampy
This will be the sixth time we have destroyed it and we have become exceedingly efficient at it
Thanks Jeff.

I've flagged your account as Microsoft so you'll get a cool flag watermark on your posts.