Microsoft Vista Vulnerability Ranking
Over the weekend I noticed an interesting article on the ComputerWorld site with the awe-inspiring title “Microsoft security guru wants Vista bugs rated less serious”, covering comments made by Microsoft’s Michael Howard (a senior security program manager in their security engineering group). The discussion revolves around lowering the severity ranking applied to Microsoft vulnerabilities that affect Vista.
Now, don’t get me wrong, I have a lot of respect for Michael as well as the Microsoft MSRC – they have a tough enough job already. But, quite frankly, it doesn’t matter to me – and it shouldn’t really matter to any customers of Microsoft – what evaluation of vulnerability ranking they apply to a security patch.
Why not? Two reasons:
(1) As with any vulnerability disclosure, at this point in history, it’s in the vulnerable vendor’s interest to downplay the vulnerability.
(2) Risk rankings of a security patch appear to reflect the most severe ranking among the vulnerabilities that are being publicly disclosed (and credited to external discoverers).
Vendors’ Vulnerability Rating
Given the competitive nature of the software business (don’t you just love those Apple ads?), vendors will always seek to minimize any perceived weaknesses. People love to count vulnerabilities and study them for trends (I know I do), so minimizing the relative risk ranking of a particular vulnerability can help to some extent.
I trust the security experts at Microsoft to study, understand and fix the vulnerabilities that get uncovered in their software. I also trust them to get out a stable security patch in a timely manner. However, I ‘expect’ to see some kind of spin to minimize the perceived threat of the vulnerability.
That said, I also ‘expect’ the discoverer to overestimate the threat the vulnerability represents. In fact, perhaps someday in the future someone will have the opportunity to do an analytical study on what the average difference is between vendor and discoverer risk rankings.
A step in the right direction for all concerned would be to wholeheartedly adopt the Common Vulnerability Scoring System (CVSS) – at least it sets a common baseline for describing a vulnerability that any security team can then evaluate for itself.
Some of the talk has been about the extra security advancements in Vista that help mitigate possible threats. Mitigation steps are of course very important in understanding the level of risk a vulnerability can represent to a business; however, they should be applied in the calculation of risk, not in the ranking of the vulnerability itself. Why? Well, I’d kind of hoped the industry had moved on from the 1990’s “I have a firewall, I’m safe” approach to security.
Risk Based on Public Disclosure
This probably scares me the most. What I’ve observed in the past is that security patches tend to only have a ranking equivalent to the maximum ranking of a vulnerability that was discovered by a (vocal) third party. Since it’s almost never the case that only one vulnerability gets fixed in a Microsoft security patch, what happens if the patch contains fixes for 12 vulnerabilities, with only one of them discovered by a third party, and that one was a denial of service (DoS)? Most likely the security patch would be ranked as a DoS – regardless of whether any of the remaining 11 internally discovered vulnerabilities were more severe or critical.
Granted, there have been cases when Microsoft have released critical patches for vulnerabilities that were discovered internally – and that’s great – but (until someone proves to me otherwise) I don’t trust them to tell me the nature of all the things covered in a security patch.
Now the part that really scares me – in this world of increasingly rapid patch reverse engineering and application/usage in malware, as well as the growth industry of “Managed Exploit Service” providers – is that businesses are making decisions that directly affect their patching cycles based upon these patch ratings supplied by Microsoft. Therefore, underestimating the ranking of a vulnerability and excluding all those “internal finds” can ultimately affect the security of Microsoft’s customers – including me.
Who Do I Trust?
To be perfectly honest, the people I trust to make an evaluation of the risk a particular Microsoft (or any other vendor) vulnerability poses are the people I work with day-in, day-out, sitting on the 5th floor here in Atlanta. Their full-time job is to impartially assess and evaluate every vulnerability disclosure, and to look beyond the text contained in both the vendors’ and discoverers’ advisories.
As time goes by and we see the period between vulnerability patch release and exploit release decrease even more, it’s going to be even more critical that we understand the makeup of each patch a vendor releases and look beyond the things they credit a third party with.