Shostack + Friends Blog Archive


Microsoft pre-warning of patches

[Microsoft] will publish a general summary
of planned security bulletin releases three business days before each
regularly scheduled monthly bulletin release…

The advance notifications will include the number of bulletins that
might be released, the anticipated severity ratings, and the products
that might be affected.

This has been available to select customers for a while. Its good to see it expanded; they’ve found the notifications to be quite useful.

My initial thought was that this was bad. That clever hackers would find the issues, and write exploits for them sooner. While this may be the case, I expect that the clever hackers are getting the early notices now, and they’re not helping.

We know that the software we use is full of bugs. All of it. The only surprising part of the claim “There are critical vulnerabilities in (Internet Explorer, Safari or Firefox) that will be fixed next Tuesday” is that a bug has been discovered that will be fixed on Tuesday. To put it another way, I can tell you, without any fear of being wrong: There is a critical bug in Internet Explorer. That doesn’t help you find it.

Now, there’s a broader risk, which is that Microsoft’s delaying patches for a while allows problems to be exploited while they test their patches. We haven’t yet seen evidence of that, nor has anyone (as far as I know) really looked for such evidence. One way to do so would be to take advantage of cheap storage, and record a few gb of traffic from a network. Run snort over the captures. Run snort again 6 months later. See if new attacks, not known at the time of the capture, now have signatures for them. See how prevalent such things are. There are doubtless other ways, like a nice big bug bounty for exploit code for a bug before the patch has come out. We lack good data, and that frustrates me.

(From Microsoft, via Susan Bradley posting to the Patchmanagement list.)