Images Events Jobs Premium Services Media Kit Network Map E-mail Offers Vendor Solutions Webcasts
IT Management Webcasts:
The Role of Security in IT Service Management

Preparing for an IT Audit

More Webcasts

Search EarthWeb Network

Be a Commerce Partner
Computer Hardware
Compare Prices
Promote Your Website
Compare Prices
Best Price
Build a Server Rack
Online Education
Prepaid Phone Card
Online Shopping
Desktop Computers
KVM Switches
GPS Devices
Condos For Sale
Holiday Gift Ideas

Linked Data Planet Conference & Expo

IT Management : Columns : Executive Tech: Why Can't Microsoft Catch Its Own Bugs?

Hyper-V: The Killer Feature in Windows Server 2008
It's fair to say that while many of the other new features are evolutionary, Hyper-V, by contrast, is revolutionary. Paul Rubens explores Microsoft's big step into virtualization. »

Download the Windows Server 2008 Trial
With Windows Server 2008 you can develop, deliver, and manage rich user experiences and applications, provide a secure network infrastructure, and increase technological efficiency and value within your organization. »

Reduce Complexity and Costs with Microsoft Identity and Access Solutions
Your organization depends on making digital information accessible to a broad spectrum of users over range of devices and networks. Register now for free Identity and Access Solutions from Microsoft. »

Virtualization from the Data Center to the Desktop
Integrated virtualization solutions from Microsoft can help you meet evolving demands more effectively as you transform your IT infrastructure from a cost center to a strategic business asset. »

Related Articles
Ctrl+Del To Control E-Mail Lists
How Not to Unsubscribe
Sender ID Declines, Domain Keys Shines
The Internet Ate My E-Mail
Security Vendors Defend Themselves Against Blink
- ITSMWatch Newsletter -
Tech Focus: Security

Cybersecurity: Laws Only Go So Far

Mozilla Firefox vs. Internet Explorer: Which is Safer?

Is Your Blog Leaking Trade Secrets?

The Las Vegas Counterfeiting Story: Is Your Privacy Worth More Than a Poker Chip?

Stopping Spammers at The Point of Sale

Product Watch
IOGEAR KVM - Includes Audio/Peripheral Sharing
Coverity Prevent / Coverity Thread Analyzer - Analyze Source Code For Defects, Security Vulnerabilities
USSD Series - SDRAM-Based Solid State Drives to 256 GB
UltraSMS - Send SMS From Your PC
Sentinel Sensors - Wi-Fi Based Temperature Monitoring Especially For Cold Storage

more products >>

Datamation Definitions
data mining
grid computing
network appliance
FREE Tech Newsletters

Download: SQL Backup & DBA Best Practices eBook. Future Proof Your DBA Career and make the most of your office hours. Get this download now to learn how.

Why Can't Microsoft Catch Its Own Bugs?
October 26, 2004
By Brian Livingston

Brian Livingston They say the cobbler's children have no shoes. In a similar way, it may be that Microsoft, the world's largest software company, doesn't have enough programmers to discover security holes in Windows.

The Redmond technology giant released 10 separate security bulletins on Oct. 12, which are said to patch 22 different weaknesses in Windows.

When I was studying these documents, I realized that Microsoft had credited outside "security researchers" with the discovery of 9 out of 10 of the issues.

Microsoft is one of the most profitable corporations on the planet, earning $2.9 billion in the most recent quarter. That's up more than 10% from the same quarter a year ago and represents a profit margin of more than 31%. The company has over $60 billion in cash reserves alone.

Isn't Microsoft paying its own employees to find security holes in Windows? And, if it is, why are the insiders finding only a small minority of the problems that nonemployees are uncovering and reporting?

The Thin Grey Line

Microsoft appears to be unable to discover security weaknesses in its products faster than a small coterie of "white-hat" and "grey-hat" hackers — technically skilled people who either work in "good guy" consulting firms or in amorphous online networks. Here's how the system operates:

Security First. Individuals known as security researchers delve into the inner workings of Windows, usually with little or no access to the original source code.

Responsible Disclosure. Under current Microsoft policy, these researchers are expected to report any security weaknesses they find to Microsoft privately. No disclosure to anyone else is supposed to occur until a patch is announced by the Redmond company.

A Pat On The Head. In return for this delay in telling others about any newly discovered problem, the researcher's name or company is acknowledged in the body of Microsoft's announcement with a hyperlink to the researcher's Web site. This link improves the site's ranking in search engines — but more importantly, it helps the security firm attract consulting customers who want advice on protecting their systems against future threats.

A Worldwide Elite Of Technorati

The number of programmers with the background and interest to discover subtle Windows security holes is probably a mere few dozen worldwide.

"There are only four people in the world who've discovered 90% to 95% of the Internet Explorer vulnerabilities," asserts Jay Nichols, a spokesman for eEye Digital Security, a leading security consulting firm. "Two are anonymous, one is in China, and the other is Drew Copley," an eEye employee.

Microsoft credits eEye (and, therefore, Copley) with finding and reporting the "ZIP Decompression Bug" described in this month's security bulletin named MS04-034. By exploiting this bug, a hacker can create a Web site or a ZIP file that can take control of an unpatched Windows XP or Server 2003 system, because the built-in decompression feature in those operating systems is poorly programmed.

Don't other decompression programs, such as WinZip and PKZip, have the same vulnerability to hacked ZIP files? "No, they don't," replies Copley, eEye's senior research engineer. "They [Microsoft] do deserve some scorn for that. This was a pretty easy-to-find bug."

Shouldn't a security hole like this have been found during Microsoft's much-publicized Trustworthy Computing Initiative in 2002, during which the company's developers were given two weeks of training and then told to examine Windows code for weaknesses?

"My best estimate is that it didn't do very much," Copley says. "That much code, you can't do that much in one month. It takes many years, that's an entirely different job. It [the initiative] strikes me more as smoke and mirrors."

Paying Top Dollar For Security Expertise

Another company acknowledged by Microsoft is the Bindview Corp., a provider of security management software. That firm identifies its senior security analyst Mark Loveless as discovering the problem entitled MS04-029. This flaw allows attackers to crash unpatched Windows NT systems.

When asked why Microsoft doesn't find most such holes on their own, Loveless replied, "They're getting a lot of it for free. It's free R&D."

"The best of the people looking for these bugs are fewer than 100 in number," says Loveless. "Within the past three or four years, the vast majority of these people got hired, and not by Microsoft."

Couldn't Microsoft afford to hire them? "The people who have the skill set to discover this kind of bugs, they're worth a lot of money," Loveless explains. "I've talked to people who wouldn't work at Microsoft because they [Microsoft] weren't willing to pay enough money. That's simply because their focus has not been on security. They're not a security company."

Microsoft Answers Its Critics

In response to my original question — aren't paid Microsoft employees supposed to be finding these security holes? — a Microsoft spokesman, who asked not to be identified by name, provided me with a written statement:

"At Microsoft, security response is a full time commitment that involves building and maintaining strong relationships with security researchers around the globe. Security researchers can offer unique expertise and insight and play an important role in helping Microsoft protect its customers and improve its products.

"No amount of testing can fully replicate the complex configurations of Microsoft's broad customer base. Reputable security researchers who share Microsoft's passion for protecting customers have uncovered elusive security vulnerabilities and worked with Microsoft to develop comprehensive fixes."

Regarding why most security flaws aren't found by Microsoft employees themselves, the statement said:

"All software contains bugs and some bugs result in security vulnerabilities. Microsoft is committed to keeping the number of security vulnerabilities that ship in its products to a minimum as evidenced by the work that went into Windows Server 2003, our focus on providing greater defense in depth and the ongoing work in the SBTU [Security Business and Technology Unit] — all of which help to deliver on Microsoft's vision of Trustworthy Computing."


The bottom line? It appears that one of the world's weathiest corporations is dependent on volunteers to discover most of the critical security flaws that make its biggest-selling products dangerous for Windows users to run.

That sure makes me feel a lot more secure. How about you?

Brian Livingston is the editor of and the co-author of Windows Vista Secrets and 10 other books. Send story ideas to him via his contact page. To subscribe free and receive Executive Tech via e-mail, visit our signup page.

Add to your favorites
Add to your browser search box
IE 7 | Firefox 2.0 | Firefox 1.5.x
Receive news via our XML/RSS feed

Executive Tech Archives



Jupitermedia Corporation has two divisions: Jupiterimages and JupiterOnlineMedia

Jupitermedia Corporate Info

Legal Notices, Licensing, Reprints, & Permissions, Privacy Policy.

Advertise | Newsletters | Tech Jobs | Shopping | E-mail Offers

Whitepapers and eBooks
Microsoft Article: Will Hyper-V Make VMware This Decade's Netscape?
Microsoft Article: 7.0, Microsoft's Lucky Version?
Microsoft Article: Hyper-V--The Killer Feature in Windows Server 2008
Avaya Article: How to Feed Data into the Avaya Event Processor
Microsoft Article: Install What You Need with Windows Server 2008
HP eBook: Putting the Green into IT
Whitepaper: HP Integrated Citrix XenServer for HP ProLiant Servers
Intel Go Parallel Portal: Interview with C++ Guru Herb Sutter, Part 1
Intel Go Parallel Portal: Interview with C++ Guru Herb Sutter, Part 2--The Future of Concurrency
Avaya Article: Setting Up a SIP A/S Development Environment
IBM Article: How Cool Is Your Data Center?
Microsoft Article: Managing Virtual Machines with Microsoft System Center
HP eBook: Storage Networking , Part 1
Microsoft Article: Solving Data Center Complexity with Microsoft System Center Configuration Manager 2007
Intel Video: Are Multi-core Processors Here to Stay?
On-Demand Webcast: Five Virtualization Trends to Watch
HP Video: Page Cost Calculator
Intel Video: APIs for Parallel Programming
HP Webcast: Storage Is Changing Fast - Be Ready or Be Left Behind
Microsoft Silverlight Video: Creating Fading Controls with Expression Design and Expression Blend 2
Downloads and eKits
Sun Download: Solaris 8 Migration Assistant
Sybase Download: SQL Anywhere Developer Edition
Red Gate Download: SQL Backup Pro and free DBA Best Practices eBook
Red Gate Download: SQL Compare Pro 6
Iron Speed Designer Application Generator
Tutorials and Demos
How-to-Article: Preparing for Hyper-Threading Technology and Dual Core Technology
eTouch PDF: Conquering the Tyranny of E-Mail and Word Processors
IBM Article: Collaborating in the High-Performance Workplace
HP Demo: StorageWorks EVA4400
Intel Featured Algorhythm: Intel Threading Building Blocks--The Pipeline Class
Microsoft How-to Article: Get Going with Silverlight and Windows Live