Ryan Naraine from ZDNet is lamenting Microsoft's practice of quietly shipping fixes without disclosing the corresponding vulnerability. This is certainly an old discussion. What is new, I suppose, is how frankly Microsoft admits the practice in the bulletin of a patch.
Ryan found this line in the executive summary of this security bulletin:
This important update resolves two privately reported vulnerabilities in addition to other security issues identified during the course of the investigation.
He calls this "silently fixing a vulnerability", which is surely an exaggeration: after all, Microsoft admits that it fixed something. But he puts forward two arguments for why this practice is questionable.
Microsoft's official stance is that disclosing flaws makes it easier for the bad guys to write exploits. Ryan's counter-argument is this:
On the other hand, white hat hackers warn that silent fixes is a dangerous practice because exploit writers already have the tools to reverse-engineer a Microsoft patch to find all the silently fixed issues.
This argument contains a logical flaw that is typical of security experts. It is only valid if "exploit writers" is taken to mean "all exploit writers". Reverse-engineering a patch is not a piece of cake: not every bad guy has the tools, and not everyone knows how to use them. Perhaps more importantly, it takes longer until an exploit is ready if the attacker does not have a detailed description of the bug. Hence administrators have more time to patch their systems. The head start is limited, though: diffing the patched binary against the previous version narrows the search for the fixed code considerably, so the time gained is measured in days rather than weeks.
Ryan's second argument, however, is harder to dismiss:
The problem, according to security research professionals, is that Microsoft keeps a tight lid on the details of those internally discovered issues, a move that makes it difficult for an IT administrator to make an informed patch deployment decision.
There is certainly some truth in that. Some administrators only install those patches that seem dangerous enough to them. If Microsoft doesn't give them the details of a bug, they might simply neglect the patch, which in turn makes it easier for the bad guys.
But if I were a "security research professional", I would recommend that administrators install every security patch, no matter how harmless it seems, and I would recommend that Microsoft make clear in its bulletins that an update is an important security fix even when the details remain unpublished.
Imagine this: Ferrari finds a serious flaw in the anti-theft system of your new red pride and joy. Do you want them to publish the trick in all the newspapers? Or would you rather have Ferrari call you and ask you to bring your runabout to the garage? You might say that the bad guys will find this bug anyway, sooner or later. The point is: do you want Ferrari to tell the kids next door how to go for a spin in your red darling before you have had the chance to get it fixed?