What if Microsoft behaved like the Coalition Provisional Authority?

So I’m listening to NPR this morning and I ran into this short article on Morning Edition:

The Coalition Provisional Authority in Iraq provides information on electricity production and reconstruction projects, but not on security. The coalition Web site declares, "For security reasons, there are no security reports."

The actual web page can be found here.

Could you imagine if Microsoft (or Suse, or Debian, or any other operating system vendor) attempted to do the same thing with security bugs?

“For security reasons, we can’t provide any information about security bugs in our products.”

The industry wouldn’t stand for it (heck, I wouldn’t stand for it, as if my opinion counts :)). They’d rightly want to know what we were covering up.

This is not to say that Microsoft or the others couldn’t justify such a claim: most (if not all) of the security bug exploits found in the wild are released after the vendor announces the security hole (18 months for ms-blaster, 1 week for the last couple of security holes). This isn’t because the hackers want to be nice and let the vendors involved get a patch out. Instead, a fairly strong case can be made that the hackers figured out the exploit from the information in the vendors’ security release. So if the vendor didn’t release information about the security holes, the hackers couldn’t (or wouldn’t) reverse engineer them, and there would be fewer exploits in the wild.

There have been very few examples of a true zero-day exploit actually being discovered. In a quick Google search, I found only one or two legitimate 0-day exploits out there (no, I’m not posting them); most of the exploits found in the wild are 7-day or 14-day exploits. That tends to support the argument above: if software vendors didn’t disclose their vulnerabilities, the hackers would have less to work with.

Fortunately, the various powers that be have decided that full disclosure’s the way to go – at least for computer security.  Now, if the CPA would only consider doing the same…


Btw, in case it’s not obvious: This posting is provided "AS IS" with no warranties, and confers no rights.  All opinions enclosed are the opinions of the poster and are not those of his employer.



Comments (12)
  1. Anonymous says:

    The only problem is, Microsoft has third parties finding the security flaws. Nondisclosure isn’t really an option.

  2. Anonymous says:

    First off, so does everyone else – if you read Bugtraq, most of the vulnerabilities announced are against other products.

    But this article wasn’t intended to be about security disclosure – it was intended to be about the CPA’s policy of not announcing security issues in Iraq.

  3. Anonymous says:

    My apologies if it seemed as if I was targeting MS specifically in that last post. I should have said that software companies, in general, have third parties finding security flaws.

  4. Anonymous says:

    Unfortunately, in the world of the CPA, when exploits are tested, people die. Significantly more dire consequences than if a company’s email goes down for a couple of days.

  5. Anonymous says:

    I’d like to point out that Google searches aren’t ‘0-day’ in and of themselves: the Google index isn’t updated every day, so when you search for something that was posted today…you see what I mean.

  6. Anonymous says:

    Matt: A good point, people do get killed in Iraq. But if the CPA refuses to provide information about the state of security in Iraq, the only thing that potential contractors have to go on is the news reports.

    pds: I never said that Google searches were 0-day. I searched for news reports (and newsgroup reports) of 0-day exploits. And there were surprisingly few – maybe three or four. And only one of which appeared to cause damage – a previously unknown 0-day exploit was used to break into the source code machines of an OS vendor and the source code of the OS was compromised for a very short period of time. The vendor discovered the intrusion almost immediately and corrected the situation.

  7. Anonymous says:

    What if? I thought MS was suing the CPA for theft of Policy! 🙂

  8. Anonymous says:

    Disclosing general information (say, "xxx component is affected by something") doesn’t provide much. I think the patches are reverse engineered, since the changes will apply to specific parts, and then an attacker can narrow down the specific part that is modified, and hence, vulnerable.

  9. Anonymous says:

    Out of curiosity, what kind of information would be published in a CPA security report?

  10. Anonymous says:

    I don’t know – "It’s dangerous here in general, but the city of Xxx has had fewer occurrences of problems"?

    One of the ongoing complaints about Iraq is that the media only says the negative things that are happening in Iraq, that the country is much less chaotic than the media reports. This would be a place to make that clear.

  11. Anonymous says:

    They wouldn’t be able to go into much detail, since saying "Point X,Y is more secure than Y,X" just reveals your own information, which an attacker can use.

    From your comment, I’m supposing they need more marketing/propaganda/etc. to make people feel better about what’s going on. The information they could release would need to be so generic, so both would have roughly the same effect.
