Microsoft’s attitude toward vulnerabilities in their code disgusts me. It’s difficult to interpret what people say online, but reading the Microsoft Security Response Center Blog seriously raises my blood pressure. One of the latest bugs allows remote code execution due to a buffer overflow in the DNS RPC interface. The security response center says this:
“Microsoft is investigating new public reports of a limited attack exploiting a vulnerability in the Domain Name System (DNS) Server Service…” (link)
Every time I read one of their advisories I roll my eyes because they unnecessarily throw in words like “limited”. I’m not very knowledgeable about their whole security notice process, but their website says this:
“Microsoft Security Advisories, a supplement to the Microsoft Security Bulletins, address security changes that may not require a security bulletin but that may still affect customers’ overall security. Microsoft Security Advisories are a way for Microsoft to communicate security information to customers about issues that may not be classified as vulnerabilities and may not require a security bulletin.” (link)
I decided to fetch all of the advisories in their latest advisory RSS feed and see what exactly is in them. There are 46 total, and the oldest one is from 5/10/2005. I’m not surprised by that, because most vulnerabilities in Microsoft products are pretty severe and warrant a bulletin. If that is the case, I’d expect to see very few instances of possible remote code execution under the advisories list, but wait:
kian@algernon:~/microsoft_stats$ ls -al *.mspx | wc -l
46
kian@algernon:~/microsoft_stats$ grep -Hic 'remote code execution' *.mspx | grep -v ':0' | wc -l
23
I was curious about how many of these 23 vulnerabilities contained the exact word “limited”:
kian@algernon:~/microsoft_stats$ for i in `grep -Hic 'remote code execution' *.mspx | grep -v ':0' | cut -d':' -f 1`; do grep -Hic limited ${i}; done | grep -v ':0'
917077.mspx:1
925444.mspx:1
925984.mspx:1
926043.mspx:2
933052.mspx:1
935964.mspx:2
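To make that count easy to repeat, here is an added shell script (my own, not part of the original post) that applies the same two-step filter to a directory of advisory files, but matches “limited” as a whole word so that words like “unlimited” are not counted, and counts occurrences rather than matching lines. The .mspx sample files it creates are constructed stand-ins, not real Microsoft advisories.

```shell
#!/bin/sh
# Added example, not from the original post: rerun the post's two-step count on
# a directory of advisory files. Compared with the post's one-liner it matches
# "limited" as a whole word (so "unlimited" is skipped) and counts occurrences,
# not matching lines. The .mspx files created here are constructed stand-ins.
set -eu

# Create three constructed sample advisories in $1.
make_samples() {
  dir=$1
  mkdir -p "$dir"
  printf '%s\n' \
    'Microsoft is investigating reports of a limited attack.' \
    'Successful exploitation could allow remote code execution.' \
    > "$dir/100001.mspx"
  printf '%s\n' \
    'This issue allows remote code execution. Attacks are limited and targeted; a limited number of customers are affected.' \
    'An unlimited number of configurations may be affected.' \
    > "$dir/100002.mspx"
  printf '%s\n' \
    'This information disclosure issue has limited impact.' \
    > "$dir/100003.mspx"
}

# Number of advisories in $1 that mention remote code execution (case-insensitive).
rce_count() {
  grep -li 'remote code execution' "$1"/*.mspx | wc -l | tr -d ' '
}

# For each RCE advisory in $1, print "<file>:<n>" where n is the number of
# whole-word, case-insensitive occurrences of "limited"; skip files with none.
limited_in_rce() {
  dir=$1
  for f in "$dir"/*.mspx; do
    if grep -qi 'remote code execution' "$f"; then
      n=$(grep -oiw 'limited' "$f" | wc -l | tr -d ' ')
      if [ "$n" -gt 0 ]; then
        echo "$(basename "$f"):$n"
      fi
    fi
  done
}

# Demo run on the constructed samples.
demo_dir=$(mktemp -d)
make_samples "$demo_dir"
echo "advisories mentioning remote code execution: $(rce_count "$demo_dir")"
limited_in_rce "$demo_dir"
rm -rf "$demo_dir"
```

Point `make_samples` at a directory of real saved advisories (or skip it) to reproduce the post's numbers with the stricter matching.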
I don’t know about you, but I don’t really think of “remote code execution” as “limited.” One example of the use of “limited” is in advisory 933052:
“Microsoft is investigating new public reports of very limited, targeted attacks against Microsoft Word “zero-day” using a vulnerability in Microsoft Office 2000 and Microsoft Office XP. In order for this attack to be carried out, a user must first open a malicious Office file attached to an e-mail or otherwise provided to them by an attacker.”
During the recent drama about the Windows ANI vulnerability, Christopher Budd posted this to the MSRC blog:
“I’m sure one question in people’s minds is how we’re able to release an update for this issue so quickly. I mentioned on Friday that this issue was first brought to us in late December 2006 and we’ve been working on our investigation and a security update since then.” (link)
Brought to their attention in December 2006, and fixed in April 2007? Somehow that doesn’t strike me as “quick”, especially considering the nature of the vulnerability.
Maybe someone who works with them could set me straight on their choice of words, because right now it seems like they’re less concerned with security than they are with image. Does “limited” mean “difficult to exploit” or “not widespread” or “limited damage”? None of them are really satisfactory, so I wonder why Microsoft uses the word in the first place.
UPDATE: I decided to write to Microsoft and ask about the usage of the term “limited.” Here is the response:
Hi Kian,
The word limited is used in context of the number of attacks that Microsoft and its partners have seen.
Here’s the extract from advisory – “limited attack exploiting a vulnerability”.
It really means that we are not seeing widespread attack at this point in time.
Hope that helps to explain the situation.