Microsoft Corp. is giving early versions of its software security patches to the U.S. Air Force and other organizations, a practice some experts fear could give rogue hackers important details about how to break into unprotected computers on a massive scale.
Microsoft maintains that participants in its security-testing program abide by strict rules to protect these early software patches from leaking into the Internet’s underground. For added security, it doesn’t provide documentation to participants about which Microsoft products might be affected and allows only for limited testing in a computer laboratory.
Hackers who study such patches can identify the vulnerable software and build tools to attack it. Microsoft said the program’s goal is to more thoroughly test its upcoming security patches for reliability; some of Microsoft’s patches in previous years have inadvertently disrupted computers.
“The challenge for us as a company is to make sure the updates we provide are good quality,” said Stephen Toulouse, a program manager for Microsoft’s Security Response Center.
For years, Microsoft had denied suggestions that it privately shared detailed information about vulnerabilities discovered in its software before they were publicly announced. Craig Mundie, a senior vice president, said earlier this week that fears about dangerous leaks compel Microsoft to keep such sensitive information a closely guarded secret.
“We’re very highly incented not to be too generous,” Mundie said.
Some security experts challenged Microsoft’s year-old practice, which was first disclosed in Friday’s Wall Street Journal. They cited the likelihood that even early versions of software patches may leak from participating organizations into the hacker community.
The U.S.-funded CERT Coordination Center at Carnegie Mellon University suffered such breaches when hackers stole and publicized sensitive details about software vulnerabilities before repairs were available.
“Leaks definitely do happen,” said Marc Maiffret, an executive with eEye Digital Security Inc. of Aliso Viejo, Calif., whose researchers have found dozens of serious flaws in Microsoft’s products. “You run the risk of this getting out to the wrong people. It will be interesting to see whether they can contain it.”
Peiter “Mudge” Zatko, a security expert who has worked for both the Clinton and Bush administrations, said the risk from Microsoft’s effort was “the worst possible thing for national security.” He said outside the U.S. government’s classified military environment, it was nearly impossible to guarantee secrecy.
“What Microsoft is doing is really, really bad,” Zatko said.
Microsoft said its program participants, which it declined to identify except for the Air Force, were carefully selected and sign nondisclosure agreements. Toulouse acknowledged there was some risk but said building hacker tools by examining a software patch was “a significant engineering challenge.”
“One of the things we have to weigh is that risk against making sure we can provide a quality update,” he said.
Another outside researcher, Russ Cooper, said he was mollified by Microsoft’s efforts to enforce secrecy agreements and withhold important details about any future vulnerabilities.
“I’m not terribly worried,” said Cooper, senior scientist at Cybertrust Inc. “Anybody participating in this program probably enjoys the status and will do everything they can to make sure they don’t violate any agreements and get pulled out.”