FFS people, this is called MAPP and the program has been public and a huge security success for the last few years. Microsoft advises lots of security companies about patches slightly before they are issued. That way, everyone has options on day 1 and people aren't scrambling for additional mitigations every Patch Tuesday.
If you want to be outraged, check out all the Chinese companies on the list of partners!
Funny you mention this, because I don't see US Government, Department of Defense, or the National Security Agency on that list (not that I expected to find them there in the first place). Also, last I checked, the purpose of MAPP wasn't to allow MAPP-partners the ability "to exploit vulnerabilities in software sold to foreign governments"... And indeed, that would only compound the problem (have a look at the last question on the MAPP Application Request: "Do you sell or create products used to attack or weaken the security posture of networks or applications?").
> If you want to be outraged, check out all the Chinese companies on the list of partners!
Wow, really? :|
I might be outraged if I saw Government of China on that list, but the majority of Chinese companies on that list are large telecommunications companies (like Huawei) or Chinese-based antivirus companies. And even then, Chinese-based companies only make up a fraction of the (unsettlingly large) list.
That's because there is more than one program providing this sort of information. MAPP is for AV and other security software companies. There is also CIPP (http://www.microsoft.com/security/cipp/) and another one for "Defence", which is all government, military and intelligence agencies (apparently).
> last I checked, the purpose of MAPP wasn't to allow MAPP-partners the ability "to exploit vulnerabilities in software sold to foreign governments"
The phrase you quoted is utterly meaningless, and the article provides absolutely no evidence that the vulnerability notifications are used for that purpose.
It's just an anonymous source saying "with knowledge of unpatched vulnerabilities, the government could exploit that knowledge." Obviously! With knowledge of unpatched vulnerabilities, YOU could exploit that knowledge. Anybody could. What of it?
I think the US government is not on the list because they don't need this program. The NSA finds its exploits directly from the source code, which Microsoft shares with them and many other governments, not second-hand from Microsoft.
This program may have been publicly ongoing, but it is no less scandalous. Do you really believe that this early access to information will not be used for offensive ends ? How is that respectful of Microsoft's other customers, such as other governments ?
This has been going on for years. It's a program that Microsoft created for passing along 0days to AV Vendors and companies so they could create detection mechanisms for it.
Nonetheless, its significance increases in the light of the current NSA revelations.
After all, previously one could justify Microsoft's actions by claiming they were notifying the NSA of flaws in Windows so that the NSA could patch their systems ASAP. Now we would likely infer a more sinister justification.
Right. Disclosing to some people first before you blow the patch out to the public can be of great defensive benefit. But it has to be people you trust not to blab about it, deliberately or accidentally. Apparently USG is in that category.
This may allow the USG to also perpetrate attacks. But we really need some evidence of that.
Stuxnet? Is it too far of a stretch to think that this could have aided in the development? Obviously I have no evidence that it actually did, but I wouldn't be surprised and personally think it's likely.
Probably not: once a vendor is aware, the bug has a relatively short life, and using it increases the possibility of detecting your attacks. To avoid constant maintenance, one must review code for new exploits and then not inform the vendor.
More likely they watched for indications that their bugs were independently detected to keep ahead once they were operational.
1. Oil rig fires actually occur with the same frequency in water without dolphins (making data up to go along with your example).
2. I can not see what motive dolphins could have for torching oil rigs
(usg has a motive)
3. I don't think they are able to do it; we have never seen evidence of them being able to harness the power of fire.
(usg has access to 0days)
4. Dolphins have no record of performing other crimes or acts of sabotage before
(usg has)
3. Just because you haven't seen it doesn't mean it doesn't happen. They've had a lot of time to figure it out (they don't even have jobs)
4. They're clever animals. How can you say they wouldn't?
...to be more serious about it, I was using an extreme example to make a point. It is next to impossible to prove that someone has never done something, so when you start arguing on a basis like that you just descend into an abyss of unanswerable mess.
Early access to the knowledge of vulnerabilities is just good customer service when you're talking about your biggest customer, who is also very security conscious. It allows them to protect themselves. The fact that the same knowledge can facilitate the development of offensive payloads is unfortunately unavoidable - but that doesn't mean that's the purpose of the program or that it should preclude any early sharing at all.
Most of the time (with other vendors, say Cisco) these early warnings include general descriptions of the problem and remediation steps - but not explicit descriptions or code patches. While that can be enough to point someone on the right track and develop an exploit for it (depending on a ton of unknown factors), I'd say that 99% of the time the exploit doesn't actually get written until the author can get their hands on the actual patch, so they can see exactly what code was changed. Many of these vuln disclosures are enormously generic in scope. Think "a parsing vulnerability in an XML format" and remediation - don't allow connections to port xxx or turn off major software component y.
It wouldn't surprise me if the US government gets pre-public access to information that makes it easy to weaponize 0-days (what the hell is the Zero Day Initiative, anyway?), but you'll have to do a hell of a lot more digging and analysis before you could convince me that this is one of them.
> Early access to the knowledge of vulnerabilities is just good customer service
Customers who don't have early access might object, especially if they are foreign governments who might sometimes have competitive issues with the USA - which includes pretty much everyone.
I learned a thing or two about this in 2009-2010 when I uncovered a critical SSL/TLS bug CVE-2009-3555. The fix for this bug would require a change to the TLS protocol itself (RFC 5746) which would take months in the best case, so my boss and I set upon a disclosure plan. (This was long before we ended up employed at MS.)
Microsoft, like many other vendors, would need to patch. They were the most responsive, a bit aggressive even, vendors about wanting to get the full details of the bug as soon as possible.
We also disclosed to the US Government. We did this as part of the planned disclosure process to vendors as well as customers and other stakeholders. I felt it was important that there were customers in the process in order to motivate the vendors a bit and so we weren't the only ones taking heat from the vendors. The US Government probably had more affected systems than anybody and it could even be a national security issue, so we disclosed to them.
I think it worked. Some of the other (non MS) vendors heard about it via their Federal business and were a little annoyed at us. The US Government really wants to keep their own systems patched.
I never did hear of the bug being used in anger (not that I would have), but among the major vendors (Linux distros included), Microsoft was the first to engineer and release a patch and push it down the update channel.
I remember TLS extensions support being backported to XP just to implement this. I wonder if it was backported to Win2000 too for Custom Support customers. It is funny that the patch was released August 2010, just after Win2000 went out of support.
While I am completely against PRISM and what has occurred, I might be more against the necro-stories that are surfacing trying to paint the complicit companies in a more harsh light.
Stop muddying the waters and let's focus on fixing today.
"Hey your systems have been vulnerable for a week; here's the patch!" just doesn't fly too well with major customers with very real needs for security.
I personally don't mind them being used in real targeted surveillance either. That surveillance is going to happen anyway.
> I personally don't mind them being used in real targeted surveillance either.
You hear this and then, on this website, people get all incensed when China sponsors industrial espionage against US companies. What I'm saying is that moral consistency is required; it makes people predictable.
> "major customers with very real needs for security"
Major customers with very real needs for security probably aren't running Windows... Even if they are, they should be sandboxed in such a way as to reduce potential damages from a 0-day.
Major customers with very real needs for security probably aren't running Windows
Plenty of big organisations use Windows for almost everything, and certainly don't go around sandboxing it. They manage regular security patches just as you would for any other operating system.
As a (perhaps extreme) example - the Royal Navy use Windows to run several of their warships: http://www.theregister.co.uk/2009/01/05/windows_for_warships...
Is this why Microsoft called the Google engineer, who uncovered one of these bugs, "irresponsible"? Because they couldn't give it to NSA anymore? If they are doing this, at least they should shut up, and let the engineers who uncover them help the public.
There are other researchers too, who disclose bugs to Microsoft without spewing unnecessary vitriol? And he was being irresponsible. Microsoft's security division has been proactive earlier, regarding zero-days [1].
Also at this stage, no company is helping the public. Even Google. Every step of my digital life is mined through US corporations, and Gmail, Google analytics and Facebook have a major chunk of my private life between them. So let's focus on every company, without furthering one single company or defending another.
Exploits or vulnerabilities? If they are handing out fully built exploits, I have a problem with it. If they are just vulns then yeah, it is probably MAPP which isn't news really.
I'd argue it doesn't really matter, as I assume the US government is fully capable of creating a fully-built exploit out of a major software company's early disclosure of a vulnerability... And yes, I also assume they are using it to their full potential for surveillance (or put another way, unless someone told them explicitly not to, why wouldn't they?). And indeed, this is what the article itself hints at: this type of early alert allowed the U.S. to exploit vulnerabilities in software sold to foreign governments.
I think that when "Microsoft doesn't ask and can't be told how the government uses such tip-offs" the problems begin. I'd really like to believe what we're told - that the exploits/vulnerabilities were only used for software sold to foreign governments - but I'd be hard pressed to actually believe that forgoing any concrete proof. Again, unless someone explicitly says "no", they seem hell-bent on using anything they can for their own increased surveillance, domestic or otherwise.
Lastly, regarding MAPP, I think this is something entirely different they're hinting at. I see several things on the MAPP criteria [1] I doubt any intelligence agencies align with (Are you willing to have your company name and URL displayed on our MAPP website?, Do you provide active protection technology for Microsoft products and is your product commercially available?, and Do you sell or create products used to attack or weaken the security posture of networks or applications? are my favourites).
Security researchers are in high demand right now and with good reason - a competent security researcher can write an exploit given a limited amount of information, and I find it unlikely MS themselves necessarily has exploit code for all situations.
I bring this up because there's nothing particularly magical about writing exploits, even if it isn't a skill an ordinary programmer possesses. If the vulnerability has already been found, then whether this is simply MAPP/CIPP or something more nefarious, your distinction seems a bit academic.
If they are handing out exploits, MSFT management is pretty incompetent. This would negatively affect their sales to foreign companies and sovereign nations. The US government may not hack US companies, but there does look like there is some evidence they hack foreign countries and governments. And MSFT is handing over keys to the US government.
Depends on the timing - if the NSA gets info less than a Patch Tuesday before me, it is no big deal. If it is more than that, it is huge and will hurt them in the long run.
And you were wondering how the spooks that targeted the Iranian nuclear facilities were somehow able to get their hands on no less than 4 different zero-day exploits.
So MSFT was holding off on the fixes for as long as it took USG to weaponize them?
Those are the worst bugs for USG to weaponize. First, Microsoft is going to patch them soon. Second, there is now a paper trail from Microsoft talking to the US about the bug.
LATE EDIT: in fact, if the person in charge of Stuxnet also saw the exploit they were already using come across the wire from Microsoft, he would likely order it pulled from Stuxnet. They want total deniability.
You know you can get the source code to Windows? You have to be a very large customer and have data protection measures in place.
Postgres worked with Heroku to test one of its security patches before releasing it to the public, and no one blabbed. You can probably find a way to get on Microsoft's early-bird notification program, too, if you are an extremely large customer and can assure them that you won't leak the data out.
It's not build-able. Parts are not released. You might be able to build parts of it and compare that to parts of the binary. But it isn't useful for auditing.
Wait, so there is a problem with MS helping our government protect its secrets? I agree, PRISM was bad and an invasion of privacy, but people need to realize that government agencies have more secrets and do more than spy on us. I wouldn't want China, Russia or some other foreign country getting its hands on the locations of weapons, R&D, or our defense plans because of an exploit in an MS program.
Hackers will always be faster to take advantage of loopholes than companies or the government are at patching them. Do people really see the problem with MS doing this?
Have you told them about the SSH key fiasco? I've been running Debian/Ubuntu servers since the late 90s but I wouldn't make those kinds of claims about anything you haven't personally audited – and it's certainly not like it'd be impossible for an attacker with nation-state level resources to compromise an OSS project as well.
Oh I agree, but when discovered we don't have to wait for a government to do its dirty work before the mere mortals are allowed the patch. Patched, poked in the repository and job done.
The temporal window of attack is pretty low. Take a look at Microsoft, when CVEs are issued versus when the KB article with the hotfix is announced and it hits Windows Update. Not a good story.
Regarding the key fiasco, we used puttygen for key generation.
This is hyperbole. Most large software companies report vulnerabilities to CERT and DHS so that they can start patching critical infrastructure sooner rather than later.
Back in 2001/2002 I argued with friends that Microsoft must have made a deal with the government in its antitrust case [1]
Basically divulging or intentionally leaving holes or backdoors in the system accessible to the government in exchange for practically dropping their antitrust case.
If you want to be outraged, check out all the Chinese companies on the list of partners!
https://www.microsoft.com/security/msrc/collaboration/mapp.a...