Skip to main content

Security at the big software vendors

Cesar Cerrudo of Argeniss here. I was thinking what to write about in this blog post and I decided that this would be a good opportunity to acknowledge Microsoft security efforts by highlighting Microsoft improvements, and also to compare how security is currently handled by the other big software vendors.

While I don’t like some Microsoft policies and how some security issues are handled by Microsoft sometimes, Microsoft is currently the software vendor that cares the most about security, and this can be seen in the increased security of their software. It has improved a lot in the last few years. Of course nobody is perfect, and Microsoft software will continue to have security vulnerabilities, but they will continue improving.

My team and I have been finding and reporting hundreds of vulnerabilities to major vendors for the last 6 years, so I guess I have some experience in the subject.

Let’s talk about two of the biggest software vendors. I’m not going to mention their real names. Let’s just say they are Vendor A and Vendor B.

First we have Vendor A. This vendor talks more than it acts. They are always talking about how much they train developers in security, how much they care about security, how they use these wonderful products that find all security issues, and even make and serve coffee while doing it, and blah, blah, blah. But reality is far different from what they say.

Let’s take an example: You report X vulnerability in Y functionality to them, and they will take their time to fix it (and it could take a couple of years sometimes). Furthermore, they just fix the X vulnerability in Y functionality. They don’t investigate whether the same vulnerability is present in Z functionality. But that’s not all, they only fix your reported attack vector. They don’t look for other attack vectors. But wait, that’s not all – the developer will produce a fix that can’t even prevent a variation of the reported attack and this fix goes straight to production. I really wonder how this vendor determines when a fix is ready to go into production, since not enough testing seems to have been done.

Nobody seems to notice that the fix sucks, then when the fix is ready, the vendor will inform you they have produced a fix for the vulnerability in software version 1a, 2a, and 2b, and that they will release it at some future date. When the fix is released, you test the fix in the corresponding versions and then you realize that there is no fix at all in version 1a and that the fix on version 2a and 2b only works when trying to exploit the vulnerability in the exact way you reported. If you change the exploit slightly, then the fix doesn’t work, so you contact them again.

You go through the same process one more time, and then a new fix is released. With the new fix, you find out again that the fix in version 1a is not present, and the fix in version 2a works well, but the fix on version 2b still doesn’t work with exploit variations. The same process goes on again and again, until some day after 2, 3, or 4 fixes, the vulnerability is finally fixed on all the affected software versions.

Unbelievable, eh? Well, that is how Vendor A is currently producing security fixes. Vendor A is clearly many years behind Microsoft when it comes to security.

Let’s talk now about Vendor B. This vendor has a lot of experience producing software, and like Vendor A, it is one of the big vendors. Vendor B seems to produce good fixes for security vulnerabilities, but they have a bigger problem. It seems their developers are not very familiar with security.

For instance, the latest version of one of their most popular software packages still has stack overflows that you can find in 5 minutes. It also has everything open by default, and by changing just one byte in software protocol packets you can easily crash the software.

You can tell that some developers don’t really get security and that they have the final decision when to produce a fix. If you report a vulnerability related to some functionality that’s accessible to all users by default, and that can be abused to perform evil actions, they will just respond that the functionality is used by their customers and that it can’t be abused. And that’s it, developers don’t realize that their competitors’ software has restricted the same functionality by default for security reasons a long time ago. Vendor B doesn’t seem to have a security response team, since most of the time, reports are handled directly by developers or software managers. I could continue with more examples, but I think you get the picture. What is weird is that Vendor B some time ago acquired an important security consulting company that had really skilled people. I wonder why these people are not helping to improve their own software security, instead of doing cool research on new attacks on software from other vendors and providing external consulting services in order to help other companies. Weird.

Again Vendor B is clearly many years behind Microsoft when it comes to security.

I have criticized and pointed out Microsoft security problems many times and I will continue doing it when it’s necessary, but I really think that Microsoft is ahead by many years in security, compared to other vendors. Microsoft is leading security efforts in the software industry.

I have seen Microsoft make huge improvements over time. Some Microsoft products’ previous versions had dozens of vulnerabilities, but now the newest version has almost no vulnerabilities. I haven’t seen that in any other products from other vendors, and this is something really amazing that nobody seems to notice.

I think other vendors will improve over time and that Microsoft is indirectly helping them with the knowledge and research it generates. By looking at Microsoft, these other vendors could get an idea on how to get better at security.

BlueHat is another innovative way Microsoft has developed to improve security. If you have something to say that will help to improve security in its products, then Microsoft will listen to you.

As I always say: “Vendor A and Vendor B are very lucky because they never had a worm.”