Microsoft Security Patches Include Hidden Surprises
Corrected: March 22, 2006
by Alex Woodie
As a Windows user, you've become accustomed to the drill: When Patch Tuesday rolls around, you'd best get those security updates applied quickly, before the hackers start targeting the new vulnerabilities that the patches fix. But did you know that Microsoft's patches may change parts of the system other than what is disclosed in the advisories that accompany the patches? While it's generally a good idea to trust your vendor's patches, sometimes what you don't know about them can hurt you.
Earlier this month, Steve Manzuik, security product manager at eEye Digital Security, and Andre Protas, an eEye research engineer, presented a session at the Black Hat Europe security conference called "Skeletons in Microsoft's Closet--Silently Fixed Vulnerabilities." In that talk, Manzuik and Protas shared how they discovered that Microsoft fixed potential vulnerabilities in Windows 2000 with an Update Rollup, and didn't bother telling anybody about it.
IT Jungle didn't attend that show, but after returning from Amsterdam, Manzuik shared some of the details about eEye's discovery. The company, which has made a name for itself in the security research arena by discovering several major holes in Windows--including the vulnerabilities that led to the Code Red, Sasser, and SQL Sapphire worms--found out what Microsoft had done by using a combination of approaches, including reverse engineering the patches to decipher exactly what problems the patches fixed.
What eEye found was that Microsoft doesn't necessarily share all the details about its patches, and what's more, it's a regular occurrence with the Redmond, Washington, software giant. (For what it's worth, Microsoft isn't the only vendor practicing a "don't ask, don't tell" policy on patching. IBM is also very tight-lipped about the security vulnerabilities it fixes in its proprietary operating systems.)
Most casual Windows users couldn't care less about Microsoft's lack of full technical clarity concerning patches. After all, these users just want their operating system to be secure, and are more than happy to rely on Microsoft to do this. However, for other classes of users, including enterprise shops that do QA testing on patches and security product developers like eEye, the omissions pose significant risks of missing an important security vulnerability, and possibly breaking legacy applications.
eEye would like to see full disclosure from Microsoft to help it build better security products. "It would help those of us creating protection technologies, and those doing risk assessments on the patch. What does this patch change? How can I know what it changes, if it changes three things, and not just one?" Manzuik says. "They feel that by talking about every little problem in the patch, it increases the end user risk . . . [But] not talking about it doesn't mean it doesn't exist. It just means the bad guys will be finding them."
The omissions mean that security product developers that rely on the information Microsoft supplies about patches to update the signatures for their products, such as intrusion detection and prevention systems, will not be aware of threats fixed with silently distributed patches, Manzuik says.
"If they don't have a research organization, and they just rely on what's being publicly told to write their signatures, they're not going to be able to catch the issues," he says. "The bad guys are reverse engineering the patches, too." Because eEye does its own research, it doesn't have to rely on details provided by Microsoft to update its own security products. It considers this a competitive advantage.
Despite the lack of full disclosure on patches, Microsoft has made big improvements in security over the past few years, says Manzuik, a 13-year veteran of the IT security business. "In the '90s, they were horrible. You'd report a vulnerability, and you wouldn't hear back from them for weeks, if at all," he says. "Now they have a good process in place and are communicating with researchers.
"There are definitely areas they can improve, but if I compared them to Oracle or Apple, I'd say they're doing very well. I'd suggest they [Oracle and Apple] get in touch with Microsoft and adopt their model of doing things."
This article has been corrected. The name of the company is eEye Digital Security, not eEye Security Technologies. IT Jungle regrets the error.