Internet Security Systems - AlertCon(TM)

Microsoft publishes great technical information

Posted by Tom Cross on October 23, 2008 at 6:01 PM EDT.

Recently we've noticed that Microsoft has been publishing a lot of technical details about their security vulnerabilities on a couple of different blogs, including their Security Vulnerability Research and Defense (SVRD) blog as well as their Security Development Lifecycle (SDL) blog. These blog posts are excellent resources and we're really excited that Microsoft is doing this.

For example, the SDL post about today's Server Service vulnerability provides an excellent analysis of the way that layers of security in Windows Vista and Server 2008 prevent this vulnerability from being effectively exploited against those platforms.

The SVRD blog post goes even further, with actionable details about the interaction between this vulnerability and several Windows security features such as the Firewall and ASLR, and an interesting C program that can remove ANONYMOUS from the access list for named pipes. In the recent past, SVRD has even gone as far as to take you through the disassembly of a vulnerability so that you can see the sort of questions that X-Force researchers are looking into in the hours before an XPU is released.

Generally speaking, exploits for serious vulnerabilities end up circulating publicly within a short period of time after patches are released, particularly if they affect popular Microsoft products. We don't think this kind of information will accelerate exploit development, both because it is so rapid already, and because Microsoft is being very careful about exactly what details they disclose.

However, this information does help administrators understand exactly what the impact of a particular vulnerability is likely to be and exactly why particular mitigations are effective. This enables them to make truly informed decisions instead of blindly following the sort of vaguely written advice that often appears in security bulletins. These resources are also helpful to software developers across the industry, as they provide an up-close look at the kinds of mistakes that appear in even the most carefully audited software.

We applaud Microsoft's decision to make this technical detail available and we hope our customers have noticed and are making use of it.

Comments or opinions expressed on this Weblog are the opinions of the authors alone. They are not necessarily reviewed in advance by anyone but the individual authors, and neither IBM Internet Security Systems nor any other party necessarily agrees with them. The views expressed by outside contributors and links to outside websites do not represent the views of IBM Internet Security Systems, its management or employees. All content on this Weblog has been made available on an “as-is” basis, and IBM Internet Security Systems shall not be liable for any direct or indirect damages arising out of use of this Weblog.