Home / Thoughts / On Patching Security Bugs

On Patching Security Bugs

Hello fellow bug hunter!

I want to share with you my thoughts on a slight change that the folks at Microsoft could embrace to make security better. This change, in my opinion, will make the security process more transparent for all, attracting bug hunters and making the lives of the bad guys more miserable, or at least less profitable.

Personally, I think Microsoft is full of smart people with good intentions, but I disagree in many cases with their current way of treating security bugs so I expect a change to a similar direction the other big ones took long ago. Let’s see something concrete:

  1. To patch every bug considered a vulnerability in no more than 60 days.
  2. To keep a permanent reward system (aka bug bounty) open for their supported browsers.

This is essentially what other big companies do. Both Google Chrome and Mozilla Firefox have clear rules about what’s a bug and what’s not, to the point that Google publishes exactly what’s the reward on each bug type (see Chrome and Firefox rewards). But I’m not speaking of the exact amount of money that these companies pay because this is and should be determined by the companies themselves. I don’t expect anyone to match the value of others, but I do expect everyone to agree on what’s a bug, what’s not, and a transparent patching process.

Good changes

Last week Microsoft included design bugs in their Edge bounty (by design bugs I mean SOP bypasses, UXSS, referer spoofing, etc). The list is clearly incomplete but it’s a good start, however, Internet Explorer is still excluded. In other words, a researcher who finds a way to grab your Paypal credentials on IE will be rewarded with a “thanks, we will try to patch in 120 days but if you speak publicly about it we will not credit you” while the same thing on Edge is rewarded with money.

I completely understand the business logic here: Microsoft wants to get rid of IE and move that user base to Edge, but I disagree because we are leaving behind too many people, a user base five times bigger than Edge.

Make no mistake, I applaud that decision because they are moving in the right direction: a faster and more secure browser. However, we can’t leave IE behind unless the user base decreases to almost zero. We need to protect those users even more because evidence shows that they are being attacked again and again, and abused with all type of design bugs like fingerprinting the PC and delivering the bad bits only to unsavvy users.

Browser Market Share 2016 Q3

Desktop Browser Market Share

Source: netmarketshare.com

Even if I agree with the idea of moving users away from IE, the current market share shows that we should continue taking care of them during the transition. Attackers do not waste their opportunities and as long as there are innocent vulnerable users they will be attacked with no mercy. Attackers can fingerprint IE users pretty well in order target their victims with precision. And this is something that we also need to consider: when we know a bug is exploited on the wild, we should patch it ASAP with no excuses. Of course I understand Microsoft patching mechanism can’t be immediate today, but at least we should make sure -honestly- that it is prioritized correctly and patched fast.

Today standards are higher than the ones from the previous decade. We are now concerned about privacy like never before and just being able to fingerprint the user is considered bad, and browser makers try to avoid that at all costs. Microsoft, please do the same!

We need to attract honest-decent-bug hunters and give them motivation to research and report properly. This is what other companies promote and I firmly believe Microsoft should join them. Why not? If we want to move IE users to Edge, why not being respectful and really support them during the transition? Also, the engine that runs IE, Trident, is still used by several desktop applications and leaving that engine behind means leaving those applications behind. Windows users with desktop Skype are essentially running an IE.

Patching Time

The other extremely important thing is to really patch during in a max 60 day period. Microsoft says they do it in 90/120 and maybe that’s what they try to achieve, but the reality is different and more than once researchers complain because Microsoft seems to be sitting on the bugs for more than what’s advertised. This should be taken seriously: patch quickly and if you can not do it because -say- you could break a 3rd party application, it would be transparent to say which application and why. Not disclosing reasons with a researcher that served you a bug in a silver platter is unfair.

So my proposal is quite simple:

  1. Patch every bug considered a vulnerability in no more than 60 days.
  2. Keep a permanent reward system (aka bug bounty) open for all supported browsers.

Bug bounties should be open for as long as you care about the related products. If you set a time frame for the bounties, you are promoting bug hunters to sit on their findings until a new bounty is open. Why would you close a program like that? What would be the logic, or who is benefited by setting a time frame around bounties? Attackers.

It is not true that moving bounties around products motivate researchers to switch from an app to the other. Of course there are researchers following the bounties and moving their targets, but we also have a another group of researchers with preferences and favorites who won’t be following the money jumping from Edge to Microsoft Movie Maker. We need to be mature here, think, and do the best in the interest of all. IE and Edge are exposed 24/7 and a simple navigation could be enough to get into users PC.

I really, wholeheartedly hope that somebody at Microsoft thinks about this. We are all against attackers so we need to keep our honesty high, making sure we behave in the best interest of final users who in general don’t have a clue of all these things.

You can find researchers on both sides of the argument: in favor and against full disclosure. I am against it only if the affected company demonstrates that it is acting in the best interest of final users. In my opinion, some people at Microsoft do not care and they just do what they want, so phrases like “responsible disclosure” will ring in my mind when the “responsible patching” ring in their minds. To be clear: I will keep sharing my findings for as long as MSRC keeps acting like an unreachable rock star. How is it possible that Microsoft needs 120 days to patch while Firefox sometimes does it in 1 (yes, ONE)? This is not acceptable anymore. Microsoft can move IE files to the iexplore folder and Edge files to the Edge folder so both programs work stand-alone and we stop with the excuses of OS integration.

Hopefully one day Microsoft will patch in 60 days, or even better, something like the CERT disclosure policy of 45 days. The company has a big opportunity here to make the change.

Finally, my absolute respect to Edge and IE developers. I really think that these guys are creating an amazing browser, but we need a permanent team of attackers helping, firing non-stop at Edge/IE. We need people testing the new features properly, not just fuzzing for memory errors. Edge is already strong in that area, but design bugs are still there.

Edge devs, don’t let bad decisions get in the way of your creation. Edge is beautiful and it deserves proper testing. Also, don’t let your older baby IE die insecure. Protect it if you want the respect the community and final users. Keep protecting it until the user base equals zero.

Thank you for reading until this point and have a nice day!