On Patching Security Bugs

Hello fellow bug hunter!

I want to share with you my thoughts on a slight change that the folks at Microsoft could embrace to make security better. This change, in my opinion, will make the security process more transparent for all, attracting bug hunters and making the lives of the bad guys more miserable, or at least less profitable.

Personally, I think Microsoft is full of smart people with good intentions, but I disagree in many cases with their current way of treating security bugs so I expect a change, like the other big ones took long ago. Let’s see something concrete:

  1. To patch vulnerabilities in 60 days or less, like the CERT disclosure policy of 45 days.
  2. To keep a permanent reward system (aka bug bounty) open for their supported browsers.

That is fair for today’s standards and it’s even less that what others are doing in urgent cases. How is it possible that Microsoft needs 120 days while Firefox can do it in a day and Chrome, same thing!

Firefox – […] should update automatically over the next 24 hours […]

Chrome – […] if we find an important security bug, we push out a fix within 24 hours—no update from you required.

Come on, Microsoft. I’m not the only one who wants that. As for today the request “Allow Edge to be updated on its own” has 1715 votes, and Thurrott has been talking about it more than once. Also, you are in the news all the time for being a slow patcher.

The saga shows that Microsoft’s progress on security issues, as well as that of the software industry as a whole, remains uneven in an era when the stakes are growing dramatically.

Why don’t you set fast-patching as a priority?

And regarding bounties, both Google Chrome and Mozilla Firefox have clear rules about what’s a bug and what’s not, to the point that Google publishes exactly what’s the reward on each bug type (see Chrome and Firefox rewards). But I’m not speaking of the exact amount of money that these companies pay because that should be determined by the companies themselves. I don’t expect anyone to match the value of others, but I do expect everyone to agree on what’s a bug, what’s not, and a quick-transparent patching process.


Good changes

On August 4, 2016, Microsoft included design bugs in their Edge bounty [extended until June 30, 2017] (by design bugs I mean SOP bypasses, UXSS, referrer spoofing, etc). The list is clearly incomplete but it’s a good start, however, Internet Explorer is still excluded. In other words, a researcher who finds a way to grab your Paypal credentials on IE will be rewarded with a “thanks, we will try to patch in 120 days but if you speak publicly about it we will not credit you” while the same thing on Edge is rewarded with money.

I completely understand the business logic here: Microsoft wants to get rid of IE and move that user base to Edge, but I disagree because we are leaving behind too many people, a user base five times bigger than Edge.

Make no mistake, I applaud that decision because they are moving in the right direction: a faster and more secure browser. However, we can’t leave IE behind unless the user base decreases to almost zero. We need to protect those users even more because evidence shows that they are being attacked again and again, and abused with all type of design bugs like fingerprinting the PC and delivering the bad bits only to unsavvy users.


Browser Market Share 2016 Q3

Desktop Browser Market Share

Source: netmarketshare.com

Even if I agree with the idea of moving users away from IE, the current market share (Q3 2016) shows that we should continue taking care of them during the transition. Attackers do not waste their opportunities and as long as there are vulnerable users they will be attacked with no mercy. Attackers can fingerprint IE users pretty well in order target their victims with precision. And this is something that we also need to consider: when we know a bug is being exploited in the wild, we should patch it ASAP with no excuses. Of course I understand Microsoft patching mechanism can’t be immediate today, but at least we should make sure that it is prioritized correctly and patched fast.

Today standards are higher than the ones from the previous decade. We are now concerned about privacy like never before and just being able to fingerprint the user is considered bad, and browser makers try to avoid that at all costs. Microsoft, please do the same!

We need to attract honest-decent-bug hunters and give them motivation to research and report properly. This is what other companies promote and I firmly believe Microsoft should join them. Why not? If we want to move IE users to Edge, why not being respectful and really support them during the transition? The engine that runs IE, Trident, is still used by several desktop applications and leaving that engine behind means leaving those applications behind. Windows users with desktop Skype are essentially running an IE.


Patching Time and Bounties

Another important thing is to patch during in a max 60 day period. Microsoft says they do it in 90/120 and maybe that’s what they try to achieve, but the reality is different and more than once researchers complain because Microsoft seems to be sitting on the bugs for more than what’s advertised.

Bug bounties should be open for as long as you care about the related products. If you set a time frame for the bounties, you are promoting bug hunters to sit on their findings until a new bounty is open. Why would you close a program like that? What would be the logic, or who is benefited by setting a time frame around bounties? Attackers.

It is not true that moving bounties around products motivate researchers to switch from an app to the other. Of course there are researchers following the bounties and moving their targets, but we also have a another group of researchers with preferences and favorites who won’t be following the money jumping from Edge to Microsoft Movie Maker. We need to be mature here, think, and do the best in the interest of all. IE and Edge are exposed 24/7 and a simple navigation could be enough to get into users PC.

I really, wholeheartedly hope that somebody at Microsoft thinks about this. We are all against attackers so we need to keep our honesty high, making sure we behave in the best interest of final users who in general don’t have a clue of all these things.

You can find researchers on both sides of the argument: in favor and against full disclosure. I am against it only if the affected company demonstrates that it is acting in the best interest of final users. In my opinion, some people at Microsoft do not care and they just do what they want, so phrases like responsible disclosure will ring in my mind if responsible patching rings in Redmond. I will keep sharing my findings until something changes.




My absolute respect to Edge and IE developers. I really think they are creating an amazing browser, but we need a permanent team of attackers helping, firing non-stop at Edge/IE. People testing the new features properly, not just fuzzing for memory errors. Edge is already strong in that area, but design bugs are still there.


Thank you for reading until this point and have a nice day!