Of Money, Information, and Bugs

You probably saw the news last week: Microsoft has announced a new Anti-Virus Reward Program. They've put $5 million of their own money into the program (for a bit of perspective, it took Microsoft a bit under five hours to earn $5 million in fiscal year 2003), and started off with $250,000 rewards for information leading to the arrest and conviction of the writers of the Blaster and SoBig worms. They promise to spend money on future malicious code incidents as well.

Microsoft seems to be playing here to the common image of the malicious code author as a barely pubescent denizen of the late-night IRC chat rooms, unable to resist bragging to his friends after bringing the Internet to the brink of disaster. There's pretty good evidence, though, that this stereotype is just too simple. Both SoBig and the more recent MiMail, for example, were likely launched by sophisticated spam rings (the former to turn infected machines into open relays, the latter to attack some prominent anti-spam sites). There may not be honor among thieves, but if the malicious code was created by a small group for profit, it seems less likely that they'll crack and turn one another in for the money.

But let's take the most optimistic case: by spending $5 million, Microsoft takes 20 virus writers off the street and puts them behind bars. What effect will this have on the creation of malicious code that takes advantage of the problems in Microsoft's operating systems, browsers, and e-mail clients? Next to none.

The nearly insurmountable problem for Microsoft is that it's simply very, very easy to write viruses these days. Poke around the seamier bits of the Internet for a while, and you'll find almost completely automated virus construction kits. For that matter, if you were following the BugTraq or NTBugTraq mailing lists last week, you would have seen the details of a new attack on Internet Explorer that can run an arbitrary executable on your system if you just happen to visit the wrong Web page. There are thousands and thousands of developers out there with the technical knowhow to turn readily-available information into nasty code. Do you want to bet that none of them will do so in the privacy of their own computers, just for grins? Bounties won't stop those people.

The sad thing? Some of the vulnerabilities exploited in this latest demonstration are nearly two years old, and were reported to Microsoft long ago. Microsoft has complained in the past about the publication of security-hole details on public mailing lists (security researchers call the practice "full disclosure"; Microsoft has called it "information anarchy"), but sometimes it seems like the company doesn't have any real interest in even trying to fix known holes until they get exploited on a wide scale.

Meanwhile, the much-ballyhooed "Trustworthy Computing" push doesn't seem to be resulting in bulletproof code. There are already over a dozen security patches for Windows Server 2003, presumably many in code that went through the "intensive review" that Microsoft Senior VP Craig Mundie promised in February 2002. And it was two weeks to the day after the Office System 2003 launch that Microsoft released the first critical update for the new suite (though, to be fair, it fixes a data-loss problem, not a security issue).

Of course, it's easy to second-guess from outside the process. I've seen how software is developed at Microsoft (as a subcontractor), and I fully appreciate the complexity of patching an application like Internet Explorer. Still, I can't help wondering what would happen if Microsoft set aside another five hours' income and paid out $250,000 bounties to their own developers. They could hand out the money any time one of their own software engineers identified and fixed a remotely exploitable security bug before it became public knowledge. After all, that's the developer pool that Microsoft has the best chance of influencing: their own employees, not their shadowy opponents on the Internet.

About the Author

Mike Gunderloy has been developing software for a quarter-century now, and writing about it for nearly as long. He walked away from a .NET development career in 2006 and has been a happy Rails user ever since. Mike blogs at A Fresh Cup.