Of Money, Information, and Bugs
You probably saw the news last week: Microsoft has announced a new Anti-Virus
Reward Program. They've put $5 million of their own money into the program
(for a bit of perspective, it took Microsoft a bit under five hours to earn
$5 million in fiscal year 2003), and started off with $250,000 rewards for the
writers of the Blaster and SoBig worms. They promise to spend money on future
malicious code incidents as well.
Microsoft seems to be playing here to the common image of the malicious code
author as a barely pubescent denizen of the late-night IRC chat rooms, unable to resist
bragging to his friends after bringing the Internet to the brink of disaster.
There's pretty good evidence, though, that this stereotype is just too simple.
Both SoBig and the more recent MiMail, for example, were likely launched by
sophisticated spam rings (the former to provide open relays, the latter to
attack some prominent anti-spam sites). There may not be honor among thieves,
but if the malicious code was created by a small group for profit it seems less
likely that they'll crack and turn one another in for the money.
But let's take the most optimistic case: by spending $5 million, Microsoft
takes 20 virus writers off the street and puts them behind bars. What effect
will this have on the creation of malicious code that takes advantage of the
problems in Microsoft's operating systems, browsers, and e-mail clients? Next to
The nearly insurmountable problem for Microsoft is that it's simply very,
very easy to write viruses these days. Poke around the seamier bits of the
Internet for a while, and you'll find almost completely automated virus
construction kits. For that matter, if you were following the BugTraq or
NTBugTraq mailing lists last week, you would have seen the details of a new
attack on Internet Explorer that can run an arbitrary executable on your system
if you just happen to visit the wrong Web page. There are thousands and
thousands of developers out there with the technical knowhow to turn
readily-available information into nasty code. Do you want to bet that none
of them will do so in the privacy of their own computers, just for grins?
Bounties won't stop those people.
The sad thing? Some of the vulnerabilities exploited in this latest
demonstration are nearly two years old, and were reported to Microsoft long ago.
Microsoft has complained
in the past about the public posting of security holes on mailing lists
(security researchers call it "full disclosure"; Microsoft calls it "information
anarchy"), but sometimes it seems as if the company has no real
interest in even trying to fix known holes until they get exploited on a
Meanwhile, the much-ballyhooed "Trustworthy Computing" push doesn't seem to
be resulting in bulletproof code. There are already over a dozen security
patches for Windows Server 2003 - presumably many in code that went through the
"intensive review" that Microsoft Senior VP Craig Mundie promised in February, 2002. And it
was two weeks to the day after the Office System 2003 launch that Microsoft
released the first
critical update for the new suite (though, to be fair, it's just a data-loss
problem, not a security issue).
Of course, it's easy to second-guess from outside the process. And I've seen
how software is developed at Microsoft (as a subcontractor), and I fully
appreciate the complexity of patching an application like Internet Explorer.
Still, I can't help wondering what would happen if Microsoft would set aside
another five hours' income and pay out $250,000 bounties to their own
developers. They could hand out the money any time one of their own software
engineers identified and fixed a remotely-exploitable security bug before
it became public knowledge. After all, that's the developer pool that Microsoft
has the best chance of influencing: their own employees, not their shadowy
opponents on the Internet.
Mike Gunderloy has been developing software for a quarter-century now, and writing about it for nearly as long. He walked away from a .NET development career in 2006 and has been a happy Rails user ever since. Mike blogs at A Fresh Cup.