Microsoft Vista Vulnerability Ranking
Posted by Gunter Ollmann on March 19, 2007 at 1:29 PM EDT.

Over the weekend I noticed an interesting article on the ComputerWorld site with the awe-inspiring title “Microsoft security guru wants Vista bugs rated less serious”, covering comments made by Microsoft’s Michael Howard (a senior security program manager in their security engineering group).

The discussion revolves around downgrading the ranking applied to Microsoft vulnerabilities that affect Microsoft Vista. Now, don’t get me wrong, I have a lot of respect for Michael as well as the Microsoft MSRC – they have a tough enough job already. But, quite frankly, it doesn’t matter to me - and it shouldn’t really matter to any customers of Microsoft - what vulnerability ranking they apply to a security patch.

Why not? Two reasons:
(1) As with any vulnerability disclosure, at this point in history, it’s in the vulnerable vendor’s interest to downplay the vulnerability.
(2) Risk rankings of a security patch appear to reflect the most severe ranking of the vulnerabilities that are being publicly disclosed (and credited to external discoverers).

Vendors’ Vulnerability Rating
Given the competitive nature of the software business (don’t you just love those Apple ads?), vendors will always seek to minimize any perceived weaknesses.  People love to count vulnerabilities and study them for trends (I know I do), so minimizing the relative risk ranking of a particular vulnerability can help to some extent.

I trust the security experts at Microsoft to study, understand and fix the vulnerabilities that get uncovered in their software.  I also trust them to get out a stable security patch in a timely manner.  However, I ‘expect’ to see some kind of spin to minimize the perceived threat of the vulnerability.

That said, I also ‘expect’ the discoverer to overestimate the threat the vulnerability represents. In fact, perhaps someday someone will have the opportunity to do an analytical study of the average difference between vendor and discoverer risk rankings.

A step in the right direction for all concerned would be to wholeheartedly adopt the Common Vulnerability Scoring System (CVSS) – at least it helps set a common level for evaluating the vulnerability that can be evaluated by any security team.

Some of the talk has been about the extra security advancements in Vista that help mitigate possible threats. Mitigation steps are of course very important in understanding the level of risk a vulnerability can represent to a business, but they should be applied in the calculation of risk rather than in the ranking of the vulnerability itself. Why? Well, I’d kind of hoped the industry had moved on from the 1990’s “I have a firewall, I’m safe” approach to security.

Risk Based on Public Disclosure
This probably scares me the most. What I’ve observed in the past is that security patches tend to carry only a ranking equivalent to the maximum ranking of a vulnerability that was discovered by a (vocal) third party. Since it's almost never the case that only one vulnerability gets fixed in a Microsoft security patch, what happens if the patch contains fixes for 12 vulnerabilities, only one of them discovered by a third party, and that one is a denial of service (DoS)? Most likely the security patch would be ranked as a DoS – regardless of whether any of the remaining 11 internally discovered vulnerabilities were more severe or critical.

Granted, there have been cases when Microsoft have released critical patches for vulnerabilities that were discovered internally – and that’s great – but (until someone proves to me otherwise) I don’t trust them to tell me the nature of all the things covered in a security patch.

Now the part that really scares me – in this world of increasingly rapid patch reverse engineering and application/usage in malware, as well as the growth industry of “Managed Exploit Service” providers – is that businesses are making decisions that directly affect their patching cycles based upon these patch ratings supplied by Microsoft. Therefore, underestimating the ranking of a vulnerability and excluding all those “internal finds” can ultimately affect the security of Microsoft’s customers – including me.

Who do I Trust?
To be perfectly honest, the people I trust to evaluate the risk a particular Microsoft (or any other vendor) vulnerability represents are the people I work with day-in, day-out, sitting on the 5th floor here in Atlanta. Their full-time job is to impartially assess and evaluate every vulnerability disclosure, and to look beyond the text contained in both the vendors’ and discoverers’ advisories.

As time goes by and we see the period between patch release and exploit release shrink even further, it’s going to be even more critical that we understand the makeup of each patch a vendor releases and look beyond the things they credit a third party with.

Copyright 2001-2007 © Gunter Ollmann