
Microsoft Said To Give Zero Day Exploits To US Government Before It Patches Them - rasterizer
http://www.techdirt.com/articles/20130614/02110223467/microsoft-said-to-give-zero-day-exploits-to-us-government-before-it-patches-them.shtml
======
dguido
FFS people, this is called MAPP and the program has been public and a huge
security success for the last few years. Microsoft advises lots of security
companies about patches slightly before they are issued. That way, everyone
has options on day 1 and people aren't scrambling for additional mitigations
every Patch Tuesday.

If you want to be outraged, check out all the Chinese companies on the list of
partners!

[https://www.microsoft.com/security/msrc/collaboration/mapp.a...](https://www.microsoft.com/security/msrc/collaboration/mapp.aspx)

~~~
Breakthrough
Funny you mention this, because I don't see _US Government_, _Department of
Defense_, or the _National Security Agency_ on that list (not that I expected
to find them there in the first place). Also, last I checked, the purpose of
MAPP wasn't to allow MAPP partners the ability "_to exploit vulnerabilities
in software sold to foreign governments_"... And indeed, that would only
compound the problem (have a look at the last question on the MAPP Application
Request: "Do you sell or create products used to attack or weaken the security
posture of networks or applications?").

> _If you want to be outraged, check out all the Chinese companies on the list
> of partners!_

Wow, really? :|

I might be outraged if I saw _Government of China_ on that list, but the
majority of Chinese companies on that list are large telecommunications
companies (like _Huawei_) or Chinese-based antivirus companies. And even
then, Chinese-based companies only make up a fraction of the (unsettlingly
large) list.

~~~
throwaway2048
It's important to note, the government of China has a controlling stake in a
large number of those companies.

~~~
fragmede
I feel it's equally important to note, we don't know which companies on that
list are a front for the CIA.

------
nullandnull
This has been going on for years. It's a program that Microsoft created for
passing along 0days to AV Vendors and companies so they could create detection
mechanisms for it.

[http://www.microsoft.com/security/msrc/collaboration/mapp.as...](http://www.microsoft.com/security/msrc/collaboration/mapp.aspx#)

~~~
giardini
Nonetheless, its significance increases in the light of the current NSA
revelations.

After all, previously one could justify Microsoft's actions by claiming they
were notifying the NSA of flaws in Windows so that the NSA could patch their
systems ASAP. Now we would likely infer a more sinister justification.

~~~
danielweber
_in the light of the current NSA revelations_

"It fits the narrative, so it must be true." HN is getting into the same
Ouroboros that Dan Rather found himself in.

------
trotsky
Early access to the knowledge of vulnerabilities is just good customer service
when you're talking about your biggest customer who is also very security
conscious. It allows them to protect themselves. The fact that the same
knowledge can facilitate developing offensive payloads is unfortunately
unavoidable - but that doesn't mean that's the purpose of the program or that
it should preclude any early sharing at all.

Most of the time (with other vendors, say Cisco) these early warnings include
general descriptions of the problem and remediation steps - but not explicit
descriptions or code patches. While that can be enough to point someone on the
right track and develop an exploit for it (depending on a ton of unknown
factors), I'd say that 99% of the time the exploit doesn't actually get
written until the author can get their hands on the actual patch, so they can
see exactly what code was changed. Many of these vuln disclosures are
enormously generic in scope. Think "a parsing vulnerability in an XML format"
and remediation - don't allow connections to port xxx or turn off major
software component y.

It wouldn't surprise me if the US government gets pre-public access to
information that makes it easy to weaponize 0-days (what the hell is the Zero
Day Initiative, anyway?) but you'll have to do a hell of a lot more digging
and analysis before you could convince me that this is one of them.

~~~
liotier
> Early access to the knowledge of vulnerabilities is just good customer
> service

Customers who don't have early access might object, especially if they are
foreign governments who might sometimes have competitive issues with the USA -
which includes pretty much everyone.

------
marshray
I learned a thing or two about this in 2009-2010 when I uncovered a critical
SSL/TLS bug CVE-2009-3555. The fix for this bug would require a change to the
TLS protocol itself (RFC 5746) which would take months in the best case, so my
boss and I set upon a disclosure plan. (This was long before we ended up
employed at MS.)

Microsoft, like many other vendors, would need to patch. They were the most
responsive, a bit aggressive even, of the vendors about wanting to get the full
details of the bug as soon as possible.

We also disclosed to the US Government. We did this as part of the planned
disclosure process to vendors as well as customers and other stakeholders. I
felt it was important that there were customers in the process in order to
motivate the vendors a bit and so _we_ weren't the only ones taking heat from
the vendors. The US Government probably had more affected systems than anybody
and it could even be a national security issue, so we disclosed to them.

I think it worked. Some of the other (non MS) vendors heard about it via their
Federal business and were a little annoyed at us. The US Government really
wants to keep their own systems patched.

I never did hear of the bug being used in anger (not that I would have), but
among the major vendors (Linux distros included), Microsoft was the _first_ to
engineer and release a patch and push it down the update channel.

We presented the full story (in our Hardy Boys sweaters) here:
[https://www.youtube.com/watch?v=U_L9WGGEUlU](https://www.youtube.com/watch?v=U_L9WGGEUlU)

~~~
yuhong
I remember TLS extensions support being backported to XP just to implement
this. I wonder if it was backported to Win2000 too for Custom Support
customers. It is funny that the patch was released August 2010, just after
Win2000 went out of support.

------
ChikkaChiChi
While I am completely against PRISM and what has occurred, I might be more
against the necro-stories that are surfacing trying to paint the complicit
companies in a more harsh light.

Stop muddying the waters and let's focus on fixing today.

------
pdubs
I can't fault MSFT for this at all.

"Hey your systems have been vulnerable for a week; here's the patch!" just
doesn't fly too well with _major_ customers with very real needs for security.

I personally don't mind them being used in real targeted surveillance either.
That surveillance is going to happen anyway.

~~~
HarryHirsch
> I personally don't mind them being used in real targeted surveillance
> either.

You hear this and then, on this website, people get all incensed when China
sponsors industrial espionage against US companies. What I'm saying is that
moral consistency is _required_; it makes people predictable.

~~~
Uchikoma
Otto!

~~~
Uchikoma
Obviously not a lot of people know Harry Hirsch here. And downvote my
expression of joy.

------
colonelxc
This article is just a regurgitation of a part of a Bloomberg article[0] that
is already on the front page[1].

[0] [http://www.bloomberg.com/news/2013-06-14/u-s-agencies-said-t...](http://www.bloomberg.com/news/2013-06-14/u-s-agencies-said-to-swap-data-with-thousands-of-firms.html)

[1]
[https://news.ycombinator.com/item?id=5878365](https://news.ycombinator.com/item?id=5878365)

------
mtgx
Is this why Microsoft called the Google engineer, who uncovered one of these
bugs, "irresponsible"? Because they couldn't give it to NSA anymore? If they
are doing this, at least they should shut up, and let the engineers who
uncover them help the _public_.

~~~
iamshs
There are other researchers too, who disclose bugs to Microsoft without
spewing unnecessary vitriol? And he was being irresponsible. Microsoft's
security division has been proactive earlier, regarding zero-days [1].

Also at this stage, no company is helping the public. Even Google. Every step
of my digital life is mined through US corporations, and Gmail, Google
analytics and Facebook have a major chunk of my private life between them. So
let's focus on every company, without furthering one single company or
defending another.

[1] :
[https://www.computerworld.com/s/article/9239064/Microsoft_ru...](https://www.computerworld.com/s/article/9239064/Microsoft_rushes_IE8_zero_day_fix_into_next_week_s_Patch_Tuesday)

------
klt0825
Exploits or vulnerabilities? If they are handing out fully built exploits, I
have a problem with it. If they are just vulns then yeah, it is probably MAPP
which isn't news really.

~~~
adrr
If they are handing out exploits, MSFT management is pretty badly incompetent.
This would negatively affect their sales to foreign companies and sovereign
nations. The US government may not hack US companies, but there does look like
there is some evidence they hack foreign countries and governments. And MSFT is
handing over keys to the US government.

~~~
venomsnake
Depends on the timing - if the NSA gets the info less than a Patch Tuesday before
me, it is no big deal. If it is more than that, it is huge and will hurt them in
the long run.

------
tpurves
And you were wondering how the spooks that targeted the Iranian nuclear
facilities were somehow able to get their hands on no less than 4 different
zero-day exploits.

~~~
danielweber
So MSFT was holding off on the fixes for as long as it took USG to weaponize
them?

Those are the _worst_ bugs for USG to weaponize. First, Microsoft is going to
patch them soon. Second, there is now a paper trail from Microsoft talking to
the US about the bug.

_LATE EDIT_: in fact, if the person in charge of Stuxnet also saw the
exploit they were already using come across the wire from Microsoft, he would
likely order it pulled from Stuxnet. They want total deniability.

------
JulianMorrison
The government would probably like to avoid having its servers rooted. Seems
sensible.

~~~
wavefunction
Some rules for some, other rules for others.

~~~
danielweber
You know you can get the source code to Windows? You have to be a very large
customer and have data protection measures in place.

_Postgres_ worked with Heroku to test one of its security patches before
releasing it to the public, and no one blabbed. You can probably find a way to
get on Microsoft's early-bird notification program, too, if you are an
extremely large customer and can assure them that you won't leak the data out.

~~~
kryten
Having been on the end of 'shared source', you don't get all of it. Certain
critical bits are missing.

The closest you can get to them is the leaked NT4 and 2000 source back in the
early 00's.

------
jpalomaki
I can imagine news like this leads to security researchers giving a lot less
time for companies to fix the vulnerabilities.

As it was reported on Hacker News some time ago, Google decided that seven
days should be enough for actively exploited vulnerabilities.
[http://googleonlinesecurity.blogspot.ch/2013/05/disclosure-t...](http://googleonlinesecurity.blogspot.ch/2013/05/disclosure-timeline-for-vulnerabilities.html)

------
gregparadee
Wait, so there is a problem with MS helping our government protect its
secrets? I agree, PRISM was bad, an invasion of privacy, but people need to
realize that government agencies have more secrets and do more than spy on us.
I wouldn't want China, Russia or some other foreign country getting its hands
on the locations of weapons, R&D, or our defense plans because of an exploit in
an MS program.

Hackers will always be faster to take advantage of loopholes than companies or
the government are at patching them. Do people really see the problem with MS
doing this?

------
kryten
Wonderful.

That helps me sell Debian + PostgreSQL over Windows + SQL Server.

~~~
acdha
Have you told them about the SSH key fiasco? I've been running Debian/Ubuntu
servers since the late 90s but I wouldn't make those kinds of claims about
anything you haven't personally audited – and it's certainly not like it'd be
impossible for an attacker with nation-state level resources to compromise an
OSS project as well.

~~~
kryten
Oh I agree, but when discovered we don't have to wait for a government to do
its dirty work before the mere mortals are allowed the patch. Patched, poked
in the repository and job done.

The temporal window of attack is pretty low. Take a look at Microsoft when
CVEs are issued versus when the KB article with the hotfix is announced and it
hits Windows Update. Not a good story.

Regarding the key fiasco, we used puttygen for key generation.

------
option_greek
I wonder if they selectively push any 'special updates' through windows update
to 'foreign' systems.

------
nano111
100% security is impossible and that's the way they like it

------
blahbl4hblah
This is hyperbole. Most large software companies report vulnerabilities to
CERT and DHS so that they can start patching critical infrastructure sooner
rather than later.

------
salimmadjd
Back in 2001/2002 I argued with friends that Microsoft must have made a deal
with the government in its antitrust case [1].

Basically divulging or intentionally leaving holes or backdoors in the system
accessible to the government in exchange for practically dropping their
antitrust case.

[1] [https://en.wikipedia.org/wiki/United_States_v._Microsoft_Cor...](https://en.wikipedia.org/wiki/United_States_v._Microsoft_Corporation#Settlement)

~~~
UnoriginalGuy
That's nice. That isn't what the article is about nor has there been any
intentional holes or backdoors found in Windows.

