Microsoft Said To Give Zero Day Exploits To US Government Before It Patches Them (opens in new tab)

Funny you mention this, because I don't see US Government, Department of Defense, or the Natural Security Agency on that list (not that I expected to find them there in the first place). Also, last I checked, the purpose of MAPP wasn't to allow MAPP-partners the ability "to exploit vulnerabilities in software sold to foreign governments"... And indeed, that would only compound the problem (have a look at the last question on the MAPP Application Request: "Do you sell or create products used to attack or weaken the security posture of networks or applications?").

> If you want to be outraged, check out all the Chinese companies on the list of partners!

Wow, really? :|

I might be outraged if I saw Government of China on that list, but the majority of Chinese companies on that list are large telecommunications companies (like Huawei) or Chinese-based antivirus companies. And even then, Chinese-based companies only make up a fraction of the (unsettlingly large) list.

This is already being spun on some media as if MS intentionally delays fixing bugs to let the government take advantage of exploits.

http://news.yahoo.com/microsoft-waits-fix-software-bugs-nsa-...

This program may have been publicly ongoing, but it is no less scandalous. Do you really believe that this early access to information will not be used for offensive ends ? How is that respectful of Microsoft's other customers, such as other governments ?

Nonetheless, it's significance increases in the light of the current NSA revelations.

After all, previously one could justify Microsoft's actions by claiming they were notifying the NSA of flaws in Windows so that the NSA could patch their systems ASAP. Now we would likely infer a more sinister justification.

The difference is AV vendors use it for defensive purposes while the USG uses it for offensive (read: destructive) purposes.

Not all members of this program receive vulnerabilities at the same time.

> I personally don't mind them being used in real targeted surveillance either.

You hear this and then, on this website, people get all incensed when China sponsors industrial espionage against US companies. What I'm saying that moral consistency is required, it makes people predictable.

> "major customers with very real needs for security"

Major customers with very real needs for security probably aren't running Windows... Even if they are, they should be sandboxed in such a way as to reduce potential damages from a 0-day.

I'd argue it doesn't really matter, as I assume the US government is fully capable of creating a fully-built exploit out of a major software company's early disclosure of a vulnerability... And yes, I also assume they are using it to their full potential for surveillance (or put another way, unless someone told them explicitly not to, why wouldn't they?). And indeed, this is what the article itself hints at: this type of early alert allowed the U.S. to exploit vulnerabilities in software sold to foreign governments.

I think that when "Microsoft doesn’t ask and can’t be told how the government uses such tip-offs" the problems begin. I'd really like to believe what we're told - that the exploits/vulnerabilities were only used for software sold to foreign governments - but I'd be hard pressed to actually believe that foregoing any concrete proof. Again, unless someone explicitly says "no", they seem hell-bent on using anything they can for their own increased surveillance; domestic or otherwise.

Lastly, regarding MAPP, I think this is something entirely different they're hinting at. I see several things on the MAPP criteria [1] I doubt any intelligence agencies align with (Are you willing to have your company name and URL displayed on our MAPP website?, Do you provide active protection technology for Microsoft products and is your product commercially available?, and Do you sell or create products used to attack or weaken the security posture of networks or applications? are my favourites).

[1] http://www.microsoft.com/security/msrc/collaboration/mapp/cr...

Why the distinction?

Security researchers are in high demand right now and with good reason - a competent security researcher can write an exploit given a limited amount of information, and I find it unlikely MS themselves necessarily has exploit code for all situations.

A competent security researcher should be able to go from this diff: http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.g... to full exploit code in a day. An afternoon, even.

I bring this up because there's nothing particularly magical about writing exploits, even if it isn't a skill a ordinary programmer possess. If the vulnerability has already been found, so whether or not this is simply MAPP/CIPP or something more nefarious, your distinction seems a bit academic.

If they are handling out exploits, MSFt management is pretty bad incompetent. This would negatively affect their sales to foreign companies and sovereign nations. US government may not hack us companies but there does look like there some evidence they hack foreign countries and governments. And MSFT is handing over keys to the US government.

Some rules for some, other rules for others.

Perhaps move away from MSFT products then. :)

Jokes aside, maybe they also consider the opportunity of using this for offensive purposes a big enough benefit.

Have you told them about the SSH key fiasco? I've been running Debian/Ubuntu servers since the late 90s but I wouldn't make those kinds of claims about anything you haven't personally audited – and it's certainly not like it'd be impossible for an attacker with nation-state level resources to compromise an OSS project as well.

> Early access to the knowledge of vulnerabilities is just good customer service

Customers who don't have early access might object, especially if they are foreign governments who might sometimes have competitive issues with the USA - which includes pretty much everyone.

I remember TLS extensions support being backported to XP just to implement this. I wonder if it was backported to Win2000 too for Custom Support customers. It is funny that the patch was released August 2010, just after Win2000 went out of support.

There are other researchers too, who disclose bugs to Microsoft without spewing unnecessary vitriol? And he was being irresponsible. Microsoft's security division has been proactive earlier, regarding zero-days [1].

Also at this stage, no company is helping the public. Even Google. Every step of my digital life is mined through US corporations, and Gmail, Google analytics and Facebook have a major chunk of my private life between them. So let's focus on every company, without furthering one single company or defending another.

[1] : https://www.computerworld.com/s/article/9239064/Microsoft_ru...

So MSFT was holding off on the fixes for as long as it took USG to weaponize them?

Those are the worst bugs for USG to weaponize. First, Microsoft is going to patch them soon. Second, there is now a paper trail from Microsoft talking to the US about the bug.

LATE EDIT: in fact, if the person in charge of Stuxnet also saw the exploit they were already using come across the wire from Microsoft, he would likely order it pulled from Stuxnet. They want total deniability.

That's nice. That isn't what the article is about nor has there been any intentional holes or backdoors found in Windows.