Are Bugfinders Being Gagged by Microsoft?

Short answer – No.

Long answer:

David Litchfield suggests that I think there is something nefarious going on between Microsoft and bugfinders. I wouldn’t go that far. Microsoft is too smart for that and it doesn’t serve their purpose. In any case, I do think that they genuinely want to reduce the number of bugs in their products (heck, we hear about how great they are at this every quarter).

I need to clarify my perspective on some of the other things David says:

Litchfield: what happened to the flaws that the researchers found but kept quiet?

Lindstrom: I don’t think bugfinders contracted by Microsoft are finding new vulns and not telling anyone (or only telling Microsoft). I think they already believe they’ve inspected the code well enough and are less interested in finding more. And I think they are aware that finding too many bugs after they’ve done the contracted work would make them look bad.

Litchfield: "If the latter, then why haven't they been found by other good researchers who baulk at the very idea of working for Microsoft and would love to see nothing more than Microsoft being embarrassed, or made a name for themselves by getting out an advisory or two, or sold them to Verisign or Tippingpoint's ZDI?"

Lindstrom: It is not clear to me how many "other good researchers" are out there focusing on Microsoft products (the app layer appears to be where it is at these days), nor is it clear to me that anyone cares that much about embarrassing MS anymore (witness this entire thread, where some prominent former critics are now advocates). And things have changed in the world such that there is more money to be made in the undercover world: monetizing vulns appears to be worthwhile these days, so bugs that are found are more likely to be kept secret.

Litchfield: if the public vuln count was up, even marginally, you could bet that everyone would be screaming from the rooftops that SDL was a failure. Given that most people (even Pete and Ryan) think SDL was a success, why is it so hard to believe the opposite?

Lindstrom: It's hard to believe the opposite because there are a number of variables that could also explain a low number of vulnerabilities, and a high number of vulnerabilities would imply the opposite set of variables, which I consider less plausible.

2 comments for "Are Bugfinders Being Gagged by Microsoft?"

  1. April 21, 2008 at 10:13 am

    Hey Pete,

    “It is not clear to me how many ‘other good researchers’ are out there focusing on Microsoft products…”

    As I'm sure you know, there are companies out there with strong researchers like eEye whose very business model is in finding and publishing MS flaws. One easy way for companies like eEye to boost sales of their product would be to release in-depth threat reports about MS patches as they come out, divulging all the gory details of silently fixed flaws. But no one does this on an industrial scale, which leads me to believe there's nothing there to report... Then again, perhaps I'm wrong and they've just not thought of doing this.
    Cheers,
    David

  2. Pete
    April 21, 2008 at 10:23 am

    @David -

    Great point. Thanks for the comment.

    Pete
