What if Microsoft behaved like the Coalition Provisional Authority?

So I’m listening to NPR this morning and I ran into this short article on Morning Edition:

The Coalition Provisional Authority in Iraq provides information on electricity production and reconstruction projects, but not on security. The coalition Web site declares, "For security reasons, there are no security reports."

The actual web page can be found here.

Could you imagine if Microsoft (or Suse, or Debian, or any other operating system vendor) attempted to do the same thing with security bugs?

“For Security reasons, we can’t provide any information about security bugs in our products.”

The industry wouldn’t stand for it (heck, I wouldn’t stand for it (as if my opinion counts :) )).  They’d rightly want to know what we were covering up.

This is not to say that Microsoft or the others couldn’t be justified in making such a claim – since most (if not all) of the security bug exploits that are found in the wild are released after the vendor announces the security hole (18 months for ms-blaster, 1 week for the last couple of security holes).  This isn’t done because the hackers want to be nice and let the vendors involved get a patch out.  Instead, a fairly strong claim could be made that the hackers figured out the exploit from information in the vendors’ security release.  So if the vendor didn’t release information about the security holes, the hackers couldn’t/wouldn’t reverse engineer the holes, and thus there would be fewer exploits in the wild.

There have been very few examples of a zero-day exploit actually being discovered – in a quick Google search, I found only one or two legitimate 0-day exploits out there (no, I’m not posting them).  Most of the exploits found in the wild are 7-day or 14-day exploits, which tends to justify the argument above: if software vendors didn’t disclose their vulnerabilities, then the hackers would have less to work with.

Fortunately, the various powers that be have decided that full disclosure’s the way to go – at least for computer security.  Now, if the CPA would only consider doing the same…


Btw, in case it’s not obvious: This posting is provided "AS IS" with no warranties, and confers no rights. All opinions enclosed are the opinions of the poster and are not those of his employer.