Microsoft Said To Give Zero Day Exploits To US Government Before It Patches Them

FFS people, this is called MAPP and the program has been public and a huge security success for the last few years. Microsoft advises lots of security companies about patches slightly before they are issued. That way, everyone has options on day 1 and people aren&#x27;t scrambling for additional mitigations every Patch Tuesday.<p>If you want to be outraged, check out all the Chinese companies on the list of partners!<p><a href="https:&#x2F;&#x2F;www.microsoft.com&#x2F;security&#x2F;msrc&#x2F;collaboration&#x2F;mapp.aspx" rel="nofollow">https:&#x2F;&#x2F;www.microsoft.com&#x2F;security&#x2F;msrc&#x2F;collaboration&#x2F;mapp.a...</a>

This has been going on for years. It&#x27;s a program that Microsoft created for passing along 0days to AV Vendors and companies so they could create detection mechanisms for it.<p><a href="http:&#x2F;&#x2F;www.microsoft.com&#x2F;security&#x2F;msrc&#x2F;collaboration&#x2F;mapp.aspx#" rel="nofollow">http:&#x2F;&#x2F;www.microsoft.com&#x2F;security&#x2F;msrc&#x2F;collaboration&#x2F;mapp.as...</a>

Early access to the knowledge of vulnerabilities is just good customer service when you&#x27;re talking about your biggest customer who is also very security conscious. It allows them to protect themselves. The fact that the same knowledge can facilitate developing of offensive payloads is unfortuneately unavoidable - but that doesn&#x27;t mean that&#x27;s the purpose of the program or that it should preclude any early sharing at all.<p>Most of the time (with other vendors, say cisco) these early warnings include general descriptions of the problem and remediation steps - but not explicit descriptions or code patches. While that can be enough to point someone on the right track and develop an exploit for it (depending on a ton of unknown factors), I&#x27;d say that 99% of the time the exploit doesn&#x27;t actually get written until the author can get their hands on the actual patch, so they can see exactly what code was changed. Many of these vuln disclosures are enormously generic in scope. think &quot;a parsing vulnerability in an xml format&quot; and remediation - don&#x27;t allow connections to xxx port or turn off major software component y.<p>It wouldn&#x27;t surprise me if the us government gets pre-public access to inofrmation that makes it easy to weaponize 0-days (what the hell is the zero day initiative, anyway?) but you&#x27;ll have to do a hell of a lot more digging and analysis before you could convince me that this is one of them.

I learned a thing or two about this in 2009-2010 when I uncovered a critical SSL&#x2F;TLS bug CVE-2009-3555. The fix for this bug would require a change to the TLS protocol itself (RFC 5746) which would take months in the best case, so my boss and I set upon a disclosure plan. (This was long before we ended up employed at MS.)<p>Microsoft, like many other vendors, would need to patch. They were the most responsive, a bit aggressive even, vendors about wanting to get the full details of the bug as soon as possible.<p>We also disclosed the US Government. We did this as part of the planned disclose process to vendors as well as customers and other stakeholders. I felt it was important that there were customers in the process in order to motivate the vendors a bit and so <i>we</i> weren&#x27;t the only ones taking heat from the vendors. The US Government probably had more affected systems than anybody and it could even be a nat security issue, so we disclosed them.<p>I think it worked. Some of the other (non MS) vendors heard about it via their Federal business and were a little annoyed at us. The US Government really wants to keep their own systems patched.<p>I never did hear of the bug being used in anger (not that I would have), but among the major vendors (Linux distros included), Microsoft was the <i>first</i> to engineer and release a patch and push it down the update channel.<p>We presented the full story (in our Hardy Boys sweaters) here: <a href="https:&#x2F;&#x2F;www.youtube.com&#x2F;watch?v=U_L9WGGEUlU" rel="nofollow">https:&#x2F;&#x2F;www.youtube.com&#x2F;watch?v=U_L9WGGEUlU</a>

While I am completely against PRISM and what has occurred, I might be more against the necro-stories that are surfacing trying to paint the complicit companies in a more harsh light.<p>Stop muddying the waters and let&#x27;s focus on fixing today.

I can&#x27;t fault MSFT for this at all.<p>&quot;Hey your systems have been vulnerable for a week; here&#x27;s the patch!&quot; just doesn&#x27;t fly too well with <i>major</i> customers with very real needs for security.<p>I personally don&#x27;t mind them being used in real targeted surveillance either. That surveillance is going to happen anyway.

This article is just a regurgitation of a part of a bloomberg article[0] that is already on the front page[1].<p>[0] <a href="http:&#x2F;&#x2F;www.bloomberg.com&#x2F;news&#x2F;2013-06-14&#x2F;u-s-agencies-said-to-swap-data-with-thousands-of-firms.html" rel="nofollow">http:&#x2F;&#x2F;www.bloomberg.com&#x2F;news&#x2F;2013-06-14&#x2F;u-s-agencies-said-t...</a><p>[1] <a href="https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=5878365" rel="nofollow">https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=5878365</a>

Is this why Microsoft called the Google engineer, who uncovered one of these bugs, &quot;irresponsible&quot;? Because they couldn&#x27;t give it to NSA anymore? If they are doing this, at least they should shut up, and let the engineers who uncover them help the <i>public</i>.

Exploits or vulnerabilities? If they are handing out fully built exploits, I have a problem with it. If they are just vulns then yeah, it is probably MAPP which isn&#x27;t news really.

And you were wondering how the spooks that targeted the Iranian nuclear facilities were somehow able to get their hands on no less than 4 different zero-day exploits.

The government would probably like to avoid having its servers rooted. Seems sensible.

I can imagine news like this leads to security researches giving lot less time for companies to fix the vulnerabilities.<p>As it was reported in Hacker news some time ago, Google decided that seven days should be enough for actively exploited vulnerabilities. <a href="http:&#x2F;&#x2F;googleonlinesecurity.blogspot.ch&#x2F;2013&#x2F;05&#x2F;disclosure-timeline-for-vulnerabilities.html" rel="nofollow">http:&#x2F;&#x2F;googleonlinesecurity.blogspot.ch&#x2F;2013&#x2F;05&#x2F;disclosure-t...</a>

Wait, so there is a problem with MS helping out our government protect its secrets? I agree, PRISIM was bad an invasion of privacy but people need to realize that government agencies have more secrets and do more then spy on us. I wouldn&#x27;t want China, Russia or some other foreign country getting its hands on the locations of weapons, R&amp;D, or our defense plans because of a exploit in a MS program.<p>Hackers will always be faster to take advantage of loopholes then companies or the government are at patching them. Do people really see the problem with MS doing this?

Wonderful.<p>That helps me sell Debian + PostgreSQL over Windows + SQL Server.

I wonder if they selectively push any &#x27;special updates&#x27; through windows update to &#x27;foreign&#x27; systems.

100% security is impossible and that&#x27;s the way they like it

This is hyperbole. Most large software companies report vulnerabilities to CERT and DHS so that they can start patching critical infrastructure sooner rather than later.

Back in 2001&#x2F;2002 I argued with friends that Microsoft must have made a deal with the government in its antitrust case [1]<p>Basically divulging or intentionally leaving holes or backdoors in the system accessible to the government in exchange for practically dropping their antitrust case.<p>[1]-<a href="https:&#x2F;&#x2F;en.wikipedia.org&#x2F;wiki&#x2F;United_States_v._Microsoft_Corporation#Settlement" rel="nofollow">https:&#x2F;&#x2F;en.wikipedia.org&#x2F;wiki&#x2F;United_States_v._Microsoft_Cor...</a>