[This was originally published on the OSVDB blog.]
I had planned on writing about this weeks ago but got swamped with that pesky day job along with the steady stream of new vulnerabilities released daily. That steady stream that absolutely will not get better with vendors taking a new approach to dealing with them. Fortunately for me, John Dvorak wrote an article and voiced some of my opinion as well. This comes some three years after Richard Forno wrote a related piece.
http://www.pcmag.com/print_article2/0,1217,a=162175,00.asp
The Microsoft Protection Racket
By John C. DvorakDoes Microsoft think it is going to get away with charging real money for any sort of add-on, service, or new product that protects clients against flaws in its own operating system? Does the existence of this not constitute
an incredible conflict of interest? Why improve the base code when you can sell “protection”? Is Frank Nitti the new CEO?So what is actually going on here? I think there were some bottom-line questions that must have been brought up internally. Obviously someone at Microsoft looked at the expense of “patch Tuesday” and asked, “Is there any way we can make some money with all these patches?” The answer was “Yeah, let’s stop doing them and sell ‘protection’ instead.” Bravo! And now the company has a new revenue stream.
What Dvorak doesn’t mention that is just as important, is that Microsoft is not the only one doing this. A colleague recently pointed out that Symantec is offering IDS/IPS solutions for their own software. So instead of truly patching a vulnerability, they can quickly write a rule/filter to stop attacks against a specific/known attack. While this is often effective, history shows us that such solutions often fall victim to being bypassed with crafted requests, altering exploit code or using various evasion techniques.
SYM05-011 – August 12, 2005
VERITAS Backup Exec for Windows Servers, VERITAS Backup Exec for NetWare Servers, and NetBackup for NetWare Media Server Option Remote Agent Authentication VulnerabilityRevision History
8/12/2005 – Revision One – updated details, affected products and response information.
8/12/2005 – Revision Two – Adding Tech Support links to currently available product updates as tested and posted for download by Symantec engineers. Link to IDS/IPS signatures for Symantec Security products.
8/13/2005 – Revision Three – Added Tech Support link to additional product updates. All supported affected products have updates available now.
8/14/2005 – Revision Four – Added links to IDS/IPS signatures for additional security products. All relevant Symantec Security products have signatures available now.
Again, what is the motivation/incentive for a vendor to patch a vulnerability, when they can just as easily ignore it, and spend time developing a profitable workaround or additional product?