Daily Exploit Releases Irk Both Vendors and Crooks 165
conJunk writes "Security Focus has an article about HD Moore's Exploit-Every-Day-in-July endeavor raising the hackles of both browser vendors and criminals. He started the project because he felt that vendors were not taking his analysis seriously enough, but he appears to be the only one enjoying it. 'Black Hats' are having their exploits exposed, and Microsoft (who bears responsibility for the majority of the browser holes) can't keep up with the pace he's setting." From the article: "The software giant indirectly criticized the release of vulnerabilities in a statement to SecurityFocus, underscoring the importance of getting customers updated before they are exposed to threats from malicious attackers. 'Microsoft continues to encourage responsible disclosure of vulnerabilities,' the software giant said in a statement sent to SecurityFocus. 'We believe the commonly accepted practice of reporting vulnerabilities directly to a vendor serves everyone's best interests.'"
Lack of security sells PCs and crappy software. (Score:3, Insightful)
Reporting directly to vendors (Score:5, Insightful)
From the looks of it, most if not all of those were reported months before they were published.
Give a vendor 90 days. If they fix it, never, ever release the details of how to exploit the vulnerability, as a reward and to help users who are slow to update. But if they willfully choose not to fix it, release the exploit to educate their userbase, and to help them to reevaluate their dangerous security policy.
If you annoy both groups (Score:5, Insightful)
Give reasonable deadlines then go public (Score:3, Insightful)
1) warn the vendor ASAP
2) warn the security community within a week, immediately if the vendor has no objections
3) as soon as there is an exploit that represents a real threat:
a) give all details to the security community
b) give a workaround, like "disable such and such service," to the general public.
It "irks" them? (Score:2, Insightful)
So, shedding light on these security problems "irks" some vendors. How about the sysadmins and users who are stuck wasting their time patching problems that should have been fixed months ago, or before release? What about people who have had data compromised or destroyed by exploits brought to the public eye in this report?
While I realize that many of these bugs are not critical security issues, my hat is off to Moore for having the rocks to continue his effort in the face of "irked" vendors and hax0rs. Producing better software is far more important.
Re:In releated news... (Score:3, Insightful)
(Not to put a downer on your funny post but...)
(Of course, just as in Oakland... we get bored of seeing a bunch of dead people every night on the news, and we get bored of seeing the latest exploit, and once the cops - and the vendors - figure out that after a certain point, we stop giving a shit, nothing gets done :)
Re:In releated news... (Score:5, Insightful)
Re:Too bad these WERE reported to mickeysoft (Score:5, Insightful)
The problem is, that, using your stretched metaphor, there is a fire smoldering in the back of the theater, and nobody is aware. Sure, first thing you do is call the fire department, but you don't wait for them to put the blaze out in order to notify people.
To construct a better metaphor: Would you tell someone if a pickpocket were stealing their wallet? Or would you call the police first?
These kinds of holes are not only found by the 'white hat' security researchers... Odds are good that if he's found a hole, others have as well, and are misusing it.
At which point, what good does keeping silent do?
Re:Too bad these WERE reported to mickeysoft (Score:5, Insightful)
I disagree. Given that the EULA apparently allows software developers to eliminate all their liability for holes in their software, users should be very careful about who they get their software from. If a vendor can constantly be shown to leave big holes in their software, and people actually suffer loss due to said holes, then that vendor will lose all business. I believe that Microsoft would either be gone or releasing only [relatively] secure software if we had immediate release of vulnerabilities.
I further believe that the only reason Microsoft doesn't want the vulnerabilities released is that they will have to actually motivate their sorry asses and release the patches in a timely fashion, which means they can't distribute them to Microsoft Select customers first as they always have done, which means they will likely have fewer Select subscribers. Which serves them right, those assholes.
Clearly they are in a position to make it, because they have the information on the vulnerability :)
Personally, I really, honestly believe that all vulnerabilities should simply be reported to the world at large. It would encourage vendors to use best security practices, and they would not be able to simply hide their head in the sand.
Currently Microsoft does not utilize best practices - we're constantly finding vulnerabilities in new products that are due to the same old stupid crap like buffer overflows. Why coddle them?
Re:Too bad these WERE reported to mickeysoft (Score:5, Insightful)
I'm not saying he's right and Microsoft is wrong, but this isn't a simple issue. A combination of factors have left some sour tastes in people's mouths regarding Microsoft's current security practices. Microsoft's security advisories have become very terse/boilerplate with little or no details about what the vulnerability actually is. Their demand that people report the vulnerabilities in very specific ways (e.g. no proof of concept exploits, etc) in order to receive acknowledgement in the advisory is another. Add to this the fact it often takes months and months to get a patch to a reported vulnerability means that people are again thinking that Microsoft doesn't care about security other than as a bulletpoint on their sales literature.
Re:Or (Score:5, Insightful)
If a remote user can make your software do something it's not supposed to do, that's a security problem.
Re:Too bad these WERE reported to mickeysoft (Score:3, Insightful)
Ok, then.
Name an Operating System vendor that doesn't have any buffer overflows found! Even the much-beloved Open-BSD had one reported not so long ago, despite what I feel is the best effort possible to eliminate them, and despite limiting the scope of the operating system so much it's a mental strain to consider it an O/S at all - little more than a kernel and a few utilities.
Linux is definitely imperfect. Slowlaris isn't all that wonderful. In short, they ALL have issues, some more than others. Many of the issues found in Windows are found in IE - compare that to the recent swath of holes found in Firefox/Mozilla.
I choose Linux for my development because
A) distributing patches is damned easy (yum update)
B) I don't have to go to the facility to apply them,
C) It's very reliable - 99.94% uptime on a single machine!
D) It's very cheap - no licensing worries.
E) Security record is decent overall.
Re:Too bad these WERE reported to mickeysoft (Score:5, Insightful)
And when there is a fire, how irresponsible is it to not yell fire?
Re:Been a long time (Score:3, Insightful)
in addition, it's making me have some slight apprehension regarding my plan to put a couple linux machines in the systems room at work. be a bit embarrassing if the new guy's machines got owned.
New Windows machines get owned too but I don't think that is exactly your concern. Any alternative has to be outrageosly superior to whatever established way of doing things is being replaced. The various ways that Windows machines can malfunction are common experiences to many and after long conditioning somewhat forgivable. Even though a Linux machine may be an outstanding way to replace a cranky Windows server, ANY malfunction is evidence "This Linux stuff sucks!" even though worse might be tolerated from the accustomed Windows solutions.
I've been the advocate for many such Linux deployments. Being the advocate, I make it my personal and professional business that the solutions I advance work. I've pulled a few overtimes here and there sorting issues out. It's what you have to do when it is YOUR big idea being tried out and that big idea bucks prejudices.
If you've been a long while from Linux, then you are correct to hang back. Find a little time to get to know your shit again so that if you ever DO propose a Linux trial that you can do the groundwork to really make it perform.
Maybe MS needs some humility. (Score:3, Insightful)
Huh? It sure does. He found the vulnerability, it's his to disclose. (Unless of course Congress has made that illegal this week...)
I think the software vendors are forgetting something: giving them an advance warning of the pending release of a vulnerability is a professional courtesy.
If they don't do anything, particularly if they don't ask politely that the release of the vulnerability be delayed, then they really have no business bitching when they see it over their coffee while reading the Wall Street Journal some morning.
I think reporting vulnerabilities to vendors is the right thing to do, but if the vendors piss all over people who are trying to do them a favor, then the hell with them. It's unfortunate that their customers end up getting hurt because of their lack of any sort of humility or willingness to communicate, but that's what you get when you do business with people like that.
If I was advising Microsoft, or any other large vendor -- or if I was a major customer of theirs, large enough that I could give input on their internal policy -- I'd tell them that every time a serious vulnerability was reported, they should assign an analyst to it personally; not only to verify the possible implications of the threat, but also to act as a one-to-one point of contact with the discoverer, to build a relationship with them and hopefully get them to agree to hold off on disclosure until the problem can be fixed. (I'd also expect them to throw wads of cash at anyone with a possible 0-day, and troll the black-hat IRC channels just like the mafia does, buying them up.)
It's ridiculous to expect people who are inherently doing the vendors and their customers a favor to simply sit on their hands when there's no active dialogue between them and the vendor on what progress is being made -- particularly when being the first to report a vulnerability can be a career-making move for some people.
Re:Too bad these WERE reported to mickeysoft (Score:4, Insightful)
Isn't that why the black hats are pissed too?
The odds aren't "good" - they're 100%.
Re:Too bad these WERE reported to mickeysoft (Score:3, Insightful)
Tough. The jackasses who have been peddling broken software for years, making phony claims about its "security", are the ones to blame.
News flash: The software was always vulnerable to these attacks. Blaming the guy who publishes exploits (with source code) is like blaming the auditors for disclosing your accounting fraud. Your books were cooked regardless of whether or not the auditors told anyone.
This is nothing less than a free speech issue.
Re:Too bad these WERE reported to mickeysoft (Score:4, Insightful)
Nice rhetoric, but you neglect the fact that "normal operations" on the Internet includes operating in an adversarial environment. There is no reason why Microsoft or anyone else should get special treatment regarding the public disclosure of vulnerabilities. As a competitor to Microsoft, if my computer is vulnerable to executing arbitrary code, I don't want to have to trust that Microsoft won't exploit that vulnerability to further its own ends, nor do I want to have to trust that Microsoft employees won't leak the information to malevolent third parties. Instead, I want to know now that my software is vulnerable, so that I can take the necessary precautions.