Daily Exploit Releases Irk Both Vendors and Crooks 165
conJunk writes "Security Focus has an article about HD Moore's Exploit-Every-Day-in-July endeavor raising the hackles of both browser vendors and criminals. He started the project because he felt that vendors were not taking his analysis seriously enough, but he appears to be the only one enjoying it. 'Black Hats' are having their exploits exposed, and Microsoft (who bears responsibility for the majority of the browser holes) can't keep up with the pace he's setting." From the article: "The software giant indirectly criticized the release of vulnerabilities in a statement to SecurityFocus, underscoring the importance of getting customers updated before they are exposed to threats from malicious attackers. 'Microsoft continues to encourage responsible disclosure of vulnerabilities,' the software giant said in a statement sent to SecurityFocus. 'We believe the commonly accepted practice of reporting vulnerabilities directly to a vendor serves everyone's best interests.'"
Only one OS? (Score:1, Interesting)
Or do some vendors not have enough to mention?
Or do other vendors actually fix them in a timely fashion?
Re:Give reasonable deadlines then go public (Score:3, Interesting)
First, this process does not protect the user, it is merely a PR thing for the vendor. While I feel for the vendor, wish to give them adequate time to correct the problem, history tells us that this sympathy backfires. Here is the normal drill. If a venerability gets reported, but there is no exploit "in the wild", then the venerability gets less priority. This is fine because the exploitable code needs to fixed first. But then later on the bug that was ignored does have an exploit. Well then that bug is put to the top of this list, and even though it may have knonw for ages, the vendor gets ages more to fix it. All the while the user is at uneccesary risk.
As a customer the product cycle should take my convenience into account, at least as far as I willing to pay for it. And since MS has margins approaching 40%,and Apple has margins over 20%, I certainly think we are paying enough to both companies not to have to inconvenience ourselves because they can't get to work.
Here is the second thing. The issue either has an exploit or it doesn't. If it has an exploit, then the customer deserves to know so they can protect against it, and often that requires some level of detail. If it makes the problem public, then that is a good thing because then the scrip kiddeies will exploit it, and it will be more of a problem, so then it will be fixed. Instead of having months of small problems, we will simply have a short time of big problems. If the bug has no exploit, then nothing is lost. However, knowing the bug is known does put pressure on the vendor to fix the issue.
As i say, delaying publication is merely to protect the vendor, and does nothing to help the customer. As has been mentioned here often, a properly secured and updated system in any OS is relatively safe. But if we are going to blame the users, then the users must know what the exploits are than we need to defend against. If the exploits are secret, then we are back to the situation where the vendors are withholding material information, and they become liable. It is a very similar situation to the pinto.
Re:Too bad these WERE reported to mickeysoft (Score:2, Interesting)
First, lets assume he is reporting these to Microsoft in a responsible way...
With that said, who is he to 'determine' the 'timeline' for the fix? What if the bug or exploit affects a vast amount of code and third party applications? Does he get to hold the industry hostage becuase he didn't get the 'timeline' response or fix from Microsoft 'he' expects, when he knows nothing of what the bug or exploit might entail?
Microsoft 'should' also be keeping proper dialog with people that report these exploits, but that does not give one individual the 'button' to nuke MS when they don't jump on a fix as fast as the person wants, he is only screwing the consumers, not MS other than giving them bad press.
So if MS doesn't meet his timeline, then the consumers and industry gets screwed and put at risk.
If he 'had' the knowledge of all the downlevel code and testing to fix exploits that MS must undertake for each exploit, then sure he should be making the timeline call, but if the bug is more serious than what 'he' even may realize, it is still the Vendor that should have the say on publishing this information unless the person finding the 'exploit' can offer a credible fix, solution, or way to safe guard consumers.
This borders on yelling fire in a theater, because it isn't the theater owner that is getting hurt, it is the people getting trampled in the aisles...
Sure we all agree that MS should sometimes push up exploit fixes, but we also see others on here complain too much about MS addressing updates and fixes too rapidly if they break applications.
So I am left a bit conflicted over this..
Sure I can use another OS or another Browser, but there is a large base of 'consumers' that do use MS OSes and Browsers and they will be the least likely to even 'hear' of the exploit or protect themselves, instead this information will be gobbled up by the people that want to do harm to them and in the end the consumers get screwed.
Also of note, it isn't only MS this person has released information about when the vendor hasn't meet his timeline demands, and what are his standards based on what formula for what level of exploit and what level of code that would need to be fixed?
Does projects like Firefox and the Safari team have the resources to meet his timelines? How about distributions that spin off of other technologies that only have a small amount of people to work on them?
What are your opinions 'bias aside' on a single entitiy making decisions for vendors and consumers that they probably are not in a position to make?
Looking for honest debate because, I'm very curious to others views on this.
(Side Note) I also have been in a position much like this myself, finding holes that don't seem to be addressed on a timeline I would have liked...
Re:Or (Score:3, Interesting)
Re:Reporting directly to vendors (Score:5, Interesting)
This is not an even slightly similar situation to your example.
If you can explain to me who in this example is Microsoft, I'll be seriously fucking impressed, because you didn't even include them.
Now, what WOULD be a good example is if you noticed that your neighbor's patio door didn't lock properly, and you found another of the same model, and noticed it didn't lock properly either, then you got that information out to the general populace. On one hand, it would inform burglars that those doors were easy to get through, but on the other, people who had that kind of door could be informed, and take steps to correct it.
Where does this analogy break down? There's a zillion places you can look to find security vulnerabilities, and most any of them that are worth anything are effectively equivalent, they all have the same vulnerabilities within a few days. There is no clearing house for patio door security information.
Still, it makes dramatically more sense than the bullshit you spouted.
Also, Microsoft has a shit security record miles long. Expecting Microsoft to release stable, secure software is like expecting the Pope to open an abortion clinic. By the same token, it's like someone today buying a Yugo. We all know they're utter, complete shitboxes, that will actively cost you money - they're not worth getting for free. Why would you do it? Granted, I do use Microsoft software, but I know it's insecure, so I make sure to take more care than I would were I on Linux or something.
Finally, people learn from mistakes. If they are losing their data because they went with Microsoft, Microsoft will eventually suffer. It's a shame that people can't do some basic research and find out that Microsoft is awful, but that's their own fucking fault. People who would do tons of research before buying a car will do absolutely none before buying a computer, and then wonder why they have problems. I am not responsible for their willful stupidity. Or yours.
Re:Reporting directly to vendors (Score:5, Interesting)
Let's say there's another OpenSSH (to remove MS angle) vulnerability. Somebody announces it:
1. Somebody finds a vulnerability and makes it public
2. I block SSH port immediately
3. Mail everybody who uses it: SSH has a vulnerability, mail/call me with your IP address and I'll make an exception
4. Now I can relax a little, read the security advisory, run tests, and patch SSH. Most exploits involve very straightforward patches.
5. Test patch (obviously)
6. Remove SSH port block
7. Everything is back running, and all is well. Some time later I get the vendor-provided bugfix (updated package in Debian or whatever)
Now your version:
1. Somebody finds a vulnerability and only reveals it to the vendor. Vendor sits on their asses for a month
2. Since I don't know anything, I can't take any action
3. Two weeks later, some jerk roots the box
4. Yay, now I have to take the box offine, examine it, restore from backups.
5. Oops, I forgot, I still have to protect it against a vulnerability there's still no information about!
6. Bring box back online, without being really sure I won't get rooted again
7. If I'm lucky, some time later, the vendor's patch arrives.
Re:Reporting directly to vendors (Score:4, Interesting)
Three months is too long.
Besides, especially for Microsoft exploits... the moment I have time to share any info on something I found, I do. This is in part becuase of my lack of admiration for the company, and any bane for them is a gleeful gain for me. Come to think of it, I never contacted Microsoft to report anything remotely construed as intent for improvement; save one instance where I did specifically contacted Microsoft presenting just one reason why I would never condone the use of their Server Operating Systems for even casual use, and they opened up dialog even. But, I think they could tell, I wasn't their friend.
Bottom line here, is what is 'responsible' exploit exposure? Noone really has a hardened explanation. Companies would love for thier ideas governing exposure, basically it affords them the ability to flip the bird at one person (the discoverer) and hope noone else see's it; which is, the most likely scenerio becuase we all know, captialists think like this--'is it cost effective to address this bug? Is it cheaper to pay editors to belittle the effect of IE crashing by using phrases such as "[bugs within IE] MERELY causing IE to CRASH"?'.
Is it really responsible to notify the vendor first? Inherent to proprietary business interests, denial is an all too common tactic and if they want to sue you, they could even to suffer an obvious loss just to introduce you to the ringer. Or, is it more responsible to out right give full details to the first person you see on the street? I say, in regards to consumer business, it's much more effective and therefore responsible should you post all exploits, with details and working examples the moment you are able to muster the content and activate the 'Send' command. This approach is akin to starting a fire underneath the perverbial ass. Why give a company an option? Force them to live up to their end of the deal; deal being that you paid for a product, as advertised and within reasonable expectation of operation. There is no option to fix or not to fix a bug that crashes an application, it must be fixed; while this is the tendancy in the Open Source area, it is a philosophical obligation for a company.
So, light those fires is what I say. I think it's ridiculous that many exposing exploits do not give details and working example code, or some sites that do have that culture require registration and are less in the spotlight.
Re:Too bad these WERE reported to mickeysoft (Score:5, Interesting)
I think it goes further than you took it, though:
Microsoft is the theater owner, and is very aware of the fire. He is in fact standing there in front of the smoldering flames to hide them.
And telling all the ushers to stand in the way, too.
And he's lit up a big fat cigar to cloak the smoke as best as possible.
And he's laughing nervously and encouraging others to light up, too, so the fire is cloaked by everyone smoking
Re:No! Don't tell anyone!!! (Score:1, Interesting)
Impact:
======
NSFocus Security Team discovered a buffer overflow vulnerability in Microsoft Office GIF filter, which could allow attackers to run arbitrary code via a carefully crafted GIF image.
Vendor Status
==============
2005.05.27 Informed the vendor
2005.06.02 Vendor confirmed the vulnerability
2006.07.11 Microsoft has released a security bulletin (MS06-039) and related
patches.
Over one YEAR !!
don't tell anyone
Re:Reporting directly to vendors (Score:3, Interesting)
Excellent description of the problem, but I don't see why so many people shout about "MS shouldn't be allowed to get away with this". Yes, yes they should...because you bought their products, you agreed to the stuff that said "We might support you if we want". You agreed to it, they can do it. It doesn't really matter if you didn't read the fine print, you still agreed. The same goes for every other closed proprietary line of stuff people buy. Trust me, their lawyers are WAY smarter than their sense of morality is strong.
It amuses me that the big software houses just don't get that. That they shout and scream and stomp their feet "You can't tell our customers we screwed them!" "You can't tell them we lied to them about what we offer!" Rather than spending the money to fix the problem, they spend a fortune in legal battles trying to silence the critics, so they don't have to spend the money fixing stuff. In the mean time the OSS world just goes "DOH!" and fixes it. Realistically, if this was pointed out to shareholders...things might change. "Look, rather than actually fixing the problems that are causing them to do worse, they want to try to hide them...but these service based companies over here...based on a new business model, just fix the problem, notifiy their customers, and continue to move in the right direction without wasting money on unneccessary legal battles"