Daily Exploit Releases Irk Both Vendors and Crooks

conJunk writes "Security Focus has an article about HD Moore's Exploit-Every-Day-in-July endeavor raising the hackles of both browser vendors and criminals. He started the project because he felt that vendors were not taking his analysis seriously enough, but he appears to be the only one enjoying it. 'Black Hats' are having their exploits exposed, and Microsoft (who bears responsibility for the majority of the browser holes) can't keep up with the pace he's setting." From the article: "The software giant indirectly criticized the release of vulnerabilities in a statement to SecurityFocus, underscoring the importance of getting customers updated before they are exposed to threats from malicious attackers. 'Microsoft continues to encourage responsible disclosure of vulnerabilities,' the software giant said in a statement sent to SecurityFocus. 'We believe the commonly accepted practice of reporting vulnerabilities directly to a vendor serves everyone's best interests.'"
  • by a_greer2005 ( 863926 ) on Friday July 14, 2006 @06:46PM (#15722223)
    Think about it; if a PC gets exposed to viruses or malware, the average Joe will either A: buy a new version of Norton, or just not realise it until the PC fails to boot in under 10 minutes, at which point they just buy a new one, which means by default another license for Windows that isn't really needed, but Redmond gets the $$$ nonetheless...
  • by dtfinch ( 661405 ) * on Friday July 14, 2006 @06:47PM (#15722228) Journal
    "We believe the commonly accepted practice of reporting vulnerabilities directly to a vendor serves everyone's best interests."

    From the looks of it, most if not all of those were reported months before they were published.

    Give a vendor 90 days. If they fix it, never, ever release the details of how to exploit the vulnerability, as a reward and to help users who are slow to update. But if they willfully choose not to fix it, release the exploit to educate their userbase, and to help them to reevaluate their dangerous security policy.
  • by Anonymous Coward on Friday July 14, 2006 @06:50PM (#15722251)
    must be doing something right.
  • by davidwr ( 791652 ) on Friday July 14, 2006 @06:50PM (#15722253) Homepage Journal
    Best practices in my not-so-humble-opinion:

    1) warn the vendor ASAP
    2) warn the security community within a week, immediately if the vendor has no objections
    3) as soon as there is an exploit that represents a real threat:
      a) give all details to the security community
      b) give a workaround, like "disable such and such service," to the general public.
  • It "irks" them? (Score:2, Insightful)

    by andytrevino ( 943397 ) on Friday July 14, 2006 @06:56PM (#15722281) Homepage

    So, shedding light on these security problems "irks" some vendors. How about the sysadmins and users who are stuck wasting their time patching problems that should have been fixed months ago, or before release? What about people who have had data compromised or destroyed by exploits brought to the public eye in this report?

    While I realize that many of these bugs are not critical security issues, my hat is off to Moore for having the rocks to continue his effort in the face of "irked" vendors and hax0rs. Producing better software is far more important.

  • by Tackhead ( 54550 ) on Friday July 14, 2006 @06:57PM (#15722290)
    > I feel that there's not enough being done to curb gun violence here in Oakland Ca. So I'm going to shoot one person a day, every day, for the month of July. Any reports that I'm enjoying it are exaggerations.

    (Not to put a downer on your funny post but...) it's more like "So I'm going to report every murder on the TV news, for everyone to see, until people get so fed up with seeing it every night, that they pressure the Oakland Police (who, just as Microsoft has a legal monopoly on its own source code, have the legal monopoly on the use of force in Oakland) to get off their asses and start doing something to stop it."

    (Of course, just as in Oakland... we get bored of seeing a bunch of dead people every night on the news, and we get bored of seeing the latest exploit, and once the cops - and the vendors - figure out that after a certain point, we stop giving a shit, nothing gets done :)

  • by Odin_Tiger ( 585113 ) on Friday July 14, 2006 @07:16PM (#15722384) Journal
    This is more a situation of, "I feel there's not enough being done to curb gun violence in Oakland, CA, so every day in July I'm going to disclose to the public one case of a cop failing to prosecute a known black market arms dealer, felon in possession of a firearm, or murderer, because it wasn't convenient for the Police Department's schedule."
  • by Anonymous Coward on Friday July 14, 2006 @07:19PM (#15722389)
    This borders on yelling fire in a theater, because it isn't the theater owner that is getting hurt, it is the people getting trampled in the aisles

    The problem is, that, using your stretched metaphor, there is a fire smoldering in the back of the theater, and nobody is aware. Sure, first thing you do is call the fire department, but you don't wait for them to put the blaze out in order to notify people.

    To construct a better metaphor: Would you tell someone if a pickpocket were stealing their wallet? Or would you call the police first?

    These kinds of holes are not only found by the 'white hat' security researchers... Odds are good that if he's found a hole, others have as well, and are misusing it.

    At which point, what good does keeping silent do?
  • If he 'had' the knowledge of all the downlevel code and testing to fix exploits that MS must undertake for each exploit, then sure he should be making the timeline call, but if the bug is more serious than what 'he' even may realize, it is still the Vendor that should have the say on publishing this information unless the person finding the 'exploit' can offer a credible fix, solution, or way to safeguard consumers.

    I disagree. Given that the EULA apparently allows software developers to eliminate all their liability for holes in their software, users should be very careful about who they get their software from. If a vendor can constantly be shown to leave big holes in their software, and people actually suffer loss due to said holes, then that vendor will lose all business. I believe that Microsoft would either be gone or releasing only [relatively] secure software if we had immediate release of vulnerabilities.

    I further believe that the only reason Microsoft doesn't want the vulnerabilities released is that they will have to actually motivate their sorry asses and release the patches in a timely fashion, which means they can't distribute them to Microsoft Select customers first as they always have done, which means they will likely have fewer Select subscribers. Which serves them right, those assholes.

    What are your opinions 'bias aside' on a single entity making decisions for vendors and consumers that they probably are not in a position to make?

    Clearly they are in a position to make it, because they have the information on the vulnerability :)

    Personally, I really, honestly believe that all vulnerabilities should simply be reported to the world at large. It would encourage vendors to use best security practices, and they would not be able to simply hide their head in the sand.

    Currently Microsoft does not utilize best practices - we're constantly finding vulnerabilities in new products that are due to the same old stupid crap like buffer overflows. Why coddle them?

  • by Trepalium ( 109107 ) on Friday July 14, 2006 @07:27PM (#15722417)
    Let me play devil's advocate on this one.

    With that said, who is he to 'determine' the 'timeline' for the fix? What if the bug or exploit affects a vast amount of code and third party applications?
    And who is Microsoft to 'determine' when he is or is not allowed to notify the world of this? What if the author has knowledge that people are falling victim to this vulnerability?
    So if MS doesn't meet his timeline, then the consumers and industry gets screwed and put at risk.
    Customers and industry are already at risk from the vulnerabilities themselves, and these vulnerabilities may already be in use by criminals. Indeed the summary suggests that this is the case.

    I'm not saying he's right and Microsoft is wrong, but this isn't a simple issue. A combination of factors has left some sour tastes in people's mouths regarding Microsoft's current security practices. Microsoft's security advisories have become very terse/boilerplate with little or no details about what the vulnerability actually is. Their demand that people report the vulnerabilities in very specific ways (e.g. no proof of concept exploits, etc.) in order to receive acknowledgement in the advisory is another. Add to this the fact that it often takes months and months to get a patch for a reported vulnerability, and people are again thinking that Microsoft doesn't care about security other than as a bulletpoint on their sales literature.

  • Re:Or (Score:5, Insightful)

    by jrockway ( 229604 ) * <> on Friday July 14, 2006 @07:54PM (#15722540) Homepage Journal
    Crashing browsers is a huge PITA. Do you like your history? Do you keep multiple tabs open? All that is gone when your browser SEGVs.

    If a remote user can make your software do something it's not supposed to do, that's a security problem.
  • by mcrbids ( 148650 ) on Friday July 14, 2006 @07:56PM (#15722554) Journal
    Currently Microsoft does not utilize best practices - we're constantly finding vulnerabilities in new products that are due to the same old stupid crap like buffer overflows. Why coddle them?

    Ok, then.

    Name an Operating System vendor that doesn't have any buffer overflows found! Even the much-beloved OpenBSD had one reported not so long ago, despite what I feel is the best effort possible to eliminate them, and despite limiting the scope of the operating system so much it's a mental strain to consider it an O/S at all - little more than a kernel and a few utilities.

    Linux is definitely imperfect. Slowlaris isn't all that wonderful. In short, they ALL have issues, some more than others. Many of the issues found in Windows are found in IE - compare that to the recent swath of holes found in Firefox/Mozilla.

    I choose Linux for my development because

    A) distributing patches is damned easy (yum update)

    B) I don't have to go to the facility to apply them,

    C) It's very reliable - 99.94% uptime on a single machine!

    D) It's very cheap - no licensing worries.

    E) Security record is decent overall.
  • by More Trouble ( 211162 ) on Friday July 14, 2006 @09:23PM (#15722871)
    This borders on yelling fire in a theater, because it isn't the theater owner that is getting hurt, it is the people getting trampled in the aisles...

    And when there is a fire, how irresponsible is it to not yell fire?
  • by frogstar_robot ( 926792 ) <> on Friday July 14, 2006 @10:25PM (#15723056)

    In addition, it's making me have some slight apprehension regarding my plan to put a couple Linux machines in the systems room at work. Be a bit embarrassing if the new guy's machines got owned.

    New Windows machines get owned too, but I don't think that is exactly your concern. Any alternative has to be outrageously superior to whatever established way of doing things is being replaced. The various ways that Windows machines can malfunction are common experiences to many and, after long conditioning, somewhat forgivable. Even though a Linux machine may be an outstanding way to replace a cranky Windows server, ANY malfunction is evidence "This Linux stuff sucks!" even though worse might be tolerated from the accustomed Windows solutions.

    I've been the advocate for many such Linux deployments. Being the advocate, I make it my personal and professional business that the solutions I advance work. I've pulled a few overtimes here and there sorting issues out. It's what you have to do when it is YOUR big idea being tried out and that big idea bucks prejudices.

    If you've been a long while from Linux, then you are correct to hang back. Find a little time to get to know your shit again so that if you ever DO propose a Linux trial that you can do the groundwork to really make it perform.

  • Microsoft 'should' also be keeping proper dialog with people that report these exploits, but that does not give one individual the 'button' to nuke MS when they don't jump on a fix as fast as the person wants, he is only screwing the consumers, not MS other than giving them bad press.

    Huh? It sure does. He found the vulnerability, it's his to disclose. (Unless of course Congress has made that illegal this week...)

    I think the software vendors are forgetting something: giving them an advance warning of the pending release of a vulnerability is a professional courtesy.

    If they don't do anything, particularly if they don't ask politely that the release of the vulnerability be delayed, then they really have no business bitching when they see it over their coffee while reading the Wall Street Journal some morning.

    I think reporting vulnerabilities to vendors is the right thing to do, but if the vendors piss all over people who are trying to do them a favor, then the hell with them. It's unfortunate that their customers end up getting hurt because of their lack of any sort of humility or willingness to communicate, but that's what you get when you do business with people like that.

    If I was advising Microsoft, or any other large vendor -- or if I was a major customer of theirs, large enough that I could give input on their internal policy -- I'd tell them that every time a serious vulnerability was reported, they should assign an analyst to it personally; not only to verify the possible implications of the threat, but also to act as a one-to-one point of contact with the discoverer, to build a relationship with them and hopefully get them to agree to hold off on disclosure until the problem can be fixed. (I'd also expect them to throw wads of cash at anyone with a possible 0-day, and troll the black-hat IRC channels just like the mafia does, buying them up.)

    It's ridiculous to expect people who are inherently doing the vendors and their customers a favor to simply sit on their hands when there's no active dialogue between them and the vendor on what progress is being made -- particularly when being the first to report a vulnerability can be a career-making move for some people.
  • by schon ( 31600 ) on Friday July 14, 2006 @10:54PM (#15723140)
    Odds are good that if he's found a hole, others have as well, and are misusing it.

    Isn't that why the black hats are pissed too?

    The odds aren't "good" - they're 100%.
  • by Schraegstrichpunkt ( 931443 ) on Saturday July 15, 2006 @01:08AM (#15723554) Homepage
    With that said, who is he to 'determine' the 'timeline' for the fix? What if the bug or exploit affects a vast amount of code and third party applications?

    Tough. The jackasses who have been peddling broken software for years, making phony claims about its "security", are the ones to blame.

    News flash: The software was always vulnerable to these attacks. Blaming the guy who publishes exploits (with source code) is like blaming the auditors for disclosing your accounting fraud. Your books were cooked regardless of whether or not the auditors told anyone.

    This is nothing less than a free speech issue.

  • by Schraegstrichpunkt ( 931443 ) on Saturday July 15, 2006 @01:16AM (#15723574) Homepage

    Nice rhetoric, but you neglect the fact that "normal operations" on the Internet includes operating in an adversarial environment. There is no reason why Microsoft or anyone else should get special treatment regarding the public disclosure of vulnerabilities. As a competitor to Microsoft, if my computer is vulnerable to executing arbitrary code, I don't want to have to trust that Microsoft won't exploit that vulnerability to further its own ends, nor do I want to have to trust that Microsoft employees won't leak the information to malevolent third parties. Instead, I want to know now that my software is vulnerable, so that I can take the necessary precautions.