Microsoft Blames the Messengers

Roger writes: "In an essay published on microsoft.com, Scott Culp, Manager of the Microsoft Security Response Center, calls on security experts to "end information anarchy" and stop releasing sample code that exploits security holes in Windows and other operating systems. "It's high time the security community stopped providing the blueprints for building these weapons," Culp writes in the essay. "And it's high time that computer users insisted that the security community live up to its obligation to protect them." See the story on Cnet News.com."

Right

[IsleOfView]

Much better that the "black-hats" "secretly" circulate the information.
</sarcasm>

If the security experts didn't find and pubilsh the holes, good luck on Microsoft making the fixes a "priority".

history

[Telastyn]

Yes, just like keeping Cryptography code secret improves the algorithm. I agree that the company should be notified before the flaw is announced, but seriously, the entire point of a security response center is to inform users as to vulnerabilities...

Re:We've seen what they propose

[uhmmmm]

Perhaps out of courtesy the security community could give the company with the bug a week's notice.

From the bugtraq FAQ (securityfocus.com):

0.1.8 What is the proper protocol to report a security vulnerability?

A sensible protocol to follow while reporting a security vulnerability is as follows:

1. Contact the product's vendor or maintainer and give them a one week period to respond. If they don't respond post to the list.
2. If you do hear from the vendor give them what you consider appropriate time to fix the vulnerability. This will depend on the vulnerability and the product. It's up to you to make and estimate. If they don't respond in time post to the list.
3. If they contact you asking for more time consider extending the deadline in good faith. If they continually fail to meet the deadline post to the list.

When is it advisable to post to the list without contacting the vendor?

1. When the product is no longer actively supported.
2. When you believe the vulnerability to be actively exploited and not informing the community as soon as possible would cause more harm then good.

Re:They Have a Point

[blakestah]

What gains are there to be had by having the source displayed all over the web?

1) The source display should allow any administrator to verify if he is vulnerable, and, after patching, that he is no longer vulnerable.

2) The source code should demonstrate the exact nature of the problem for the coders who wish to fix it. They would otherwise need to write their own exploit to test their fixes.

3) The source code should apply pressure to the software maker. It is akin to being flogged in public. The whole world knows you are vulnerable, and you ought to fix it.

4) The source code of the exploit should make the exploit obvious but not damage the system.

Source code exploits will ALWAYS be published in places where some crackers can get them. The challenge is designing an updating system that allows all users to apply patches in a timely fashion. I think Debian is actually closest on this one.

Microsoft is really going to get nowhere on this one. I've read accounts of people who send exploits to Microsoft in secrecy, and then HAVE to publish the code so that Microsoft is forced to fix the problem. If it doesn't impact Microsoft's marketing, Microsoft doesn't care.

The other issue that relates to this one is secure as possible by default. This principle applies to all Internet usage of computers. Yet Microsoft blatantly violated it in the following: Office Macros, email attachments, NT/Windows 2000 Server config (running IIS by default), Hotmail...

Re:RTFA

[0xA]

For the closed-source world, I believe that it is better that if you discover an exploit, to send full details to the vendor ASAP, and to release a general statement of a potental vunerability in the software to the general public, but with just info for the end-user to determine severity and criticalness of the bug.

Speaking as an IIS admin, I get really pissed when I can't find sample code for an exploit. I need to be able to test my systems against a newly published exploit. If I don't have a way to do this all I can do is apply the hotfix and hope it works. What if I want to set up some stateful inspection on my firewall just in case, how do I test that? Without sample code I have no way to really know if I am vulnerable or not. IMHO not testing these things would be a pretty irresposible aproach to managing a datacenter.

Re:RTFA

[Todd+Knarr]

Except that that was tried. What happened was that the vendors responded with "We can't reproduce that, you must be mistaken, there's no hole in our product.". After a while, the security community came to the conclusion that the only way to get vendors to wake up and actually fix their products was to release enough details that, if there was any question whether the hole existed, the skeptic could recreate the exploit and try it and see for himself. Which leaves the vendor with no way to spin the story, which is what Microsoft's really pissed off about.

This guy thinks admins are idiots

[ikekrull]

'An adminstrator doesn't need to understand the problem in order to fix it'

This is pure bullshit. It is *extremely* important to understand how these worms and viruses work in order to respond effectively to such threats.

If I, as a programmer, was writing a web application in C that could potentially be remotely exploited via buffer overflow, such information is *absolutely fucking critical* to me, so that i can write safe code.

M$ seem to suffer from the delusion that they are the only people in the world actually writing computer programs.

This unbelievable arrogance is getting pretty tired, and i imagine that we'll be seeing some pretty big anti-M$ stances being taken by previously devout believers in the near future.

If you can't put up, M$, then for christs sake shut up.