Microsoft Blames the Messengers
Roger writes: "In an essay published on microsoft.com, Scott Culp, Manager of the Microsoft Security Response Center, calls on security experts to "end information anarchy" and stop releasing sample code that exploits security holes in Windows and other operating systems. "It's high time the security community stopped providing the blueprints for building these weapons," Culp writes in the essay. "And it's high time that computer users insisted that the security community live up to its obligation to protect them." See the story on Cnet News.com."
If you don't tell anyone that the construction company used shoddy materials, then no one will figure out how to make the building collapse!
---
"Of course, that's just my opinion. I could be wrong." --Dennis Miller
Of course, MS just wants to skirt responsibility for negligence on their part.
"You spoony bard!" -Tellah
The people who wrote them have been rightly condemned as criminals.
...and if there hadn't been security vulnerabilities in Windows®, Linux, and Solaris®, none of them could have been written. This is a true statement, but it doesn't bring us any closer to a solution.
...information anarchy. This is the practice of deliberately publishing explicit, step-by-step instructions for exploiting security vulnerabilities, without regard for how the information may be used.
Ok, I'm going to be snide, the author points to the exploitation tools, but one could also argue that windows (don't laff) "security model", closed source apps, IIS are the *initial* tools of exploitation. Lest I forget, Integration, legislation, co-opting, barriers to entry keep other (maybe better, maybe worse) products from hitting the market and (say it with me) promoting competition.
It's high time the security community stopped providing blueprints for building these weapons. And it's high time computer users insisted that the security community live up to its obligation to protect them.
Why? No one believed that certain (ford/chevy?) trucks would blow up like a bomb when hit from the side...what did they do? Yep, they *Proved IT*, by staging a scenario.
And, not to pick nits or be too smarmy, but "we" are trying to protect users. The fact that PHB's and average users don't *listen* after the third, fourth, fifth time of being hacked, wormed, virused, or trojaned via Outlook, IIS, or IE seems to be nicely sidestepped.
Uh, yes it does...by choosing the most secure of the bunch! No platform is perfect, but if you choose the one with the best track record, gee, you get...surprise, surprise...less of a chance of being exploited. Once bitten, twice shy... but, then again, see my above paragraph with users/phb's.
Ok, I'll ignore the buzzword bingo opportunity, and point out that the author does "get it" a little, that the vulnerabilities mentioned had been patched weeks/months ahead of time.
Ok, cool. Correct me if I am wrong, but I recall seeing a recent article in which Microsoft said it needs to "prioritize" its patches, because, heh, it is confusing!!!
The thing to be remembered in reading this article, the dangerous assumption, is this:
If an exploit is found and is dangerous "the security community" *needs* these to tear into and discover how to fight whatever threatens the systems in question.
I'd rather have a fully working exploit in the hands of a "white hat" than a "black hat".
Don't forget, please, that most of the worms propagated as the result of *malicious* intent and were discovered, stopped, and slowed by people with *clear/clean* intent.
That fact seems to be missing.
Moose.
If I am right, I am right...but if I am wrong, show me I am wrong.
Have you read the moderator guidelines? Well, have you, PUNK? (and I want a Karma: Gnarly option)
I love this analogy. It actually works.
No, actually it doesnt.
An aspirin only relieves the symptom, not the cause. If you get a headache from hitting your head against the wall, an aspirin won't stop you from continuing to hit your head against the wall; all it will do is let you do it longer.
Perhaps he can answer this though: without exploit code, how do we know the problem is really fixed? Twice to my knowledge MS has released patches that didn't fix the hole they claimed. Publicly available exploits are a failsafe; they provide an independent means of verifying that the hole is actually closed.
I found this story talking about a serious security problem in Novell GroupWise. But they say it is better if they do not tell you what the problem is. But apply the patch NOW.
Really? Is that why their service packs keep breaking your machine instead of fixing it? NT4 Service Pack 2 was widely known as the "service pack of death". HP refused to support their own machines running NT4 with Service Pack 4 (while at the same time advertising "the unstoppable Windows NT"). Service Pack 6 broke Lotus and was quickly replaced by Service Pack 6a. They are also known to release patches that undo previous patches. And that's just the stuff I can think of off the top of my head.
Furthermore, Microsoft patches frequently break third party software. Is it because they don't test or is it intentional? Hmmm.....
___
If you think big enough, you'll never have to do it.
Culp says...
"First, let's state the obvious. All of these worms made use of security flaws in the systems they attacked, and if there hadn't been security vulnerabilities in Windows®, Linux, and Solaris®, none of them could have been written. This is a true statement, but it doesn't bring us any closer to a solution. While the industry can and should deliver more secure products, it's unrealistic to expect that we will ever achieve perfection. All non-trivial software contains bugs, and modern software systems are anything but trivial. Indeed, they are among the most complex things humanity has ever developed. Security vulnerabilities are here to stay."
In the above argument, Culp uses truth to validate fallacy. It's true that no code is perfect. It's false that security will improve by mandating gag orders.
More to the point, Microsoft is especially frustrated with flaws being exposed in their code. Frankly, I believe the hacks associated with Microsoft products differ fundamentally from the flaws discovered in Solaris and Linux. When a Linux exploit is discovered, hackers and maintainers consider it a design flaw. Therefore, exploits are generally fixed pretty fast on Linux -- usually within a few days. The same is true for Solaris.
Apparently however, Microsoft does not consider certain exploits to be design flaws. Sometimes, hackers simply leverage "features" (e.g. undocumented APIs) that Microsoft deliberately designed into their applications and/or systems.
Microsoft applications tend to execute arbitrary code. In other words, Microsoft deliberately empowers IIS, Exchange, Internet Explorer, Outlook and certain Office applications to execute unchecked commands fed over the Internet. Once hackers discover these (badly!) hidden APIs, it is only a matter of time before someone sends you an email which does something nasty to your computer.
Interestingly, despite these obvious security issues, Microsoft wants their programs to execute arbitrary code. Remember the Microsoft Word viruses? Remember the Excel viruses? Heck, email viruses were fiction until Exchange and Outlook...
Microsoft has had years of experience and feedback since the first MS-Word virus. Obviously, they understand the risks of allowing applications to execute arbitrary code. Nevertheless, they continue to build this ability into all their major products.
In fact, arbitrary code execution appears to be one of the core technologies behind Microsoft's .NET initiative. I suspect this is why Microsoft was so reluctant to repair the security flaws within IIS. Code Red and Nimda exploit APIs that Microsoft intends for their .NET initiative. Disabling these APIs would cripple .NET. Therefore, Microsoft did not fix IIS until they could re-think the design of .NET.
Culp states that vulnerabilities are here to stay. Most likely, .NET will reinforce his point. Given their track record, I expect .NET to be Microsoft's magnum opus of security deficiency.
At this late stage, re-designing .NET is out of the question. I guess Culp feels controlling what the world is allowed to communicate about .NET is easier.
Enjoy! Jon
www.microsoft.com/security is too hard to find?
When a vulnerability shows up on http://securityfocus.com or the like, specifying a vulnerability in a Microsoft product, e.g. "A specially crafted URL will overwrite your files", and then there is no information on what the specially crafted URL looks like, and there is no fix available from Microsoft or others, do you feel more secure?
Perhaps you could block the request in your packet-filtering system, or at least log it, but without knowing what to look for... what do you do?
And, knowing that experienced black-hat crackers also read securityfocus and sites like this, they don't need anything more than this information (there is a buffer overflow in IIS...) and then they have a target for what to do the next couple of hours. It's a competition, you know. The best crack wins. Giving away exploits doesn't give much credit to the cracker copying it, but the first one to discover a "new" one gets a lot of attention...
We need to understand the psychology of what makes a crack worthwhile: a published exploit every script kiddie can duplicate, but sysadmins can also counter it fast (provided that they read the right forums, as all sysadmins should!).
But a hint of a possibility in an unpublished exploit gives the black-hats something to compete for: who is the first one to make the best crack? And the poor end-user does not even know what to look for...
Second, published exploits are easy to scan for; known but unpublished exploits will fluctuate in their signature.
E.g. a special HTTP GET request to look for in the logs... you just scan your logs for exactly the string published in the exploit (or put it in your packet filter). An unpublished exploit will result in several different cracks, using the same vulnerability but probably varying a bit in the exploit methodology, making it harder to scan for.
Would you dare to use your car if the factory sent you a note that "it has a fault", but not providing any details of the fault? It could be anything...