Slashdot Mirror
Microsoft Blames the Messengers
Roger writes: "In an essay published on microsoft.com, Scott Culp, Manager of the Microsoft Security Response Center, calls on security experts to "end information anarchy" and stop releasing sample code that exploits security holes in Windows and other operating systems. "It's high time the security community stopped providing the blueprints for building these weapons," Culp writes in the essay. "And it's high time that computer users insisted that the security community live up to its obligation to protect them." See the story on Cnet News.com."
They're trying to say "stop finding holes faster than we can make...err...fix them". My my what a cheap political backstab.
I am !amused.
Much better that the "black-hats" "secretly" circulate the information.
</sarcasm>
If the security experts didn't find and pubilsh the holes, good luck on Microsoft making the fixes a "priority".
Yes, just like keeping Cryptography code secret improves the algorithm. I agree that the company should be notified before the flaw is announced, but seriously, the entire point of a security response center is to inform users as to vulnerabilities...
If you don't tell anyone that the construction company used shoddy materials, then no one will figure out how to make the building collapse!
---
"Of course, that's just my opinion. I could be wrong." --Dennis Miller
Because, if the security hole didn't exist in the first place, then Microsoft wouldn't have to worry about all this bad press starting to cost them business; and more importantly mindshare.
there are no stupid questions, but there are a lot of inquisitive idiots
It's high time we stopped teaching Chemistry and Biology! People are spreading information that essentially maps out exactly how the human body works, which allows for all sorts of chemical and biological weapons! And explosives, too!
In other news, Master Lock wants to release a new model made out of twine and butter. They ask the community to avoid discussing the security of the lock, since they anticipate it getting deployed widely, and once the ButterLock is being used to secure mission-critical systems, it will be extremely important to keep its flaws a secret.
--
Mod up a post Rob doesn't like and you'll never mod again
By putting out solid information, people who find these exploits are doing two things: Giving the programmers specific information with which to fix the problems, and giving script kiddies some really damn good instructions for hacking into a box.
The system relies on the reaction time of the programmers.. can they supply a patch before the crackers supply an exploit?
Those of us in the *nix world seem to do pretty good.. for all sorts of reasons you don't need to go into here. Windows? Heh.. it can take months for something to get patched up. No wonder he's mad that these 'blueprints' are being provided. It's simply an extension of the security through obscurity mode of thought.
it's high time that computer users insisted that the security community live up to its obligation to protect them
I'm not sure whether anyone, other than law-enforcement agents, is obligated to protect computer users, but if anyone is, surely the people who produce the software are more obligated to prevent or solve these problems than are those who merely report on them.
Is this, along with the U.S. government's warning to news agencies to be careful what they broadcast, a sign of a new trend?
I thought most security exploits that get released by the major groups are usually passed through MS first and allow them time to provide a patch before issuing the details of the exploit. So why are they so upset? Its not MS nor the security experts who are at fault for not patching machines. At least by publishing them they are provided an incentive to staying on top of security holes, instead of simply allowing them to remain secret. I mean none of the major exploits lately (code red, nimda, etc.) have used unpublished exploits. So this shows a failing in MS's procedures for keeping admins informed and a failing in the admins for keeping on top of their networks. Its such a non-issue, I think MS just wants to preempt law suits or some other such silliness.
Of course, MS just wants to skirt responsibility for negligance on their part.
"You spoony bard!" -Tellah
Hmm, this has always seemed to be a hot discussion...I'm all for full disclosure, but is it really necessary for people to include exploit code?
One argument is that it can help people to test their systems for vulnerabilities, bit I think that exploit code is not strictly necessary for this. People who really need it to test systems are in a position where they should have the capability or the resources to generate a "test script" for themselves, once given an accurate description of the vulnerability.
Making code exploits freely available possibly creates more opportunity for the low-life script kiddies who often don't appreciate exactly what they are doing, or the mechanics of the exploits that they are using. Why should we make it easy for those guys?
My opinion on this element of full disclosure is still not complete though, and I am fully prepared to be convinced... :)
-- Pete.
Monochrome - Probably the UK's largest internet BBS
... and just write pseudocode or a very detailed step-by-step description of what their code does. In the end script kiddies will have to learn to write their own leet tools, and may later on branch these skills into other areas.
:)
If security experts took the time to make exploit code an exercise for the reader, we might someday end up with skript kiddies who can even write their own hardware drivers for Linux. They might even learn to write and discover new exploits for Windows without the help of security experts.
Microsoft got it on the nose this time
"Look at me, I invented the stove!" -- Ben Franklin
doing a quick search on bugtraq, I see a lot of linux exploit code too. Hmm... let's blame the linux exploit code for the net-stopping worms like... ummm... and also the.. ahhh... well, you know. No Microsoft, making exploit code widely available does make make your product less secure. You do.
There is no reasonable defense against an idiot with an agenda
:wq
sigh. OK, let's try this again: BECAUSE OTHERWISE PEOPLE WON'T TAKE YOU SERIOUSLY. Now let's review: how many people patched eEye's .IDA exploit when it came out and did not include an exploit? Not bloody many. How many patched it after Code Red made it abundantly clear that this was a very exploitable vulnerability? Hundreds of thousands more. The obvious truth here is that full disclosure and the inclusion of exploit scripts opens people's eyes to the fact that people are going to use this hole to break into YOUR system.
By not giving exploit scripts you allow sysadmins to become lazy. They figure "Nah, i'll just wait until an exploit comes out before i patch it", while the underground hax0r scene is already searching out your box.
What makes you think that not having it displayed all over the web will make it any less available to to the people who want to do harm?
Black hats are going to get ahold of the exploit, even if the source code to it is not published on incidents.org or bugtraq. All that not publishing it there does is provide a false sense of security.
Publishing the details in a high-visibility location does several things:
The script kiddiez are going to get these exploits when they download them from their favourite r00t kit location. Lets not pretend that not publishing the same exploits to the general public really makes things much safer.
Do you even know anything about perl? -- AC Replying to Tom Christiansen post.
"Yes," said kingdom spokesman Jim Dilldunnam, "the Emperor is aware of his nudity. But His Majesty's nakedness would not be a problem for the uneducated masses if you irresponsible media types would just cease telling them about it."
== Paul Rickard, Editor of The Microsoft Boycott Campaign ====
From the bugtraq FAQ (securityfocus.com):
0.1.8 What is the proper protocol to report a security vulnerability?
A sensible protocol to follow while reporting a security vulnerability is as follows:
When is it advisable to post to the list without contacting the vendor?
Supporters of information anarchy claim that publishing full details on exploiting vulnerabilities actually helps security...and bringing pressure on software vendors to address the vulnerabilities. These may be their intentions, but in practice information anarchy is antithetical to all three goals.
All three goals? There's some on this later - but assuming that he's right with the rest of the entire essay, you'd expect there to be some pressure to address the vulnerabilities, would there not? He even goes further, saying that pulished exploits are antithetical to getting patches out. Brilliant logic.
Providing a recipe for exploiting a vulnerability doesn't aid administrators in protecting their networks. In the vast majority of cases, the only way to protect against a security vulnerability is to apply a fix that changes the system behavior and eliminates the vulnerability; in other cases, systems can be protected through administrative procedures. But regardless of whether the remediation takes the form of a patch or a workaround, an administrator doesn't need to know how a vulnerability works in order to understand how to protect against it, any more than a person needs to know how to cause a headache in order to take an aspirin.
I love this analogy. It actually works. For example - if I knew that the cause of my headaches was an allergy to certain foods, I could avoid those foods, and not have to take aspirin. If I know how an exploit works, I can prevent it with my own tools - firewall, etc. and not have to worry too much about the dubious patches.
Likewise, if information anarchy is intended to spur users into defending their systems, the worms themselves conclusively show that it fails to do this. Long before the worms were built, vendors had delivered security patches that eliminated the vulnerabilities.
Here he's not talking about e-mail "viruses", but worms. Specifically, worms targetting systems people did not know they had on their system. There was plenty of buzz about Code Red before most people had it, and the patch was applied to thousands of computers as people got worried. I'm not an advocate of having people upgrade through fear, but this still disproves his point.
Now - here's his reason for published exploits to take pressure off of vendors to publish fixes :
Finally, information anarchy threatens to undo much of the progress made in recent years with regard to encouraging vendors to openly address security vulnerabilities. At the end of the day, a vendor's paramount responsibility is to its customers, not to a self-described security community. If openly addressing vulnerabilities inevitably leads to those vulnerabilities being exploited, vendors will have no choice but to find other ways to protect their customers.
Crap...I'm trying to find a problem with the logic, but I can't actually understand the argument - anyone? What other ways are there for vendors to protect their customers than put out fixes?
Anyway, that said, I'd just like to express my condolences to the author. Did you see his title? "Manager of Microsoft Security Response Center" Poor guy is probably blamed for half the bugs in code he's never heard of. Can blame him for venting a little. I just wouldn't have done it as publicly.
Last post!
The people who wrote them have been rightly condemned as criminals.
...and if there hadn't been security vulnerabilities in Windows®, Linux, and Solaris®, none of them could have been written. This is a true statement, but it doesn't bring us any closer to a solution.
...information anarchy. This is the practice of deliberately publishing explicit, step-by-step instructions for exploiting security vulnerabilities, without regard for how the information may be used.
Ok, I'm going to be snide, the author points to the exploitation tools, but one could also argue that windows (don't laff) "security model", closed source apps, IIS are the *initial* tools of exploitation. Lest I forget, Integration, legislation, co-opting, barriers to entry keep other (maybe better, maybe worse) products from hitting the market and (say it with me) promoting competition.
It's high time the security community stopped providing blueprints for building these weapons. And it's high time computer users insisted that the security community live up to its obligation to protect them.
Why? No one believed that certain (ford/chevy?) trucks would blow up like a bomb when hit from the side...what did they do? Yep, they *Proved IT*, by staging a scenario.
And, not to pick nits or be too smarmy, but "we" are trying to protect users. The fact that PHB's, average users don't *listen* after the 3rd, forth, fifth time of being hacked, wormed, virused, or trojaned via outlook, IIS, IE seem to be nicely sidestepped.
Uh, yes it does...by choosing the most secure of the bunch! No platform is perfect, but if you choose the one with the best track record, gee, you get...surprise, surprise...less of a chance of being exploited. Once bitten, twice shy... but, then again, see my above paragraph with users/phb's.
Ok, I'll ignore the buzzword bingo opportunity, and point out that the author does "get it" a little, that the vulnerabilities mentioned had been patched weeks/months ahead of time.
Ok, cool, Correct me if I a wrong, but I recall seeing a recent article that Microsoft said it needs to "Prioritize" its patches, because, heh, it is confusing!!!
The thing to be rememberd in reading this article the dangerous assumption is this:
If an exploit is found and is dangerous "the security community" *needs* these to tear into and discover how to fight whatever threatens the systems in question.
I'd rather have a fulling working exploit in the hands of a "white hat" than a "black hat".
Don't forget, please, that most of the worms propagated as the result of *malicous* intent and were discovered, stopped, slowed by people with *clear/clean* intent.
That fact seem to be missing.
Moose.
If I am right, I am right...but if I am wrong, show me I a wrong.
Have you read the moderator guidelines? Well, have you, PUNK? (and I want a Karma: Gnarly option)
What gains are there to be had by having the source displayed all over the web?
1) The source display should allow any administrator to verify if he is vulnerable, and, after patching, that he is no longer vulnerable.
2) The source code should demonstrate the exact nature of the problem for the coders who wish to fix it. They would otherwise need to write their own exploit to test their fixes.
3) The source code should apply pressure to the software maker. It is akin to being flogged in public. The whole world knows you are vulnerable, and you ought to fix it.
4) The source code of the exploit should make the exploit obvious but not damage the system.
Source code exploits will ALWAYS be published in places where some crackers can get them. The challenge is designing an updating system that allows all users to apply patches in a timely fashion. I think Debian is actually closest on this one.
Microsoft is really going to get nowhere on this one. I've read accounts of people who send exploits to Microsoft in secrecy, and then HAVE to publish the code so that Microsoft is forced to fix the problem. If it doesn't impact Microsoft's marketing, Microsoft doesn't care.
The other issue that relates to this one is secure as possible by default. This principle applies to all Internet usage of computers. Yet Microsoft blatantly violated it in the following: Office Macros, email attachments, NT/Windows 2000 Server config (running IIS by default), Hotmail...
Speaking as an IIS admin, I get really pissed when I can't find sample code for an exploit. I need to be able to test my systems against a newly published exploit. If I don't have a way to do this all I can do is apply the hotfix and hope it works. What if I want to set up some stateful inspection on my firewall just in case, how do I test that? Without sample code I have no way to really know if I am vulnerable or not. IMHO not testing these things would be a pretty irresposible aproach to managing a datacenter.
Except that that was tried. What happened was that the vendors responded with "We can't reproduce that, you must be mistaken, there's no hole in our product.". After a while, the security community came to the conclusion that the only way to get vendors to wake up and actually fix their products was to release enough details that, if there was any question whether the hole existed, the skeptic could recreate the exploit and try it and see for himself. Which leaves the vendor with no way to spin the story, which is what Microsoft's really pissed off about.
but is an exploit REALLY necessary?
It's very useful. For example, you can scan your network for machines running given servers, then launch exploits agains all those that are running, as a double check to find unpatched srervers. Since MS installs servers by default on damn near everything*, without advising the installer, this is the ONLY to be sure your not running unpatched servers. My organization found numerous vulnerable machines this way, even though we thought we had this nailed down.
*(example: Visio 2000 installs MSDE, a form of SQL server, vunerable. CiscoWorks 4.2 (getting old, now) installs IIS vulnerable.)
"that's not encryption - it's a new perl script that I'm working on..." - from some Matrix parody
Real admins will tell you that you shouldn't go throwing patches on production machines until they've been tested, either by you on a redundant machine or by the community at large.
Exploit code and exact details let you rig together protection with a firewall, or turning off an optional service, until you feel that a suitable patch is available.
'An adminstrator doesn't need to understand the problem in order to fix it'
This is pure bullshit. It is *extremely* important to understand how these worms and viruses work in order to respond effectively to such threats.
If I, as a programmer, was writing a web application in C that could potentially be remotely exploited via buffer overflow, such information is *absolutely fucking critical* to me, so that i can write safe code.
M$ seem to suffer from the delusion that they are the only people in the world actually writing computer programs.
This unbelievable arrogance is getting pretty tired, and i imagine that we'll be seeing some pretty big anti-M$ stances being taken by previously devout believers in the near future.
If you can't put up, M$, then for christs sake shut up.
I gots ta ding a ding dang my dang a long ling long
I have about 50 Microsoft NT servers from 3.50 thru Windows 2000 REGISTERED with Microsoft. They have my name, my address, my e-mail address, my telephone number.
Never once did they contact me or send me a CD with security patches on it. Never did they send me an email to go to a website to download a fix.
I was told, when I registered my product, that they would keep me informed. They have failed to do so.
The recent exploits of IIS were from known problems that had previous patches. Many users did not patch their system. They did not know that they had to patch their system. Despite Microsoft knowing who the users of NT IIS were, they did not attempt to contact those users and let them know that patches were available.
Not only that, until recently Microsoft made it very difficult to find security patches. Their website is large and complex, and items change location all the time. In the past five years finding patches for security fixes of NT systems has gone from extremely easy, to nearly impossible, to finally getting organized and easier again.
Why is it, that after the outbreak of Code Red, it took days before information was available from a link on Microsoft's main page? Because it is bad marketing. Instead I have to go deeper to find that information. There isn't even a generic link for security from the main page.
When you do get to their security page, you are told that Microsoft is doing the radical step of giving Security Tool Kits away for FREE!!! Amazing, you bloody well better give it to me for free. It's your buggy code that had the problem in the first place. I'm a registered user, I haven't received a kit yet.
Microsoft is finally starting to take some initiative with this security thing. But, they shouldn't run around pointing fingers at anyone other than themselves
In my most recent finds, not made public yet, there are a number of gross privacy bugs in some pretty major websites ( similar to the hotmail problems, but with banking, news and ecommerce sites ).. Well, besides the difficulty in even finding someone in their organization to tell about the problem, once told they ususally do nothing. So, the question I have is what do I do now? Leave your banking site wide open, or make the exploit public to get something done?
-- these are only opinions and they might not be mine.
That isn't the attitude I'd want someone providing my software to take.
Education is a better safeguard of liberty than a standing army.
Edward Everett (1794 - 1865)
Culp says...
.NET initiative. I suspect this is why Microsoft was so reluctant to repair the security flaws within IIS. Code Red and Nimda exploits APIs that Microsoft intends for their .NET initiative. Disabling these APIs would cripple .NET. Therefore, Microsoft did not fix IIS until they could re-think the design of .NET.
.NET will reinforce his point. Given their track record, I expect .NET to be Microsoft's magnum opus of security deficiency.
.NET is out of the question. I guess Culp feels controlling what the world is allowed to communicate about .NET is easier.
"First, let's state the obvious. All of these worms made use of security flaws in the systems they attacked, and if there hadn't been security vulnerabilities in Windows®, Linux, and Solaris®, none of them could have been written. This is a true statement, but it doesn't bring us any closer to a solution. While the industry can and should deliver more secure products, it's unrealistic to expect that we will ever achieve perfection. All non-trivial software contains bugs, and modern software systems are anything but trivial. Indeed, they are among the most complex things humanity has ever developed. Security vulnerabilities are here to stay."
In the above argument, Culp uses truth to validate fallacy. It's true that no code is perfect. It's false that security will improve by mandating gag orders.
More to the point, Microsoft is especially frustrated with flaws being exposed in their code. Frankly, I believe the hacks associated with Microsoft products differ fundamentally from the flaws discovered in Solaris and Linux. When a Linux exploit is discovered, hackers and maintainers consider it a design flaw. Therefore, exploits are generally fixed pretty fast on Linux -- usually within a few days. The same is true for Solaris.
Apparently however, Microsoft does not consider certain exploits to be design flaws. Sometimes, hackers simply leverage "features" (e.g. undocumented APIs) that Microsoft deliberately designed into their applications and/or systems.
Microsoft applications tend to execute arbitrary code. In other words, Microsoft deliberately empowers IIS, Exchange, Internet Explorer, Outlook and certain Office applications to execute unchecked commands fed over the Internet. Once hackers discover these (badly!) hidden APIs, it is only a matter of time before someone sends you an email which does something nasty to your computer.
Interestingly, despite these obvious security issues, Microsoft wants their programs to execute arbitrary code. Remember the Microsoft Word viruses? Remember the Excel viruses? Heck, email viruses were fiction until Exchange and Outlook...
Microsoft has had years of experience and feedback since the first MS-Word virus. Obviously, they understand the risks of allowing applications to execute arbitrary code. Nevertheless, they continue to build this ability into all their major products.
In fact, arbitrary code execution appears to be one of the core technologies behind Microsoft's
Culp states that vulnerabilities are here to stay. Most likely,
At this late stage, re-designing
Enjoy! Jon