Controversy Surrounds Huge IE Hole

Suchetha wrote in with a Wired News bit talking about security hole in IE that allows malicious web pages to reformat a hard drive. The Wired talks more about bugtrack's handling of the whole thing, and how it essentially posted working code for the exploit. Was it irresponsible or not?

Proposition, new topic: Windows Bugs

[pheph]

Wouldn't it be great to seperate Microsoft Bugs from, well, the rest of them? I'm sure some people, especially those on slashdot would choose to see the "Microsoft Bugs" topic on the front page based on if they:

a.) Run Microsoft exclusively (only want to see Microsoft bugs)
b.) Run Microsoft exclusively (don't want to see Microsoft bugs)
c.) Want to find any reason to bash Microsoft... (only want to see Microsoft bugs
d.) Don't run Microsoft at all (don't care about Microsoft bugs)

Bugtraq, not bugtrack, and other squibbling.

[signine]

BugTraq is a mailing list dedicated to full disclosure. Before I get modded down for being redundant, let me explain how/why this is relevant. In a list dedicated to full disclosure, it becomes up to the person who drafts the advisory to be responsible for it's content. Many companies believe that vendor notification before releases is standard procedure, and yet there are others (ISS) who seem to believe that having one non-vulnerable version (bind 9) means that they can release an advisory that affects other versions that currently have no patches (bind 8, 4).

On the other hand, there are "independents" such as GOBBLES and other security goons who believe that posting the advisory with full exploit code the second they discover it is a good idea. I'm not going to disagree with that, because without such wake-up calls, many people would never update their systems, remaining vulnerable for days/months/years. It's pretty ridiculous how many people do.

It's not really up to BugTraq to decide which is the better course of action, it's up to the analysts and the community. If the community chooses to ostracize a member for using such tactics, they can do so. I'm sure that a commercial security vendor would encounter exactly that for releasing an advisory with exploit code and no vendor notification.

Though, in all fairness, most people have known about this IE exploit for months, and I can be reasonably sure that among "most people" "Microsoft" is included. Microsoft doesn't exactly have the worlds best track record working with people to resolve security issues, or even releasing timely patches.

In short, BugTraq good, security good, black hats bad.

Re:Of course it was irresponsible

[timothy_m_smith]

What if we changed the scenario a little bit. Imagine that 50% of the world is using Mozilla on Linux (or even that there is a large body of non-technical using Open Source Software). Say that a bug was revealed that allowed a website to maliciously delete data from a user's Linux/Mozilla installation. In the Open Source world, this bug would probably be patched very quickly, probably more quickly than MS would. However, keep in mind that you average non-technical user is not going to be checking for frequent patches. When someone (who should be more responsible) releases code to exploit that hole, you have potential average users who may be losing very valuable data. Are these users getting what they deserve? The point is that no one should be helping the script kiddies screw up other people's machines. If you believe in that then you're not a productive part of the technology community.

Re:Of course it was irresponsible

[JabberWokky]

keep in mind that you average non-technical user is not going to be checking for frequent patches.

Since it's free and extraordinarily easy, why not? Most distros have single click or single commandline (often both) commands to update, with all security upgrades occuring, and offering new features.

And it's that second part that makes me think people *will* be upgrading. Unlike many commercial software packages (and all of Microsoft's software), where you have to pay for the next version with the next features, it's free and automatic to upgrade and get more features. Your CD burning software suddenly supports VCDs, your KWord suddenly has mailmerge wizards, and... oh, that hole in SSH was fixed as well. People don't care about the latter, but they care about the features, and that pushes the bug fixes and security fixes along.

--
Evan

Re:Of course it was irresponsible

[bergeron76]

But this begs the question: Can MSFT be held responsible (in spite of the EULA) in a situation like this where a user "removed IE" (remember the US DOJ ruling, they have to provide the option) and didn't use Outlook or Outlook express, if they were to get infected? I only use Mozilla for email and browsing, but it occurred to me that IE is so "entrenched" in the core Windows code that even if it's its removed do they remove the dangerous parts or just the UI? Mozilla is my default browser, yet when I click on a link from Y! messenger, it spawns IE.

Basically, my question is this: Can Microsoft be held accountable for negligence if I removed IE and still got wiped out by this thing because they didn't remove all of IE, as per the Court's ruling (on making it an optional component)?

Wouldn't negligence in this regard supercede the EULA and make MSFT liable?

Any legal beagles out there have any insight? (IANAL)