Slashdot Mirror

← Back to Stories (view on slashdot.org)

Honeymonkeys Discover Undisclosed Vulnerability

Posted by CmdrTaco on from the bug-hunting-is-dangerous-work dept.

spafbnerf writes "Securityfocus is running an article on Microsoft's honeymonkey project, previously covered on Slashdot. In early July 2005, this project discovered its first exploit for a vulnerability that had not been publicly disclosed, the JView profiler vulnerability which Microsoft announced later that month. "

10 of 140 comments (clear)

  1. This is a good thing by nuclearpenguins · · Score: 2, Insightful

    Don't you want people to find and fix the vulnerabilities in the OS before it goes public? Or will this just turn into another Slashdot anti-MS circle jerk?

    --
    Anonymous Coward: "This is slashdot. Accuracy is second class citizen here, unlike King Bias."
  2. Re:It just occurred to me. by johnjaydk · · Score: 5, Insightful
    Why not build a virtual machine into the browser itself? Sort of a special purpose virtual machine that has just enough of an OS to run the browser.

    You mean like Java ?

    MS has already killed that idea because it commoditized the desktop and broke their API lock-in.

    --
    TCAP-Abort
  3. Oh for pete's sake by Hyksos · · Score: 4, Insightful

    Breaking news: Microsoft has found a security hole all by itself :P

  4. Re:Is it me... by shotfeel · · Score: 3, Insightful

    If you read TFA, they explain it. Yes, they based the name on honeypot, but a honeypot just sits there waiting to be attacked.

    A honeymonkey goes swinging around the net looking for someone to attack it.

    Now if MS would compile a database of offending sites and allow me to use it as a blacklist for my browser, that'd be even better. Unfortunately they'd probably only make it available for IE.

  5. Security Risk by CSHARP123 · · Score: 3, Insightful

    This is good. This should have been done by MS a long time ago and this should be an ongoing process. Everyone knows no OS is bullet proof on security terms. Better late than never.

  6. Re:Another one? by LO0G · · Score: 2, Insightful

    Ummm...

    So let's say that Microsoft tests Windows Vista in this way.

    What information do they learn? Remember - the bad guys don't have access to Windows Vista, so they can't know about exploits in the new code in Windows Vista.

    It's a chicken and egg problem - the bad guys can't know about 0day Windows Vista exploits because they don't have access to Windows Vista to exploit it.

    If they find exploits in Windows Vista, it's because they're also in XP. If they're in XP, they can simply test with XP.

    A honeymonkey does absolutely no good BEFORE the OS is released.

  7. What Makes Reading /. Hard Some Times ... by hagrin · · Score: 5, Insightful

    ... are reader responses to an article like this. Some people just refuse to see the trees I guess.

    If an indepedent, third party security company were performing these web site audits, the company wouldn't be admonished, but readers would still attack the "unfinished product" which was Windows XP unpatched. However, how can you fault a company that is trying to correct tens of years of security ignorance with new pro-active efforts?

    MSFT is basically performing external penetration testing of their software while security teams are writing vulnerability scanners and focusing on individual aspects of an application's design. In fact, one could argue that this is one of the more effective ways of performing security testing since exploits in the wild can exist in the wild for months before any security company diagnoses the vulnerability and this method will identify areas of the Internet that seem to disseminate these exploits between web sites.

    If you want to comment on the lack of security focus in the past, definitely. Are they playing a major game of catch up? Definitely. Should IE be so tightly meshed with the OS? Of course not. But can some of you just grow up and get past the MSFT bias and stop doing childish crap like making fun of the "honeymonkey" term or accusing workers of just sitting in the room not doing anything?

    --
    Hagrin.com
  8. zero day exploit?! by jurv!s · · Score: 3, Insightful
    Microsoft's "monkeys" find first zero-day exploit

    How can you call it a zero-day exploit with a straight face when you found it in the wild??

    --
    sigs are for fools and trolls. no signature is *always* appropriate. you should turn them off in your preferences.
  9. Honeymonkey by amcdiarmid · · Score: 2, Insightful

    I assume that they are combining web-monkey with Honeypot. (not that they are somking anything.)

    Seriously, MS has set up a bunch of machines that actively surf the web trolling for vulnerabilities. I guess it's the "If we can't code securely, at least we can find the holes to plug." theory. Considering IE, it's not a bad idea.

    It would be nice if they shared the exploits with everyone, at least once a patch exists, though.

    OK, good job Microsoft: Now if you could implement a "least privileges" model by default....

  10. Wha? by identity0 · · Score: 2, Insightful

    In his book "In the beginning was the command line", Neal Stephenson wrote that some newspaper articles would be indecipherable to someone who had lived in a cave for the past 50 years, because it talks about "software", "operating systems", and "windows vs. apples".

    Now I am trying to figure out what someone who has lived in a cave since the Eisenhower era would make of this headline, "Honeymonkeys Discover Undisclosed Vulnerability".

    "Honey... monkey? Vulnerability? Undisclosed? uuuuh?" *HEAD EXPLODES*

    (Full text of In the Beginning... is on Stephenson's site)