Honeymonkeys Discover Undisclosed Vulnerability
spafbnerf writes "Securityfocus is running an article on Microsoft's honeymonkey project, previously covered on Slashdot. In early July 2005, this project discovered its first exploit for a vulnerability that had not been publicly disclosed, the JView profiler vulnerability which Microsoft announced later that month. "
The researchers determine whether each monkey's system has been compromised by using another ongoing project, the Strider Flight Data Recorder, which detects changes to system files and registries.
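The detection side of that pipeline, as an added example that is not part of the story or of Microsoft's Strider code: hash a baseline of the monkey's file system and (here, a simulated) registry before the browser visits a site, hash again afterwards, and flag anything that changed outside an allowlist of expected browsing noise. The allowlist prefixes, the `WINDOWS/system32` and `Run`-key locations, and the fake "visit" that plants a file and a Run key are all constructed for the demo.

```python
import hashlib
import os
import tempfile

# Constructed allowlists: places a normal browsing session is expected to touch.
BENIGN_FS_PREFIXES = ("Temporary Internet Files/",)
BENIGN_REG_PREFIXES = ("HKCU/Software/Microsoft/Internet Explorer/TypedURLs",)


def snapshot_tree(root):
    """Map each file under root (relative path, '/' separators) to its SHA-256."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            snap[os.path.relpath(path, root).replace(os.sep, "/")] = digest
    return snap


def diff_snapshots(before, after):
    """Added / removed / modified keys between two dict snapshots (files or registry)."""
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(k for k in set(before) & set(after) if before[k] != after[k]),
    }


def suspicious_changes(diff, benign_prefixes):
    """Every changed key that is not explained by the allowlist."""
    changed = diff["added"] + diff["removed"] + diff["modified"]
    return [k for k in changed if not k.startswith(benign_prefixes)]


def verdict(fs_diff, reg_diff):
    """A visit is a compromise if anything unexplained changed on disk or in the registry."""
    fs_hits = suspicious_changes(fs_diff, BENIGN_FS_PREFIXES)
    reg_hits = suspicious_changes(reg_diff, BENIGN_REG_PREFIXES)
    return {"compromised": bool(fs_hits or reg_hits), "fs": fs_hits, "registry": reg_hits}


def simulate_visit(root, registry, malicious):
    """Constructed stand-in for the monkey's browser visit; no real browsing happens.

    A benign visit only fills the cache and TypedURLs. A malicious one also drops
    an executable into system32 and persists it through a Run key, the classic
    drive-by footprint the Flight Data Recorder is meant to catch.
    """
    cache = os.path.join(root, "Temporary Internet Files")
    os.makedirs(cache, exist_ok=True)
    with open(os.path.join(cache, "index.html"), "wb") as fh:
        fh.write(b"<html>cached page</html>")
    registry["HKCU/Software/Microsoft/Internet Explorer/TypedURLs/url1"] = "http://example.test/"
    if malicious:
        sys32 = os.path.join(root, "WINDOWS", "system32")
        with open(os.path.join(sys32, "svchosts.exe"), "wb") as fh:
            fh.write(b"MZ" + b"\x00" * 64)
        registry["HKLM/Software/Microsoft/Windows/CurrentVersion/Run/svchosts"] = (
            r"C:\WINDOWS\system32\svchosts.exe"
        )


def run_monkey(malicious):
    """Baseline, visit, re-snapshot, diff: one monkey iteration in a throwaway tree."""
    with tempfile.TemporaryDirectory() as root:
        sys32 = os.path.join(root, "WINDOWS", "system32")
        os.makedirs(sys32)
        with open(os.path.join(sys32, "kernel32.dll"), "wb") as fh:
            fh.write(b"MZ baseline")
        # The registry is a plain dict here; a real recorder would walk the hives.
        registry = {"HKLM/Software/Microsoft/Windows/CurrentVersion/Run/ctfmon": "ctfmon.exe"}

        fs_before, reg_before = snapshot_tree(root), dict(registry)
        simulate_visit(root, registry, malicious)
        fs_after, reg_after = snapshot_tree(root), dict(registry)

        return verdict(diff_snapshots(fs_before, fs_after), diff_snapshots(reg_before, reg_after))


if __name__ == "__main__":
    print(run_monkey(malicious=False))
    print(run_monkey(malicious=True))
```

The allowlist is the part that needs care in practice: too narrow and every cache write is an alert, too wide and a dropper that hides in the cache directory goes unnoticed. Hashing rather than comparing timestamps is what catches an in-place overwrite of an existing system file.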
Why not build a virtual machine into the browser itself?
Sort of a special purpose virtual machine that has
just enough of an OS to run the browser.
If Microsoft refuses to remove IE from Windows, at least IE could be isolated from the rest of the operating system.
So what they did was perhaps not in your best interest.
Is it a good thing that this vulnerability was found? Yup, positively!
But as the HM project detected this vulnerability because it was being actively exploited by the bad guys, *and* this vuln. was previously unknown, this is in fact a zero-day exploit.
These are bad things in anybody's OS.
or are Microsoft's buzzwords getting way too 'weird'?
Obviously Microsoft copied the idea from the aptly named Honeypot.
Honeypot makes sense.
Why ever would anybody in their right mind come up with something as lame as 'Honeymonkey'?
Is it because Microsoft is 'getting old'? It's like the old guy saying "In my day, we used to say 'Whizzo!' when something was really neat", and the teenager laughs, and comments that it doesn't sound half as good as 'cool'.
Linux/Open Source/Anti Microsoft News
It strikes me as odd that this important security patch arrived *after* the Genuine Advantage update. After the Genuine Advantage update all our Windows computers stopped making automatic updates, and therefore the Genuine Advantage machines were not patched as quickly as possible. Manual interaction was required to accept the 'Genuine Advantage' update. I wonder how many users out there stopped watching their automatic update function to check that it works correctly. What is the advantage of having automatic updates if you have to monitor them? What advantage is meant in 'Genuine Advantage'? And why do they now publish this information, when many people out there will not have applied the patch simply because they believe they still have automatic updates running?
Now if they'd go one step farther and compile a database of sites that "attacked" and allowed access to it for use as a blacklist. We've got spiders walking all over the net compiling all kinds of databases, I'm surprised nobody's done one like that before.
I was referring to the concept of testing such applications BEFORE releasing them to the public. How many years have there been updates for Windows? If I remember correctly Windows 2000 went through 5 service packs, totalling hundreds of patches. (I should know, I had to download them constantly.)
As part of the software development lifecycle, there is a part normally called something like Testing/Debugging. I'm suggesting that maybe they should spend some more time in that stage, rather than using the majority of their paying users as beta testers. Most other companies release beta products for free, then charge for the actual "finished" product. Microsoft releases these applications/operating systems to the public (for a cost) and has them beta test.
Flamebait the original comment all you want, but the point still stands. Microsoft has repeatedly charged for a "new product" (new OS version) when it seems that if they did it right for once, they wouldn't need to come up with another version every 2-3 years, charging everyone each time. (And don't even get me started on the subject of not allowing an OS "upgrade" from a 'Full Version' CD. I ran into this with Windows 98SE and ended up having to scrub my installation because my more expensive Full Version CD wouldn't upgrade my old Windows version.)
And they said zombies weren't real!
If you read the SecurityFocus article you'll notice that MS is claiming they found the first 0-day exploit for this vulnerability *in the wild*. You are absolutely correct that a proof of vuln was published by SEC-Consult. However, no known exploit yet existed to take advantage of the vuln. And the SEC-Consulting page does note that MS was finally able to reproduce the problem.
You and I both know that it's a matter of semantics and the MS PR machine is in full effect here in the way this announcement was worded. However, that doesn't negate the interesting aspects of the honeymonkey approach. By actively trolling the net for "in the wild" exploits and vulnerabilities they're increasing the chances of finding and (hopefully) addressing security issues in a proactive manner.
Despite the fact that MS is indirectly responsible for my paycheck from my day job, I've never viewed them as a particularly security-focused company and I'll be the first to admit their track record blows goats. But the honeymonkey project is a step in the right direction and could be a useful approach for other OS's and security-minded orgs [1]. It's a neat concept and I'm frankly surprised it's MS doing it.
[1] I'm currently the moderator for SecurityFocus' penetration testing mail list. I don't get to see as much discussion of these types of things as say, the vuln-dev list, but it would be great discussion material to see if a similar approach could be utilized for pen-testing.
Do not taunt Happy-Fun Ball
I do not deny that the Honeymonkey project is useful, and will be in the future (although the figures listed for the number of sites with malware seem low).
Because there was a lot of contrary reporting and postings which appeared around the start of July, it is difficult to sort the wheat from the chaff in order to obtain accurate information, but I do remember reading that proof of concept code definitely existed, and was published, at the start of July, with one example being reported on the ISC Diary. I also recall a post on a mailing list that suggested that exploits were already circulating, but I cannot track down a citation for that. I really would not call it a 0-day (which is probably semantics), but at least their project picked it up within two weeks of the PoC being published.
To Microsoft's credit, they do publicly acknowledge SEC-Consult as being responsible for discovery of the initial flaws, on the patch information page.
Sticking with MS05-038, the image handling errors which were fixed are another example where Microsoft ignored public disclosure, especially when the disclosure sparked a level of interest on the Full-Disclosure mailing list.
With respect to pen-testing, my approach has always been to obtain a copy of the target software, and to test locally, before heading out for the client systems. Although not automated like the Honeymonkeys, it achieves a similar purpose. I also think that the monkey component of the honeymonkey might refer to the crazed monkey(?) testing tool in the original Macs, which performed random input (mouse movement, clicks, keys (I think)) as part of testing for unexpected application behaviour.
InfoSec that matters, when it counts.