Honeymonkeys Discover Undisclosed Vulnerability

spafbnerf writes "Securityfocus is running an article on Microsoft's honeymonkey project, previously covered on Slashdot. In early July 2005, this project discovered its first exploit for a vulnerability that had not been publicly disclosed, the JView profiler vulnerability which Microsoft announced later that month. "

It just occurred to me.

[mikeophile]

The researchers determine whether each monkey's system has been compromised by using another ongoing project, the Strider Flight Data Recorder, which detects changes to system files and registries.

Why not build a virtual machine into the browser itself?

Sort of a special purpose virtual machine that has
just enough of an OS to run the browser.

If Microsoft refuses to remove IE from Windows, at least IE could be isolated from the rest of the operating system.

Coincidence?

[Jump]

It strikes me odd, that this important security patch arrived *after* the genuine advantage update. After the genuine advantage update all our windows computers stopped making automatic updates and therefore the genuine advantage was not patched as quickly as possible. Manual interaction was required to accept the 'genuine advantage' update. I wonder how many users out there stopped watching their automatic update function to work correctly. What is the advantage of having automatic updates if you have to monitor them? What is advantage is meant in 'genuine advantage'? And why do they now publish this information, when many people out there will not have applied the patch simply because they believe they still have automatic updates running?

Re:This is a good thing

[shotfeel]

Now if they'd go one step farther and compile a database of sites that "attacked" and allowed access to it for use as a blacklist. We've got spiders walking all over the net compiling all kinds of databases, I'm surprised nobody's done one like that before.

Re:More Misdirection from the Masters

[Amoeba]

Sorry, guys, you can't claim something that has already been published openly, and ignored when notified.

If you read the SecurityFocus article you'll notice that MS is claiming they found the first 0-day exploit for this vulnerability *in the wild*. You are absolutely correct that a proof of vuln was published by SEC-Consult. However, no known exploit yet existed to take advantage of the vuln. And the SEC-Consulting page does note that MS was finally able to reproduce the problem.

You and I both know that it's a matter of semantics and the MS PR machine is in full effect here in the way this announcement was worded. However, that doesn't negate the interesting aspects of the honeymonkey approach. By actively trolling the net for "in the wild" exploits and vulnerabilities they're increasing the chances of finding and (hopefully) addressing security issues in a proactive manner.

Despite the fact that MS is indirectly responsible for my paycheck from my day job, I've never viewed them as a particularly security-focused company and I'll be the first to admit their track record blows goats. But the honeymonkey project is a step in the right direction and could be a useful approach for other OS's and security-minded orgs [1]. It's a neat concept and I'm frankly surprised it's MS doing it.

[1] I'm currently the moderator for SecurityFocus' penetration testing mail list. I don't get to see as much discussion of these types of things as say, the vuln-dev list, but it would be great discussion material to see if a similar approach could be utilized for pen-testing.