Slashdot Mirror
Honeymonkeys Discover Undisclosed Vulnerability
spafbnerf writes "Securityfocus is running an article on Microsoft's honeymonkey project, previously covered on Slashdot. In early July 2005, this project discovered its first exploit for a vulnerability that had not been publicly disclosed, the JView profiler vulnerability which Microsoft announced later that month. "
I have no idea what Honeymonkey is, what Windows is, or even who Microsoft are.
BUT....Damn "Honeymonkey" is such a cool codename. I'm going to name my firstborn after it!
Aha, the new MS OS development team has been revealed: an infinite number of honeymonkeys at an infinite number of typewriters...
Explains a lot...
Microsoft has identified 752 specific addresses owned by 287 Web sites that contain programs able to install themselves on a completely unpatched Windows XP system.
I don't think I have a stronger word than DUH!
You mean like Java ?
MS has already killed that idea because it commoditized the desktop and broke their API lock-in.
TCAP-Abort
Breaking news: Microsoft has found a security hole all by itself :P
So Microsoft has a room full of computers that do nothing but automatically surf the "questionable" parts of the web? Anybody wanna guess how many hours a day that room is packed with employees just sitting in front of a computer "doing nothing"?
I can't believe that people are lapping this up.
The so-called vulnerability that Microsoft claim to have found a 0-day for in the second week of July was actually discovered by SEC-Consult, and first published on June 29, having discovered it, and notified Microsoft on June 17. There was effectively nil response from Microsoft (they claimed to have not been able to reproduce the issue...).
While many people believe that the sample object used, the javaprxy.dll, was the flaw itself, the first paragraph of the advisory (the background) indicates that it is a COM level issue, and they identified at least 20 vulnerable objects on a standard XP installation.
It was this issue that Microsoft ignored until the recent Black Tuesday updates, and then claimed ownership of via the honey monkey project.
Sorry, guys, you can't claim something that has already been published openly, and ignored when notified.
InfoSec that matters, when it counts.
... are reader responses to an article like this. Some people just refuse to see the trees I guess.
If an indepedent, third party security company were performing these web site audits, the company wouldn't be admonished, but readers would still attack the "unfinished product" which was Windows XP unpatched. However, how can you fault a company that is trying to correct tens of years of security ignorance with new pro-active efforts?
MSFT is basically performing external penetration testing of their software while security teams are writing vulnerability scanners and focusing on individual aspects of an application's design. In fact, one could argue that this is one of the more effective ways of performing security testing since exploits in the wild can exist in the wild for months before any security company diagnoses the vulnerability and this method will identify areas of the Internet that seem to disseminate these exploits between web sites.
If you want to comment on the lack of security focus in the past, definitely. Are they playing a major game of catch up? Definitely. Should IE be so tightly meshed with the OS? Of course not. But can some of you just grow up and get past the MSFT bias and stop doing childish crap like making fun of the "honeymonkey" term or accusing workers of just sitting in the room not doing anything?
Hagrin.com