Daily Exploit Releases Irk Both Vendors and Crooks
conJunk writes "Security Focus has an article about HD Moore's Exploit-Every-Day-in-July endeavor raising the hackles of both browser vendors and criminals. He started the project because he felt that vendors were not taking his analysis seriously enough, but he appears to be the only one enjoying it. 'Black Hats' are having their exploits exposed, and Microsoft (who bears responsibility for the majority of the browser holes) can't keep up with the pace he's setting." From the article: "The software giant indirectly criticized the release of vulnerabilities in a statement to SecurityFocus, underscoring the importance of getting customers updated before they are exposed to threats from malicious attackers. 'Microsoft continues to encourage responsible disclosure of vulnerabilities,' the software giant said in a statement sent to SecurityFocus. 'We believe the commonly accepted practice of reporting vulnerabilities directly to a vendor serves everyone's best interests.'"
For those of you who like to read articles starting with Page 1.
Athletic Scholarships to universities make as much sense as academic scholarships to sports teams.
A direct quote from the IE team over at Microsoft: "Don't tell anyone about all our holes! Then we won't have to fix them."
Yep. Too bad each and every one of these vulnerabilities has already long since been reported to Microsoft... which is hinted at by the correction at the bottom of the article:
Quoting the Microsoft "position" seems like a very odd choice for a story submission, without also giving the information that every one of these vulnerabilities has already been reported. Microsoft is simply sitting on their thumbs and not fixing them as usual; also as usual, they don't want the vulnerabilities published because this is made obvious.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
Think about it; if a PC gets exposed to viruses or malware, the average Joe will either A: buy a new version of Norton, or just not realise it until the PC fails to boot in under 10 minutes, at which point they just buy a new one, which means by default another license for Windows that isn't really needed, but Redmond gets the $$$ nonetheless...
"We believe the commonly accepted practice of reporting vulnerabilities directly to a vendor serves everyone's best interests."
From the looks of it, most if not all of those were reported months before they were published.
Give a vendor 90 days. If they fix it, never, ever release the details of how to exploit the vulnerability, as a reward and to help users who are slow to update. But if they willfully choose not to fix it, release the exploit to educate their userbase, and to help them to reevaluate their dangerous security policy.
Will he release vulnerabilities from several vendors?
Or do some vendors not have enough to mention?
Or do other vendors actually fix them in a timely fashion?
I feel that there's not enough being done to curb gun violence here in Oakland Ca. So I'm going to shoot one person a day, every day, for the month of July. Any reports that I'm enjoying it are exaggerations.
"Have you ever thought about just turning off the TV, sitting down with your kids, and hitting them?"
Here's the link to the list of Moore's browser exploits, the ones that the article is talking about.
I made a PHP/MySQL library that prevents SQL injection & makes coding easier!
...you must be doing something right.
Best practices in my not-so-humble-opinion:
1) warn the vendor ASAP
2) warn the security community within a week, immediately if the vendor has no objections
3) as soon as there is an exploit that represents a real threat:
a) give all details to the security community
b) give a workaround, like "disable such and such service," to the general public.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
Hopefully Microsoft switched to Patch Tuesday once a month, otherwise
it would have become a "Reboot-Every-Day-in-July" nightmare.
--
So, shedding light on these security problems "irks" some vendors. How about the sysadmins and users who are stuck wasting their time patching problems that should have been fixed months ago, or before release? What about people who have had data compromised or destroyed by exploits brought to the public eye in this report?
While I realize that many of these bugs are not critical security issues, my hat is off to Moore for having the rocks to continue his effort in the face of "irked" vendors and hax0rs. Producing better software is far more important.
So, is the proper way to move people from Windows to Linux to destroy the ability to use Windows as a computing platform?
There's no reason that the bad guys cannot find the same flaws he is finding and exploit them.
Unless the bad guys do something massively stupid, how would the researcher know that the bad guys were exploiting it?
Instead, I'd prefer a 90 day countdown. This provides the incentive for the companies to patch their products.
Otherwise, an exploit can exist for years without anyone but the bad guys knowing it.
I used to be a Linux fan. Never really stopped, but life didn't let me pursue it for a while. Now I'm admin of a Linux-based phone switch (eOn's equeue) and these alerts suddenly concern me. Fact is, I don't even have root. It's menu-based; you can get a shell but su doesn't work. The eOn techs are the ones responsible for root tasks, and I'm not sure they're going to handle this promptly.
In addition, it's making me have some slight apprehension regarding my plan to put a couple of Linux machines in the systems room at work. It'd be a bit embarrassing if the new guy's machines got owned.
We had to take the time to patch XP, test those, then move them over to Vista, test those...
Vista is now scheduled to be released to OEMs in the second quarter. No, we won't say what year...
If you're pissing off everybody you're probably doing something right.
Go to vendor, vendor gets a court order against you so you can't say anything, then doesn't fix the hole.
Or, vendors sue you for trying to 'extort' them.
no, these large companies have made their beds, now they can sleep in them.
Tell everyone you can loud and clear about any exploit.
The Dunning-Kruger effect explains most posts on
http://browserfun.blogspot.com/
Clearly "in everyone's best interest" means "in Microsoft's interest." See, if 90% of the vulnerabilities found are part of Microsoft products, and they don't have time to patch them before they get exploited, then too many people will get burned for using the insecure software with the vulnerabilities. This in turn will pull those same users to the places that they find less threatening to their well being.
The only way I can see something like public disclosure helping Microsoft would be to find vulnerabilities in the competition and disclose THEM publicly, all in order to discredit said competition. The hard part with that way of doing things involves the fact that the competition will probably have the code fixed within hours or days (without creating more vulnerabilities) compared to Microsoft's own lengthy patch procedure.
Headline says: Daily Exploit Releases Irk Both Vendors and Crooks
Considering that Microsoft is the only Vendor complaining, and considering they've had months to fix all of these and didn't, the headline should be:
Daily Exploit Releases Irk Crooks
Viper is the preferred editor of the Emacs operating system.
Reading http://browserfun.blogspot.com/, it looks like he submitted these on March 6. He is publicly reporting them in July. That's three months.
Microsoft has had 3 months' notification that they need to fix a list of bugs which are findable with publicly available tools, and some of which are being actively exploited by the blackhat community.
Without this publicity, the blackhat community would continue exploiting machines indefinitely. With it there is at least a fighting chance that Microsoft will fix their bugs and force the blackhat community to look for some new bugs and write new tools. I have a hard time thinking of this public disclosure as anything but beneficial.
As for the open source bugs, there is no way to report bugs to those projects without making them public. However their development is fast enough, and they are small enough targets, that I don't see these releases as being a problem for them.
Nothing beats security through obscurity!
Entropy just isn't what it used to be.
Call me nuts, but Microsoft isn't going to be intimidated by one guy, no matter who he is. If MS even notices this guy, they'll just send their lawyers after him, and he'll regret being such a smart ass reeeel fast.
I would rather know that my [insert product here] has problems than not, regardless of whether the manufacturer is ready, willing and/or able to deal with it. It gives me the option to deal with it as well. Keeping me ignorant is not keeping me safe. Manufacturing has its problems no matter what the field, and bad things are bound to happen, so blame is irrelevant to me. The issue is whether the product I am using is safe for my particular use. The manufacturer does not know the use I've put their product to (am I playing WoW or running an air traffic control system?) so they are in no way informed enough to make the decision as to whether it is safe for me to use or not. It is my decision in the end and I appreciate having enough information to make that decision. Keep the exploits in the open. If the manufacturer does not have enough brain cells to fix it, perhaps I have enough to determine whether to continue to use it or not.
but he appears to be the only one enjoying it
Add at least me in there as well.
Blackhats have been doing this and other work like it for years. The current state of security is defined better by ignorance than by safety. Patching is a workaround, not a solution. To use an analogy: Patching means we built more hospitals in response to car crashes, instead of inventing air bags.
I'll enjoy the show. It's a very good demonstration that "oh, we'll fix whatever comes along as soon as we learn about it" is not a viable method in security. It's making closing the barn door after the horse has left a standard business procedure. I've been waiting for just such a "one exploit every day" event for a long time now, and I'll enjoy it a lot. If anything, I hope they can keep it up for more than one month. After this, everyone hopefully realizes that patching isn't enough and you can't fix up the plane after takeoff, in mid-flight.
Windows is the worst offender, by far. But as Hughes said at HAL2001: "My spaceship will surely not be running Linux." We're still very far away from reliable and secure software, and these two aspects are closer together than most people realize.
Assorted stuff I do sometimes: Lemuria.org
Even the Firefox exploit(s?) don't work.
I'm also a pen-tester and Metasploit saves an awful lot of arguing with idiots. "you say there's an obscure heap overflow in our domain controller, but why should we care?" Metasploit's point-and-exploit UI makes even the most irritatingly cretinous manager shut the fuck up.
Thanks, H D!
Microsoft is in a tough position. The Windows line has matured to the point that it does most everything people need it to do. Heck, on an article posted just a little while ago here, people are jumping on MS for not supporting Win98 any more...which came out how long ago???
The thing is, Windows 98 still does just about everything the average joe needs it to do, after all these years. What makes people upgrade is getting a new computer that comes with a new operating system and/or trying to get better security.
Now, if Microsoft actually put out a stable and secure operating system, how much money would it cost them from the people who decide to stick with what they have because it does everything they need it to do???
And the real kicker is, now that they have improved the security of their software, at least a little since the Win98 days, now we are looking at expiring licenses, forced upgrades...and DRM. Why? Because when the OS is mature and nobody is upgrading, that is where the money will be.
Transporter_ii
Doctors destroy health, lawyers destroy justice, universities destroy knowledge, religion destroys spirituality
"We believe the commonly accepted practice of reporting vulnerabilities directly to a vendor serves everyone's best interests."
Microsoft knows exactly what everyone's best interest is, right?
No...in this case Microsoft only knows what is in their own best interest.
He should be posting at www.hackaday.com, they haven't had luck posting every day.
Software risk is not determined by the amount of vulnerabilities found in a product in the past, but how the vendor deals with the vulnerabilities and how the vendor moves forward with being proactive about vulnerabilities in the future, such as developer education, code reviews, etc.
Microsoft 'should' also be keeping proper dialog with people that report these exploits, but that does not give one individual the 'button' to nuke MS when they don't jump on a fix as fast as the person wants. He is only screwing the consumers, not MS, other than giving them bad press.
Huh? It sure does. He found the vulnerability, it's his to disclose. (Unless of course Congress has made that illegal this week...)
I think the software vendors are forgetting something: giving them an advance warning of the pending release of a vulnerability is a professional courtesy.
If they don't do anything, particularly if they don't ask politely that the release of the vulnerability be delayed, then they really have no business bitching when they see it over their coffee while reading the Wall Street Journal some morning.
I think reporting vulnerabilities to vendors is the right thing to do, but if the vendors piss all over people who are trying to do them a favor, then the hell with them. It's unfortunate that their customers end up getting hurt because of their lack of any sort of humility or willingness to communicate, but that's what you get when you do business with people like that.
If I was advising Microsoft, or any other large vendor -- or if I was a major customer of theirs, large enough that I could give input on their internal policy -- I'd tell them that every time a serious vulnerability was reported, they should assign an analyst to it personally; not only to verify the possible implications of the threat, but also to act as a one-to-one point of contact with the discoverer, to build a relationship with them and hopefully get them to agree to hold off on disclosure until the problem can be fixed. (I'd also expect them to throw wads of cash at anyone with a possible 0-day, and troll the black-hat IRC channels just like the mafia does, buying them up.)
It's ridiculous to expect people who are inherently doing the vendors and their customers a favor to simply sit on their hands when there's no active dialogue between them and the vendor on what progress is being made -- particularly when being the first to report a vulnerability can be a career-making move for some people.
"Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
Why isn't there a SUPERPLUSGOOD for clean, crisp comments like this one vadim_t posted? That pair of examples could summarize the best of all the best comments on this thread.
But, yeh, if it IS provable that the guy indeed notified ms, then, with their EIGHT BILLION or more per year in R&D or whatEVER the hell it is they throw around that money on, they OUGHT to be forced to keep pace. If Open Source can do it with pennies and sweat, then ms should NOT be allowed to let its customers be shafted.
Letting ms take its sweet time to issue fixes and patches is like watching a stream of front-end shovel-equipped highway cleaner trucks whiz by a set of 18-wheeler wheels and tires on the road with the lugs FACING UP. (I happened to run one over and because my U-Haul was overweight, the lugs hit the truck's transmission oil drain pan. Fortunately for me said the U-Haul guys, as had I NOT hit that wheel in the Sacto area and IF I tried to wend my way up the mountains going into Oregon, I'd have lost power on the incline and the gas-powered truck would likely have sputtered and rolled backwards with my car in tow, spilling all my goods, clogging up the lanes and would likely have gotten me billed for a whole truck lost as well as the clean up for snarling traffic for dozens if not over 100 miles. SO, in MY analogy, losing $1400 for repair and getting a DIESEL truck in exchange saved my ass BIG time. YOUR MILEAGE may vary with my analogy...)
Previously: "Linux... Toward the Sunrise..." Now: "Linux... Toward the-- No, now, part of Every Sunrise"
MS's Timeline is a MOOT POINT when the blackhats already have these!!
The ONLY thing that allowing MS to suppress general knowledge does is keep consumers from realizing just how bad the problems with their software really are.
Do you think that MS would accept responsibility for the losses caused by a vuln. that they knew about but hadn't fixed yet?
We all know they WON'T.
I'd rather that this sort of news scare people away from IE & OE; that will minimize the damage (to those that switch) no matter what MS thinks is an acceptable timeline.
...it seems like a Win-Win situation for the consumer... it must be wrong.
nor do I want to have to trust that Microsoft employees won't leak the information to malevolent third parties.
I applaud this patriot. He's identifying breaches in our national security infrastructure which are being exploited by malevolent international organizations. This is a demonstrably greater threat to our national security (recent State Department break-ins) than our porous southern border or our domestic phone call traffic.
Microsoft's foot-dragging on repairing these weaknesses is endangering our national security. Imagine if Congress wasn't having to approve hundreds of BILLIONS of dollars each year to fight a physical war in a country that hasn't attacked the United States. Just a small fraction of that money could be directed to develop a secure operating system that would be deployed to all US government offices. I mention the war budget because it dwarfs the financial holdings of even Microsoft, which suggests it would be feasible to replace Microsoft with a government-produced secure OS. Unfortunately, the development would probably still be offshored, which would result in all kinds of quality control issues and we'd still end up with something as insecure as Windows.
Seth
$5 / month hosted VPS on linux = awesome!
While reading the posts I took a look at that blog he has going.
If you look on the right, at the bottom, there is a header called "Archives." Under this header there is only one entry: July 2006.
Mere speculation, but perhaps July isn't all he's packing.
I use Firefox and SessionSaver. On the very rare occasion it does crash, I lose nothing.
I haven't used IE in over a year except in IE-tab under Firefox, and Opera's layout and former ad bundling put me off.
I've gotten spyware on machines using IE after a fresh install, just using IE to get drivers and updates (and Firefox).
I've never had an infection due to a Firefox flaw or failure. Though I also use SpywareBlaster, SpyBot S&D, and Antivir. I assume these help.
I never use IE or Outlook and I've been years without any malware.
Tachyon
So often we hear about worms that attack the net via vulnerabilities that have been around for months, and everyone screams at the vendor for being slow to patch.
I've seen this suggested before and it's a simple idea. Give them three weeks. Send it to the bat-phone or whatever the vendor has. Three weeks later, post it somewhere nice and public - a forum for the discussion of existing unpatched vulnerabilities. Post it regardless of whether or not a patch is available.
If the vendors cry, tell them if they patched in a reasonably fast timeframe this would be a non-issue.
I don't see the problem with this. They are businesses, they react only to money. If taking 2 mos avg to release a patch starts costing them money due to bad press and pissed off owned customers, they will change their behavior. Costing them money is the only way to force them into action. They will whine and cry and snivel and litigate to prevent you from doing this, but in the end they aren't going slow for your good, they're slow for their bank book.
I work for the Department of Redundancy Department.
Do you hate corporations so much that you need to make sure they make as little money as possible?
The corps that are still in business and not 'bookcooking' are essentially doing fine. Whatever costs they have that they won't eat and/or write off on their taxes take the form of higher prices.
Case in point
When Coca-Cola first came out, you could get a small glass of it for a nickel if I'm not mistaken. Now, one costs $1.00 from a vending machine (granted, it's likely 20 oz). Why the ridiculous price increase?
Advertising and competition.
People come up with products and services.
If word of mouth isn't enough, they use admen to get their message out -- big money!
Somebody sees the ad and 'builds a better mousetrap' - competition.
So the original maker has to spend more money to improve his product/service and advertise it as 'new and improved'.
And the vicious cycle goes on and on.
The average consumer loses due to higher prices.
Without mass market advertising, prices would be a lot lower.
And as the late comedian Bill Hicks once said:
Quit putting a goddamn dollar sign on every fucking thing on this planet!
Did they have advertising in public bathrooms before he died? If so, his quote sums up vividly the problem with mass media advertising.