Daily Exploit Releases Irk Both Vendors and Crooks
conJunk writes "Security Focus has an article about HD Moore's Exploit-Every-Day-in-July endeavor raising the hackles of both browser vendors and criminals. He started the project because he felt that vendors were not taking his analysis seriously enough, but he appears to be the only one enjoying it. 'Black Hats' are having their exploits exposed, and Microsoft (who bears responsibility for the majority of the browser holes) can't keep up with the pace he's setting." From the article: "The software giant indirectly criticized the release of vulnerabilities in a statement to SecurityFocus, underscoring the importance of getting customers updated before they are exposed to threats from malicious attackers. 'Microsoft continues to encourage responsible disclosure of vulnerabilities,' the software giant said in a statement sent to SecurityFocus. 'We believe the commonly accepted practice of reporting vulnerabilities directly to a vendor serves everyone's best interests.'"
For those of you who like to read articles starting with Page 1.
Yep. Too bad each and every one of these vulnerabilities has already long since been reported to Microsoft... which is hinted at by the correction at the bottom of the article:
Quoting the Microsoft "position" seems like a very odd choice for a story submission, without also giving the information that every one of these vulnerabilities has already been reported. Microsoft is simply sitting on their thumbs and not fixing them as usual; also as usual, they don't want the vulnerabilities published because this is made obvious.
Here's the link to the list of Moore's browser exploits, the ones that the article is talking about.
Reading http://browserfun.blogspot.com/, it looks like he submitted these on March 6. He is publicly reporting them in July. That's three months.
Microsoft has had 3 months' notification that they need to fix a list of bugs which are findable with publicly available tools, and some of which are being actively exploited by the blackhat community.
Without this publicity, the blackhat community would continue exploiting machines indefinitely. With it there is at least a fighting chance that Microsoft will fix their bugs and force the blackhat community to look for some new bugs and write new tools. I have a hard time thinking of this public disclosure as anything but beneficial.
As for the open source bugs, there is no way to report bugs to those projects without making them public. However their development is fast enough, and they are small enough targets, that I don't see these releases as being a problem for them.
Nah man, that's the answer to almost everything on the MPlayer mailing list. Nowadays, it's "Fixed in Subversion _ages_ ago."
Not anymore - they finally did a release about a month ago. (A year between releases is far too long in the open-source world - Gentoo gave up and started using their own CVS snapshots of mplayer...)