Slashdot Mirror


Daily Exploit Releases Irk Both Vendors and Crooks

conJunk writes "Security Focus has an article about HD Moore's Exploit-Every-Day-in-July endeavor raising the hackles of both browser vendors and criminals. He started the project because he felt that vendors were not taking his analysis seriously enough, but he appears to be the only one enjoying it. 'Black Hats' are having their exploits exposed, and Microsoft (who bears responsibility for the majority of the browser holes) can't keep up with the pace he's setting." From the article: "The software giant indirectly criticized the release of vulnerabilities in a statement to SecurityFocus, underscoring the importance of getting customers updated before they are exposed to threats from malicious attackers. 'Microsoft continues to encourage responsible disclosure of vulnerabilities,' the software giant said in a statement sent to SecurityFocus. 'We believe the commonly accepted practice of reporting vulnerabilities directly to a vendor serves everyone's best interests.'"

3 of 165 comments

  1. Re:Reporting directly to vendors by drinkypoo · Score: 5, Interesting
    You notice that your neighbor often leaves his patio door unlocked when he leaves for work, so you kindly leave him a note, so that in the future he may avoid being harmed. All is well.

    This is not an even slightly similar situation to your example.

    If you can explain to me who in this example is Microsoft, I'll be seriously fucking impressed, because you didn't even include them.

    Now, what WOULD be a good example is if you noticed that your neighbor's patio door didn't lock properly, and you found another of the same model, and noticed it didn't lock properly either, then you got that information out to the general populace. On one hand, it would inform burglars that those doors were easy to get through, but on the other, people who had that kind of door could be informed, and take steps to correct it.

    Where does this analogy break down? There's a zillion places you can look to find security vulnerabilities, and most any of them that are worth anything are effectively equivalent, they all have the same vulnerabilities within a few days. There is no clearing house for patio door security information.

    Still, it makes dramatically more sense than the bullshit you spouted.

    Also, Microsoft has a shit security record miles long. Expecting Microsoft to release stable, secure software is like expecting the Pope to open an abortion clinic. By the same token, it's like someone today buying a Yugo. We all know they're utter, complete shitboxes, that will actively cost you money - they're not worth getting for free. Why would you do it? Granted, I do use Microsoft software, but I know it's insecure, so I make sure to take more care than I would were I on Linux or something.

    Finally, people learn from mistakes. If they are losing their data because they went with Microsoft, Microsoft will eventually suffer. It's a shame that people can't do some basic research and find out that Microsoft is awful, but that's their own fucking fault. People who would do tons of research before buying a car will do absolutely none before buying a computer, and then wonder why they have problems. I am not responsible for their willful stupidity. Or yours.

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  2. Re:Reporting directly to vendors by vadim_t · Score: 4, Interesting
    You know, I'm really tired of stupid analogies on slashdot.

    Let's say there's another OpenSSH (to remove MS angle) vulnerability. Somebody announces it:
    1. Somebody finds a vulnerability and makes it public
    2. I block SSH port immediately
    3. Mail everybody who uses it: SSH has a vulnerability, mail/call me with your IP address and I'll make an exception
    4. Now I can relax a little, read the security advisory, run tests, and patch SSH. Most exploits involve very straightforward patches.
    5. Test patch (obviously)
    6. Remove SSH port block
    7. Everything is back running, and all is well. Some time later I get the vendor-provided bugfix (updated package in Debian or whatever)

    Now your version:
    1. Somebody finds a vulnerability and only reveals it to the vendor. Vendor sits on their asses for a month
    2. Since I don't know anything, I can't take any action
    3. Two weeks later, some jerk roots the box
    4. Yay, now I have to take the box offline, examine it, restore from backups.
    5. Oops, I forgot, I still have to protect it against a vulnerability there's still no information about!
    6. Bring box back online, without being really sure I won't get rooted again
    7. If I'm lucky, some time later, the vendor's patch arrives.

  3. Re:Too bad these WERE reported to mickeysoft by Entropy · Score: 4, Interesting
    The problem is that, using your stretched metaphor, there is a fire smoldering in the back of the theater, and nobody is aware.

    I think it goes further than you took it, though:

    Microsoft is the theater owner, and is very aware of the fire. He is in fact standing there in front of the smoldering flames to hide them.

    And telling all the ushers to stand in the way, too.

    And he's lit up a big fat cigar to cloak the smoke as best as possible.

    And he's laughing nervously and encouraging others to light up, too, so the fire is cloaked by everyone smoking...
    --
    The sea changes color, but the sea does not change.