Slashdot Mirror


Daily Exploit Releases Irk Both Vendors and Crooks

conJunk writes "Security Focus has an article about HD Moore's Exploit-Every-Day-in-July endeavor raising the hackles of both browser vendors and criminals. He started the project because he felt that vendors were not taking his analysis seriously enough, but he appears to be the only one enjoying it. 'Black Hats' are having their exploits exposed, and Microsoft (who bears responsibility for the majority of the browser holes) can't keep up with the pace he's setting." From the article: "The software giant indirectly criticized the release of vulnerabilities in a statement to SecurityFocus, underscoring the importance of getting customers updated before they are exposed to threats from malicious attackers. 'Microsoft continues to encourage responsible disclosure of vulnerabilities,' the software giant said in a statement sent to SecurityFocus. 'We believe the commonly accepted practice of reporting vulnerabilities directly to a vendor serves everyone's best interests.'"

39 of 165 comments

  1. Or by gowen · · Score: 3, Informative
    --
    Athletic Scholarships to universities make as much sense as academic scholarships to sports teams.
    1. Re:Or by n0-0p · · Score: 2, Interesting

      Wow, talk about some FUD. Of the 14 vulns so far 10 are NULL pointer dereferences. HD must be really desperate for publicity if he's trying to pump these up as legitimate security vulns. I mean, you can argue that a server crash is a DoS, but crashing a browser? Get real.

    2. Re:Or by Anonymous Coward · · Score: 5, Funny
    3. Re:Or by jrockway · · Score: 5, Insightful

      Crashing browsers is a huge PITA. Do you like your history? Do you keep multiple tabs open? All that is gone when your browser SEGVs.

      If a remote user can make your software do something it's not supposed to do, that's a security problem.

      --
      My other car is first.
    4. Re:Or by mobby_6kl · · Score: 4, Funny

      I'm intrigued by your ideas and would like to subscribe to your newsletter.

    5. Re:Or by Dlugar · · Score: 4, Informative
      Crashing browsers is a huge PITA. Do you like your history? Do you keep multiple tabs open? All that is gone when your browser SEGVs.

      <shameless plug>Not if you use Opera!</shameless plug>
      --
      Computer Go: Writing Software to Play the Ancient Game of Go
  2. No! Don't tell anyone!!! by dubmun · · Score: 5, Funny

    A direct quote from the IE team over at Microsoft: "Don't tell anyone about all our holes! Then we won't have to fix them."

    --
    (end of post)
    1. Re:No! Don't tell anyone!!! by Kesch · · Score: 5, Funny

      Here are the responses from the different browsers after receiving vulnerability reports:

      Firefox: Fixed!
      Opera: Fixed in 9.0
      IE: ...(4 months later) DUDE!? Why you have to go tattle on us!?

      --
      If this signature is witty enough, maybe somebody will like me.
    2. Re:No! Don't tell anyone!!! by makomk · · Score: 2, Informative

      Nah man, that's the answer to almost everything on the MPlayer mailing list. Nowadays, it's "Fixed in Subversion _ages_ ago."

      Not anymore - they finally did a release about a month ago. (A year between releases is far too long in the open-source world - Gentoo gave up and started using their own CVS snapshots of mplayer...)

  3. Too bad these WERE reported to mickeysoft by drinkypoo · · Score: 5, Informative
    'Microsoft continues to encourage responsible disclosure of vulnerabilities,' the software giant said in a statement sent to SecurityFocus. 'We believe the commonly accepted practice of reporting vulnerabilities directly to a vendor serves everyone's best interests.'

    Yep. Too bad each and every one of these vulnerabilities has already long since been reported to Microsoft... which is hinted at by the correction at the bottom of the article:

    CORRECTION: The article's discussion of Peter Swire's paper and position was clarified to stress that he believes proper disclosure involves first notifying the vendor, giving them time to fix the issue and then releasing vulnerability information.

    Quoting the Microsoft "position" seems like a very odd choice for a story submission, without also giving the information that every one of these vulnerabilities has already been reported. Microsoft is simply sitting on their thumbs and not fixing them as usual; also as usual, they don't want the vulnerabilities published because this is made obvious.

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    1. Re:Too bad these WERE reported to mickeysoft by TheNetAvenger · · Score: 2, Interesting

      Ok, this does seem strange, but brings more questions for myself...

      First, let's assume he is reporting these to Microsoft in a responsible way...

      With that said, who is he to 'determine' the 'timeline' for the fix? What if the bug or exploit affects a vast amount of code and third party applications? Does he get to hold the industry hostage because he didn't get the 'timeline' response or fix from Microsoft 'he' expects, when he knows nothing of what the bug or exploit might entail?

      Microsoft 'should' also be keeping proper dialog with people that report these exploits, but that does not give one individual the 'button' to nuke MS when they don't jump on a fix as fast as the person wants; he is only screwing the consumers, not MS, other than giving them bad press.

      So if MS doesn't meet his timeline, then the consumers and industry get screwed and put at risk.

      If he 'had' the knowledge of all the downlevel code and testing to fix exploits that MS must undertake for each exploit, then sure he should be making the timeline call, but if the bug is more serious than what 'he' even may realize, it is still the Vendor that should have the say on publishing this information unless the person finding the 'exploit' can offer a credible fix, solution, or way to safeguard consumers.

      This borders on yelling fire in a theater, because it isn't the theater owner that is getting hurt, it is the people getting trampled in the aisles...

      Sure we all agree that MS should sometimes push up exploit fixes, but we also see others on here complain too much about MS addressing updates and fixes too rapidly if they break applications.

      So I am left a bit conflicted over this..

      Sure I can use another OS or another Browser, but there is a large base of 'consumers' that do use MS OSes and Browsers and they will be the least likely to even 'hear' of the exploit or protect themselves, instead this information will be gobbled up by the people that want to do harm to them and in the end the consumers get screwed.

      Also of note, it isn't only MS this person has released information about when the vendor hasn't met his timeline demands, and what are his standards based on? What formula for what level of exploit and what level of code that would need to be fixed?

      Do projects like Firefox and the Safari team have the resources to meet his timelines? How about distributions that spin off of other technologies that only have a small amount of people to work on them?

      What are your opinions 'bias aside' on a single entity making decisions for vendors and consumers that they probably are not in a position to make?

      Looking for honest debate because I'm very curious to others' views on this.

      (Side Note) I also have been in a position much like this myself, finding holes that don't seem to be addressed on a timeline I would have liked...

    2. Re:Too bad these WERE reported to mickeysoft by Anonymous Coward · · Score: 5, Insightful
      This borders on yelling fire in a theater, because it isn't the theater owner that is getting hurt, it is the people getting trampled in the aisles

      The problem is that, using your stretched metaphor, there is a fire smoldering in the back of the theater, and nobody is aware. Sure, the first thing you do is call the fire department, but you don't wait for them to put the blaze out in order to notify people.

      To construct a better metaphor: Would you tell someone if a pickpocket were stealing their wallet? Or would you call the police first?

      These kinds of holes are not only found by the 'white hat' security researchers... Odds are good that if he's found a hole, others have as well, and are misusing it.

      At which point, what good does keeping silent do?
    3. Re:Too bad these WERE reported to mickeysoft by drinkypoo · · Score: 5, Insightful
      If he 'had' the knowledge of all the downlevel code and testing to fix exploits that MS must undertake for each exploit, then sure he should be making the timeline call, but if the bug is more serious than what 'he' even may realize, it is still the Vendor that should have the say on publishing this information unless the person finding the 'exploit' can offer a credible fix, solution, or way to safeguard consumers.

      I disagree. Given that the EULA apparently allows software developers to eliminate all their liability for holes in their software, users should be very careful about who they get their software from. If a vendor can constantly be shown to leave big holes in their software, and people actually suffer loss due to said holes, then that vendor will lose all business. I believe that Microsoft would either be gone or releasing only [relatively] secure software if we had immediate release of vulnerabilities.

      I further believe that the only reason Microsoft doesn't want the vulnerabilities released is that they will have to actually motivate their sorry asses and release the patches in a timely fashion, which means they can't distribute them to Microsoft Select customers first as they always have done, which means they will likely have fewer Select subscribers. Which serves them right, those assholes.

      What are your opinions 'bias aside' on a single entity making decisions for vendors and consumers that they probably are not in a position to make?

      Clearly they are in a position to make it, because they have the information on the vulnerability :)

      Personally, I really, honestly believe that all vulnerabilities should simply be reported to the world at large. It would encourage vendors to use best security practices, and they would not be able to simply hide their head in the sand.

      Currently Microsoft does not utilize best practices - we're constantly finding vulnerabilities in new products that are due to the same old stupid crap like buffer overflows. Why coddle them?

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    4. Re:Too bad these WERE reported to mickeysoft by Trepalium · · Score: 5, Insightful
      Let me play devil's advocate on this one.

      With that said, who is he to 'determine' the 'timeline' for the fix? What if the bug or exploit affects a vast amount of code and third party applications?

      And who is Microsoft to 'determine' when he is or is not allowed to notify the world of this? What if the author has knowledge that people are falling victim to this vulnerability?

      So if MS doesn't meet his timeline, then the consumers and industry gets screwed and put at risk.

      Customers and industry are already at risk from the vulnerabilities themselves, and these vulnerabilities may already be in use by criminals. Indeed the summary suggests that this is the case.

      I'm not saying he's right and Microsoft is wrong, but this isn't a simple issue. A combination of factors has left some sour tastes in people's mouths regarding Microsoft's current security practices. Microsoft's security advisories have become very terse/boilerplate with little or no details about what the vulnerability actually is. Their demand that people report the vulnerabilities in very specific ways (e.g. no proof of concept exploits, etc.) in order to receive acknowledgement in the advisory is another. Add to this the fact that it often takes months and months to get a patch for a reported vulnerability, and people are again thinking that Microsoft doesn't care about security other than as a bulletpoint on their sales literature.

      --
      I used up all my sick days, so I'm calling in dead.
    5. Re:Too bad these WERE reported to mickeysoft by mcrbids · · Score: 2, Insightful

      Currently Microsoft does not utilize best practices - we're constantly finding vulnerabilities in new products that are due to the same old stupid crap like buffer overflows. Why coddle them?

      Ok, then.

      Name an Operating System vendor that doesn't have any buffer overflows found! Even the much-beloved OpenBSD had one reported not so long ago, despite what I feel is the best effort possible to eliminate them, and despite limiting the scope of the operating system so much it's a mental strain to consider it an O/S at all - little more than a kernel and a few utilities.

      Linux is definitely imperfect. Slowlaris isn't all that wonderful. In short, they ALL have issues, some more than others. Many of the issues found in Windows are found in IE - compare that to the recent swath of holes found in Firefox/Mozilla.

      I choose Linux for my development because

      A) distributing patches is damned easy (yum update)

      B) I don't have to go to the facility to apply them,

      C) It's very reliable - 99.94% uptime on a single machine!

      D) It's very cheap - no licensing worries.

      E) Security record is decent overall.

      --
      I have no problem with your religion until you decide it's reason to deprive others of the truth.
    6. Re:Too bad these WERE reported to mickeysoft by Entropy · · Score: 4, Interesting
      The problem is, that, using your stretched metaphor, there is a fire smoldering in the back of the theater, and nobody is aware.

      I think it goes further than you took it, though:

      Microsoft is the theater owner, and is very aware of the fire. He is in fact standing there in front of the smoldering flames to hide them.

      And telling all the ushers to stand in the way, too.

      And he's lit up a big fat cigar to cloak the smoke as best as possible.

      And he's laughing nervously and encouraging others to light up, too, so the fire is cloaked by everyone smoking...
      --
      The sea changes color, but the sea does not change.
    7. Re:Too bad these WERE reported to mickeysoft by More+Trouble · · Score: 5, Insightful

      This borders on yelling fire in a theater, because it isn't the theater owner that is getting hurt, it is the people getting trampled in the aisles...

      And when there is a fire, how irresponsible is it to not yell fire?

    8. Re:Too bad these WERE reported to mickeysoft by schon · · Score: 3, Insightful

      Odds are good that if he's found a hole, others have as well, and are misusing it.

      Isn't that why the black hats are pissed too?

      The odds aren't "good" - they're 100%.

    9. Re:Too bad these WERE reported to mickeysoft by Ohreally_factor · · Score: 2, Funny

      That sounds almost like my scheme of using a magnifying glass to warn insects of the dangers from the sun's rays.

      --
      It's not offtopic, dumbass. It's orthogonal.
    10. Re:Too bad these WERE reported to mickeysoft by Schraegstrichpunkt · · Score: 2, Insightful
      With that said, who is he to 'determine' the 'timeline' for the fix? What if the bug or exploit affects a vast amount of code and third party applications?

      Tough. The jackasses who have been peddling broken software for years, making phony claims about its "security", are the ones to blame.

      News flash: The software was always vulnerable to these attacks. Blaming the guy who publishes exploits (with source code) is like blaming the auditors for disclosing your accounting fraud. Your books were cooked regardless of whether or not the auditors told anyone.

      This is nothing less than a free speech issue.

    11. Re:Too bad these WERE reported to mickeysoft by Schraegstrichpunkt · · Score: 3, Insightful

      Nice rhetoric, but you neglect the fact that "normal operations" on the Internet includes operating in an adversarial environment. There is no reason why Microsoft or anyone else should get special treatment regarding the public disclosure of vulnerabilities. As a competitor to Microsoft, if my computer is vulnerable to executing arbitrary code, I don't want to have to trust that Microsoft won't exploit that vulnerability to further its own ends, nor do I want to have to trust that Microsoft employees won't leak the information to malevolent third parties. Instead, I want to know now that my software is vulnerable, so that I can take the necessary precautions.

  4. Lack of security sells PCs and crappy software. by a_greer2005 · · Score: 2, Insightful

    Think about it; if a PC gets exposed to viruses or malware, the average Joe will either A: buy a new version of Norton, or just not realise it until the PC fails to boot in under 10 minutes, at which point they just buy a new one, which means by default another license for Windows that isn't really needed, but Redmond gets the $$$ nonetheless...

  5. Reporting directly to vendors by dtfinch · · Score: 5, Insightful

    "We believe the commonly accepted practice of reporting vulnerabilities directly to a vendor serves everyone's best interests."

    From the looks of it, most if not all of those were reported months before they were published.

    Give a vendor 90 days. If they fix it, never, ever release the details of how to exploit the vulnerability, as a reward and to help users who are slow to update. But if they willfully choose not to fix it, release the exploit to educate their userbase, and to help them to reevaluate their dangerous security policy.

    1. Re:Reporting directly to vendors by drinkypoo · · Score: 5, Interesting
      You notice that your neighbor often leaves his patio door unlocked when he leaves for work, so you kindly leave him a note, so that in the future he may avoid being harmed. All is well.

      This is not an even slightly similar situation to your example.

      If you can explain to me who in this example is Microsoft, I'll be seriously fucking impressed, because you didn't even include them.

      Now, what WOULD be a good example is if you noticed that your neighbor's patio door didn't lock properly, and you found another of the same model, and noticed it didn't lock properly either, then you got that information out to the general populace. On one hand, it would inform burglars that those doors were easy to get through, but on the other, people who had that kind of door could be informed, and take steps to correct it.

      Where does this analogy break down? There's a zillion places you can look to find security vulnerabilities, and most any of them that are worth anything are effectively equivalent, they all have the same vulnerabilities within a few days. There is no clearing house for patio door security information.

      Still, it makes dramatically more sense than the bullshit you spouted.

      Also, Microsoft has a shit security record miles long. Expecting Microsoft to release stable, secure software is like expecting the Pope to open an abortion clinic. By the same token, it's like someone today buying a Yugo. We all know they're utter, complete shitboxes, that will actively cost you money - they're not worth getting for free. Why would you do it? Granted, I do use Microsoft software, but I know it's insecure, so I make sure to take more care than I would were I on Linux or something.

      Finally, people learn from mistakes. If they are losing their data because they went with Microsoft, Microsoft will eventually suffer. It's a shame that people can't do some basic research and find out that Microsoft is awful, but that's their own fucking fault. People who would do tons of research before buying a car will do absolutely none before buying a computer, and then wonder why they have problems. I am not responsible for their willful stupidity. Or yours.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    2. Re:Reporting directly to vendors by vadim_t · · Score: 4, Interesting

      You know, I'm really tired of stupid analogies on slashdot.

      Let's say there's another OpenSSH (to remove the MS angle) vulnerability. Somebody announces it:
      1. Somebody finds a vulnerability and makes it public
      2. I block the SSH port immediately
      3. Mail everybody who uses it: SSH has a vulnerability, mail/call me with your IP address and I'll make an exception
      4. Now I can relax a little, read the security advisory, run tests, and patch SSH. Most exploits involve very straightforward patches.
      5. Test patch (obviously)
      6. Remove the SSH port block
      7. Everything is back running, and all is well. Some time later I get the vendor-provided bugfix (updated package in Debian or whatever)

      Now your version:
      1. Somebody finds a vulnerability and only reveals it to the vendor. Vendor sits on their asses for a month
      2. Since I don't know anything, I can't take any action
      3. Two weeks later, some jerk roots the box
      4. Yay, now I have to take the box offline, examine it, restore from backups.
      5. Oops, I forgot, I still have to protect it against a vulnerability there's still no information about!
      6. Bring box back online, without being really sure I won't get rooted again
      7. If I'm lucky, some time later, the vendor's patch arrives.

    3. Re:Reporting directly to vendors by CherniyVolk · · Score: 3, Interesting

      Three months is too long.

      Besides, especially for Microsoft exploits... the moment I have time to share any info on something I found, I do. This is in part because of my lack of admiration for the company, and any bane for them is a gleeful gain for me. Come to think of it, I never contacted Microsoft to report anything remotely construed as intent for improvement; save one instance where I did specifically contact Microsoft presenting just one reason why I would never condone the use of their Server Operating Systems for even casual use, and they opened up dialog even. But, I think they could tell, I wasn't their friend.

      Bottom line here, is what is 'responsible' exploit exposure? No one really has a hardened explanation. Companies would love for their ideas governing exposure; basically it affords them the ability to flip the bird at one person (the discoverer) and hope no one else sees it; which is the most likely scenario because we all know capitalists think like this--'is it cost effective to address this bug? Is it cheaper to pay editors to belittle the effect of IE crashing by using phrases such as "[bugs within IE] MERELY causing IE to CRASH"?'.

      Is it really responsible to notify the vendor first? Inherent to proprietary business interests, denial is an all too common tactic, and if they want to sue you, they could, even to suffer an obvious loss, just to introduce you to the wringer. Or, is it more responsible to outright give full details to the first person you see on the street? I say, in regards to consumer business, it's much more effective and therefore responsible should you post all exploits, with details and working examples, the moment you are able to muster the content and activate the 'Send' command. This approach is akin to starting a fire underneath the proverbial ass. Why give a company an option? Force them to live up to their end of the deal; the deal being that you paid for a product, as advertised and within reasonable expectation of operation. There is no option to fix or not to fix a bug that crashes an application; it must be fixed. While this is the tendency in the Open Source area, it is a philosophical obligation for a company.

      So, light those fires is what I say. I think it's ridiculous that many exposing exploits do not give details and working example code, or some sites that do have that culture require registration and are less in the spotlight.

    4. Re:Reporting directly to vendors by db32 · · Score: 2, Interesting

      First of all, it's more like holding a chalupa upside down on a hot day while your friend holds an ice cream cone upside down on a hot day... don't you think you should tell your friend "Hey, upside down ice cream has a heat vulnerability"

      Excellent description of the problem, but I don't see why so many people shout about "MS shouldn't be allowed to get away with this". Yes, yes they should...because you bought their products, you agreed to the stuff that said "We might support you if we want". You agreed to it, they can do it. It doesn't really matter if you didn't read the fine print, you still agreed. The same goes for every other closed proprietary line of stuff people buy. Trust me, their lawyers are WAY smarter than their sense of morality is strong.

      It amuses me that the big software houses just don't get that. That they shout and scream and stomp their feet "You can't tell our customers we screwed them!" "You can't tell them we lied to them about what we offer!" Rather than spending the money to fix the problem, they spend a fortune in legal battles trying to silence the critics, so they don't have to spend the money fixing stuff. In the meantime the OSS world just goes "DOH!" and fixes it. Realistically, if this was pointed out to shareholders... things might change. "Look, rather than actually fixing the problems that are causing them to do worse, they want to try to hide them... but these service based companies over here... based on a new business model, just fix the problem, notify their customers, and continue to move in the right direction without wasting money on unnecessary legal battles"

      --
      The only change I can believe in is what I find in my couch cushions.
  6. In related news... by Kenja · · Score: 2, Funny

    I feel that there's not enough being done to curb gun violence here in Oakland, CA. So I'm going to shoot one person a day, every day, for the month of July. Any reports that I'm enjoying it are exaggerations.

    --

    "Have you ever thought about just turning off the TV, sitting down with your kids, and hitting them?"
    1. Re:In related news... by Tackhead · · Score: 2, Insightful
      > I feel that there's not enough being done to curb gun violence here in Oakland, CA. So I'm going to shoot one person a day, every day, for the month of July. Any reports that I'm enjoying it are exaggerations.

      (Not to put a downer on your funny post but...)

      ...it's more like "So I'm going to report every murder on the TV news, for everyone to see, until people get so fed up with seeing it every night, that they pressure the Oakland Police (who, just as Microsoft has a legal monopoly on its own source code, have the legal monopoly on the use of force in Oakland) to get off their asses and start doing something to stop it."

      (Of course, just as in Oakland... we get bored of seeing a bunch of dead people every night on the news, and we get bored of seeing the latest exploit, and once the cops - and the vendors - figure out that after a certain point, we stop giving a shit, nothing gets done :)

    2. Re:In related news... by Odin_Tiger · · Score: 4, Insightful

      This is more a situation of, "I feel there's not enough being done to curb gun violence in Oakland, CA, so every day in July I'm going to disclose to the public one case of a cop failing to prosecute a known black market arms dealer, felon in possession of a firearm, or murderer, because it wasn't convenient for the Police Department's schedule."

      --
      Unpleasantries.
  7. The Exploits Themselves by FsG · · Score: 4, Informative

    Here's the link to the list of Moore's browser exploits, the ones that the article is talking about.

    --
    I made a PHP/MySQL library that prevents SQL injection & makes coding easier!
  8. If you annoy both groups by Anonymous Coward · · Score: 5, Insightful

    ...you must be doing something right.

  9. Give reasonable deadlines then go public by davidwr · · Score: 2, Insightful

    Best practices in my not-so-humble-opinion:

    1) warn the vendor ASAP
    2) warn the security community within a week, immediately if the vendor has no objections
    3) as soon as there is an exploit that represents a real threat:
      a) give all details to the security community
      b) give a workaround, like "disable such and such service," to the general public.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
    1. Re:Give reasonable deadlines then go public by fermion · · Score: 2, Interesting
      This is the vendor party line, and this is why I disagree with it.

      First, this process does not protect the user; it is merely a PR thing for the vendor. While I feel for the vendor and wish to give them adequate time to correct the problem, history tells us that this sympathy backfires. Here is the normal drill. If a vulnerability gets reported, but there is no exploit "in the wild", then the vulnerability gets less priority. This is fine because the exploitable code needs to be fixed first. But then later on the bug that was ignored does have an exploit. Well then that bug is put to the top of the list, and even though it may have been known for ages, the vendor gets ages more to fix it. All the while the user is at unnecessary risk.

      As a customer the product cycle should take my convenience into account, at least as far as I am willing to pay for it. And since MS has margins approaching 40%, and Apple has margins over 20%, I certainly think we are paying enough to both companies not to have to inconvenience ourselves because they can't get to work.

      Here is the second thing. The issue either has an exploit or it doesn't. If it has an exploit, then the customer deserves to know so they can protect against it, and often that requires some level of detail. If it makes the problem public, then that is a good thing because then the script kiddies will exploit it, and it will be more of a problem, so then it will be fixed. Instead of having months of small problems, we will simply have a short time of big problems. If the bug has no exploit, then nothing is lost. However, knowing the bug is known does put pressure on the vendor to fix the issue.

      As I say, delaying publication is merely to protect the vendor, and does nothing to help the customer. As has been mentioned here often, a properly secured and updated system in any OS is relatively safe. But if we are going to blame the users, then the users must know what the exploits are that we need to defend against. If the exploits are secret, then we are back to the situation where the vendors are withholding material information, and they become liable. It is a very similar situation to the Pinto.

      --
      "She's a scientist and a lesbian. She's not going to let it slide." Orphan Black
  10. It "irks" them? by andytrevino · · Score: 2, Insightful

    So, shedding light on these security problems "irks" some vendors. How about the sysadmins and users who are stuck wasting their time patching problems that should have been fixed months ago, or before release? What about people who have had data compromised or destroyed by exploits brought to the public eye in this report?

    While I realize that many of these bugs are not critical security issues, my hat is off to Moore for having the rocks to continue his effort in the face of "irked" vendors and hax0rs. Producing better software is far more important.

  11. Dep't of Redundancy Dept by PavementPizza · · Score: 4, Funny

    Headline says: Daily Exploit Releases Irk Both Vendors and Crooks

    Considering that Microsoft is the only Vendor complaining, and considering they've had months to fix all of these and didn't, the headline should be:

    Daily Exploit Releases Irk Crooks

    --
    Viper is the preferred editor of the Emacs operating system.
  12. Re:Been a long time by frogstar_robot · · Score: 2, Insightful

    In addition, it's making me have some slight apprehension regarding my plan to put a couple linux machines in the systems room at work. Be a bit embarrassing if the new guy's machines got owned.

    New Windows machines get owned too but I don't think that is exactly your concern. Any alternative has to be outrageously superior to whatever established way of doing things is being replaced. The various ways that Windows machines can malfunction are common experiences to many and after long conditioning somewhat forgivable. Even though a Linux machine may be an outstanding way to replace a cranky Windows server, ANY malfunction is evidence "This Linux stuff sucks!" even though worse might be tolerated from the accustomed Windows solutions.

    I've been the advocate for many such Linux deployments. Being the advocate, I make it my personal and professional business that the solutions I advance work. I've pulled a few overtimes here and there sorting issues out. It's what you have to do when it is YOUR big idea being tried out and that big idea bucks prejudices.

    If you've been a long while from Linux, then you are correct to hang back. Find a little time to get to know your shit again so that if you ever DO propose a Linux trial that you can do the groundwork to really make it perform.

  13. Maybe MS needs some humility. by Kadin2048 · · Score: 2, Insightful

    Microsoft 'should' also be keeping proper dialog with people that report these exploits, but that does not give one individual the 'button' to nuke MS when they don't jump on a fix as fast as the person wants. He is only screwing the consumers, not MS, other than giving them bad press.

    Huh? It sure does. He found the vulnerability, it's his to disclose. (Unless of course Congress has made that illegal this week...)

    I think the software vendors are forgetting something: giving them an advance warning of the pending release of a vulnerability is a professional courtesy.

    If they don't do anything, particularly if they don't ask politely that the release of the vulnerability be delayed, then they really have no business bitching when they see it over their coffee while reading the Wall Street Journal some morning.

    I think reporting vulnerabilities to vendors is the right thing to do, but if the vendors piss all over people who are trying to do them a favor, then the hell with them. It's unfortunate that their customers end up getting hurt because of their lack of any sort of humility or willingness to communicate, but that's what you get when you do business with people like that.

    If I was advising Microsoft, or any other large vendor -- or if I was a major customer of theirs, large enough that I could give input on their internal policy -- I'd tell them that every time a serious vulnerability was reported, they should assign an analyst to it personally; not only to verify the possible implications of the threat, but also to act as a one-to-one point of contact with the discoverer, to build a relationship with them and hopefully get them to agree to hold off on disclosure until the problem can be fixed. (I'd also expect them to throw wads of cash at anyone with a possible 0-day, and troll the black-hat IRC channels just like the mafia does, buying them up.)

    It's ridiculous to expect people who are inherently doing the vendors and their customers a favor to simply sit on their hands when there's no active dialogue between them and the vendor on what progress is being made -- particularly when being the first to report a vulnerability can be a career-making move for some people.

    --
    "Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."