Daily Exploit Releases Irk Both Vendors and Crooks

conJunk writes "Security Focus has an article about HD Moore's Exploit-Every-Day-in-July endeavor raising the hackles of both browser vendors and criminals. He started the project because he felt that vendors were not taking his analysis seriously enough, but he appears to be the only one enjoying it. 'Black Hats' are having their exploits exposed, and Microsoft (who bears responsibility for the majority of the browser holes) can't keep up with the pace he's setting." From the article: "The software giant indirectly criticized the release of vulnerabilities in a statement to SecurityFocus, underscoring the importance of getting customers updated before they are exposed to threats from malicious attackers. 'Microsoft continues to encourage responsible disclosure of vulnerabilities,' the software giant said in a statement sent to SecurityFocus. 'We believe the commonly accepted practice of reporting vulnerabilities directly to a vendor serves everyone's best interests.'"

Or

[gowen]

For those of you who like to read articles starting with Page 1.

Re:Or

For those of you who like to read articles in 1 single page instead of multiple pages to maximise advertising revenu.

Re:Or

for those of you who like to read nothing.

Re:Or

[jrockway]

Crashing browsers is a huge PITA. Do you like your history? Do you keep multiple tabs open. All that is gone when your browser SEGVs.

If a remote user can make your software do something it's not supposed to do, that's a security problem.

Re:Or

[mobby_6kl]

I'm intrigued by your ideas and would like to subscribe to your newsletter.

Re:Or

[Dlugar]

Crashing browsers is a huge PITA. Do you like your history? Do you keep multiple tabs open. All that is gone when your browser SEGVs.

<shameless plug>Not if you use Opera!</shameless plug>

No! Don't tell anyone!!!

[dubmun]

A direct quote from the IE team over at Microsoft: "Don't tell anyone about all our holes! Then we won't have to fix them."

Re:No! Don't tell anyone!!!

[Kesch]

Here are the responses from the different browsers after recieving vulnerability reports:

Firefox: Fixed!
Opera: Fixed in 9.0
IE: ...(4 months later) DUDE!? Why you have to go tattle on us!?

Too bad these WERE reported to mickeysoft

[drinkypoo]

'Microsoft continues to encourage responsible disclosure of vulnerabilities,' the software giant said in a statement sent to SecurityFocus. 'We believe the commonly accepted practice of reporting vulnerabilities directly to a vendor serves everyone's best interests.'"

Yep. Too bad each and every one of these vulnerabilities has already long since been reported to Microsoft... which is hinted at by the correction at the bottom of the article:

CORRECTION: The article's discussion of Peter Swire's paper and position was clarified to stress that he believes proper disclosure involves first notifying the vendor, giving them time to fix the issue and then releasing vulnerability information.

Quoting the Microsoft "position" seems like a very odd choice for a story submission, without also giving the information that every one of these vulnerabilities has already been reported. Microsoft is simply sitting on their thumbs and not fixing them as usual; also as usual, they don't want the vulnerabilities published because this is made obvious.

Re:Too bad these WERE reported to mickeysoft

This borders on yelling fire in a theater, because it isn't the theater owner that is getting hurt, it is the people getting trampled in the aisles

The problem is, that, using your stretched metaphor, there is a fire smoldering in the back of the theater, and nobody is aware. Sure, first thing you do is call the fire department, but you don't wait for them to put the blaze out in order to notify people.

To construct a better metaphor: Would you tell someone if a pickpocket were stealing their wallet? Or would you call the police first?

These kinds of holes are not only found by the 'white hat' security researchers... Odds are good that if he's found a hole, others have as well, and are misusing it.

At which point, what good does keeping silent do?

Re:Too bad these WERE reported to mickeysoft

[drinkypoo]

If he 'had' the knowledge of all the downlevel code and testing to fix exploits that MS must undertake for each exploit, then sure he should be making the timeline call, but if the bug is more serious than what 'he' even may realize, it is still the Vendor that should have the say on publishing this information unless the person finding the 'exploit' can offer a credible fix, solution, or way to safe guard consumers.

I disagree. Given that the EULA apparently allows software developers to eliminate all their liability for holes in their software, users should be very careful about who they get their software from. If a vendor can constantly be shown to leave big holes in their software, and people actually suffer loss due to said holes, then that vendor will lose all business. I believe that Microsoft would either be gone or releasing only [relatively] secure software if we had immediate release of vulnerabilities.

I further believe that the only reason Microsoft doesn't want the vulnerabilities released is that they will have to actually motivate their sorry asses and release the patches in a timely fashion, which means they can't distribute them to Microsoft Select customers first as they always have done, which means they will likely have fewer Select subscribers. Which serves them right, those assholes.

What are your opinions 'bias aside' on a single entitiy making decisions for vendors and consumers that they probably are not in a position to make?

Clearly they are in a position to make it, because they have the information on the vulnerability :)

Personally, I really, honestly believe that all vulnerabilities should simply be reported to the world at large. It would encourage vendors to use best security practices, and they would not be able to simply hide their head in the sand.

Currently Microsoft does not utilize best practices - we're constantly finding vulnerabilities in new products that are due to the same old stupid crap like buffer overflows. Why coddle them?

Re:Too bad these WERE reported to mickeysoft

[Trepalium]

Let me play devil's advocate on this one.

With that said, who is he to 'determine' the 'timeline' for the fix? What if the bug or exploit affects a vast amount of code and third party applications?

And who is Microsoft to 'determine' when he is or is not allowed to notify the world of this? What if the author has knowledge that people are falling victim to this vulnerability?

So if MS doesn't meet his timeline, then the consumers and industry gets screwed and put at risk.

Customers and industry are already at risk from the vulnerabilities themselves, and these vulnerabilities may already be in use by criminals. Indeed the summary suggests that this is the case.

I'm not saying he's right and Microsoft is wrong, but this isn't a simple issue. A combination of factors have left some sour tastes in people's mouths regarding Microsoft's current security practices. Microsoft's security advisories have become very terse/boilerplate with little or no details about what the vulnerability actually is. Their demand that people report the vulnerabilities in very specific ways (e.g. no proof of concept exploits, etc) in order to receive acknowledgement in the advisory is another. Add to this the fact it often takes months and months to get a patch to a reported vulnerability means that people are again thinking that Microsoft doesn't care about security other than as a bulletpoint on their sales literature.

Re:Too bad these WERE reported to mickeysoft

[Entropy]

The problem is, that, using your stretched metaphor, there is a fire smoldering in the back of the theater, and nobody is aware.

I think it goes further than you took it, though:

Microsoft is the theater owner, and is very aware of the fire. He is in fact standing there in front of the smoldering flames to hide them.

And telling all the ushers to stand in the way, too.

And he's lit up a big fat cigar to cloak the smoke as best as possible.

And he's laughing nervously and encouraging others to light up, too, so the fire is cloaked by everyone smoking ..

Re:Too bad these WERE reported to mickeysoft

[More+Trouble]

This borders on yelling fire in a theater, because it isn't the theater owner that is getting hurt, it is the people getting trampled in the aisles...

And when there is a fire, how irresponsible is it to not yell fire?

Re:Too bad these WERE reported to mickeysoft

[schon]

Odds are good that if he's found a hole, others have as well, and are misusing it.

Isn't that why the black hats are pissed too?

The odds aren't "good" - they're 100%.

Re:Too bad these WERE reported to mickeysoft

[Schraegstrichpunkt]

Nice rhetoric, but you neglect the fact that "normal operations" on the Internet includes operating in an adversarial environment. There is no reason why Microsoft or anyone else should get special treatment regarding the public disclosure of vulnerabilities. As a competitor to Microsoft, if my computer is vulnerable to executing arbitrary code, I don't want to have to trust that Microsoft won't exploit that vulnerability to further its own ends, nor do I want to have to trust that Microsoft employees won't leak the information to malevolent third parties. Instead, I want to know now that my software is vulnerable, so that I can take the necessary precautions.

Reporting directly to vendors

[dtfinch]

"We believe the commonly accepted practice of reporting vulnerabilities directly to a vendor serves everyone's best interests."

From the looks of it, most if not all of those were reported months before they were published.

Give a vendor 90 days. If they fix it, never, ever release the details of how to exploit the vulnerability, as a reward and to help users who are slow to update. But if they willfully choose not to fix it, release the exploit to educate their userbase, and to help them to reevaluate their dangerous security policy.

Re:Reporting directly to vendors

[drinkypoo]

You notice that your neighbor often leaves his patio door unlocked when he leaves for work, so you kindly leave him a note, so that in the future he may avoid being harmed. All is well.

This is not an even slightly similar situation to your example.

If you can explain to me who in this example is Microsoft, I'll be seriously fucking impressed, because you didn't even include them.

Now, what WOULD be a good example is if you noticed that your neighbor's patio door didn't lock properly, and you found another of the same model, and noticed it didn't lock properly either, then you got that information out to the general populace. On one hand, it would inform burglars that those doors were easy to get through, but on the other, people who had that kind of door could be informed, and take steps to correct it.

Where does this analogy break down? There's a zillion places you can look to find security vulnerabilities, and most any of them that are worth anything are effectively equivalent, they all have the same vulnerabilities within a few days. There is no clearing house for patio door security information.

Still, it makes dramatically more sense than the bullshit you spouted.

Also, Microsoft has a shit security record miles long. Expecting Microsoft to release stable, secure software is like expecting the Pope to open an abortion clinic. By the same token, it's like someone today buying a Yugo. We all know they're utter, complete shitboxes, that will actively cost you money - they're not worth getting for free. Why would you do it? Granted, I do use Microsoft software, but I know it's insecure, so I make sure to take more care than I would were I on Linux or something.

Finally, people learn from mistakes. If they are losing their data because they went with Microsoft, Microsoft will eventually suffer. It's a shame that people can't do some basic research and find out that Microsoft is awful, but that's their own fucking fault. People who would do tons of research before buying a car will do absolutely none before buying a computer, and then wonder why they have problems. I am not responsible for their willful stupidity. Or yours.

Re:Reporting directly to vendors

[vadim_t]

You know, I'm really tired of stupid analogies on slashdot.

Let's say there's another OpenSSH (to remove MS angle) vulnerability. Somebody announces it:
1. Somebody finds a vulnerability and makes it public
2. I block SSH port immediately
3. Mail everybody who uses it: SSH has a vulnerability, mail/call me with your IP address and I'll make an exception
4. Now I can relax a little, read the security advisory, run tests, and patch SSH. Most exploits involve very straightforward patches.
5. Test patch (obviously)
6. Remove SSH port block
7. Everything is back running, and all is well. Some time later I get the vendor-provided bugfix (updated package in Debian or whatever)

Now your version:
1. Somebody finds a vulnerability and only reveals it to the vendor. Vendor sits on their asses for a month
2. Since I don't know anything, I can't take any action
3. Two weeks later, some jerk roots the box
4. Yay, now I have to take the box offine, examine it, restore from backups.
5. Oops, I forgot, I still have to protect it against a vulnerability there's still no information about!
6. Bring box back online, without being really sure I won't get rooted again
7. If I'm lucky, some time later, the vendor's patch arrives.

Re:Reporting directly to vendors

[CherniyVolk]

Three months is too long.

Besides, especially for Microsoft exploits... the moment I have time to share any info on something I found, I do. This is in part becuase of my lack of admiration for the company, and any bane for them is a gleeful gain for me. Come to think of it, I never contacted Microsoft to report anything remotely construed as intent for improvement; save one instance where I did specifically contacted Microsoft presenting just one reason why I would never condone the use of their Server Operating Systems for even casual use, and they opened up dialog even. But, I think they could tell, I wasn't their friend.

Bottom line here, is what is 'responsible' exploit exposure? Noone really has a hardened explanation. Companies would love for thier ideas governing exposure, basically it affords them the ability to flip the bird at one person (the discoverer) and hope noone else see's it; which is, the most likely scenerio becuase we all know, captialists think like this--'is it cost effective to address this bug? Is it cheaper to pay editors to belittle the effect of IE crashing by using phrases such as "[bugs within IE] MERELY causing IE to CRASH"?'.

Is it really responsible to notify the vendor first? Inherent to proprietary business interests, denial is an all too common tactic and if they want to sue you, they could even to suffer an obvious loss just to introduce you to the ringer. Or, is it more responsible to out right give full details to the first person you see on the street? I say, in regards to consumer business, it's much more effective and therefore responsible should you post all exploits, with details and working examples the moment you are able to muster the content and activate the 'Send' command. This approach is akin to starting a fire underneath the perverbial ass. Why give a company an option? Force them to live up to their end of the deal; deal being that you paid for a product, as advertised and within reasonable expectation of operation. There is no option to fix or not to fix a bug that crashes an application, it must be fixed; while this is the tendancy in the Open Source area, it is a philosophical obligation for a company.

So, light those fires is what I say. I think it's ridiculous that many exposing exploits do not give details and working example code, or some sites that do have that culture require registration and are less in the spotlight.

The Exploits Themselves

[FsG]

Here's the link to the list of Moore's browser exploits, the ones that the article is talking about.

If you annoy both groups

...you must be doing something right.

Re:In releated news...

[Odin_Tiger]

This is more a situation of, "I feel there's not enough being done to curb gun violence in Oakland, CA, so every day in July I'm going to disclose to the public one case of a cop failing to prosecute a known black market arms dealer, felon in posession of a firearm, or murderer, because it wasn't convenient for the Police Department's schedule."

Dep't of Redundancy Dept

[PavementPizza]

Headline says: Daily Exploit Releases Irk Both Vendors and Crooks

Considering that Microsoft is the only Vendor complaining, and considering they've had months to fix all of these and didn't, the headline should be:

Daily Exploit Releases Irk Crooks