Slashdot Mirror


MS Giving Exploit Writers Clues To Flaws

In the IT trench writes "How's this for a new twist on the old responsible disclosure debate? Hackers are using clues from Microsoft's pre-patch security advisories to create and publish proof-of-concept exploits. The latest zero-day flaw in the Windows DNS Server RPC interface implementation is a perfect example of the tug-o-war within the Microsoft Security Response Center about how much information should be included in the pre-patch advisory."

4 of 63 comments (clear)

  1. I can see open vs closed source by Skreech · · Score: 5, Insightful

    I know the ongoing debate about whether open source or closed source has the security advantage when it comes to exploits in code.

    But this is a case where a half-and-half approach is probably the worst of all.

  2. Re:Chaffing by fm6 · · Score: 5, Insightful

    Microsoft should pre-publish a whole bunch of tasty looking security advisories that are 100% fake every time they publish one that is real. If they had the expertise to do that, they wouldn't have so many security holes in the first place!
  3. Shoot from the hip fixing is not always right by EmbeddedJanitor · · Score: 5, Insightful
    In any reasonably complex hunk of software, the chance of being able to confidently fix a oneliner and release it immediately is pretty low. Most software needs verification/testing of some sorts before a change can be mainstreamed.

    I actually think that MS pushes out some patches too fast. My Windows laptop gets autopatched and the problematic parts of the system (wireless networking in particular) sometimes get screwed up for a while until the next patch set arrives. I don't think that MS is responsible for all the breakage. Often, MS makes a change which can break an existing driver or app. From a user's perspective all that you see is that a MS patch breaks the system.

    --
    Engineering is the art of compromise.
  4. +1 troll to the headline by twifosp · · Score: 5, Insightful
    That headline is utter rubbish and sensationalist. Microsoft is not giving anyone clues to create exploits. The wording makes Microsoft sound intentionally malicious. While Microsoft is pretty god damn malicious, they aren't out there trying to help exploit writers.

    The headline should instead read something like Hackers Create Exploits Using Microsoft Published information. This IS what hackers do after all. They read documentation and manuals. They find out how things work with all the available information. They social engineer. Trying to pin this on Microsoft is childish.