MS Giving Exploit Writers Clues To Flaws
In the IT trench writes "How's this for a new twist on the old responsible disclosure debate? Hackers are using clues from Microsoft's pre-patch security advisories to create and publish proof-of-concept exploits. The latest zero-day flaw in the Windows DNS Server RPC interface implementation is a perfect example of the tug-o-war within the Microsoft Security Response Center about how much information should be included in the pre-patch advisory."
Microsoft should pre-publish a whole bunch of tasty looking security advisories that are 100% fake every time they publish one that is real. Make them the most enticing looking (remote code exploit with unvalidated input overflow in ssh). Any given cracker will probably pick the fake and quickly waste gobs of time.
If they wanted to get more diabolical, they could even put some honey pots into the code itself. For example, something that emulates a buffer overflow crash when a certain malfromed word is injected. Or maybe something more tantilizing but useless like a 1 second pause in Internet explorer when a certain tag combination appears followed by a page reload to make them think IE just belched but managed to somehow recover. Hint at this in the pre-pub or leak it on the web (post it in a slashdot comment). they can validate it's existence so they believe the bug really exists too.
Each time they patch the real security hole they can preload ten new honeypots for the next round of spoofing the hackers and eradicate the old ones so it looks like they are patching real bugs and the hackers never catch on.
Why am I posting this under this parent? Well because you could only get away with this in closed source. Open source would make this a give-away.
Some drink at the fountain of knowledge. Others just gargle.
Let us take a look at the recent topic of a Madwifi vulnerability affecting certain wifi users in Linux.
Julien Tinnes reported it at 13:48:00 EST on December 7, 2006.
At 14:17:50 on the same day the patch was available in the main source code repository.
A little while later at 17:08:26 the vulnerability is officially confirmed by Madwifi and advisories had been prepared.
Looking downstream, the response times for an official fixes/advisories by distribution specific security teams were:
Gentoo: December 10
SUSE: Confirmed December 8, Fixed December 11
Ubuntu: January 9
There is certainly some room for improvement here with distribution specific fixes, but that also includes time spent testing the changes to the driver. To be fair to Microsoft (actually, I'm just being overly optimistic), they probably had a patch ready within 30 minutes of the initial vulnerability report as was the case with Madwifi. But instead of giving the customer the option of trying the "beta" patch so they can test it themselves, it is kept private. Days tick by at Microsoft HQ and nothing appears to happen. Eventually, a patch is released on the patch Tuesday of the next month (or the month after that). System administrators get no choice and no chance to test it themselves.