Slashdot Mirror


MS Giving Exploit Writers Clues To Flaws

In the IT trench writes "How's this for a new twist on the old responsible disclosure debate? Hackers are using clues from Microsoft's pre-patch security advisories to create and publish proof-of-concept exploits. The latest zero-day flaw in the Windows DNS Server RPC interface implementation is a perfect example of the tug-o-war within the Microsoft Security Response Center about how much information should be included in the pre-patch advisory."

3 of 63 comments

  1. Chaffing by goombah99 · Score: 4, Interesting

    Microsoft should pre-publish a whole bunch of tasty looking security advisories that are 100% fake every time they publish one that is real. Make them the most enticing looking (remote code exploit with unvalidated input overflow in ssh). Any given cracker will probably pick the fake and quickly waste gobs of time.

    If they wanted to get more diabolical, they could even put some honey pots into the code itself. For example, something that emulates a buffer overflow crash when a certain malformed word is injected. Or maybe something more tantalizing but useless like a 1 second pause in Internet Explorer when a certain tag combination appears followed by a page reload to make them think IE just belched but managed to somehow recover. Hint at this in the pre-pub or leak it on the web (post it in a slashdot comment). They can validate its existence so they believe the bug really exists too.

    Each time they patch the real security hole they can preload ten new honeypots for the next round of spoofing the hackers and eradicate the old ones so it looks like they are patching real bugs and the hackers never catch on.

    Why am I posting this under this parent? Well because you could only get away with this in closed source. Open source would make this a give-away.

    --
    Some drink at the fountain of knowledge. Others just gargle.
    1. Re:Chaffing by Daengbo · Score: 4, Interesting

      The point about security through obscurity is that it shouldn't be used alone as the only source of protection. Many people change their SSH config off the default port to reduce automated attacks, but they don't leave it there in the most open configuration -- they disable root logins and sometimes require key-based logins instead of password-based ones.

      Having an element or elements in your security setup which are irregular is a good part of a complete security picture, but don't for a moment assume that these will even slow down someone who knows what to do and is determined to get into your network. Only real security measures will do that. If you leave an unsecured FTP server on port 12056 facing the internet, someone will eventually find it and exploit it. If you leave phpmyadmin with no root password hidden in your website somewhere with no outside links, they still might find it, and then you are toast. Obscurity just stops most script kiddies. That's not bad, though, is it?
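The comment above contrasts a cosmetic change (a non-default port) with real controls (no root login, key-based authentication only). The following script is an added example, not part of the Slashdot thread, that audits an sshd_config file for exactly those three settings and reports which of the "wide open" values are still present. It assumes OpenSSH's keyword names (`Port`, `PermitRootLogin`, `PasswordAuthentication`), reads only the global section (it does not evaluate `Match` blocks), and the two sample configs are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: audit an sshd_config for the settings discussed above.
# Assumes OpenSSH keyword names; sample configs below are constructed.

# Print the value of one keyword from a config file. sshd uses the first
# occurrence of a keyword and matches keywords case-insensitively; comments
# and blank lines are skipped. Prints nothing if the keyword is absent.
sshd_setting() {
    # $1 = config file, $2 = keyword
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        { if (tolower($1) == key) { print $2; exit } }
    ' "$1"
}

# Report weak settings, one finding per line. The return value is the
# number of findings, so 0 means the config passed.
audit_sshd_config() {
    cfg=$1
    findings=0
    port=$(sshd_setting "$cfg" Port)
    root=$(sshd_setting "$cfg" PermitRootLogin | tr 'A-Z' 'a-z')
    pw=$(sshd_setting "$cfg" PasswordAuthentication | tr 'A-Z' 'a-z')

    # Direct root login over SSH: the comment's first "real" control.
    if [ -z "$root" ]; then
        echo "WEAK: PermitRootLogin not set explicitly (daemon default applies)"
        findings=$((findings + 1))
    elif [ "$root" = yes ]; then
        echo "WEAK: PermitRootLogin yes (disable direct root login)"
        findings=$((findings + 1))
    fi

    # Password logins: the second control, key-based auth only.
    if [ -z "$pw" ]; then
        echo "WEAK: PasswordAuthentication not set explicitly (daemon default applies)"
        findings=$((findings + 1))
    elif [ "$pw" = yes ]; then
        echo "WEAK: PasswordAuthentication yes (require key-based login)"
        findings=$((findings + 1))
    fi

    # The port is the obscurity part: informational only, never a finding.
    if [ -z "$port" ] || [ "$port" = 22 ]; then
        echo "NOTE: Port 22 (moving it only cuts automated noise; it is not a control)"
    else
        echo "NOTE: Port $port (non-default; still relies on the controls above)"
    fi
    return "$findings"
}

# Constructed sample 1: the default, wide-open configuration.
WEAK_CFG=$(mktemp)
cat > "$WEAK_CFG" <<'EOF'
# constructed sample sshd_config: everything left at the permissive value
Port 22
PermitRootLogin yes
PasswordAuthentication yes
EOF

# Constructed sample 2: moved port plus the real controls.
HARDENED_CFG=$(mktemp)
cat > "$HARDENED_CFG" <<'EOF'
# constructed sample sshd_config: obscurity plus actual hardening
Port 12056
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
EOF

echo "== weak config =="
audit_sshd_config "$WEAK_CFG" || echo "$? weak setting(s) found"
echo "== hardened config =="
audit_sshd_config "$HARDENED_CFG" && echo "no weak settings found"
```

On a live host, `sshd -T` prints the daemon's effective configuration (defaults and `Match` blocks resolved), which is the better input for the same checks than reading the file directly; the file-based parser here is enough to show the distinction the comment draws between the port change and the two real controls.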

  2. Compare the facts: open source patching is FAST by Anonymous Coward · Score: 4, Interesting

    Let us take a look at the recent topic of a Madwifi vulnerability affecting certain wifi users in Linux.

    Julien Tinnes reported it at 13:48:00 EST on December 7, 2006.

    At 14:17:50 on the same day the patch was available in the main source code repository.

    A little while later, at 17:08:26, the vulnerability was officially confirmed by Madwifi and advisories had been prepared.

    Looking downstream, the response times for official fixes/advisories by distribution-specific security teams were:
    Gentoo: December 10
    SUSE: Confirmed December 8, Fixed December 11
    Ubuntu: January 9

    There is certainly some room for improvement here with distribution specific fixes, but that also includes time spent testing the changes to the driver. To be fair to Microsoft (actually, I'm just being overly optimistic), they probably had a patch ready within 30 minutes of the initial vulnerability report as was the case with Madwifi. But instead of giving the customer the option of trying the "beta" patch so they can test it themselves, it is kept private. Days tick by at Microsoft HQ and nothing appears to happen. Eventually, a patch is released on the patch Tuesday of the next month (or the month after that). System administrators get no choice and no chance to test it themselves.