Slashdot Mirror


MS Giving Exploit Writers Clues To Flaws

In the IT trench writes "How's this for a new twist on the old responsible disclosure debate? Hackers are using clues from Microsoft's pre-patch security advisories to create and publish proof-of-concept exploits. The latest zero-day flaw in the Windows DNS Server RPC interface implementation is a perfect example of the tug-o-war within the Microsoft Security Response Center about how much information should be included in the pre-patch advisory."

13 of 63 comments

  1. I can see open vs closed source by Skreech · · Score: 5, Insightful

    I know the ongoing debate about whether open source or closed source has the security advantage when it comes to exploits in code.

    But this is a case where a half-and-half approach is probably the worst of all.

    1. Re:I can see open vs closed source by kestasjk · · Score: 5, Funny

      Damn Microsoft! We need to know what patches are being applied so we know what may fail. We need full disclosure!

      Damn Microsoft! Their full disclosure is allowing hackers to write exploits; don't tell the hackers how to hack my system!

      Damn Microsoft! They're kinda going half way in a vain attempt to stop people flaming, as if I'm going to stop doing that! Stick with one or the other, we'll flame you whatever you do anyway.

      --
      // MD_Update(&m,buf,j);
  2. Fabulous by SeaFox · · Score: 4, Insightful

    How's this for a new twist on the old responsible disclosure debate? Hackers are using clues from Microsoft's pre-patch security advisories to create and publish proof-of-concept exploits.

    That's great. Now they have an excuse to be incredibly vague about the problem in the advisories. It will be like the Government and National Security Letters.

    "We need you to submit to this, to protect you from hackers. We can't discuss the issue as it's a trade secret and a threat to computing security. This is a critical vulnerability. But we can't tell you why. Just install this patch when it comes out and you'll be better. Trust us, we know what we're doing."
  3. Re:When in doubt provide more information by Anonymous Coward · · Score: 4, Insightful

    Hackers that RTFM... now that's funny. Actually, hackers DO RTFM.

    They also know How To Ask Questions The Smart Way.

    Crackers have the upper hand on system administrators, because the focus is very narrow. System administrators have to RTFM and stay up-to-date on everything from why Alice can't print (because her network cable is unplugged) through to debugging the cause of a fatal exception/crash in a plugin they've written for an HTTP daemon. System administrators are very overloaded with work whereas crackers can take it much easier.
  4. Chaffing by goombah99 · · Score: 4, Interesting

    Microsoft should pre-publish a whole bunch of tasty looking security advisories that are 100% fake every time they publish one that is real. Make them the most enticing looking (remote code exploit with unvalidated input overflow in ssh). Any given cracker will probably pick the fake and quickly waste gobs of time.

    If they wanted to get more diabolical, they could even put some honey pots into the code itself. For example, something that emulates a buffer overflow crash when a certain malformed word is injected. Or maybe something more tantalizing but useless like a 1 second pause in Internet Explorer when a certain tag combination appears followed by a page reload to make them think IE just belched but managed to somehow recover. Hint at this in the pre-pub or leak it on the web (post it in a Slashdot comment). They can validate its existence so they believe the bug really exists too.

    Each time they patch the real security hole they can preload ten new honeypots for the next round of spoofing the hackers and eradicate the old ones so it looks like they are patching real bugs and the hackers never catch on.

    Why am I posting this under this parent? Well because you could only get away with this in closed source. Open source would make this a give-away.

    --
    Some drink at the fountain of knowledge. Others just gargle.
    1. Re:Chaffing by fm6 · · Score: 5, Insightful

      Microsoft should pre-publish a whole bunch of tasty looking security advisories that are 100% fake every time they publish one that is real. If they had the expertise to do that, they wouldn't have so many security holes in the first place!
    2. Re:Chaffing by AndrewM1 · · Score: 4, Insightful

      The problem with this is the bad press MS would get from announcing 11 exploits for every one they discovered. Those "outside the know" would think MS insecurity had gone up by 11x. MS already has major press issues about their many security exploits, they don't need 11 times that.

      Also, introducing fake honey pots in the code would cause problems. If they announced it and fixed each one, the honey pots would be useless. If they announced it but didn't fix it, they'd look like they didn't care, or it would make it obvious it was a honey pot. If they didn't announce it or fix it, then invariably some security researcher would find it (it has to be discoverable to become a honey pot) and blast MS for the security vulnerability.

    3. Re:Chaffing by Daengbo · · Score: 4, Interesting

      The point about security through obscurity is that it shouldn't be used alone as the only source of protection. Many people change their SSH config off the default port to reduce automated attacks, but they don't leave it there in the most open configuration -- they disable root logins and sometimes require key-based logins instead of password-based ones.

      Having an element or elements in your security setup which are irregular is a good part of a complete security picture, but don't for a moment assume that these will even slow down someone who knows what to do and is determined to get into your network. Only real security measures will do that. If you leave an unsecured FTP server on port 12056 facing the internet, someone will eventually find it and exploit it. If you leave phpmyadmin with no root password hidden in your website somewhere with no outside links, they still might find it, and then you are toast. Obscurity just stops most script kiddies. That's not bad, though, is it?
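      Daengbo's point above, as an added example that is not part of the thread: a small Python checker that flags an sshd_config which moves the port but still permits root and password logins. The OpenSSH defaults it assumes, the two sshd parsing rules it mirrors, and the sample configurations (constructed, not from any real host) are stated in the code.

```python
"""Added example (not from the Slashdot thread): check whether an sshd_config
relies on a moved port alone, without the real controls the comment names.
Sample configurations below are constructed; nothing here touches a live host."""
import re

# Current OpenSSH defaults, applied when a directive is absent.
DEFAULTS = {"port": "22", "permitrootlogin": "prohibit-password", "passwordauthentication": "yes"}

WEAK_CONFIG = """# constructed sample: moved port, nothing else
Port 12056
PermitRootLogin yes
PasswordAuthentication yes
"""

HARDENED_CONFIG = """# constructed sample: moved port plus real controls
Port 12056
PermitRootLogin no
PasswordAuthentication no
Match User backup
    PasswordAuthentication yes
"""

def parse_sshd_config(text):
    """Effective global directives, keyed in lower case. Two sshd rules
    are mirrored: the first occurrence of a keyword wins, and a Match
    block (which runs to end of file) is conditional, so it is skipped."""
    effective = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Accept both "Key value" and "Key=value" / "Key = value" spellings.
        m = re.match(r"([A-Za-z]+)\s*=?\s*(.*)", line)
        if not m:
            continue
        key, rest = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break
        effective.setdefault(key, rest)
    return effective

def assess(text):
    """Report weaknesses that a non-default port does not compensate for."""
    cfg = parse_sshd_config(text)
    val = lambda k: cfg.get(k, DEFAULTS[k]).lower()
    findings = [name for name in ("PermitRootLogin", "PasswordAuthentication")
                if val(name.lower()) == "yes"]
    moved = val("port") != "22"
    return {"moved_port": moved, "findings": findings,
            "obscurity_only": moved and bool(findings)}
```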

  5. There was already exploit code before the advisory by Anonymous Coward · · Score: 5, Informative

    One could find exploit code to the DNS issue before the advisory was published. MSRC didn't reveal any more information than was already publicly known.

  6. Shoot from the hip fixing is not always right by EmbeddedJanitor · · Score: 5, Insightful

    In any reasonably complex hunk of software, the chance of being able to confidently fix a one-liner and release it immediately is pretty low. Most software needs verification/testing of some sorts before a change can be mainstreamed.

    I actually think that MS pushes out some patches too fast. My Windows laptop gets autopatched and the problematic parts of the system (wireless networking in particular) sometimes get screwed up for a while until the next patch set arrives. I don't think that MS is responsible for all the breakage. Often, MS makes a change which can break an existing driver or app. From a user's perspective all that you see is that a MS patch breaks the system.

    --
    Engineering is the art of compromise.
  7. Compare the facts: open source patching is FAST by Anonymous Coward · · Score: 4, Interesting

    Let us take a look at the recent topic of a Madwifi vulnerability affecting certain wifi users in Linux.

    Julien Tinnes reported it at 13:48:00 EST on December 7, 2006.

    At 14:17:50 on the same day the patch was available in the main source code repository.

    A little while later at 17:08:26 the vulnerability is officially confirmed by Madwifi and advisories had been prepared.

    Looking downstream, the response times for official fixes/advisories by distribution specific security teams were:
    Gentoo: December 10
    SUSE: Confirmed December 8, Fixed December 11
    Ubuntu: January 9

    There is certainly some room for improvement here with distribution specific fixes, but that also includes time spent testing the changes to the driver. To be fair to Microsoft (actually, I'm just being overly optimistic), they probably had a patch ready within 30 minutes of the initial vulnerability report as was the case with Madwifi. But instead of giving the customer the option of trying the "beta" patch so they can test it themselves, it is kept private. Days tick by at Microsoft HQ and nothing appears to happen. Eventually, a patch is released on the Patch Tuesday of the next month (or the month after that). System administrators get no choice and no chance to test it themselves.

  8. +1 troll to the headline by twifosp · · Score: 5, Insightful

    That headline is utter rubbish and sensationalist. Microsoft is not giving anyone clues to create exploits. The wording makes Microsoft sound intentionally malicious. While Microsoft is pretty god damn malicious, they aren't out there trying to help exploit writers.

    The headline should instead read something like "Hackers Create Exploits Using Microsoft-Published Information". This IS what hackers do after all. They read documentation and manuals. They find out how things work with all the available information. They social engineer. Trying to pin this on Microsoft is childish.

  9. Re:Here's an idea that Microsoft hasn't thought of by blowdart · · Score: 4, Insightful

    You realise RPC is, in fact, a UNIX feature? That it's there on your Linux/Sun/BSD/OSX box? That like anything running on a known port it's easily blockable at the firewall? Or via IPSEC if you don't run a firewall? And that the Win2003 firewall will block it by default?

    Well done; next time I develop code I'll make sure I name my services something like "Sooper secure, non-remote admin interface", because we wouldn't want to make the cracker's job easier with a name now would we?