Slashdot Mirror

← Back to Stories (view on slashdot.org)

MS Giving Exploit Writers Clues To Flaws

Posted by kdawson on from the first-word-sounds-like dept.

In the IT trench writes "How's this for a new twist on the old responsible disclosure debate? Hackers are using clues from Microsoft's pre-patch security advisories to create and publish proof-of-concept exploits. The latest zero-day flaw in the Windows DNS Server RPC interface implementation is a perfect example of the tug-o-war within the Microsoft Security Response Center about how much information should be included in the pre-patch advisory."

6 of 63 comments (clear)

  1. I can see open vs closed source by Skreech · · Score: 5, Insightful

    I know the ongoing debate about whether open source or closed source has the security advantage when it comes to exploits in code.

    But this is a case where a half-and-half approach is probably the worst of all.

    1. Re:I can see open vs closed source by kestasjk · · Score: 5, Funny

      Damn Microsoft! We need to know what patches are being applied so we know what may fail. We need full disclosure!

      Damn Microsoft! Their full disclosure is allowing hackers to write exploits; don't tell the hackers how to hack my system!

      Damn Microsoft! They're kinda going half way in a vain attempt to stop people flaming, as if I'm going to stop doing that! Stick with one or the other, we'll flame you whatever you do anyway.

      --
      // MD_Update(&m,buf,j);
  2. There was already exploit code before the advisory by Anonymous Coward · · Score: 5, Informative

    One could find exploit code to the DNS issue before the advisory was published. MSRC didn't reveal any more information than was already publicly known.

  3. Re:Chaffing by fm6 · · Score: 5, Insightful

    Microsoft should pre-publish a whole bunch of tasty looking security advisories that are 100% fake every time they publish one that is real. If they had the expertise to do that, they wouldn't have so many security holes in the first place!
  4. Shoot from the hip fixing is not always right by EmbeddedJanitor · · Score: 5, Insightful
    In any reasonably complex hunk of software, the chance of being able to confidently fix a oneliner and release it immediately is pretty low. Most software needs verification/testing of some sorts before a change can be mainstreamed.

    I actually think that MS pushes out some patches too fast. My Windows laptop gets autopatched and the problematic parts of the system (wireless networking in particular) sometimes get screwed up for a while until the next patch set arrives. I don't think that MS is responsible for all the breakage. Often, MS makes a change which can break an existing driver or app. From a user's perspective all that you see is that a MS patch breaks the system.

    --
    Engineering is the art of compromise.
  5. +1 troll to the headline by twifosp · · Score: 5, Insightful
    That headline is utter rubbish and sensationalist. Microsoft is not giving anyone clues to create exploits. The wording makes Microsoft sound intentionally malicious. While Microsoft is pretty god damn malicious, they aren't out there trying to help exploit writers.

    The headline should instead read something like Hackers Create Exploits Using Microsoft Published information. This IS what hackers do after all. They read documentation and manuals. They find out how things work with all the available information. They social engineer. Trying to pin this on Microsoft is childish.