Slashdot Mirror


Microsoft Unveils Open Source Exploit Finder

Houston 2600 sends this excerpt from the Register about an open-source security assessment tool Microsoft presented at CanSecWest: "Microsoft on Friday released an open-source program designed to streamline the labor-intensive process of identifying security vulnerabilities in software while it's still under development. As its name suggests, !exploitable Crash Analyzer (pronounced 'bang exploitable crash analyzer') combs through bugs that cause a program to seize up, and assesses the likelihood of them being exploited by attackers. Dan Kaminsky, a well-known security expert who also provides consulting services to Microsoft, hailed the release a 'game changer' because it provides a reliable way for developers to sort through thousands of bugs to identify the several dozen that pose the greatest risk."
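The summary describes the core idea of the tool: take the pile of crashes a fuzzer or test run produces, collapse duplicates, and rank what is left so a developer looks at the dangerous ones first. The following is an added example in that spirit, not code from the page or from Microsoft's tool; it is a toy crash-triage bucketer whose rating rules (fault type, whether the instruction pointer equals the faulting address, near-null reads) are constructed simplifications and not the real !exploitable heuristics. `CrashRecord`, `classify`, `triage` and the `SAMPLE_CRASHES` list are all assumptions of this example.

```python
# Added example (not code from the page or from Microsoft's tool): a toy crash
# triage bucketer that deduplicates crashes by stack and ranks them by a rough
# exploitability rating. The rules below are constructed simplifications,
# not the real !exploitable heuristics.
from dataclasses import dataclass
from hashlib import sha1
from typing import Dict, List


@dataclass
class CrashRecord:
    fault_type: str        # "read", "write", "exec" (instruction fetch) or "div0"
    fault_addr: int        # address the faulting access touched
    ip: int                # instruction pointer at the time of the crash
    stack: List[str]       # symbolized frames, innermost first


RATINGS = ["EXPLOITABLE", "PROBABLY_EXPLOITABLE",
           "PROBABLY_NOT_EXPLOITABLE", "UNKNOWN"]
RANK = {name: i for i, name in enumerate(RATINGS)}


def stack_hash(stack: List[str], depth: int = 5) -> str:
    """Hash the top frames so crashes at the same site collapse into one bucket."""
    return sha1("|".join(stack[:depth]).encode()).hexdigest()[:12]


def classify(rec: CrashRecord) -> str:
    """Assign a coarse rating from the fault type and addresses (toy rules)."""
    # Instruction fetch from the faulting address: control flow was diverted.
    if rec.fault_type == "exec" or rec.ip == rec.fault_addr:
        return "EXPLOITABLE"
    # A bad write can corrupt memory that later influences control flow.
    if rec.fault_type == "write":
        return "EXPLOITABLE"
    if rec.fault_type == "read":
        # Reads near address zero are usually a plain null-pointer dereference.
        if rec.fault_addr < 0x10000:
            return "PROBABLY_NOT_EXPLOITABLE"
        # A wild read elsewhere needs a closer look before it is dismissed.
        return "PROBABLY_EXPLOITABLE"
    return "UNKNOWN"


def triage(records: List[CrashRecord]) -> List[Dict]:
    """Group crashes by stack hash, rate each bucket, and order by risk then frequency."""
    buckets: Dict[str, Dict] = {}
    for rec in records:
        key = stack_hash(rec.stack)
        b = buckets.setdefault(key, {"hash": key, "top_frame": rec.stack[0],
                                     "rating": "UNKNOWN", "count": 0})
        b["count"] += 1
        rating = classify(rec)
        # Keep the worst (lowest-ranked) rating seen for this bucket.
        if RANK[rating] < RANK[b["rating"]]:
            b["rating"] = rating
    return sorted(buckets.values(), key=lambda b: (RANK[b["rating"]], -b["count"]))


# Constructed sample crashes, the sort of records a fuzzing run leaves behind.
SAMPLE_CRASHES = [
    CrashRecord("write", 0x41414141, 0x00401234, ["parse_len", "parse_header", "main"]),
    CrashRecord("write", 0x41414145, 0x00401234, ["parse_len", "parse_header", "main"]),
    CrashRecord("read", 0x00000008, 0x00401500, ["lookup", "main"]),
    CrashRecord("exec", 0x41414141, 0x41414141, ["??", "parse_body", "main"]),
    CrashRecord("read", 0x7ffe1234, 0x00401a00, ["copy_field", "parse_body", "main"]),
    CrashRecord("div0", 0x00000000, 0x00401b00, ["scale", "main"]),
]

if __name__ == "__main__":
    for b in triage(SAMPLE_CRASHES):
        print(f'{b["rating"]:25} x{b["count"]}  {b["top_frame"]}  ({b["hash"]})')
```

Run as a script it prints one line per bucket, worst first, so the six constructed crashes become five buckets with the duplicated write fault at the top. The point the commenters argue over (thousands of crashes versus dozens worth fixing) is exactly this dedup-then-rank step: the stack hash removes repeats and the rating decides what a developer reads first.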

5 of 310 comments

  1. THOUSANDS OF BUGS? by v1 · Score: 0, Flamebait

    Dan Kaminsky, a well-known security expert who also provides consulting services to Microsoft, hailed the release a 'game changer' because it provides a reliable way for developers to sort through thousands of bugs to identify the several dozen that pose the greatest risk."

    Maybe I'm just totally out of touch here, but for my development, finding the bugs is the time-consuming part; fixing them usually goes pretty quick. I welcome anything that helps find my bugs, that saves so much time. If your code is so decrepit that this tool is going to find "thousands" of bugs, you need to go back to school for a while.

    Given a tool like that, I'd be running it regularly and not just addressing the "important" bugs. Making that thing pass clean would be one of the steps in my development cycle.

    Or maybe he's just speaking more about a common windows programming philosophy? (I certainly hope not)

    --
    I work for the Department of Redundancy Department.
  2. Enough problems of their own by kimvette · Score: 0, Flamebait

    This is another form of FUD, IMHO. Why not focus on finding all the exploits in their own software which result in easy installation of rootkits and spyware and other malware on their systems, which results in boot times of 5 to 15 minutes, where there can be literally HUNDREDS to THOUSANDS of processes infesting the Windows platform and the Microsoft Office suite?

    I have yet to see an exploit in *nix that can't be relatively easily removed. I HAVE seen rooted boxes but they have been installed by determined crackers - on slowlaris and Linux - in those cases the exploit was able to be removed and verifying against known-clean machines has verified they were clean - in an enterprise environment at a state college. Other infections I've seen have been confined to individual user accounts, or to an individual application (apache).

    Heck, I've had a machine rooted because I did not want to update OpenSSL on one of my machines a few years ago. I had opened the machine up to the net (it was normally on a clean net but I opened it up and forgot to close the firewall after I finished testing) but even that was easily cleaned, and I verified against a backup that I had successfully cleaned the system. I did reinstall as a safeguard and finally patched OpenSSL. However that was a known-and-patched exploit that I didn't care to upgrade because it was a private machine normally inaccessible from the wild. It was the result of carelessness. I cleaned it in under 15 minutes and could have left it and been safe but I took the opportunity to upgrade to a newer distro release anyhow.

    The difference is, so many Windows apps require admin/root access that it is the normal operating mode of Windows, and one application with an exploit (MSIE and IIS in particular) can almost invariably result in the box being rooted, and Windows does not make it easy to clean. Why? Because even "safe mode" can be exploited to run processes at startup. Cleaning up the mess is a tedious process, and while BartPE or WinPE (if you have access to WinPE) do make the job a little easier, it's still a pain in the neck.

    Linux exploits usually are the result of one to three things:

    1. Carelessness: running an intentionally-or-unintentionally patched box open to the 'net. I've done this before and had to clean up the mess.

    2. User running as root - this is a surefire way to get exploited. No mainstream applications not designed for administration tasks require root access, and unlike Vista's UAC, the privilege escalation mechanisms in *nix variants/distros actually do what they are designed to do without being obnoxious.

    3. Sheer determination: the cracker just keeps pounding and pounding on the box using all known exploits and then turns to brute force. Eventually the user will get in unless the firewall detects the attempts because you can't stop determined douchebaggery.

    Now, as far as Windows is concerned: there are a quintillion (OK, a slight exaggeration) unpatched known exploits (some of them having been known for 10+ years), probably >99% of users run as Administrator because many applications and even some games require admin access to run, so the boxes are uber-easy to hack.

    So, why doesn't Microsoft produce these tools for Windows, so the mass populace can help identify, log steps to reproduce, and report the exploits? Why are they using their resources to create tools for testing open source software for exploits? It is so they can give windows fanbois tools to create yet more anti-Linux and anti-F/OSS FUD, pure and simple. It's not about caring about F/OSS, it's not about wanting to contribute, and it certainly is not about being a good netizen. It is entirely self-centered. And, it makes sense for Microsoft since their duopoly is in danger and they know they peaked long ago and the only direction they have to go is down, and they know it.

    --
    The Christian Right is Neither (Christian nor right). See: Matthew 23, Matthew 25, Ezekiel 16:48-50
  3. Wow! by edivad · Score: 0, Flamebait

    Once again, Microsoft invented the ... drum roll ... wheel!
    Fuzzy data injection has been used for ages in the security world. By both bad and good guys.
    Oh, and the Address Space Layout Randomization thing, Linux had it long before them, so I guess that according to their very same rules, they invented that too.

  4. Re:Libre? by ClosedSource · Score: 0, Flamebait

    Nobody said that the code was "free as in redefined by GNU".

  5. OSS SHOULD be concerned by WindBourne · Score: 0, Flamebait

    Right now, Windows really is pure crap. For all the fanbois that defend it, it remains a joke (and the fanbois prove their total ignorance). BUT, the problem remains that IFF Windows ever gets to be more secure than say Linux, Mac, or even DOS, then the crackers WILL focus on less secure systems. Basically, this will be a case of not having to run faster than the bear, but simply having to run faster than somebody else. At this time, nearly ALL OTHER OSs are more secure than Windows. Something like this COULD BE A GAME CHANGER.

    --
    I prefer the "u" in honour as it seems to be missing these days.