Slashdot Mirror


Microsoft Unveils Open Source Exploit Finder

Houston 2600 sends this excerpt from the Register about an open-source security assessment tool Microsoft presented at CanSecWest: "Microsoft on Friday released an open-source program designed to streamline the labor-intensive process of identifying security vulnerabilities in software while it's still under development. As its name suggests, !exploitable Crash Analyzer (pronounced 'bang exploitable crash analyzer') combs through bugs that cause a program to seize up, and assesses the likelihood of them being exploited by attackers. Dan Kaminsky, a well-known security expert who also provides consulting services to Microsoft, hailed the release a 'game changer' because it provides a reliable way for developers to sort through thousands of bugs to identify the several dozen that pose the greatest risk."
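As an added illustration of the crash-triage workflow the summary describes (this is example code written for this page, not code from Microsoft or from the !exploitable tool itself): a small Python triager that buckets constructed crash records by a hash of their innermost stack frames and ranks each bucket with a simplified exploitability heuristic, so that a few dozen buckets can be read off the top of a list of thousands of crashes. The four verdict labels are the ones !exploitable reports; the rules in `classify`, the `Crash` fields, `NULL_PAGE_LIMIT`, `MAJOR_DEPTH`, `BLOCK_MOVE_ROUTINES` and the sample crashes are assumptions made for this example and are not the tool's actual logic.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, List

# The four verdicts !exploitable reports; every other name below is an
# assumption made for this example, not the tool's own code or rules.
EXPLOITABLE = "EXPLOITABLE"
PROBABLY_EXPLOITABLE = "PROBABLY_EXPLOITABLE"
PROBABLY_NOT = "PROBABLY_NOT_EXPLOITABLE"
UNKNOWN = "UNKNOWN"

SEVERITY = {EXPLOITABLE: 3, PROBABLY_EXPLOITABLE: 2, UNKNOWN: 1, PROBABLY_NOT: 0}
NULL_PAGE_LIMIT = 0x10000   # assumed: faults below this look like null-pointer dereferences
MAJOR_DEPTH = 5             # assumed: innermost frames that define a "same bug" bucket
BLOCK_MOVE_ROUTINES = {"memcpy", "memmove", "strcpy", "strncpy"}  # assumed list


@dataclass
class Crash:
    crash_id: str
    exception: str     # "access_violation", "stack_cookie", "heap_corruption", "divide_by_zero", ...
    access: str        # "read", "write", "execute", or "" when not an access violation
    fault_addr: int    # address the faulting instruction touched
    stack: List[str]   # symbolic frames, innermost first


def classify(c: Crash) -> str:
    """Simplified exploitability heuristic (constructed for this example)."""
    if c.exception in ("stack_cookie", "heap_corruption"):
        return EXPLOITABLE                      # memory-safety violation already detected
    if c.exception == "access_violation":
        if c.access in ("write", "execute"):
            return EXPLOITABLE                  # corrupted write target or control flow
        if c.access == "read":
            if c.fault_addr < NULL_PAGE_LIMIT:
                return PROBABLY_NOT             # plain null dereference
            if c.stack and c.stack[0] in BLOCK_MOVE_ROUTINES:
                return PROBABLY_EXPLOITABLE     # bad length or pointer fed to a block copy
            return UNKNOWN                      # would need taint analysis this heuristic lacks
    if c.exception == "divide_by_zero":
        return PROBABLY_NOT
    return UNKNOWN


def stack_hash(frames: List[str], depth: int = MAJOR_DEPTH) -> str:
    """Hash of the innermost `depth` frames; crashes sharing it are treated as one bug."""
    return hashlib.sha1("|".join(frames[:depth]).encode()).hexdigest()[:16]


def triage(crashes: List[Crash]) -> List[Dict]:
    """Bucket crashes by stack hash and rank buckets by their worst verdict."""
    buckets: Dict[str, Dict] = {}
    for c in crashes:
        key = stack_hash(c.stack)
        b = buckets.setdefault(key, {"hash": key, "frames": c.stack[:MAJOR_DEPTH],
                                     "crashes": [], "worst": PROBABLY_NOT})
        b["crashes"].append(c.crash_id)
        verdict = classify(c)
        if SEVERITY[verdict] > SEVERITY[b["worst"]]:
            b["worst"] = verdict
    # most dangerous first, then the most frequently hit
    return sorted(buckets.values(),
                  key=lambda b: (-SEVERITY[b["worst"]], -len(b["crashes"])))


# Constructed sample crash records (not real crash data).
SAMPLE_CRASHES = [
    Crash("c1", "access_violation", "read", 0x8, ["strlen", "parse_header", "main"]),
    Crash("c2", "access_violation", "write", 0x7ffa1230, ["copy_field", "parse_body", "main"]),
    Crash("c3", "access_violation", "read", 0x8, ["strlen", "parse_header", "main"]),  # same bug as c1
    Crash("c4", "stack_cookie", "", 0, ["__report_gsfailure", "parse_body", "main"]),
    Crash("c5", "divide_by_zero", "", 0, ["scale_image", "render", "main"]),
    Crash("c6", "access_violation", "read", 0x7ffa5000, ["memcpy", "copy_body", "main"]),
]

if __name__ == "__main__":
    for b in triage(SAMPLE_CRASHES):
        print(f'{b["worst"]:24} x{len(b["crashes"])}  {" > ".join(b["frames"])}')
```

Run as a script it lists five buckets: the write access violation and the stack-cookie failure first, the read fault inside `memcpy` next, and the two null dereferences (c1 and c3, collapsed into one bucket by the stack hash) and the divide-by-zero last. Bucketing by the innermost frames is what keeps a fuzzer's thousand hits on the same null dereference from drowning out the one write fault that matters.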

19 of 310 comments

  1. Bang exploitable by Anonymous Coward · · Score: 1, Funny

    !exploitable Crash Analyzer (pronounced 'bang exploitable crash analyzer')

    LOL

    Damn you microsoft! For the next few months I won't be able to read the "not" operator without giggling.

    1. Re:Bang exploitable by NeverVotedBush · · Score: 4, Funny

      I think this might explain some of Microsoft's buggy code issues.

      Every time they see "!=" they interpret it as "bang equals". That sounds like definitely equals, doesn't it? Like, dude, those are so equal it's not even funny, equal.

      No wonder they have all those buffer overflow exploits. Their logic checks that include the not modifier are all wrong.

    2. Re:Bang exploitable by Anonymous Coward · · Score: 2, Funny

      Bang Exploitable Crash Analyzer, programmed in C Pound Point Net.

  2. Open Source?! Wait for it... by Macthorpe · · Score: 2, Funny

    'hellfrozeover' tag in 3... 2... 1...

    --
    "It does not do to leave a live dragon out of your calculations, if you live near him." - Tolkien
  3. I'm feeling quite dizzy... by Anonymous Coward · · Score: 4, Funny

    Microsoft has released an open source product that detects security flaws in code... my irony detector just exploded. :)

    1. Re:I'm feeling quite dizzy... by mail2345 · · Score: 2, Funny

      Which just causes the finder to crash.

  4. Things that make you go hmmm... by Anonymous Coward · · Score: 5, Funny

    Could Microsoft be purposely trying to confuse people and associate the terms "open source" and exploits?

  5. It's nice to see... by rlanctot · · Score: 3, Funny

    Microsoft releasing their internal tools finally. I myself am waiting for their '!MakePortedAppsSuck' and '!CrushAllResistance' apps with baited breath...

    1. Re:It's nice to see... by Quothz · · Score: 3, Funny

      with baited breath...

      Speaking of Microsoft and security, I think you've picked up a worm.

    2. Re:It's nice to see... by TheRaven64 · · Score: 2, Funny

      And the fact that they start the executable name with an exclamation mark shows us why Windows is so buggy; they secretly all use RiscOS internally and only pretend to eat their own dogfood.

      --
      I am TheRaven on Soylent News
  6. Re:auto-hack or brute force? by Anonymous Coward · · Score: 1, Funny

    They also don't say they've run any of it on Microsoft products or standards before...

    Quite a few (think SMB) could have used a bit of fuzz-testing before the ink dried.

  7. pronounced 'bang exploitable crash analyzer' by c.derby · · Score: 2, Funny

    ...or as i prefer to call it, "bang beca."

    --
    -- derby
  8. interesting excerpt from bang source code by Anonymous Coward · · Score: 5, Funny


    #include <string.h>

    enum risk { TRIVIAL_SECURITY_RISK, MODERATE_SECURITY_RISK, MAJOR_RISK_UNINSTALL_IMMEDIATELY };

    struct bug;                                             /* opaque crash record */
    const char *get_application_vendor(const struct bug *bug);  /* defined elsewhere */

    /* Rates a crash purely by who shipped the application; no null check on bug. */
    enum risk assess_severity(struct bug *bug)
    {
        const char *vendor = get_application_vendor(bug);
        if (strcmp(vendor, "Google") == 0 ||
            strcmp(vendor, "Adobe") == 0 ||
            strcmp(vendor, "Mozilla") == 0)
            return MAJOR_RISK_UNINSTALL_IMMEDIATELY;
        else if (strcmp(vendor, "Microsoft") == 0)
            return TRIVIAL_SECURITY_RISK;
        else
            return MODERATE_SECURITY_RISK;
    }

    1. Re:interesting excerpt from bang source code by mach1980 · · Score: 2, Funny

      The funny thing is that the function is violating at least two MISRA C rules and doesn't even check for a null-pointer argument :)

      Sorry if I come across as an asshole. I'm currently working to raise the code quality at my company and see similar code every day. It gives me the itch...

      --
      Break the sound barrier - bring the noise.
  9. Re:really? by Anonymous Coward · · Score: 2, Funny

    Are you sure, Coward?

    Please, no need for the formality. You can call me Anonymous...

  10. Rules of Open Source club by CarpetShark · · Score: 4, Funny

    1. Fork the project
    2. Change the name

  11. Re:There's already proof that this can't work by Paradise+Pete · · Score: 5, Funny

    And just like anti-virus software, it will lull people into a false sense of security that can easily result in catastrophe

    Exactly. That's why I'm also against railroad crossing gates, smoke detectors, and those silly "Bridge Out" warning signs.

  12. Here is the code by fireman+sam · · Score: 2, Funny

    #include <stdlib.h>
    #include <stdio.h>
    int main(int argc, char *argv[])
    {
    #ifdef WIN32
        fprintf(stderr, "Your system is not secure\n");
    #else
        fprintf(stderr, "Your system is not popular enough to be targeted, therefore it is secure\n");
    #endif

        return 0;
    }

    --
    it is only after a long journey that you know the strength of the horse.
  13. Microsoft Unveils Open Source Exploit Finder? by Jeremiah+Cornelius · · Score: 2, Funny

    What! You mean they Open Sourced Windows!??!

    --
    "Flyin' in just a sweet place,
    Never been known to fail..."