Slashdot Mirror


MS Asks Google To Delay Fuzzer Tool

eldavojohn writes "Polish Google security white hat Michal Zalewski has announced concerns that one of a hundred vulnerabilities his fuzzer tool found in IE is well known to third party hackers in China. His simple explanation provides an interesting counter argument to Microsoft's usual request that security problems not be released until they can slowly investigate them. From the article, 'Microsoft asked Zalewski to delay cross_fuzz's release, but he declined, in part because of his fear the IE vulnerability was already being explored by Chinese hackers, but also because the company's security experts had not responded to information he provided.' You can read about and download cross_fuzz for your own use."

34 of 205 comments

  1. Microsoft losing their edge? by Anonymous Coward · · Score: 3, Insightful

    Microsoft is the last among browser makers to react to the vulnerability. Everybody else has released patches to address some, if not all of the holes.

    Seems the IE team is so small, all they can do is development on IE9; perhaps there is no other team. Maybe they're all working to make the latest Windows Mobile platform a rousing success.

    It's a much slower, conservative company now that Bill Gates has left. And I don't mean that in a good way.

    1. Re:Microsoft losing their edge? by hedwards · · Score: 2, Interesting

      Probably the only way that this will change is if the laws are changed to make them liable for their own incompetence. As it is, software developers can release software without the ability to return it for a refund or any particular guarantee that it does what they claim it to do. Meaning that you could very well end up in the situation where you've paid for software that's badly broken and they're not liable, going to give you a refund or fix it.

    2. Re:Microsoft losing their edge? by _Sprocket_ · · Score: 3, Interesting

      It's a much slower, conservative company now that Bill Gates has left. And I don't mean that in a good way.

      There was a point in time (not too long ago by normal standards - ancient history in "Internet time") when Microsoft was very slow to respond to any security issue. That was very much in the Bill Gates era. The concept of full disclosure comes from that time. The subject of disclosure has been beaten to death around here more than once so we'll avoid going down that path. However, some of the intents of the "full disclosure" concept are to shame the vendor and warn the user. Even "responsible disclosure" rules tend to have some breaking point where the bug gets exposed without vendor consent.

      This is less of a turning point than a reminder of where we've been before.

    3. Re:Microsoft losing their edge? by Ustice · · Score: 5, Insightful

      Be careful what you wish for. We are more likely to end up with well-meaning legislation that does the opposite, where it punishes those that publish security holes as helping criminals.

      --
      One never knows when one might need a rotten tomato... - King's Quest IV: Heir Today, Gone Tomorrow
    4. Re:Microsoft losing their edge? by Anonymous Coward · · Score: 4, Insightful

      They'd only start slapping a Beta tag on everything like Google does. That would buy them a few years of delays. Then they'd lobby to get the law modified so their liability was limited to the price of the software. Then they'd say the kernel is what costs and the rest is free bundled stuff. At every stage they'll lobby and start lawsuits to delay things. Eventually it's 15 years later and you've got some silly obscure law that protects nobody unless they've got the money to fight a massive software company (something the US DoJ doesn't have).

    5. Re:Microsoft losing their edge? by mini+me · · Score: 2

      That would only serve to drive the cost of software up. Is it not best to allow the free market to work? Those who want the guarantees can pay for it, while those who are willing to take the risk can use the software for less, perhaps even free.

      I am certain that if you passed the appropriate amount of money in Microsoft's direction, they would be more than happy to accept liability for IE. Personally, I do not want to pay for that level of service.

    6. Re:Microsoft losing their edge? by Low+Ranked+Craig · · Score: 5, Insightful

      Ballmer has a hard-on for Apple and Google. Instead of focusing on their core business, which is providing servers and office automation to businesses, they are chasing Apple and Google with WP7, chasing the iPad, the iPod, Google search, and the Sony PlayStation. Arguably they've been successful at the latter, the others not at all.

      Look at WP7 vs Windows Mobile 6.5. WM6x is in dire need of an overhaul. WP7 cannot replace it in a business environment at this point. We use Windows Mobile powered devices for our warehouse management apps. The replacement for ActiveSync, Windows Mobile Device Center, is worse than ActiveSync (if you can believe that) and is more consumer focused than business focused. WP7 is not designed for business apps - there is a huge opportunity for Google to invade the embedded business app space.

      Ballmer needs to cease his juvenile, masturbation fantasies of crushing Jobs and Schmidt and get back to focusing on their core business.

      --
      I still cannot find the droids I am looking for...
    7. Re:Microsoft losing their edge? by Gadget_Guy · · Score: 3, Insightful

      According to the timeline, Microsoft has also released patches for some but not all of the bugs. This final delay appears to be because they had problems reproducing the crashes, which I think is probably due to the nature of this tool, which makes reproducing the exact circumstances difficult. I can sympathise because I have had to find hard-to-reproduce bugs in the past.

      Still, I think it is correct that it should all be made public now, considering that the bad guys have already got the code.

    8. Re:Microsoft losing their edge? by John+Hasler · · Score: 2

      If I buy a toaster and it won't make toast, I can get a refund. Why can't I get a refund for shoddy software?

      Because you bought the software in the full knowledge that it was shoddy and sold "as is, no returns, no guarantee".

      --
      Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
    9. Re:Microsoft losing their edge? by msauve · · Score: 2, Interesting

      The market disagrees with you, as customers continue to purchase, and MS continues to profit from, their software offerings. Pricing is only relative to the market. From a purely economic perspective, it might be overpriced if by reducing the price they get greater profits from an increase in sales. But, I suspect that MS is pretty sharp about finding the price points which maximize profit.

      "I paid over a hundred bucks for XP"

      In fact, you disagree with yourself, unless you're claiming that MS somehow forced you to buy it. You had a choice, you chose to pay. If you would have paid "over a hundred bucks"+1, then it was underpriced for you. Ferraris are overpriced for me, but not for the market, since they're still a profitable business.

      --
      "National Security is the chief cause of national insecurity." - Celine's First Law
    10. Re:Microsoft losing their edge? by devent · · Score: 2

      What free market? You mean the market where I can go to Mediamarkt and 99% of the computers and laptops come with Windows 7? Or the free market in Saturn where 99% of the computers and laptops come with Windows 7? Or the free market at Best Buy where 99% of the computers and laptops come with Windows 7? Or maybe the free market with Dell, HP, Samsung, Lenovo?

      To what market do I go if I don't wish to buy a computer or laptop with a more secure system?

      A free market can only work if there are many vendors that are competing on fair grounds. But there is only one vendor, Microsoft, which can and will dictate price.

      --
      http://www.mueller-public.de - My site http://www.anr-institute.com/ - Advanced Natural Research Institute
  2. When by Anonymous Coward · · Score: 3, Funny

    When is someone going to DO something about the possibly government sponsored hacking taking place in China? It ought to be brought up at the UN, or trade meetings, or SOMETHING! If the Chinese government won't stop it, we need to cut them off.

    1. Re:When by piquadratCH · · Score: 2, Informative

      Who cares? The economy doesn't depend on that shit. What's more interesting is what percentage of actually useful items are made in China (which is still ridiculously high) and what's even more interesting is how much of that stuff can't be made here, which is to say almost none of it. If we stopped buying Chinese stuff for whatever reason you'd see toaster and eggbeater factories pop back up overnight. Or, more likely, they'd pop back up in Mexico again.

      If the US would take such drastic measures, China would probably answer by selling their $2.5 trillion in foreign exchange reserves, most of them US Dollars. That would devalue the USD and EUR to virtually zero, bringing about economic turmoil of unprecedented magnitude.

      Let's face it: China got us by the balls, and they are ready to squeeze them.

    2. Re:When by jittles · · Score: 3, Informative

      I think this would hurt China just as much as it would hurt the US or Europe.

    3. Re:When by RoFLKOPTr · · Score: 3, Informative

      A trade embargo with China is not a thought to be taken lightly.

      Slavery is not to be taken lightly.

      That right there invalidates all your arguments, because that says you've been absorbing all the stupid propaganda and sensationalism about Chinese working conditions. Just because they don't make $50k a year doesn't mean they are slaves. Most of them are quite happy with their jobs.

      Yeah, 14 Foxconn employees committed suicide in 2010. That's out of 920,000 employees total. So that's about 1.5 suicides out of every 100,000 employees. Wanna guess what the suicide rate in the United States was in 2007? 11.5 out of 100,000. That's EIGHT TIMES the suicide rate at Foxconn. And the suicide rate in all of China was 6.6 in 2008. One could argue that Foxconn, in fact, IMPROVES workers' lives. Of course that's not necessarily true, because correlation does not imply causation, but that data is enough to make a big huge news story worthy of being approved by Slashdot's elite editorial team with which to draw a bunch of sheep to hark the benefits of working for Chinese electronics manufacturers.

      Do some of your own research before believing the bullshit and comparing Chinese laborers to slaves.

  3. Security through blissful ignorance... by flyingfsck · · Score: 3, Insightful

    MS believes in security through ignorance, since it makes them money. As long as the common users don't know that their machines are infiltrated, stealing their bank information and sending spam, they are happy, since at worst, they will think their machine is worn out and slow and then go out and buy a new one, chock full of new versions of MS software.

    --
    Excuse me, but please get off my Pennisetum Clandestinum, eh!
    1. Re:Security through blissful ignorance... by mcgrew · · Score: 5, Insightful

      From the Computerworld link:

      "I have a conference call with MSRC [Microsoft Security Response Center]," Zalewski said in the timeline's note for Dec. 28. "The team expresses concern over PR impact, suggests that the changes made to my fuzzer code between July and December might have uncovered additional issues, which would explain why they were unable to reproduce them earlier."

      MS, if you want better PR, stop worrying about PR and start worrying about code quality. For what your software costs, its performance is abysmal. You have Yugo software with a Lexus price.

    2. Re:Security through blissful ignorance... by v1 · · Score: 2

      I think I'd call it more "security by bliss" (from "ignorance is bliss"). Really they're not so much taking advantage of users' ignorance, but rather that they don't care. As long as their computer is functional, most users don't care if their machine is participating in a botnet and DDoS'ing or spamming.

      --
      I work for the Department of Redundancy Department.
    3. Re:Security through blissful ignorance... by bluefoxlucid · · Score: 4, Insightful

      Right, which is why most users are overly concerned about "credit card theft" when most infections are about spamming the shit out of people; and a large number of people who succumb to identity theft are actually taken by malware that installs itself as an "anti-virus" program but secretly records your bank transactions.

      It's like walking through Baltimore City alone at night. As much as people are terrified by it, not everyone is out to kill you; that said, if you walk through Baltimore City alone at night regularly, you'll meet someone who is out to kill you. Paranoia is when you think they're all out to get you; rational sense is when you realize, no, they're not, but there's a significant risk of encountering someone eventually and it only takes one knife to stop your heart.

    4. Re:Security through blissful ignorance... by v1 · · Score: 2

      For what your software costs, its performance is abysmal.

      Last I checked, IE was free.

      and horribly overpriced at that!

      --
      I work for the Department of Redundancy Department.
  4. Browse at your own risk... by Anonymous Coward · · Score: 5, Insightful

    Last year I attended a conference where one of the talks was about browser security. The speaker demonstrated how easy it was to gain access to someone's PC when the machine was being specifically targeted. Some of the things he did:

    1) Set up a rogue access point with open access and an SSID name similar to the venue.

    2) Set up a rogue DNS.

    3) Set up a redirect page that installed demo software...

    One of the things he mentioned was that if you are being targeted specifically, your system will likely be compromised. If you are not targeted specifically, it's trivially easy to find machines that can automatically be compromised.

    Adding any apps increases your exposure.

    The number of unpatched vulnerabilities is staggering and it's only a numbers game when a slew of machines are needed.

    1. Re:Browse at your own risk... by Securityemo · · Score: 2

      It just makes no sense to me. Sitting with a laptop computer at a public access point and targeting people to spoof/sniff credit card information and credentials seems to have such low throughput to effort when botting at this point in time is almost simpler to execute (like firing an automatic shotgun). The people hanging out at the botting forums I've seen seem like ordinary criminals for the most part, and the barrier to entry nonexistent. Why use a low-risk low-pay method when you could use the no-risk higher-pay method?

      --
      Emotions! In your brain!
    2. Re:Browse at your own risk... by bluefoxlucid · · Score: 4, Interesting

      Sitting in a Starbucks is a low-risk method because it's hard to trace. Hell, you can load automated software onto a hand-held PDA (iPaq? I ran Linux on one...) to do all the raping and infecting. The packets can be tagged with a different MAC address than your real device, making it physically untraceable; it's all in your pocket, and can auto-connect to wifi and do whatever, so picking you out of a crowd is harder than "find the suspicious person" since you just carry it around and don't go out sniping.

      This works for MP3s and child porn and whatever the hell else too, btw. Assuming you know where and what to search (I assume torrents for MP3s, who knows for kiddy porn), you could have an automated program do all the relevant searches and store the results. When you get home, pop the device out and browse through the cached results... pick what you want, and next time you're out it'll find those things and download them.

      For the obvious flaw, you can ban your own Wifi network and your neighbors', or have the program automatically search for certain networks (yours, your neighbors', etc) and decide you're "too close to home" and shut down. You could even have a separate daemon that handles wifi, and when it sees you're "too close to home" it prevents any wifi connections at all.

      There's a lot of "I can have this here with me, but never physically do anything while connected to the network, and never use my own network" that can be done to hide your online presence. The same can be done for chatting on forums, sending e-mail, etc. The only thing you can't hide that way is real-time chat like instant messaging or IRC, because you have to twiddle the device; but for answering a forums post or blogs, you can have a program smart enough to deal with phpBB and V-Bulletin and Wordpress... it could let you record what you want to post, who to reply to, which post ID to reply to, the works... then when you're out somewhere, post.

      Basically you're interacting from an alternate reality, one where you're pulled out of the real world; that interaction is transferred into the real world physically somewhere, but you're not present at that point and there's no cable running from there to here to draw a path to you. You'd have to use an innocuous device (a PDA most likely, bought in cash) and download the software from a MAC-shifted device on a public link to have absolutely zero trail (i.e. no evidence that you're even capable of this), but it'd be doable. Completely. It'd make for some interesting shit... maybe I'll write a sci-fi novella about the idea.

    3. Re:Browse at your own risk... by bluefoxlucid · · Score: 2

      Enough forensics will trace the connection back to where it came from, i.e. Starbucks. Satellite... good luck getting free satellite, and they can ID the device somehow if you have a log-on (z3r0c00l did this...). I'm talking about something that traces back to a pinhole in reality and then vanishes. Oh shit, the attack came from nowhere; a wizard did it.

  5. Re:Can't blame him by Securityemo · · Score: 3, Interesting

    Yes. There's a list right at the bottom link of other browsers it managed to break, including Firefox and Opera. It apparently works by stressing the garbage collection mechanisms through creating and destroying DOM objects/references; I don't know what that means really, but he's written a step-by-step of the mechanisms that seems easy enough to follow.

    --
    Emotions! In your brain!
  6. Re:Can't blame him by intellitech · · Score: 2

    Definitely can't blame him. Considering Microsoft's track record for investigating serious security concerns in its operating system and browser series, and the total number of people using these products across the world, he acted properly.

    --
    vos nescitis quicquam, nec cogitatis quia expedit nobis ut unus moriatur homo pro populo et non tota gens pereat.
  7. MS denied accusations by should_be_linear · · Score: 3, Funny

    "We consider all Mr. Zalewski claims invalid. Obviously he didn't contact Security Experts for IE in reality just like you cannot contact Santa".

    --
    839*929
  8. Re:Article is dupe by Abstrackt · · Score: 3, Informative

    It's actually a follow-up. He finally got his response from MS but it was just them asking him to delay releasing the tool indefinitely.

    --
    They say a little knowledge is a dangerous thing, but it's not one half so bad as a lot of ignorance. - Terry Pratchett
  9. Rather misleading... by MerelyASetback · · Score: 2, Informative

    The summary made it sound like IE had 100 vulnerabilities, while the article stated that there were 100 vulnerabilities between 5 browsers ...

  10. Dup, and they didn't ask "Google" anything. by lseltzer · · Score: 2

    First, this article is basically a dupe of one from a couple days ago. Second, Zalewski was working on his own and MS asked him, in his personal capacity, not to release the tool. I had all this in my PCMag article referenced in the previous /.

  11. Re:Can't blame him by Dishevel · · Score: 2

    A /. reader that does not have control over their own computer at work. Lols.

    --
    Why is it so hard to only have politicians for a few years, then have them go away?
  12. MS's edge has always been cash and inertia by HeckRuler · · Score: 2

    Microsoft's edge has always been their ability to buy companies' products (and companies themselves) and sell them at a profit, and the locked-in nature of their clients. They are a business company that deals in technology rather than a technology company doing business.
    There are exceptions, like their entry into the gaming arena, but don't forget their primary nature.

  13. which? by HeckRuler · · Score: 2

    Dumping the currency, or the embargo? Because the answer is still "yes", either way. Globalization means we're all in this together. You can't hurt the other without hurting yourself.
    And, consequently, if they fuck up with say, a huge housing bubble or some such, it'll mean we have to share the pain.

  14. Re:Any release over a holiday is a dick move! by 99BottlesOfBeerInMyF · · Score: 3, Interesting

    According to this dude's timeline [coredump.cx], he contacted them on December 20th, and got a real reply the next day.

    You fail to note that the contact in December was a reminder that he was releasing the tool. He sent them the original crash reports in July and then more detailed info in August. MS security researchers were apparently unable, unwilling, or just too lazy to do the work to replicate the bugs or contact Mr. Zalewski for the next four months until he reminded them twice more in December about the issues.

    By December Mr. Zalewski was no longer willing to give MS extra time, not because he was looking for publicity, but because he had real indications that the exploits were already known to other parties and the situation had become one that needed immediate action on the part of users and sys admins to defend themselves pending a fix from MS. I have to disagree with you about him being a dick. He was very responsible on this one, even when dealing with a vendor that has an abysmal track record of making timely fixes for periods lasting years, right until there is public disclosure.