MS Asks Google To Delay Fuzzer Tool
eldavojohn writes "Polish Google security white hat Michal Zalewski has announced concerns that one of a hundred vulnerabilities his fuzzer tool found in IE is well known to third party hackers in China. His simple explanation provides an interesting counter argument to Microsoft's usual request that security problems not be released until they can slowly investigate them. From the article, 'Microsoft asked Zalewski to delay cross_fuzz's release, but he declined, in part because of his fear the IE vulnerability was already being explored by Chinese hackers, but also because the company's security experts had not responded to information he provided.' You can read about and download cross_fuzz for your own use."
Last year I attended a conference where one of the talks was about browser security. The speaker demonstrated how easy it was to gain access to someone's PC when the machine was being specifically targeted. Some of the things he did:
1) Set up a rogue access point with open access and SSID name similar to the venue.
2) Set up a rogue DNS.
3) Set up a redirect page that installed demo software...
One of the things he mentioned was that if you are being targeted specifically, your system will likely be compromised. If you are not targeted specifically, it's trivially easy to find machines that can automatically be compromised.
Adding any apps increases your exposure.
The number of unpatched vulnerabilities is staggering and it's only a numbers game when a slew of machines are needed.
From the Computerworld link:
MS, if you want better PR, stop worrying about PR and start worrying about code quality. For what your software costs, its performance is abysmal. You have Yugo software with a Lexus price.
Free Martian Whores!
Be careful what you wish for. We are more likely to end up with well-meaning legislation that does the opposite, where it punishes those that publish security holes as helping criminals.
One never knows when one might need a rotten tomato... - King's Quest IV: Heir Today, Gone Tomorrow
Ballmer has a hard-on for Apple and Google. Instead of focusing on their core business, which is providing servers and office automation to businesses, they are chasing Apple and Google with WP7, chasing the iPad, the iPod, Google search, and the Sony PlayStation. Arguably they've been successful at the latter, the others not at all.
Look at WP7 vs Windows Mobile 6.5. WM6x is in dire need of an overhaul. WP7 cannot replace it in a business environment at this point. We use Windows Mobile powered devices for our warehouse management apps. The replacement for ActiveSync, Windows Mobile Device Center, is worse than ActiveSync (if you can believe that) and is more consumer focused than business focused. WP7 is not designed for business apps - there is a huge opportunity for Google to invade the embedded business app space.
Ballmer needs to cease his juvenile, masturbation fantasies of crushing Jobs and Schmidt and get back to focusing on their core business.
I still cannot find the droids I am looking for...