Slashdot Mirror


Did Microsoft Know About the IE Zero-Day Flaw In Advance?

judgecorp writes "Microsoft issued an emergency patch for a flaw in the Internet Explorer browser on Friday, but there are hints that the firm may have known about the flaw two months ago. The notes to Microsoft's patch credit the TippingPoint Zero Day Initiative for finding the flaw, instead of Eric Romang, the researcher at Metasploit who made it public. ZDI's listings show its most recent report to Microsoft on 24 July, suggesting Microsoft may have known about this one for some time. The possibility raises questions about Microsoft's openness — as well as about the ethics of the zero day exploit market."

123 comments

  1. Of course Microsoft knew by s0446 · · Score: 3, Insightful

    I work in the field and can say there are tons of researchers who submit these flaws. Not all of them can be fixed instantly, and in some instances (like this) fixing them could actually create hints for hackers to use and exploit. That's why it's often better to be silent about them and make a fix ready in case they are publicly exploited. One of the worst-case scenarios is if you patch something with huge notes about it and the hackers find out about the flaw that way.

    And the bad hackers? They submit these to competitors like Google, who then "leak" the news about the competitor's flaw.

    1. Re:Of course Microsoft knew by Anonymous Coward · · Score: 2, Insightful

      Security by obscurity is considered bad practice. You know, what would you think if an AIRCRAFT/CAR/SHIP MANUFACTURER would wait 2 months before recalling defective parts (especially dicey stuff like brakes or stuff that's critical to the structure of the thing)... I don't think you would be pleased to know that you were riding around in a death trap.

    2. Re:Of course Microsoft knew by Antony+T+Curtis · · Score: 4, Informative

      And the bad hackers? They submit these to competitors like Google, who then "leak" the news about the competitor's flaw.

      I'm pretty sure that Google discreetly notifies Microsoft of flaws that it is aware of.

      --
      No sig. Move along - nothing to see here.
    3. Re:Of course Microsoft knew by Anonymous Coward · · Score: 0

      I'd rather drive around a car that few people know how to break than to drive around a car that everyone knows how to break.

    4. Re:Of course Microsoft knew by s0446 · · Score: 0

      And why is that? Google would love to see Microsoft die.

    5. Re:Of course Microsoft knew by Anonymous Coward · · Score: 1

      I work in the field

      Then you should exploit your expertise. Go back and comment on the gummi-cow-feed item.

      Ba-dump.

    6. Re:Of course Microsoft knew by Anonymous Coward · · Score: 0, Flamebait

      I work in the field and can say there are tons of researchers who submit these flaws. Not all of them can be fixed instantly, and in some instances (like this) fixing them could actually create hints for hackers to use and exploit. That's why it's often better to be silent about them and make a fix ready in case they are publicly exploited. One of the worst-case scenarios is if you patch something with huge notes about it and the hackers find out about the flaw that way.

      And the bad hackers? They submit these to competitors like Google, who then "leak" the news about the competitor's flaw.

      Your shill status is identifiable from miles away. First user post, first post, and Google bashing (not arguing that Google is better, but what's the point in this comment?). So why do you keep posting? You're not doing a good job. For a person like me, who is responsible for decisions about OS installs on hundreds of computers, this type of astroturfing actually makes me not believe anything good about Microsoft claims, Microsoft advertising, or even Microsoft 3rd-party "independent" product reviews.

      The only possible way I could visualize a scenario in which astroturfing is needed is if there weren't actually any truthful "good honest reviews", since this actually undermines the credibility of them.

      Also, since this spam actually annoys me, I've developed a very bad emotional response to Microsoft, making me want to say: Go the Fuck away.

    7. Re:Of course Microsoft knew by Anonymous Coward · · Score: 1

      Then please carry on. No one stops you from killing/hurting yourself... Of course, if something does happen, then rest assured, there will be a Darwin Award on the other side in this case.

    8. Re:Of course Microsoft knew by CTachyon · · Score: 5, Insightful

      And why is that? Google would love to see Microsoft die.

      You don't bring nukes to a knife fight. Sure, you win the knife fight, but now everyone else knows to nuke you first and ask questions later.

      --
      Range Voting: preference intensity matters
    9. Re:Of course Microsoft knew by Anonymous Coward · · Score: 4, Insightful

      Not all of them can be fixed instantly, and in some instances (like this) fixing them could actually create hints for hackers to use and exploit

      If you have knowledge of a critical exploit, and you can't fix it in months, then your software is not suitable for use in a production environment.

      It is crucial to let system admins know as soon as you find an exploit, so they can defend themselves. You can't assume that blackhats will not find out, because they will, and you are putting your users at risk with such negligent behavior.

      Your post mainly shows that you don't know what you're talking about.

    10. Re:Of course Microsoft knew by Anonymous Coward · · Score: 0

      -1, Ms. Shill

    11. Re:Of course Microsoft knew by Anonymous Coward · · Score: 0

      No, MS only claims they've known about the bug for two months, because, as everyone knows, 0-day bugs are way more dangerous than two month old ones. They wouldn't let it happen.

    12. Re:Of course Microsoft knew by buglista · · Score: 5, Insightful

      This is utter bollocks. I used to run a large network and if you know there is a critical patch coming, you can plan for it. If you don't, and it gets released haphazardly (OOB), you're just fucked. There is no good way to get it on 200 servers and 2000 desktops in under 48 hours without causing major problems.
      Nice offhand remark about Google leaking MS zero days. Got anything to back that up?
      tl;dr - utter rubbish. Yes, I work in the field too and have done for over 10 years.

    13. Re:Of course Microsoft knew by Penguinisto · · Score: 4, Insightful

      Lots of answers:

      * If you inform Microsoft of a flaw in IE, then Microsoft in turn notifies you of a flaw in Chrome.
      * Chrome's Windows version actually uses a lot of IE components (ICS stands out, if I remember right), so a flaw in IE could potentially affect Chrome, depending on what the flaw is (e.g. an IE flaw that sets a stealth/fake proxy in IE ICS, which in turn affects Chrome...)
      * Just because you want your competitors to die or be diminished, doesn't mean you have to be a dick about it. ;)

      --
      Quo usque tandem abutere, Nimbus, patientia nostra?
    14. Re:Of course Microsoft knew by Anonymous Coward · · Score: 1

      No, it's only bad if the secret is a vital piece of the security of the system. As Bruce Schneier said:

      Just because security does not require that something be kept secret, it doesn't mean that it is automatically smart to publicize it.

    15. Re:Of course Microsoft knew by Anonymous Coward · · Score: 0

      Security by obscurity is considered bad practice. You know, what would you think if an AIRCRAFT/CAR/SHIP MANUFACTURER would wait 2 months before recalling defective parts (especially dicey stuff like brakes or stuff that's critical to the structure of the thing)... I don't think you would be pleased to know that you were riding around in a death trap.

      You are also a moron. IE will not kill you (not that I have found yet). Bad breaks will. Terrible comparison.

    16. Re:Of course Microsoft knew by Anonymous Coward · · Score: 0

      Indeed. In fact, it's not just Microsoft that embargoes details of security flaws for weeks. Take a close look at pretty much any Firefox CVE and you'll notice it was likely created at least a month earlier, sometimes several months earlier. Details of the flaw were not made public until a patch was made public.

      For example:
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3965

      The CVE was created on July 11th, 2012. However, the details of the flaw were not released until August 29th, 2012.

      So please, save the "Ethics" arguments when even open source does the exact same thing.

    17. Re:Of course Microsoft knew by Anonymous Coward · · Score: 0

      That's why it's often better to be silent about them and make a fix ready in case they are publicly exploited.

      Wrong in so many ways...
      For one, you assume that only one person discovered or knows about the flaw, that that same person is a "good" person and not using the flaw to their advantage for hacking/cracking, and that the only other people they told about it were MS.

      There are way too many software flaws, and good and bad people are doing research to find and use them, for your assumptions to be considered good for everyone and every situation.

      FOAD SHILL.


    18. Re:Of course Microsoft knew by sjames · · Score: 1

      They could have slipped the patch in on any patch Tuesday without tipping their hand (it wouldn't be the first time a security fix was slipped in).

    19. Re:Of course Microsoft knew by sjames · · Score: 1

      Would you rather drive a car that some people know an easy way to break in to or would you prefer that one fine Tuesday the dealer quietly offers you free fix?

    20. Re:Of course Microsoft knew by man_of_mr_e · · Score: 1

      Perhaps you would like to explain why Mozilla regularly embargoes details of critical security bugs for months as well then?

      The answer is that it's irresponsible to release details of a bug when no patch yet exists.

    21. Re:Of course Microsoft knew by dcollins117 · · Score: 1

      You are also a moron. IE will not kill you (not that I have found yet). Bad breaks will. Terrible comparison.

      Bad brakes can kill you. That would be a bad break. Terrible spelling.

    22. Re:Of course Microsoft knew by Anonymous Coward · · Score: 0

      This is a pretty silly rationale, because either way you see people who don't update vulnerable, but by not releasing you also leave people that would have updated vulnerable to a flaw as well in the misguided hope that nobody else will figure it out.

    23. Re:Of course Microsoft knew by X0563511 · · Score: 1

      There's no need for the CVE or whatever to be so explicit as to say "HACKERS GO HERE."

      Hell most of the MS security patches say something entirely useless like "a security flaw has been identified in Windows that may...."

      --
      For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
    24. Re:Of course Microsoft knew by man_of_mr_e · · Score: 2

      Everyone embargoes security bug details. Everyone. Mozilla, Red Hat, Canonical, Google... Everyone does it. And many times critical bugs are embargoed for several weeks, sometimes even 6 or more months.

    25. Re:Of course Microsoft knew by Desler · · Score: 1

      Well a bad break in your neck might kill you.

    26. Re:Of course Microsoft knew by Anonymous Coward · · Score: 0

      Security by obscurity is considered bad practice. You know, what would you think if an AIRCRAFT/CAR/SHIP MANUFACTURER would wait 2 months before recalling defective parts (especially dicey stuff like brakes or stuff that's critical to the structure of the thing)... I don't think you would be pleased to know that you were riding around in a death trap.

      You are also a moron. IE will not kill you (not that I have found yet). Bad breaks will. Terrible comparison.

      Have you worked in the field? Because if something goes wrong because malware is running wild thanks to such a perfect exploit, then no matter what, "IT'S YOUR HEAD. WE MIGHT NOT KNOW WHAT WE ARE DOING, BUT YOU GET PAID FOR THAT". So please tell me again, why is this a terrible comparison?

    27. Re:Of course Microsoft knew by Anonymous Coward · · Score: 0

      This is only a hypothetical, but there could also be other implications - we all know that some of the more recent network intrusions used Windows 0-days. We also know that el Goog has some communication with agencies such as the NSA...and perhaps I missed an open source article about MS as well. I would assume MS would at least consider holding back public release or the fix of a Windows based 0-day (offensive and defensive related reasons) if a certain government agency requested a short and reasonable delay.

      [sarcasm]Not that MS should even think about considering government requests when it comes to actions which may imperil shareholders. Patriotism takes a backseat to Capitalism, amirite?[/sarcasm]

    28. Re:Of course Microsoft knew by abigsmurf · · Score: 1

      2 months? Aircraft can go for YEARS still using parts known to be a risk. Grounding aircraft is extremely expensive; it only happens in extremely serious cases (usually where an issue has been identified as causing a crash). Otherwise the fixes can wait until the next piece of scheduled maintenance on the aircraft or even its next major refit. Sometimes they decide not to bother.

      The Concorde crash springs to mind. They'd been warned for a long time that the fuel tanks lacked shielding and were at risk yet didn't address it on the plane that crashed.

    29. Re:Of course Microsoft knew by Anonymous Coward · · Score: 0

      Alright, then please prove it. If you fail to produce any reasonable response (note: if you need more time, then let us know) within 2 days then this is nothing more than just empty words and we will hunt and mod you down! Note: If you are able to provide a reasonable source, you'll get of course "+1".

    30. Re:Of course Microsoft knew by Anonymous Coward · · Score: 0

      Tavis Ormandy, CVE 2010-1885.

      Discreetly notified indeed.

      (wow, that was two years ago? Feels like just yesterday...)

    31. Re:Of course Microsoft knew by Anonymous Coward · · Score: 0

      Details, yes, are often embargoed until after a patch is released. Notification that the bug/exploit exists within a particular system, however, is generally shared with the public by such companies as Mozilla, Red Hat, Canonical, and Google... you are completely wrong about that. An admin need not know the specifics of the exploit to inform users to restrict all IE activity to local intranet servers until further notice, or to justify forcing said countermeasure in highly-secure environments. Microsoft is quite simply on the wrong side of logic here.

      And here I thought they had gotten better in recent years. Shame...

    32. Re:Of course Microsoft knew by Anonymous Coward · · Score: 0

      And, of course, you might want to check your own code. For example, the HTTPS certificate chaining vulnerability, where the SSL certificate chaining did check that signatures were correct on the certificates, but did not actually check that the signing certificate was trusted by its signer for signing certificates. I could get a legit SSL certificate for any domain (easy enough) and then use that certificate to sign another fake "amazon.com" certificate.

      From memory, KDE / Konqueror (the KDE web browser) and Internet Explorer were vulnerable to this, among many other browsers - completely different code bases, nothing (code-wise) in common, but both shared the same fault.
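The chain-validation mistake this comment describes, as an added example (not code from the thread or from any of the browsers named): a constructed three-certificate fixture, a signature-only checker that models the flawed behaviour, and Go's standard path validation, which enforces basicConstraints. All names, hostnames and keys are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// chain is a constructed fixture: a trusted root, a legitimate server cert for
// "attacker-owned.example", and a rogue "amazon.com" cert signed with that server cert's key.
type chain struct{ root, leaf, rogue *x509.Certificate }

func mustKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// mustCert issues a certificate for tmpl, signed with the parent's private key.
func mustCert(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

func buildChain() chain {
	rootKey, leafKey, rogueKey := mustKey(), mustKey(), mustKey()
	notBefore, notAfter := time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	rootTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "Constructed Test Root CA"},
		NotBefore:    notBefore, NotAfter: notAfter,
		IsCA: true, BasicConstraintsValid: true, // CA:TRUE, entitled to issue certificates
		KeyUsage: x509.KeyUsageCertSign,
	}
	root := mustCert(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	// An ordinary server certificate: basicConstraints is present with CA:FALSE.
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "attacker-owned.example"},
		DNSNames:     []string{"attacker-owned.example"},
		NotBefore:    notBefore, NotAfter: notAfter,
		IsCA: false, BasicConstraintsValid: true,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leaf := mustCert(leafTmpl, root, &leafKey.PublicKey, rootKey)
	// The rogue certificate carries a valid signature, but made with a non-CA key.
	rogueTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(3),
		Subject:      pkix.Name{CommonName: "amazon.com"},
		DNSNames:     []string{"amazon.com"},
		NotBefore:    notBefore, NotAfter: notAfter,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	rogue := mustCert(rogueTmpl, leaf, &rogueKey.PublicKey, leafKey)
	return chain{root: root, leaf: leaf, rogue: rogue}
}

// naiveChainAccepts models the flawed verifier the comment describes: signatures are
// checked against the next certificate's key and the top must be a trusted root, but
// nobody checks that each signer is authorised (basicConstraints CA:TRUE) to issue certs.
func naiveChainAccepts(c chain, trusted *x509.Certificate) bool {
	sigOK := func(cert, signer *x509.Certificate) bool {
		return signer.CheckSignature(cert.SignatureAlgorithm, cert.RawTBSCertificate, cert.Signature) == nil
	}
	return sigOK(c.rogue, c.leaf) && sigOK(c.leaf, c.root) && c.root.Equal(trusted)
}

// strictAccepts runs the standard library's path validation, which refuses any
// issuer whose basicConstraints extension is missing or not CA:TRUE.
func strictAccepts(target *x509.Certificate, dnsName string, trusted *x509.Certificate, intermediates ...*x509.Certificate) bool {
	roots, inter := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(trusted)
	for _, ic := range intermediates {
		inter.AddCert(ic)
	}
	_, err := target.Verify(x509.VerifyOptions{DNSName: dnsName, Roots: roots, Intermediates: inter})
	return err == nil
}

func main() {
	c := buildChain()
	fmt.Println("signature-only check accepts rogue amazon.com cert:", naiveChainAccepts(c, c.root))
	fmt.Println("path validation accepts rogue amazon.com cert:", strictAccepts(c.rogue, "amazon.com", c.root, c.leaf))
	fmt.Println("path validation accepts the legitimate leaf:", strictAccepts(c.leaf, "attacker-owned.example", c.root))
}
```

The signature-only checker accepts the rogue certificate because every signature really is valid; only the CA:TRUE check on each issuer tells the two chains apart.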

    33. Re:Of course Microsoft knew by Anonymous Coward · · Score: 0

      2 months? Aircraft can go for YEARS still using parts known to be a risk. Grounding aircraft is extremely expensive; it only happens in extremely serious cases (usually where an issue has been identified as causing a crash). Otherwise the fixes can wait until the next piece of scheduled maintenance on the aircraft or even its next major refit. Sometimes they decide not to bother.

      The Concorde crash springs to mind. They'd been warned for a long time that the fuel tanks lacked shielding and were at risk yet didn't address it on the plane that crashed.

      Quite right! And we are talking here about a "zero-day" flaw... which really is "as bad as it can get".
      SysAdmins usually bear the full force of these issues, that is until there's some sort of a (hot-)fix.

    34. Re:Of course Microsoft knew by icebike · · Score: 3, Insightful

      I work in the field and can say there are tons of researchers who submit these flaws. Not all of them can be fixed instantly, and in some instances (like this) fixing them could actually create hints for hackers to use and exploit. That's why it's often better to be silent about them and make a fix ready in case they are publicly exploited. One of the worst-case scenarios is if you patch something with huge notes about it and the hackers find out about the flaw that way.

      The summary makes it seem like Microsoft did something underhanded by attributing the bug report to a source that pre-dates the publishing by Eric Romang.
      All this says is TippingPoint Zero Day Initiative acted responsibly, and Romang didn't.

      As for how long it took, one can't make any judgement with no idea of the scope of the problem, or the testing they had to do in order to make sure the fix was proper, and didn't hurt anything else, and worked on every variety of their platform, the number of parts of the system needing the patch, etc.

      Nor can we be positive that temporary measures may have been put in place until a formal patch was found, (such as a signature added to Security Essentials and shared with other security companies).

      The last thing you want to do is announce you have a patch coming before you really have a patch in hand.

      --
      Sig Battery depleted. Reverting to safe mode.
    35. Re:Of course Microsoft knew by man_of_mr_e · · Score: 2

      Wrong. Mozilla, Red Hat, Canonical and Google embargo the details, including the existence, of critical security bugs until a patch is available... UNLESS the exploit is publicly known already.

      It's very easy to prove. Just find any critical security flaw in the CVE database and look at the date the CVE was created. Then look at the date of the official announcement, it's quite frequently weeks to months in between.

    36. Re:Of course Microsoft knew by fustakrakich · · Score: 2

      Aircraft can go for YEARS still using parts known to be a risk.

      Four to be exact. I'm sure a cost/benefit agreement was reached. Brings little comfort to the passengers.

      As for the Concorde, about as freaky as accidents get. More than one airliner has been brought down by a popped tire.

      --
      “He’s not deformed, he’s just drunk!”
    37. Re:Of course Microsoft knew by man_of_mr_e · · Score: 3, Informative

      Prove what, specifically? If you're going to be a dick, you should be specific about it. But here's a recent example.

      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3965

      The CVE was created on July 11th, 2012. However, the existence of the flaw was not announced until August 29th, 2012.

      There are many many more, and I will leave it as an exercise for anyone that wants more proof. Just look at the date the CVE was created (the assigned date) and look at the date of the announcement.

    38. Re:Of course Microsoft knew by Anonymous Coward · · Score: 0

      No, they don't. I routinely get updates from Red Hat about security flaws for which there is no fix, which allows us to mitigate risk in our highly-secured environment. HP does the same, and has even been known to develop on-the-spot fixes for some high-profile customers. Mozilla and Canonical both make good efforts at being transparent, though they have been shown to have some problems in that department from time to time. Google, like any corporation, wants to protect its image, but it has never sat on a glaring rights-elevation bug for six months, as you claimed, and as Microsoft has been known to do.

      You are not speaking the truth, sir.

    39. Re:Of course Microsoft knew by icebike · · Score: 1

      Wrong in so many ways...
      For one, you assume that only one person discovered or knows about the flaw, that that same person is a "good" person and not using the flaw to their advantage for hacking/cracking, and that the only other people they told about it were MS.

      And you assume announcing a flaw well before you have a fix in hand won't send two thousand hackers rushing in to try to exploit it.
      Or maybe you think all hackers are honorable and wouldn't try to exploit something they read about but for which there is no current fix?

      Do you even read the shit you post?

      --
      Sig Battery depleted. Reverting to safe mode.
    40. Re:Of course Microsoft knew by icebike · · Score: 1

      And they may have done just that, by slipping a signature into the millions of machines running Microsoft Security Essentials, looking for the droppings of the exploit even when they haven't found the actual hole.

      They may have known it wasn't being widely exploited (Eric Romang didn't discover it till Sept 17), just because they were not getting hits in MSE, and had time to seek a complete patch.

      --
      Sig Battery depleted. Reverting to safe mode.
    41. Re:Of course Microsoft knew by man_of_mr_e · · Score: 1

      Yes, Red Hat will announce bugs with no patch *IF* the flaw is already publicly being exploited. Just like Microsoft.

      Are those critical flaws that give remote or local privilege escalations? Let's take an example. I looked for important security flaws and found this one.

      Notice the date on the announcement, it specifically says the word "Public" date. That date is 2012-01-18, however the CVE it references was created on December 7th, 2011.

      So here's a critical privilege escalation bug, that was kept secret for almost 6 weeks.

      The public announcement was

    42. Re:Of course Microsoft knew by man_of_mr_e · · Score: 1

      Hmm.. not sure why the link was not there..

      https://access.redhat.com/security/cve/CVE-2012-0056

    43. Re:Of course Microsoft knew by sjames · · Score: 1

      Checking for the signature of an actual attack is not at all the same as shipping a patch to PREVENT that attack from succeeding AT ALL.

    44. Re:Of course Microsoft knew by DarkOx · · Score: 1

      I used to run a large network

      Things have changed and are changing rapidly. DevOps means that on a well-run large network (at least one under central control, like a corporate one) it should be possible to put a patch on 200 servers, and probably 80%+ of those desktops, in as much time. Actually you should do the deployment work in about the 4-6 hours it takes to test the patch and patch process on the representative test machines; the rest of the 48 hours should be waiting for clients to check in and servers to hit reboot schedules.

      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
    45. Re:Of course Microsoft knew by Anonymous Coward · · Score: 0

      Prove what, specifically? If you're going to be a dick, you should be specific about it. But here's a recent example.

      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3965

      The CVE was created on July 11th, 2012.

      Didn't you say: "Mozilla, Red Hat, Canonical, Google..."?
      So, if your comment should hold any value, then where's one from Red Hat, Canonical and of course Google?
      (I don't care about the "Everyone does it", since that's really tough to prove... or do you know of any CVE that has been neglected for any stuff that comes standard with an OpenBSD default installation?)

    46. Re:Of course Microsoft knew by Anonymous Coward · · Score: 0

      Sadly, even if the pilots had *immediately* noticed and correctly diagnosed the issue which led to the crash of the Concorde (which is physically impossible given what happened), it was too late for any difference to be made for that particular airliner. They were already past the point of no return (not enough room left to brake and come to a full stop), and the airframe didn't survive long enough to get turned around and land.

      All because of a small piece of debris, unnoticed on the runway, fallen off a flight which had used that runway earlier.

    47. Re:Of course Microsoft knew by icebike · · Score: 1

      Checking for the signature of an actual attack is not at all the same as shipping a patch to PREVENT that attack from succeeding AT ALL.

      Exactly. But it does provide a measurement of how fast (if at all) the exploit is spreading, and prevents the currently known payloads from being installed while a solution is found that would allow the vulnerability to be permanently closed.

      It allows you to triage the various exploits that need the most immediate attention.

      --
      Sig Battery depleted. Reverting to safe mode.
    48. Re:Of course Microsoft knew by man_of_mr_e · · Score: 1

      Nice of you to quote that part, but leave off the part that answers the question you're asking. That's seriously fucked up, dude.

      Do it yourself. I told you how to prove it. It's very easy.

    49. Re:Of course Microsoft knew by Anonymous Coward · · Score: 0

      Or maybe the dealer just doesn't fix it at all and doesn't tell you how widespread the knowledge to break into your car is. In fact, the dealer probably has reasons to downplay the extent of the problem.

    50. Re:Of course Microsoft knew by sjames · · Score: 2

      Yes, and that's exactly the problem here./

    51. Re:Of course Microsoft knew by sjames · · Score: 1

      It prevented nothing. If they had the patch, they should have shipped it. If they didn't (they do take time to develop and test) they should be honest about that.

    52. Re:Of course Microsoft knew by icebike · · Score: 1

      Being honest about it does not include advertising a vulnerability you have no solution for.
      How would that possibly make the problem better?

      It's like hanging a big sign on your front door that says your lock is broken.

      --
      Sig Battery depleted. Reverting to safe mode.
    53. Re:Of course Microsoft knew by sjames · · Score: 1

      They have a patch now don't they?

    54. Re:Of course Microsoft knew by jmerlin · · Score: 2

      This isn't security by obscurity. And to point out, all current security is based on obscurity. The fact that all you need is a key to get access to something is, by definition, securing something by obscurity (the key is obscured). A measure of the quality of a security system is how local the obscurity is, which makes it easier to measure the strength. So if ALL of the obscurity is in the key, and there isn't an attack to weaken the key space, it's pretty easy to determine just how secure something is.

      This, on the other hand, is not telling the criminals that the armored truck accidentally broke down on its route. The point of security here isn't "we have flaws but if nobody ever knows about them, we're fine", it's "we have flaws that were reported, we're working to fix them, and we'd rather not publicly announce them until they're fixed." There's a huge difference.

    55. Re:Of course Microsoft knew by icebike · · Score: 1

      Probably you do as well, if you have auto-updates applied.

      Quote first sentence of Summary:

      Microsoft issued an emergency patch for a flaw in the Internet Explorer browser on Friday,... the notes to Microsoft's patch credit the TippingPoint Zero Day Initiative for finding the flaw,

      So problem solved.

      --
      Sig Battery depleted. Reverting to safe mode.
    56. Re:Of course Microsoft knew by Anonymous Coward · · Score: 0

      There is no good way to get it on 200 servers and 2000 desktops in under 48 hours without causing major problems.
      You are not doing something right then.
      I can update our entire enterprise (800 Windows servers spread around in 13 countries) by myself with a single or a hundred patches in a few minutes and a few mouse clicks. Sure, reboots will have to be planned out, but if the business allowed it and if we did not have any clusters and domain controllers to worry about, I could reboot them all at the same time as well. I don't handle desktops, but our patching software can do them too.

      We use VMware vCenter Protect. It's not just for virtual servers running on VMware either. It used to be called Shavlik NetChk Protect before VMware bought them.

      http://www.vmware.com/products/datacenter-virtualization/vcenter-protect/overview.html

      It takes a little planning ahead of time to get the system up and running but it really is simple. We have a plain txt file on a DFS share that we add MS patch numbers to (The Q numbers). We also have our servers listed by groups in plain text files as well. Every single week on a schedule the patching system scans all computers listed in those text files looking for patches in the other txt file and reports what is missing. During our maintenance windows, we deploy what it previously reported as missing. We have two groups of servers based on Tier, Tier1 installs the patches and Tier 2 installs the patches and reboots. Like I said, deploying a patch takes a few clicks.

      Really simple example: if someone adds two new servers in NY and we approve two new patches for the enterprise, I add the two new servers in NY_Tier1.txt and I add the Q numbers to the bottom of approved_patches.txt. DONE. Our next downtime window will have those servers listed along with all of the other servers in that list with what they are missing, and we deploy.


    57. Re:Of course Microsoft knew by Anonymous Coward · · Score: 0

      Mod the parent down. Two months is not acceptable. Yes, I'm in the industry too, but I'm involved with development as well as sustainment, so I know what the fuck I'm talking about.

    58. Re:Of course Microsoft knew by Bremic · · Score: 1

      It's very simple. If you find a defect that could lead to a comprehensive security breach, and you can't fix it within a reasonable period of time (say 4-6 weeks) then you notify people of the fact that your software is defective and should not be used - no details, just simply "stop using it until we have a fix".

      If your software is web enabled, and reports back to base (like IE does), issue an "update" that stops it working.

      If an airline found out that their planes were vulnerable to sudden engine failure, they are required to stop using them immediately until they are fixed.

      Saying that software doesn't risk people's lives like a plane's engine does is simply wrong in this day and age. Everything from traffic control, security, financial, through to hospitals and medical support systems all run Windows. It's just less "graphic" when they cause people to die.

      Anyone who is subjected to loss through this should be able to hold the vendor liable for the loss, because they did not report the potentially devastating defect.

    59. Re:Of course Microsoft knew by Kalriath · · Score: 1

      The component you speak of is WinInet. Chrome also uses CryptoAPI, so that's another surface.

      --
      For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
    60. Re:Of course Microsoft knew by jd · · Score: 1

      Can someone forward the parent post to every world leader, corporation and Murdoch paper on the planet.

      --
      It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
    61. Re:Of course Microsoft knew by buglista · · Score: 1

      Yes, this was a university, not a standard corporate. If you do have a single build for servers and a single build for workstations everything does get so much easier - this just doesn't fit a Uni model, because of a) necessity of people doing weird stuff and b) internal politics :)

    62. Re:Of course Microsoft knew by bloodhawk · · Score: 1

      He's an A/C troll, what can you expect.

    63. Re:Of course Microsoft knew by Anonymous Coward · · Score: 0

      You're kind of an idiot, aren't you?

      When a report originates with a CVE, it has to be tested and confirmed by the source distributor before it is publicly announced. Not all CVEs are valid, and not all reports originate as CVEs. I suspect you already knew all of this, though.

    64. Re:Of course Microsoft knew by Anonymous Coward · · Score: 0

      this is /. not ./

    65. Re:Of course Microsoft knew by man_of_mr_e · · Score: 1

      I'm not sure what your point is. The CVE is merely evidence of the MINIMUM amount of time the flaw has been known by the vendor. I only gave examples of vendor-acknowledged flaws, so they're valid CVEs.

      I didn't go trolling the CVE database, I went trolling the vendor acknowledged security bulletin database, then used the CVE they acknowledge to back up the claim.

      It seems in your rush to call me an idiot, you were looking in the mirror.

  2. Rush to market. by jellomizer · · Score: 3, Insightful

    How many times have you made quick demo/proof of concept code, only to be rushed to market despite your express statement that it isn't complete yet, because your boss doesn't understand what it takes to harden your code, or pressures you to just fix the UI to prevent the bad stuff from happening?

    For example, if you see a website that has JavaScript that clears out single quotes before sending the data over, it may mean that it is ripe for a SQL injection attack.

    --
    If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    1. Re:Rush to market. by Anonymous Coward · · Score: 1

      Geez, are we still talking about the iOS 6 maps?

    2. Re:Rush to market. by Anonymous Coward · · Score: 0

      How many times have you made quick demo/proof of concept code, only to be rushed to market despite your express statement that it isn't complete yet, because your boss doesn't understand what it takes to harden your code, or pressures you to just fix the UI to prevent the bad stuff from happening?

      For example, if you see a website that has JavaScript that clears out single quotes before sending the data over, it may mean that it is ripe for a SQL injection attack.

      Oh, I got one better than that. I worked at a small company that produced solid state high voltage (1,900v) motor control devices (basically a computerized three phase resistor the size of a large kitchen fridge, with buttons, lights and gauges on the front). I worked my way up from painting enclosures, to plasma cutting holes in them, milling heatsinks with a CNC machine, hand drilling/tapping panels & mounting components, wiring them -- I could do everything start to finish. Thanks to the electrical engineering degree I was working on I could even test them, but that was still beyond my pay-grade.

      When a downstream area of the line had a problem with the upstream (say, wrong or missing parts, bad contactor wiring schematic, etc.) we'd have to send a change request upstream to get the problem fixed. A new rule came out that we had to write up the other area for each change request -- this counted against their "efficiency" and thus bonuses. So, for someone like me who worked the whole line -- I never wrote anyone up, we just handled things off the record.

      For a "hot" rush job I was to build a new prototype unit with the latest LCD displays and instrumentation. It was to be shown to the customers, so they wanted it to look nice -- I made the prototype as close to the designs as possible, and as high quality a build as possible. It was "sexy wire work", a co-worker said.

      The blueprint showed a MFG Serial label in the typical spot: a number of inches down and to the left of the enclosure's opening. Usually this fell on the back panel, but the new component placement caused it to be placed across two of the big electricity conducting heat sinks (separated by huge Silicon-Controlled Rectifiers). That placement wasn't unheard of, because the labels were usually printed on vinyl stickers, but this time it was a metallic sticker.

      I wasn't allowed to change the sticker placement without a correction from engineering's drawings and place it in a better spot; Testing would write me up... I ran a continuity check, and the sticker seemed not to be shorting the circuit -- isolated by its adhesive... Still I knew it was messed up: once twenty thousand volts was in that heat sink the electricity wouldn't mind ignoring the adhesive and taking a shorter path. I called engineering and they said not to write them up, they'd send down a revised plan pronto, just take lunch early and they'd have the sticker placement changed. I left a huge note taped to the front of the device: "REV. IN PROGRESS - DO NOT TEST", pushed it out of my area, and went to eat.

      Walking back from lunch I picked up the revised plans, and printed up a new vinyl product / serial label, but I couldn't find the prototype unit. I suspected someone had pushed it into testing, and in the test area I found the note I had written on the floor... A moment later I saw a huge blue flash and heard a wicked bang followed by a 6ft gout of fire shooting out of the enclosure, throwing its door off the hinge -- The fellow testing the unit was on his knees checking test points, and the explosion had occurred about a foot above his head, but thankfully he was unharmed. There was only a scorch mark on the heat sink where the metallic label used to be... He was only dazed & a bit confused -- The unit had "ohmed out fine", showing no short circuits.

      The floor manager was in a rush to get the unit out the door, and had looked over the blueprints, found nothing incomplete, Ignored the note and got someone to test the damn th

  3. Clarification Needed (please) by Anonymous Coward · · Score: 5, Funny

    What's a "Internet Explorer" ?

    1. Re:Clarification Needed (please) by Anonymous Coward · · Score: 1

      What's a "Internet Explorer" ?

      A liability.

      Next question.

    2. Re:Clarification Needed (please) by Alter_3d · · Score: 5, Funny

      What's a "Internet Explorer" ?

      It's the tool used to download Firefox, Chrome or Opera on new Windows PCs.

      Of course, if you really hate the thing, you can always use the built in ftp client.

    3. Re:Clarification Needed (please) by geekmux · · Score: 1

      What's a "Internet Explorer" ?

      A small bug. It is technically part worm, part parasite, but fortunately has shrunk considerably in size from its formidable infectious years, and is easily killed and eaten these days by the Firefox...

    4. Re:Clarification Needed (please) by Anonymous Coward · · Score: 1

      Tool like any other explorers. It is meant to explore the internets. So if you don't know where your internet is hiding, you explore it every day again and again. Till you find yourself in a madhouse. Simple as that. Hope it helps everyone in their exploration and research.

    5. Re:Clarification Needed (please) by Penurious+Penguin · · Score: 1

      Permuted: Net Pixel Net Error

      --
      Forward! -- Emperor Norton, 2012
    6. Re:Clarification Needed (please) by antdude · · Score: 1

      You forgot a "n" before "Internet Explorer" since I is a vowel. :P

      --
      Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
    7. Re:Clarification Needed (please) by Pyrus.mg · · Score: 1

      Anyone who types three random words into Google and clicks the I'm Feeling Lucky button earns an Internet Explorer badge. (please contact Microsoft if your badge doesn't arrive by overnight courier)

    8. Re:Clarification Needed (please) by Billly+Gates · · Score: 1

      I used to do just that during my IE hate phase as I did not want to taint the poor CPU with those evil instructions into a tool of Satan! I would cmd up ftp to getfirefox and even went as far as replacing the blue E off every family computer and putting the Firefox icon with it instead.

      Maybe I am just OC?

  4. Of course they knew. by JustAnotherIdiot · · Score: 2

    If I've learned anything from my current position it's that if a single person finds a problem, they're usually whacked on the head and told to keep their mouth shut.
    The person who knew was probably a grunt worker in microsoft who was hushed by his manager.

    --
    What do I know, I'm just an idiot, right?
    1. Re:Of course they knew. by Penguinisto · · Score: 1

      Depends - given MSFT's stack-ranking system, I suspect it goes like this:

      If it's a coworker's flaw? You broadcast it to raise your own rankings and screw the other guy over.
      If it's your flaw and you discover it way too late in the process to fix w/o raising eyebrows? You shut up and pray like hell no one finds it.

      --
      Quo usque tandem abutere, Nimbus, patientia nostra?
  5. Knowing by Anonymous Coward · · Score: 5, Informative

    Microsoft has a policy of "responsible disclosure" such that they credit the flaw to the first person who participates in that process. If that person reveals it before Microsoft, then the "responsible disclosure" did not take place and the next person is given credit. It is of no surprise that the one who made it public did not get credit from Microsoft.

    1. Re:Knowing by jd · · Score: 1

      I thought that was called "profitable disclosure".

      --
      It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
  6. People by gmuslera · · Score: 3, Interesting

    Sometimes it is good to remember that people are involved, not just big companies. Did the "company" know about it, or did the people that initially received the report not escalate it? Who knows how many vulnerability reports they get every day, and how many of them are taken as dupes, already known, or plainly sold to the highest bidder, without the upper layers knowing about them.

    Anyway, they are playing their role. It's supposed to be security by obscurity, so let's put a shadow on all hints of insecurity. With a bit of luck the only one aware of it will be the researcher that sent the report instead of the bad guys, so there will be plenty of time to fix and schedule a deploy without anyone else knowing that it happened.

  7. New kind of ethics in town by garyisabusyguy · · Score: 4, Interesting

    and that is called, 'returning shareholder value'

    Car manufacturers have always allowed defective products into the field, as long as the costs (lawsuits, bad press) do not outweigh the benefits (PROFIT!)

    Of course, they already have lawyers on retainer, and 'good relationships' with the media outlets, so they can cover most complaints by simply quashing them with legal briefs and keeping the complainants from ever getting media coverage

    There was a long period of time when MS seemed to follow that model, but they seemed to have gotten on their game in the past few years, hopefully this is not a sign that they are falling back to the lowest level of service that they can give to security issues without getting sued

    --
    Wherever You Go, There You Are
    1. Re:New kind of ethics in town by icebike · · Score: 2

      Look, there is no such thing as a defect free product. Does not exist in any realm.

      Given that, an instant recall of any product subsequently found to have a defect would shut down commerce totally. It would be completely unworkable in the real world. It's nothing about returning shareholder value. It's about keeping civilization running WHILE you fix infrastructure instead of running screaming back into the cave every time you discover a loose screw on a cabinet door.

      Complex systems are complex to fix. But they work. Bugs and all. They hang together.
      Loose axle bolts on a pickup truck, or an obscure vulnerability in a browser. 99.9999% of the users will not encounter the problem, and when they do the vast majority of them will not get hurt.
      However, everybody gets hurt when idealists rush in, order all IE9 users to cease and desist using it, and all pickup truck owners to park them until a fix is found. It's ridiculous.

      Further, You can't "quash" anything these days. Don't even go there.
      Bugs get fixed in order of priority. Triage. Look it up some time.

      --
      Sig Battery depleted. Reverting to safe mode.
    2. Re:New kind of ethics in town by Wes+Beckwith · · Score: 1

      It does not surprise me about MS software and IE. But what is weird to me is how people jump on MS and not others. I am sure Firefox has made mistakes... Wes Beckwith

    3. Re:New kind of ethics in town by Anonymous Coward · · Score: 0

      Look, there is no such thing as a defect free product. Does not exist in any realm.

      Given that, an instant recall of any product subsequently found to have a defect would shut down commerce totally. It would be completely unworkable in the real world. It's nothing about returning shareholder value. It's about keeping civilization running WHILE you fix infrastructure instead of running screaming back into the cave every time you discover a loose screw on a cabinet door.

      Complex systems are complex to fix. But they work. Bugs and all. They hang together.
      Loose axle bolts on a pickup truck, or an obscure vulnerability in a browser. 99.9999% of the users will not encounter the problem, and when they do the vast majority of them will not get hurt.
      However, everybody gets hurt when idealists rush in, order all IE9 users to cease and desist using it, and all pickup truck owners to park them until a fix is found. It's ridiculous.

      Further, You can't "quash" anything these days. Don't even go there.
      Bugs get fixed in order of priority. Triage. Look it up some time.

      Oh, the difference here is that exploits, once discovered, work almost 100% of the time on a broad variety of systems. And because the PC market is mostly a monoculture, these exploits affect every system on the block! In fact this has been observed a number of times: who can forget CodeRed, iloveyou, blaster; conficker/downup, stuxnet, duqu, flame, ... All these had some major impact on the computing community, so you can't compare that with the odd broken axle or loose bolts.

    4. Re:New kind of ethics in town by icebike · · Score: 4, Interesting

      Oh, the difference here is that exploits, once discovered, work almost 100% of the time on a broad variety of systems. And because the PC market is mostly a monoculture, these exploits affect every system on the block! In fact this has been observed a number of times: who can forget CodeRed, iloveyou, blaster; conficker/downup, stuxnet, duqu, flame, ... All these had some major impact on the computing community, so you can't compare that with the odd broken axle or loose bolts.

      Actually, they don't work 100% of the time.
      It's a browser bug.
      It only affects IE 6-9. Not Safari, Chrome, or Firefox.
      It only appears on a few dodgy websites.
      The fact that this is unheard of pretty much means it's not close to affecting 100%.

      But hey, thanks for reminding me about all those other exploits,

      who can forget CodeRed, iloveyou, blaster; conficker/downup, stuxnet, duqu, flame,

      I had indeed forgotten about these.
      Probably because they never affected me.
      Or anyone that I knew.

      Because they got blocked by anti-virus software on Windows well before they became epidemic in scope.
      And of course none of them bothered linux.

      --
      Sig Battery depleted. Reverting to safe mode.
    5. Re:New kind of ethics in town by Anonymous Coward · · Score: 0

      Car manufacturers have always allowed defective products into the field, as long as the costs (lawsuits, bad press) do not outweigh the benefits (PROFIT!)

      What a load of crap, I've worked for numerous car manufacturers and manufacturers of vehicular parts in software development for QA systems. Most companies treat it as the end of the world if a bad part makes it outside of the plant, the others keep it on the down-low but do the immediate investigation and recall ASAP. They have numerous DRPs and IRPs to handle these events as soon as possible with high certainty. I've also seen a lot also have BCPs which keep these auditing and recall mechanisms running and available even in the event of disaster which take out production facilities etc. I've also seen companies actually mount these bad parts in staff rooms, factory floors etc. in public view of the workers as examples of what not to do and the consequences of fuck-ups.

    6. Re:New kind of ethics in town by Anonymous Coward · · Score: 0

      Oh, the difference here is that exploits, once discovered, work almost 100% of the time on a broad variety of systems. And because the PC market is mostly a monoculture, these exploits affect every system on the block! In fact this has been observed a number of times: who can forget CodeRed, iloveyou, blaster; conficker/downup, stuxnet, duqu, flame, ... All these had some major impact on the computing community, so you can't compare that with the odd broken axle or loose bolts.

      Actually, they don't work 100% of the time.
      It's a browser bug.
      It only affects IE 6-9. Not Safari, Chrome, or Firefox.
      It only appears on a few dodgy websites.
      The fact that this is unheard of pretty much means it's not close to affecting 100%.

      But hey, thanks for reminding me about all those other exploits,

      who can forget CodeRed, iloveyou, blaster; conficker/downup, stuxnet, duqu, flame,

      I had indeed forgotten about these.
      Probably because they never affected me.
      Or anyone that I knew.

      Because they got blocked by anti-virus software on Windows well before they became epidemic in scope.
      And of course none of them bothered linux.

      Then how come Blaster did an estimated damage of $320 million http://www.pcworld.com/article/112047/article.html ?

      Code Red from $1.2 billion to $8.7 billion http://www.theregister.co.uk/2001/08/02/code_red_hysteria_8_7bn/

      Conficker http://www.zdnet.com/blog/security/confickers-estimated-economic-cost-9-1-billion/3207 is said to have caused damage of up to $9.1 billion

      So, how can you say it "never affected you"? Don't you remember the day when "Slammer" was on the loose?

    7. Re:New kind of ethics in town by ajo_arctus · · Score: 1

      I had indeed forgotten about these.
      Probably because they never affected me.
      Or anyone that I knew.

      Because they got blocked by anti-virus software on Windows well before they became epidemic in scope.
      And of course none of them bothered linux.

      Maybe you have poor memory? These were big news.

      I worked on a second-level support desk during the iloveyou outbreak, and a great many companies that we supported were affected. Likewise blaster and codered. I was a programmer by then, but I saw the damage on several servers that weren't firewalled.

    8. Re:New kind of ethics in town by icebike · · Score: 1

      Serves you right for running windows servers NOT FIREWALLED.

      What the hell were you thinking?

      Like I said, none of those outbreaks affected me or my customers.

      --
      Sig Battery depleted. Reverting to safe mode.
  8. Inside Job by Metabolife · · Score: 1

    Microsoft released this flaw on themselves so they'd have an excuse to invade multiple innocent computers with security essentials. You're living in a policed antivirus society. Wake up! There was actually a third exploit that you can see being silently removed by Norton before anything hit. You think this is a coincidence?

    1. Re:Inside Job by Zaphod-AVA · · Score: 1

      What is their goal in this? What do they gain from having MSE installed on systems?

    2. Re:Inside Job by Anonymous Coward · · Score: 0

      Isn't it obvious?

      1) Installing MSE would mean users getting rid of 3rd-party anti-virus programs.
      2) 3rd-party anti-virus programs are notoriously slow and buggy, hindering machine performance
      3) ???
      4) Replacing with MSE would improve performance
      5) MS gets to report that it takes less time to do everything on their machines.

      Trying to force MSE onto users' machines is an insidious plot to improve their response times, and thus benchmark values, for the next advertising blitz!

    3. Re:Inside Job by nzac · · Score: 1

      No if it's an inside job, it will be so they can claim that: the new win8/IE10 security methods work and this time they have solved IE's security problems.

  9. What if they did? by Anonymous Coward · · Score: 1

    Most companies know of flaws before they are made public.

    1. Re:What if they did? by Anonymous Coward · · Score: 1

      MS has stated many times that they DO this.

      They are fuzzing/QA'ing their own code all the time and finding things. People are submitting things. They are very clear on how they test, patch things, and credit.

      This sort of attitude of 'i found a bug you must fix it *right* now' is rather silly. MS has pushed patches before they were ready and many businesses have suffered because of it. I know I have over the years had to change working code because of badly tested patches (patch 2 months later and it works again...). They have an ecosystem of millions of computers. You take out say 1% of those and it is a big deal.

      Their cycle is usually 4-6 months from someone telling them the exploit until it is patched out. With some never being patched because no one else has found it. They roll those into the next version or a service pack. As the second they release a patch for anything, the same people exploiting these sorts of things rip it apart and figure out what it does, opening a window of possible machines that have not been patched yet being exploited.

      MS has stated many times what they do. These sorts of articles are more along the lines of 'dance MS dance for me I am bored'...

      If you notice that same patch also had fixes for 5 other things that *NO* one outside of MS knew existed...

  10. It's a typo by Anonymous Coward · · Score: 0

    It's spelled "... Exploder"

    As to what it does, that should be obvious from the name.

  11. Lifecycle for latest IE Bugs by Anonymous Coward · · Score: 0

    Hello,

    I'm one of the maintainers of scip VulDB, a free vulnerability database. We do also provide additional details about the timeline of vulnerabilities. The latest IE bugs have had the following 0-day time (first known date of identification until any public release):

    CVE-2012-1529 - 197 days [http://www.scip.ch/en/?vuldb.6513]
    CVE-2012-2546 - 135 days [http://www.scip.ch/en/?vuldb.6514]
    CVE-2012-2548 - 135 days [http://www.scip.ch/en/?vuldb.6515]
    CVE-2012-2557 - 135 days [http://www.scip.ch/en/?vuldb.6516]

    It's not unusual that Microsoft bugs have such a long "underground lifespan". But in the end it's hard to tell whether this delay of public disclosure or release of a countermeasure is the fault of a "blackhat", a lazy researcher or Microsoft. But one thing is for sure: it takes way too long to provide a fix.

    Regards,
    Marc

    1. Re:Lifecycle for latest IE Bugs by man_of_mr_e · · Score: 1

      Have you analyzed the typical time for Mozilla, or Google to fix such issue?

    2. Re:Lifecycle for latest IE Bugs by Billly+Gates · · Score: 1

      Really I can just sense the hate. That and the ridiculous assertion made that MS purposely let it in as an inside job. ... of course if I had to write websites optimized for quirks mode all day for ancient versions I could see the angry reaction to any IE news :-)

      IE 6 and 7 could be dead fast enough.

    3. Re:Lifecycle for latest IE Bugs by Kalriath · · Score: 1

      Well, I had a quick look at some other CVEs for the hell of it.

      Mozilla:
      CVE-2012-3980 - 48 days - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3980 (Bugzilla entry concealed from public)
      CVE-2012-3979 - 48 days - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3979 (Bugzilla entry concealed from public)
      CVE-2012-3968 - 48 days - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3968 (Bugzilla entry concealed from public)

      Google:
      CVE-2012-2869 - 103 days - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2869 (Bug tracker issue concealed from public)
      CVE-2012-2864 - 94 days - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2864 (Bug tracker issue concealed from public)
      CVE-2012-2859 - 73 days - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2859 (Bug tracker issue concealed from public)

      So, Microsoft is not unique in sucking at getting patches out promptly. It's pretty abundantly clear that "Marc" is just another anti-Microsoft shill ranting about how Microsoft perpetuated every evil in history. (Really, if Open Source is the paragon of transparency, why are all of the bug tracker entries detailing these now fixed bugs private?)

      --
      For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
  12. Ethics in the zero day exploit market? by rainer_d · · Score: 2

    I'm sure it exists, as long as the balance sheet is OK. A "market" (and the ZD exploit market, being largely unregulated, TTBOMK) doesn't have any ethics per-se.

    --
    Windows 2000 - from the guys who brought us edlin
  13. More interesting would be to know by Anonymous Coward · · Score: 0

    Who else knew, and was that the reason Microsoft sat still with the patch?

    Vendors like Microsoft share information about vulnerability risks with government either directly or via CERTs, which in turn forward information to parties responsible for national security ... which has lately been busy coding cyber espionage worms .... Not too hard to connect the dots really.

  14. Ethics? by mseeger · · Score: 2

    The possibility raises questions about Microsoft [...] as well as about the ethics of the zero day exploit market.

    You're kidding me, right? You expect ethics on a market whose primary customers are spies and criminals? Selling to the manufacturer is only the sale of last resort.....

  15. The Voice Of Redmond by Anonymous Coward · · Score: 0

    ..and it's irrational behaviour. Nice to have these specimens here for examination.

  16. Typical Case Of M$ Paranoia by Anonymous Coward · · Score: 0

    "Google would love to see Microsoft die"

    That is how M$ operates: Kill every competitor at all cost and by all means. You expect your competitors to have the same Sickness of Mind.

    1. Re:Typical Case Of M$ Paranoia by Anonymous Coward · · Score: 0

      Um, when it's Google? Yes. Google is as evil as Microsoft, Apple, and anyone else as big.

    2. Re:Typical Case Of M$ Paranoia by Kalriath · · Score: 1

      Except that you're talking shit. Microsoft has been credited with informing their competitors of vulnerabilities as often as Microsoft's competitors have been credited with informing them of vulnerabilities.

      --
      For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
  17. Not entirely correct by Anonymous Coward · · Score: 0

    I think he is giving away what kind of inflexible and sluggish bureaucracy M$ nowadays is. They shit into their pants when it comes to bugfixing, because they don't really know what their code does.

    There was a story of two M$ guys being tasked to find out how Stuxnet worked. I got the impression that all of that was lots of fumbling, they did not have adequate support and certainly they did not enjoy criticism from the open source community. If M$ is only willing to put two guys on something like Stuxnet, you can clearly see what really is important for them. It's New Product Revenue. NOT Fixing Bugs For Valued Customers.

  18. You meant to say by Anonymous Coward · · Score: 2, Funny

    1.) Guy reports exploit to M$ in February
    2.) They do nothing
    3.) Guy asks for progress in May
    4.) They do nothing
    5.) Guy asks for progress in July
    6.) They do nothing
    7.) Guy asks for progress in October
    8.) They do nothing
    9.) Guy releases exploit to public
    10.) MS bitches loudly about "Google trying to smear us"
    11.) MS does nothing for three days
    12.) Two low-level guys are told to fix it ASAP on Monday
    13.) On Tuesday they are grilled by Sinofski about progress
    14.) On Wednesday Ballmer throws a chair at them
    15.) On the deathbed (from the Ballmer-inflicted wounds), they fix the issue
    16.) On Friday MS releases the patch

    1. Re:You meant to say by Minwee · · Score: 1

      Well, it got a response. Isn't that what "response-able disclosure" is all about?

  19. No by fa2k · · Score: 2

    If Microsoft knew about it, it wasn't a zero-day vulnerability

    1. Re:No by Mike+Buddha · · Score: 1

      Um, how do you figure? A vulnerability that hasn't been fixed when a product is released is still a vulnerability, and it still occurs pre-release, so that satisfies both criteria for being a zero day vulnerability.

      --
      by Mike Buddha -- Someday the mountain might get him, but the law never will.
  20. Define Zero-Day... by smilnrt · · Score: 1

    So if they knew in advance it would not be a "zero-day" right? I dunno, maybe I am missing something here, carry on.

  21. need to double check by Anonymous Coward · · Score: 0

    it takes so long to fix the problem, because the (endless) fixes / iterations might turn it into a linux (in a couple of years).

  22. Not sure what the problem is here by detain · · Score: 1

    MS knew about an exploit and tried keeping it under wraps until it was patched. It just so happens that the exploit became widely known before they could release it with their normal update cycle so they pushed out an early update. I'm glad they don't post all the potential new exploits they become aware of until they are able to address the problems. If they were relying on outside help to maintain their security then I could see the need to make exploits known right away but as this is not the case, it doesn't make sense to tell the world about security holes like this if they are going to be able to fix it before it becomes a problem.

    --
    http://interserver.net/
    1. Re:Not sure what the problem is here by funnyguy · · Score: 1

      This is typical 0-day process. I'm not sure why there is now a problem with the 0-day ethics. But companies that sell their 0-day protection have always paid for and then given to M$ and 0racle (0-details), etc while leaving their customers protected. This is part of the "No more free bugs" approach, it provides a legitimate way to sell your discovery which someone worked towards, while knowing it is going to be responsibly disclosed and tracked and even that some people will be nearly immediately protected in some cases.

  23. Here is how vulnerability disclosure should work by AngryDad · · Score: 1

    This process was developed/implemented by HexView a few years ago (I worked for them at that time): Whoever finds the vulnerability likely has enough knowledge to roughly estimate what it takes to fix it and test the fix. He/she supplies all details to the vendor and gives them a hard time frame, e.g.: "I will release this data to the public 30 days from now". At the same time, a vulnerability alert without details may be released to the public to prevent/delay re-discovery. If the vendor fails to resolve the vulnerability in a timely manner -- too bad, you were given enough time for fixing and testing.