Full Disclosure mailing list archives

Re: Microsoft Cries Wolf ( again )


From: "mattmurphy () kc rr com" <mattmurphy () kc rr com>
Date: Tue, 1 Jul 2003 15:25:09 -0400

> It is quite legal and responsible disclosing bugs.
> Just look into real world - when you buy fucked up beer, do you notify the 
> vendor and wait to fix it or act in some other way?

Let's set one thing straight -- I never challenged the legality of it, so I
have no clue where that is coming from.

Secondly, that analogy is so flawed it is ridiculous.  When a food/beverage
is recalled, the threat ends.  Food is pulled off the shelves, etc.

That is the result, usually, of a voluntary *VENDOR RECALL*, as most of the
world's systems for managing food safety require a near catastrophe before
they will act.  Although there are other coordinating parties involved, the
original manufacturer of the product is almost *always* involved in
determining the scope of an issue, and deciding appropriate action (i.e.,
what to recall).

Let's look at this analogy for a second.  If I disclose a very high
likelihood of some chemical/germ known to be in some food product, the
infection's threat does not become worse -- the products that were infected
are still infected, and those that aren't still aren't.  This does not
grant anyone the ability to worsen the situation, as the harm from an
infected food supply is created the moment the food supply is infected.

However, a security vulnerability is not, in itself, harmful.  What *is*
harmful about a security vulnerability are individuals who wish to exploit
the flaw.  Therefore, the harm from a vulnerability increases dramatically
if more people with the ability to exploit the vulnerability are aware of
it.  This includes exploiting the flaw through pre-written exploit code of
some kind.  This harm is especially great if administrators are exposed
with a known-good workaround.  Therefore, vendor communication is the
*preferred* method of dealing with security flaws, at least in the short
term.  However, if it becomes obvious that the vendor does not wish to
resolve the vulnerability at hand, it should be disclosed.  However,
workarounds should be available so that the added information actually has
the ability to help the administrator.

While there is some argument about what makes a vendor unresponsive, patch
times in this case are, likely and understandably, quite lengthy.  These
fixes are not trivial to begin with, thanks in no small part to the
incredible number of customers Microsoft has.  As if the literally millions
of configurations Microsoft software must support weren't enough, think for
a second about the multiple different character sets its code applies to. 
Even the *DOCUMENTATION* for the patch must be translated into dozens of
different languages -- no small task with exploitation looming on the
horizon.  However, it is obvious that in this case, the reporter did not
attempt any contact with Microsoft whatsoever.  As a user of IE myself, I
find it ridiculous that this course of action was even considered.

And, last but not least, I don't drink. :-)

> Some day, m$ will call irresponsible the wrong people, and then, some 
> of us will enjoy the fun.

Might I suggest that someone who would share details with people interested
in exploiting the flaw, before people that flaw might affect, truly *IS*
irresponsible?  With that in mind, it doesn't seem like Microsoft would be
wrong at all to call someone who would consider such a course of action
irresponsible.  In fact, this is probably exactly what the reporter was
hoping for -- not caring about the established disclosure process, seeking
instead to increase his/her own standing by antagonizing a major company,
at the expense of its millions of customers.  While I cannot speak for the
philosophies of other researchers, it is my firm belief that a policy which
exposes millions of systems to exploitation without providing feasible
alternatives for any of them is not only irresponsible, it is negligent.



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

