Full Disclosure mailing list archives
Re: Microsoft Cries Wolf ( again )
From: "mattmurphy () kc rr com" <mattmurphy () kc rr com>
Date: Tue, 1 Jul 2003 15:25:09 -0400
It is quite legal and responsible to disclose bugs. Just look at the real world - when you buy fucked up beer, do you notify the vendor and wait for them to fix it, or act in some other way?
Let's set one thing straight -- I never challenged the legality of it, so I have no clue where that is coming from. Secondly, that analogy is so flawed it is ridiculous. When a food/beverage is recalled, the threat ends. Food is pulled off the shelves, etc. That is the result, usually, of a voluntary *VENDOR RECALL*, as most of the world's systems for managing food safety require a near catastrophe before they will act. Although there are other coordinating parties involved, the original manufacturer of the product is almost *always* involved in determining the scope of an issue, and deciding appropriate action (i.e., what to recall).

Let's look at this analogy for a second. If I disclose a very high likelihood of some chemical/germ known to be in some food product, the infection's threat does not become worse -- the products that were infected are still infected, and those that aren't still aren't. This does not grant anyone the ability to worsen the situation, as the harm from an infected food supply is created the moment the food supply is infected. However, a security vulnerability is not, in itself, harmful. What *is* harmful about a security vulnerability are individuals who wish to exploit the flaw. Therefore, the harm from a vulnerability increases dramatically if more people with the ability to exploit the vulnerability are aware of it. This includes exploiting the flaw through pre-written exploit code of some kind. This harm is especially great if administrators are exposed with a known-good workaround.

Therefore, vendor communication is the *preferred* method of dealing with security flaws, at least in the short term. However, if it becomes obvious that the vendor does not wish to resolve the vulnerability at hand, it should be disclosed. However, workarounds should be available so that the added information actually has the ability to help the administrator.
While there is some argument about what makes a vendor unresponsive, patch times in this case are, likely and understandably, quite lengthy. These fixes are not trivial to begin with, thanks in no small part to the incredible number of customers Microsoft has. As if the literally millions of configurations Microsoft software must support weren't enough, think for a second about the multiple different character sets its code applies to. Even the *DOCUMENTATION* for the patch must be translated into dozens of different languages -- no small task with exploitation looming on the horizon. However, it is obvious that in this case, the reporter did not attempt any contact with Microsoft whatsoever. As a user of IE myself, I find it ridiculous that this course of action was even considered. And, last but not least, I don't drink. :-)
Some day, m$ will call irresponsible the wrong people, and then, some of us will enjoy the fun.
Might I suggest that someone who would share details with people interested in exploiting the flaw, before the people that flaw might affect, truly *IS* irresponsible? With that in mind, it doesn't seem like Microsoft would be wrong at all to call someone who would consider such a course of action irresponsible. In fact, this is probably exactly what the reporter was hoping for -- not caring about the established disclosure process, seeking instead to increase his/her own standing by antagonizing a major company, at the expense of its millions of customers. While I cannot speak for the philosophies of other researchers, it is my firm belief that a policy which exposes millions of systems to exploitation without providing feasible alternatives for any of them is not only irresponsible, it is negligent.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- Re: Microsoft Cries Wolf ( again ) Georgi Guninski (Jul 01)
- RE: Microsoft Cries Wolf ( again ) Schmehl, Paul L (Jul 01)
- Re: Microsoft Cries Wolf ( again ) KF (Jul 01)
- Re: Microsoft Cries Wolf ( again ) ATD (Jul 01)
- Re: Microsoft Cries Wolf ( again ) madsaxon (Jul 01)
- RE: Microsoft Cries Wolf ( again ) Richard M. Smith (Jul 01)
- RE: Microsoft Cries Wolf ( again ) Mike Fratto (Jul 01)
- RE: Microsoft Cries Wolf ( again ) Cesar (Jul 01)
- Re: Microsoft Cries Wolf ( again ) Brett Hutley (Jul 02)
- Re: Microsoft Cries Wolf ( again ) KF (Jul 01)
- Re: Microsoft Cries Wolf ( again ) Peter van den Heuvel (Jul 01)
- Re: Microsoft Cries Wolf ( again ) mattmurphy () kc rr com (Jul 01)
- Re: Microsoft Cries Wolf ( again ) Ron DuFresne (Jul 01)
- Re: Microsoft Cries Wolf ( again ) KF (Jul 01)
- Re: Microsoft Cries Wolf ( again ) Ron DuFresne (Jul 01)
- Re: Microsoft Cries Wolf ( again ) dhtml (Jul 01)
- Re: Microsoft Cries Wolf ( again ) Kristian Hermansen (Jul 01)
- Re: Microsoft Cries Wolf ( again ) KF (Jul 01)
- RE: Microsoft Cries Wolf ( again ) Schmehl, Paul L (Jul 01)
- Re: Microsoft Cries Wolf ( again ) Shawn McMahon (Jul 02)
- Re: Microsoft Cries Wolf ( again ) Kristian Hermansen (Jul 06)
- Re: Microsoft Cries Wolf ( again ) gandalf94305 (Jul 06)
- Re: Microsoft Cries Wolf ( again ) mattmurphy () kc rr com (Jul 01)