Re: Microsoft Cries Wolf ( again )

["mattmurphy () kc rr com" <mattmurphy () kc rr com>]

Ron Dufresne writes:
> > However, a security vulnerability is not, in itself, harmful.  What *is*
> > harmful about a security vulnerability are individuals who wish to 
> > exploit the flaw.  Therefore, the harm from a vulnerability increases
> > dramatically if more people with the ability to exploit the vulnerability
> > are aware of it.  This includes exploiting the flaw through pre-written
> > exploit code of some kind.  This harm is especially great if 
> > administrators are exposed without a known-good workaround.  Therefore,
> > vendor communication is the *preferred* method of dealing with security
> > flaws, at least in the short term.  However, if it becomes obvious that
> > the vendor does not wish to resolve the vulnerability at hand, it should 
> > be disclosed.  However, workarounds should be available so that the added
> > information actually has the ability to help the administrator.

> Nice tunnel vision, one sided interpretations often tend bolster humor at
> least.
[SNIP]
> The spread of information not only supplies all the lamesters wishing to
> exploit and ow3n what's not theirs, but, also feeds information to those
> tasked to fend off those with less then bright lights and wanting what's
> not theirs.  Now, feeding that info to a vendors might not get the info
> out to the masses of their clients, cause, damn, why would they want to
> risk losing customers over an issue?  They sure do not need to be
> harrassed with tons of e-mails from various clients about when a fix might
> come down the pipes, and certainly have no time to talk to any press on
> the matter while doing some tongue and cheek about "secure computing
> innitiatives".  

Obviously, you don't understand the secure computing initiative.  Secure
computing has resulted in the discovery of some severe vulnerabilities,
which the public was warned about.  I'm also guessing you haven't heard of
the security bulletin notification service?  While it could be tweaked not
to require a passport, it provides a simple process for notifying
administrators of security issues.

As for the criticism on Microsoft's blasting researchers who poorly handle
security vulnerabilities, most of it is not valid.  People who disclose
vulnerabilities to the public the same day they notify the vendor?  I'm not
saying we should all become mindless slaves to vendors and let them take
whatever time they please, but I will say that it is usually wrong to
assume that a vendor will be unresponsive.

> Certainly the founding issues that brought about the
> 'original' bugtraq and many of the newer lists like this very one, are
> promoted by vendors that tend to hide and sit upon information about
> weaknesses in their products.  They tend to cry "foul" alot, and then
> often tend to follow through not with work to fix their products, but with
> threats and lawsuits, right snosoft?  Folks forget too quickly the minor
> fallout they had with HP...

I don't know about HP, as I've never worked with HP.  But, in any case,
you're accusing me of "tunnel vision" and "blindness", but you cite one
vendor's poor security response as a reason why all vendor security
responses therefore suck.  You've obviously not worked with MSRC, so let me
provide some balance for *YOUR* tunnel vision, Mr. Dufresne.  Security at
Microsoft is a priority, both in terms of dealing with vulnerabilities, and
promoting generally secure programming practices.  However, fixing a
security flaw is a lengthy process -- just as any other fix.  My previous
e-mail clearly pointed that out, and instead of responding to it with
logical statements, you simply accused me of having "tunnel vision".  Who
is really the one going blind here?

Secondly, Microsoft is more than right in the majority of cases to point
out that immediate disclosure of security vulnerabilities without prior
contact *ATTEMPTS* is ridiculous.

> > While there is some argument about what makes a vendor un-responsive,
> > patch times in this case are, likely and understandably, quite lengthy.
>
> Now we add over generalising to tunnel vision.  It depends upon the issue
> at hand, often the whole fix might be nothing more then removing the suid
> bits, or something else as trivial...

How ridiculous is that?  For one, Windows doesn't even have the concept of
suid bits, and although I know your example was a general one, perhaps it
would be appropriate to at least provide one with some context. ;-)

Once again, you completely missed my point.  Even if a patch is simply to
remove an ACL entry, or something as simple as this, the very bulletin
advising people to change the entry needs to be translated into dozens of
languages.  And, as much as they try, Babelfish is still not acceptable to
translate business materials.  This takes time.

> > These fixes are not trivial to begin with, thanks in no small part to the
> > incredible number of customers Microsoft has.
>
> So, now we are at a pass in a trail, but, since we've gone about nearly
> blind, why open our eyes at this point!?
>
> Had security been a prime motivator  in the early M$ days, they might not
> be so hindered now by zillions of lines of insecure code!

Perhaps you would consider that security is rarely a motivator in any
company, except ones that produce so-called security solutions, where
security breaches are usually emphatically denied for as long as possible. 
As the X-Force Internet Watch defacement, various security holes in ISS
main site (very nicely pointed out by Sir Mordred on this very list a
matter of weeks ago), and a buffer overflow vulnerability in Symantec's
Online Scanner show -- all within a matter of weeks -- nobody is perfect.

Security takes time -- when you learn a language, you are not immediately
educated in its weaknesses.  Sure, a good tutor will tell you things like
"avoid strcpy()", "watch %s formats", "always validate input", "allow
known-good input only", etc., but it is ultimately up to the programmer to
learn to code securely.  Also, even the best programmers make security
mistakes.  You will not find one person here with the experience of an
average Microsoft developer who can honestly say they've not made one
security-relevant mistake.

> > As if the literally millions of configurations Microsoft software must
> > support weren't enough, think for a second about the multiple different
> > character sets its code applies to.  Even the *DOCUMENTATION* for the
> > patch must be translated into dozens of different languages -- no small
> > task with exploitation looming on the horizon.  However, it is obvious
> > that in this case, the reporter did not attempt any contact with
> > Microsoft what-so-ever.  As a user of IE myself, I find it ridiculous
> > that this course of action was even considered.
>
> And the users that refuse at any cost to have to work with IE in any way
> shape or form, they chuckle each time those that "remain loyal" spew
> private information to the  unintended eachtime the product is
> re-exploited, which seems to be about once every 2-4 weeks.

And, of course, none of IE's competitors have ever suffered
vulnerabilities.  Or, at least, they won't publicly admit to it.  Nearly
all of IE's major competitors have no established process to contact
clients when vulnerabilities are found.  I personally receive notifications
about IE patches in my own mailbox.

However, as you rightly pointed out, most researchers who find IE flaws
announce them before patch development is complete.  So, how is it that I
manage to survive with nearly no patches since IE 6.0 SP1 was released? 
The reason I'm able to avoid exploitation is because I employ an incredible
security tool known as common sense.  I thouroughly inspect the credentials
of all objects I'm asked to download, and usually tend to avoid sites where
I know that malicious content is likely.

Further, the newest version of IE 6.0 for Windows Server locks down IE's
security settings much tighter than previous versions in an attempt to
prevent vulnerabilities from being exploited.

> > And, last but not least, I don't drink. :-)
>
> You might want to take it up <smile>, viewing from another perspective
> might add some clarity...

What other perspective is there, Mr. Dufresne?  See, we live in an
imperfect world -- people make mistakes...

> > Might I suggest that someone who would share details with people
> > interested in exploiting the flaw, before people that flaw might affect,
> > truly *IS* irresponsible?  With that in mind, it doesn't seem like
> > Microsoft would be wrong at all to call someone who would consider such a
> > course of action irresponsible.  In fact, this is probably exactly what
> > the reporter was hoping for -- not caring about the established
> > disclosure process, seeking instead to increase his/her own standing by
> > antagonizing a major company, at the expense of its millions of
> > customers.  While I cannot speak for the philosophies of other
> > researchers, it is my firm belief that a policy which exposes millions of
> > systems to exploitation without providing feasible alternatives for any
> > of them is not only irresponsible, it is negligent.
>
> The debate will rage on for many more years.  But allowing M$ and various
> other vendors to cry foul when information about their lack of pride and
> responsibility to produce something other then mere crap for big bucks to
> their clients puts them on par with the spammers and lamers their code
> tends to foster.

And you're still standing by your statement that *I* have tunnel vision? 
I'm laughing.  Well, when you run a major company serving millions of
different customers from all over the globe, and offering hundreds of
products, and your security staff is paid to simply sit on their asses (as
your code would, of course, be perfect), you can then criticize others.  

The truth is that while lengthy, Microsoft has the best security response
of major commercial software developers.  And, for all of their
vulnerabilities, Microsoft's products have outsold competitors on their
quality.  Until recently, security was a relative non-issue for most of
Microsoft's user base -- perhaps this is why so many IE users "reveal
information to the unintended" so frequently.  How can you blame the
company for putting security on the back burner when the vast majority of
its client base did the same?  One only needs to see another SMTP mass
mailer (in spite of the virus filter that now ships standard with
Microsoft's mail clients), to prove that a system is only as secure as its
administrator.

For the number of products it offers, and the large feature sets typically
seen in each, the relative vulnerability of Microsoft's code is only
increased compared to others when Microsoft's products make it too easy to
be stupid.  This has been a very valid criticism, but regardless of your
willingness to admit this, this is slowly but surely being corrected.  When
you have as large of a product base as Microsoft does, major changes to the
design profile of that software take time.

> Seems to take far less lines of code to create and foster an exploit upon
> the computing public then the number of it takes lawyers/politicians to
> screw lightbulbs.

And you, I assume, are very familiar with the legal team at Microsoft, and
of course, know the source tree of every product they've produced inside
out.  It is unproven criticisms such as this that make my point so well --
Microsoft is targeted for senseless criticisms such as these because of its
position in the industry.

And, while IE may have vulnerabilities, those can be effectively
neutralized with good browsing habits.  The startup time on that slow,
klunky piece of shit called Mozilla, or the nightmare of a CSS/JavaScript
engine in Opera?  Well, that's another story, because in Mozilla's case,
fixing that horrible startup time is a matter of re-writing the browser,
and Opera, well, I can't even do that.  

With IE, it's a matter of either avoiding suspect sites, adding the ones I
need to my "Trusted Sites" list (which, if you're lazy, does require an
extra 5 clicks or so), or setting a few option buttons to "Disable". 
Really tough to avoid all those exploits in this "mere crap" that MS has
produced -- mere crap that easily out-performs its competition, and is far
easier to use than those competitors.  Sorry to say, but if IE is mere
crap, I could read you the entire list about the other options... but that
would be dropped by all the corporate profanity filters, so I won't.

--------------------------------------------------------------------
mail2web - Check your email from the web at
http://mail2web.com/ .


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html