Re: Re: Security Bug in MSVC

[bkfsec <bkfsec () sdf lonestar org>]

Jason Coombs wrote:

> Just after Donnie reported this issue to Microsoft (September) we 
> started seeing Microserfs suggest that their security team was working 
> on a never-before-encountered novel class of vulnerability, and the 
> implication was that Microsoft's security competency had finally 
> surpassed both the black hats and all other white hat groups -- since 
> it would be politically valuable for Microsoft to be able to claim 
> that sharing source code is an unsafe behavior, and since there have 
> been no other vulnerabilities disclosed since that time which might 
> have appeared to Microsoft to be entirely new and far-reaching, I 
> suspect that this disclosure prompted those previous statements about 
> work being done by Microsoft.
>
> How many other attacks can you point to where Microsoft's development 
> tools are exploited to specifically target the unwary programmer who 
> still thinks it's perfectly safe to download arbitrary data from an 
> untrusted source and then open it in a text editor? My guess is that 
> Donnie got Microsoft thinking about this very risk, and they started 
> talking internally about it being an entirely new class of 
> vulnerability. Yes, if my supposition is correct it would be quite 
> pathetic and give us another reason to laugh at Microsoft; but you can 
> probably see how much benefit Microsoft is going to be able to milk 
> out of this and related attacks that exploit bugs in programmers' 
> tools that are launched by the simple act of opening or attempting to 
> compile a source code distribution.
>
> Source code is just as dangerous as binary code. Clearly, the only way 
> to be safe is to rely on Microsoft's programmers to create and 
> digitally-sign software for us. Go Microsoft. Yeah!

But, I think that what people have been saying (and this is my take on 
it, as well) is that it's not a new class of vulnerabilities... it's 
executing programs from a script.

I think that the point that source code distributions can be trojaned 
(or, perhaps contain bugs that could be unintentionally malicious) is a 
very valid point.  At the very least new "untrustworthy" code should be 
first run in a sandbox.

However, this is not really a revolutionary discovery by any means.  Any 
language which is designed to run "arbitrary" code by design can be used 
to subvert the system.   Not to mention that *knowledgable* Free 
Software/Open Source proponents won't even try to claim (unless 
over-caffeinated/over-excited) that source code distribution is 
inherently and automatically more secure.  The argument that Free 
Software and Open Source methodologies increase security is the peer 
review argument -- that if a hole or trojan is introduced, it will 
eventually be found by someone who intends to review the code.  The same 
is, possibly, not always true for proprietary software.   Review of 
proprietary software won't always reveal answers.  Considerable review 
of code available projects will always yield answers.

Granted the amount of time it takes for a community member to find the 
hole or trojan may be lengthy.  The examples in the past have used 
sometimes well hidden methods to run the malicious code.

So, in closing, Microsoft never needed this disclosure to show that 
source code distribution could contain trojan code -- it's been 
happening in the wild for some time now.  And Free Software/Open Source 
proponents (the knowledgable ones) never claimed that it was a surefire 
solution anyway.  :)  (A lot of relatively gullible individuals, 
however, have claimed as much in the past.)

Either way you color it, Free Software/Open Source still has the greater 
potential.

               -bkfsec



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/