Full Disclosure mailing list archives
Re: Office 0day
From: Valdis.Kletnieks () vt edu
Date: Mon, 25 Jun 2007 17:59:41 -0400
On Mon, 25 Jun 2007 13:18:42 PDT, secure poon said:
> *Proposition* Microsoft is a 280+ billion dollar corporation. Why don't/can't they have a standard ransom fee for security flaws?
> 0day Remote OS flaw: $1,000,000
> 0day IE explorer flaws that give administrative shells: $200,000
> 0day (other flaws) that affect other products (ie office): $200,000
> etc.. (these fees could be much higher)
If other places are offering $20K for a 0day, why should Microsoft offer 10 times that, when they can probably make the sale offering only $25K? Remember - Microsoft isn't there to make good software. It's there to make a profit.
> Provided the person who discovered the vulnerability gives a full working patch, then Microsoft could patch the hole right away and people could update.
Yes. They could. But if they've bought exclusive rights to the exploit, why should they? Remember why the concept of "full disclosure" started in the first place - because if a vendor is the only one who knows about a hole, they have little to no motivation to actually *fix* it.
> (Yes, I know lots of people don't update, but at least it is a start, and then legally they would be so liable.) Maybe this concept isn't new and I am just in the dark about it.
There are companies in the security arena buying 0days; it's been happening for years already.
> Why doesn't Microsoft (or any company) do this?
There are plenty of companies that make a living fixing the problems in the Microsoft products (IDS and A/V and all the rest), and they've been doing it for a while. It would be a *bad* idea for Microsoft to get caught doing that, as the instant they shell out some money for a 0day, they lose most of their plausible deniability. It's hard to argue "We didn't know about that bug until the public posting on the XYZ-L list on Dec 3" if the other side's lawyers find records of buying a 0day for the hole back in early April.

Something to keep in mind is that security is *always* about tradeoffs, especially when you're a vendor. You're probably *not* interested in shipping a massively hardened secure system - only a few sites are truly paranoid or require that sort of thing. Windows XP will end up selling hundreds of millions of copies - the amount of security in those will end up being the amount of security that hundreds of millions of Joe Sixpack customers are willing to actually *pay* for. Since Microsoft is a for-profit corporation, their security team is charged with reducing the *total* cost of the security - the expense of actually auditing any existing code, and writing new code to stricter standards, *plus* the costs of fixing bugs once they escape, *plus* the costs of keeping customers happy when a security bugfix changes an API and production software breaks, *plus* the PR costs of following your planned decision. Which is a better bet for Microsoft - spending $15 million on a big PR and advertising campaign that announces the 'New Secure Attitude', or spending $50M on quietly fixing the broken software?
> And also, has Microsoft ever been held criminally liable for negligence in a criminal case for not patching a flaw leading to a security breach?
Making a *criminal* negligence case stick would be *exceedingly* hard to do, as you'd have to find a district attorney who wanted to try to press charges, and it's hard to make it stick against a corporation - the legal standard really *does* approach "the defendant knew or should have known that their behavior was likely to result in somebody literally getting hurt or killed". (One web site gave the hypothetical examples of a canoeing tour operator that takes kids who are beginning canoers out on a lake, without life preservers, when stormy weather is forecast, or a company releasing toxic chemicals that they should have known would end up in a town's drinking water).

It would be a lot easier to make a case for civil liability for the negligence, but then you'd have a *big* problem - by using a non-pirated copy of Windows, you presumably agreed to the EULA, where you disclaimed most of the obligations you would normally have. And *at best*, you'd only be able to pin them with "contributory negligence" - Microsoft could *easily* argue that the webmaster or sysadmin or whatever *should* have known that "software is hackable" and taken additional precautions of their own.

A number of pretty clever people have been looking at this, and it's pretty generally agreed that the test case you'd want to see in court would be a non-Microsoft shop (so they're not party to the EULA) who gets DDoS'ed or otherwise attacked from compromised Windows boxes, such that the compromise allows the attacker to remain anonymous/unfindable. And even then it's not a clearly winnable *practical* suit to battle - if the plaintiff company only lost $250,000 due to the DDoS, and the attorney is doing it for the semi-standard 30% of the award, and it will take more than $75K worth of legal just to get the case rolling, it becomes difficult to get the lawsuit moving.
So you'd need either a non-Microsoft shop that lost millions of dollars due to the DDoS, or a law firm that wants to rack up *lots* of pro bono hours..
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/