Full Disclosure mailing list archives

Re: Office 0day


From: Valdis.Kletnieks () vt edu
Date: Mon, 25 Jun 2007 17:59:41 -0400

On Mon, 25 Jun 2007 13:18:42 PDT, secure poon said:

> *Proposition*
>
> Microsoft is a 280+ billion dollar corporation. Why don't/can't they have a
> standard ransom fee for security flaws?
>
> 0day Remote OS flaw: $1,000,000
> 0day IE explorer flaws that give administrative shells: $200,000
> 0day (other flaws) that affect other products (ie office): $200,000
> etc. (these fees could be much higher)

If other places are offering $20K for a 0day, why should Microsoft offer
10 times that, when they can probably make the sale offering only $25K?

Remember - Microsoft isn't there to make good software. It's there to
make a profit.

> Provided the person who discovered the vulnerability gives a full working
> patch, then Microsoft could patch the hole right away and people could
> update.

Yes. They could.  But if they've bought exclusive rights to the exploit, why
should they?  Remember why the concept of "full disclosure" started in the
first place - because if a vendor is the only one who knows about a hole, they
have little to no motivation to actually *fix* it.

> (yes I know lots of people don't update but at least it is a start,
> and then legally they would be so liable). Maybe this concept isn't new and
> I am just in the dark about it.

There are companies in the security arena buying 0days; it's been happening for
years already.

> Why doesn't Microsoft (or any company) do this?

There's plenty of companies that make a living fixing the problems in the
Microsoft products (IDS and A/V and all the rest), and they've been doing it
for a while.  It would be a *bad* idea for Microsoft to get caught doing that,
as the instant they shell out some money for a 0day, they lose most of their
plausible deniability.  It's hard to argue "We didn't know about that bug until
the public posting on the XYZ-L list on Dec 3" if the other side's lawyers find
records of buying a 0day for the hole back in early April.

Something to keep in mind is that security is *always* about tradeoffs,
especially when you're a vendor.  You're probably *not* interested in shipping
a massively hardened secure system - only a few sites are truly paranoid
or require that sort of thing.  Windows XP will end up selling hundreds of
millions of copies - the amount of security in those will end up being the
amount of security that hundreds of millions of Joe Sixpack customers are
willing to actually *pay* for.

Since Microsoft is a for-profit corporation, their security team is charged with
reducing the *total* cost of the security - the expense of actually auditing
any existing code, and writing new code to stricter standards, *plus* the
costs of fixing bugs once they escape, *plus* the costs of keeping customers
happy when a security bugfix changes an API and production software breaks,
*plus* the PR costs of following your planned decision.

Which is a better bet for Microsoft - spending $15 million on a big PR and
advertising campaign that announces the 'New Secure Attitude', or spending
$50M on quietly fixing the broken software?

> And also has Microsoft ever
> been held criminally liable for negligence in a criminal case for not
> patching a flaw leading to a security breach?

Making a *criminal* negligence case stick would be *exceedingly* hard to do,
as you'd have to find a district attorney who wanted to try to press charges,
and it's hard to make it stick against a corporation - the legal standard
really *does* approach "the defendant knew or should have known that their
behavior was likely to result in somebody literally getting hurt or killed".
(One web site gave the hypothetical examples of a canoeing tour operator that
takes kids who are beginning canoers out on a lake, without life preservers,
when stormy weather is forecast, or a company releasing toxic chemicals that
they should have known would end up in a town's drinking water).

It would be a lot easier to make a case for civil liability for the negligence,
but then you'd have a *big* problem - by using a non-pirated copy of Windows,
you presumably agreed to the EULA, where you disclaimed most of the obligations
you would normally have.  And *at best*, you'd only be able to pin them with
"contributory negligence" - Microsoft could *easily* argue that the webmaster
or sysadmin or whatever *should* have known that "software is hackable" and
taken additional precautions of their own.

A number of pretty clever people have been looking at this, and it's pretty
generally agreed that the test case you'd want to see in court would be a
non-Microsoft shop (so they're not party to the EULA) who gets DDoS'ed or
otherwise attacked from compromised Windows boxes, such that the compromise
allows the attacker to remain anonymous/unfindable.  And even then it's not
a clearly winnable *practical* suit to battle - if the plaintiff company
only lost $250,000 due to the DDoS, and the attorney is doing it for the
semi-standard 30% of the award, and it will take more than $75K worth of
legal just to get the case rolling, it becomes difficult to get the lawsuit
moving.  So you'd need either a non-Microsoft shop that lost millions of
dollars due to the DDoS, or a law firm that wants to rack up *lots* of
pro bono hours.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/