Information Security News mailing list archives
MS Right
From: InfoSec News <isn () C4I ORG>
Date: Fri, 20 Oct 2000 02:16:15 -0500
MS Right
by Carole Fennelly

Microsoft is the company everyone loves to hate -- myself definitely included. I admit my prejudice: I grew up on Unix. Got my first account in 1980 and struggled through the cryptic command line syntax. Graphical User Interface? Hell, there wasn't even a visual editor. Writing a document was an exercise in troff programming skills. I didn't really get exposed to Windows until 1993 ... and I hated it. I found it to be buggy, unreliable and horribly insecure. Microsoft seems to be motivated purely by profit, not technical innovation. Like every other Unix bigot, I enjoy a good joke at Microsoft's expense (http://www.attrition.org/gallery/ms/).

While I religiously hate Microsoft, after all the bashing I've given them it's only fair to acknowledge when they do something right. It seems Microsoft is finally responding to vulnerability reports with technical solutions, rather than just media spin. Rain Forest Puppy recently reported a major vulnerability in the IIS Web server. This vulnerability had been discussed in the Packetstorm forum, but no one could reproduce the exploit. RFP could.

RFP's IIS %c1%1c bug report
http://www.wiretrip.net/rfp/p/doc.asp?id=57&iface=2

PacketStorm posting
http://209.143.242.119/cgi-bin/cbmc/forums.cgi?editoron=&authkey=anonymous&nscanon=&outgoing=&uname=anonymous&datopic=Windows&gum=474&mesgcheck=defined

Microsoft worked with RFP to analyse the problem and determine the appropriate solution. It turns out that a previous Microsoft patch fixed the vulnerability, which was a lucky break for Microsoft. Credit Microsoft for handling the situation for a change, rather than minimizing the impact.

Microsoft Bulletin:
http://www.microsoft.com/technet/security/bulletin/MS00-078.asp

Bugtraq entry:
http://www.securityfocus.com/bid/1806

Microsoft could have covered themselves with the previously released patch that happened to fix the vulnerability.
Instead, they stated in the above bulletin: "This patch was originally released in August 2000 as a fix for a completely different vulnerability (discussed in Microsoft Security Bulletin MS00-057), and customers who have already applied it do not need to take any additional action."

I asked Rain Forest Puppy about this apparent change in attitude on Microsoft's part. He commented:

"MS has been in the process of cleaning up their act. I think MS00-078 was a perfect example of them taking it seriously. However, they lucked out since a previous patch (MS00-057) fixed this problem, so that drastically cut down the time needed. However, the fact that I had a 2 hour response at 2am, and they were contacting IIS developers at 3am Sat morning was impressive."

I have no illusions that Microsoft was motivated to "do the right thing" for altruistic reasons. Microsoft is well aware that RFP would follow through on his promise to publicly disclose vulnerabilities, as stated in his disclosure policy.

RFPolicy v2.0
http://www.wiretrip.net/rfp/policy.html

Microsoft is also painfully aware of the consequences of public disclosure of exploits as thousands of Script Kidiots attack vulnerable systems. It is in Microsoft's best interests to get their customers to patch the vulnerabilities before their systems become yet another damning security statistic. When will Microsoft realise that it would be in their best interests to design their systems securely in the first place?
RESOURCES

Info.Sec.Radio panel discussion on Full Disclosure:
http://www.itworld.com/jump/unxsec_nl/www.securityfocus.com/media/69

MSNBC: Microsoft Flaw Exposes Web Servers
http://www.itworld.com/jump/unxsec_nl/www.msnbc.com/news/477722.asp

More than privacy at stake
http://www.itworld.com/jitw/unxsec_nl/cma/ett_article_frame/0,,1_3086.html

Meet the 'hactivist'
http://www.itworld.com/jitw/unxsec_nl/cma/ett_article_frame/0,,1_3113.html

Hacking rises despite increased security spending
http://www.itworld.com/jitw/unxsec_nl/cma/ett_article_frame/0,,1_2902.html

COMMUNITY DISCUSSION

Delve into the gory technical details of Web security, debate community politics, and share your expertise in this discussion for security pros of all stripes. Moderated by Carole Fennelly and Brian Martin.
http://www.itworld.com/jump/unxsec_nl/forums.itworld.com/webx?14@@.ee6b67b/71!skip=16

About the author
----------------
Carole Fennelly is a partner in Wizard's Keys Corporation, a company specializing in computer security consulting. She has been a Unix system administrator for almost 20 years on various platforms, and provides security consultation to several financial institutions in the New York City area. She is also a regular columnist for SunWorld (http://www.sunworld.com). Visit her site (http://www.wkeys.com/) or reach her at carole.fennelly () sunworld com

*********************************************************************
http://www.itworld.com

ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body of "SIGNOFF ISN".