Re: Microsoft Cries Wolf ( again )

[Ron DuFresne <dufresne () winternet com>]

        [SNIP]

> However, a security vulnerability is not, in itself, harmful.  What *is*
> harmful about a security vulnerability are individuals who wish to exploit
> the flaw.  Therefore, the harm from a vulnerability increases dramatically
> if more people with the ability to exploit the vulnerability are aware of
> it.  This includes exploiting the flaw through pre-written exploit code of
> some kind.  This harm is especially great if administrators are exposed
> with a known-good workaround.  Therefore, vendor communication is the
> *preferred* method of dealing with security flaws, at least in the short
> term.  However, if it becomes obvious that the vendor does not wish to
> resolve the vulnerability at hand, it should be disclosed.  However,
> workarounds should be available so that the added information actually has
> the ability to help the administrator.

Nice tunnel vision, one sided interpretations often tend bolster humor at
least.

Let's face it, from the otherside of the coin, and of course this coin is
more then two sided for sure, hell this whole discussion has been going on
for more then 20+ years, prior to the morris worm, but, I digress.  The
spread of information not only supplies all the lamesters wishing to
exploit and ow3n what's not theirs, but, also feeds information to those
tasked to fend off those with less then bright lights and wanting what's
not theirs.  Now, feeding that info to a vendors might not get the info
out to the masses of their clients, cause, damn, why would they want to
risk losing customers over an issue?  They sure do not need to be
harrassed with tons of e-mails from various clients about when a fix might
come down the pipes, and certainly have no time to talk to any press on
the matter while doing some tongue and cheek about "secure computing
innitiatives".  Certainly the founding issues that brought about the
'original' bugtraq and many of the newer lists like this very one, are
promoted by vendors that tend to hide and sit upon information about
weaknesses in their products.  They tend to cry "foul" alot, and then
often tend to follow through not with work to fix their products, but with
threats and lawsuits, right snosoft?  Folks forget too quickly the minor
fallout they had with HP...


> While there is some argument about what makes a vendor un-responsive, patch
> times in this case are, likely and understandably, quite lengthy.

Now we add over generalising to tunnel vision.  It depends upon the issue
at hand, often the whole fix might be nothing more then removing the suid
bits, or something else as trivial...

> These
> fixes are not trivial to begin with, thanks in no small part to the
> incredible number of customers Microsoft has.

So, now we are at a pass in a trail, but, since we've gone about nearly
blind, why open our eyes at this point!?

Had security been a prime motivator  in the early M$ days, they might not
be so hindered now by zillions of lines of insecure code!

> As if the literally millions
> of configurations Microsoft software must support weren't enough, think for
> a second about the multiple different character sets its code applies to.
> Even the *DOCUMENTATION* for the patch must be translated into dozens of
> different languages -- no small task with exploitation looming on the
> horizon.  However, it is obvious that in this case, the reporter did not
> attempt any contact with Microsoft what-so-ever.  As a user of IE myself, I
> find it ridiculous that this course of action was even considered.

And the users that refuse at any cost to have to work with IE in any way
shape or form, they chuckle each time those that "remain loyal" spew
private information to the  unintended eachtime the product is
re-exploited, which seems to be about once every 2-4 weeks.

> And, last but not least, I don't drink. :-)

You might want to take it up <smile>, viewing from another perspective
might add some clarity...

> > Some day, m$ will call irresponsible the wrong people, and then, some
> > of us will enjoy the fun.
>
> Might I suggest that someone who would share details with people interested
> in exploiting the flaw, before people that flaw might affect, truly *IS*
> irresponsible?  With that in mind, it doesn't seem like Microsoft would be
> wrong at all to call someone who would consider such a course of action
> irresponsible.  In fact, this is probably exactly what the reporter was
> hoping for -- not caring about the established disclosure process, seeking
> instead to increase his/her own standing by antagonizing a major company,
> at the expense of its millions of customers.  While I cannot speak for the
> philosophies of other researchers, it is my firm belief that a policy which
> exposes millions of systems to exploitation without providing feasible
> alternatives for any of them is not only irresponsible, it is negligent.


The debate will rage on for many more years.  But allowing M$ and various
other vendors to cry foul when information about their lack of pride and
responsibility to produce something other then mere crap for big bucks to
their clients puts them on par with the spammers and lamers their code
tends to foster.

Seems to take far less lines of code to create and foster an exploit upon
the computing public then the number of it takes lawyers/politicians to
screw lightbulbs.


Thanks,

Ron DuFresne
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation." -- Johnny Hart
        ***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D.  Just don't touch anything.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html