Full Disclosure mailing list archives
Re: New MyDoom exploiting IFRAME
From: Michal Zalewski <lcamtuf () ghettot org>
Date: Wed, 10 Nov 2004 01:39:53 +0100 (CET)
On Tue, 9 Nov 2004, n3td3v wrote:
> The worst problem with this is Microsoft have not announced a patch for the exploit which the virii exploits, so this is wild in every description of the word "wild".
I never had strong feelings about Microsoft; I took their side on several occasions. Were it not for my favorable view of their HTML parser, the IFRAME overflow would likely not have been discovered by ned two weeks ago. Now, the way they handled this flaw makes me want to turn into a rabid Microsoft basher. That's something.

The problem has been known for over two weeks. It was, from the very beginning, obvious how bad it could get. The vendor knew from day zero. An exploit was released. Then a worm. With variants. And yet, the patch is STILL not even planned for the Thursday hotfix roundup. There are business customers that are probably starting to feel uneasy about this.

Rather than releasing a patch, Microsoft has so far only initially denied knowing of an exploit (which was a lie, regardless of what its origins were - I myself sent it to SRC and got a confirmation from a live person). They also criticized the discoverer for "irresponsible handling" of the flaw - which couldn't be further from the truth, if you followed the story.

It is reasonable to expect that after CNN and other major news outlets ran a story about the problem, they do feel considerable pressure from big customers - and yet, they fail to act. This would suggest that their security response capabilities are *very* inadequate at best - they should have the resources to fix an extremely critical problem like this by now, regardless of how much QA is needed on a patch. I suppose that either all the MSIE coders took sick leave, or that this is how SRC works.

Perhaps Microsoft has taught the world to release responsibly - that is, to give them three to six months, sometimes more, to prepare fixes and argue over the impact of an issue - getting to a point where the evidence of their terribly inadequate handling of security problems does not see the daylight, or is even turned into a PR advantage.
Do customers really benefit from a situation where "responsible disclosure" and OIS policies are used to save money by making it easy to under-fund or under-staff security programs, because in most cases it is possible to convince security researchers to give vendors up to or over six months to fix a problem? Doubtful, because a frail balance is easily destroyed by an accident such as this one - where no malicious intent came into play, really.

--
-------------------------
bash$ :(){ :|:&};:
--
Michal Zalewski * [http://lcamtuf.coredump.cx]
Did you know that clones never use mirrors?
---------------------------
2004-11-10 01:01 -- http://lcamtuf.coredump.cx/photo/current/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- New MyDoom exploiting IFRAME Berend-Jan Wever (Nov 09)
- Re: New MyDoom exploiting IFRAME Nick FitzGerald (Nov 09)
- Re: New MyDoom exploiting IFRAME Danny (Nov 09)
- Re: New MyDoom exploiting IFRAME n3td3v (Nov 09)
- Re: New MyDoom exploiting IFRAME Michal Zalewski (Nov 09)
- Re: New MyDoom exploiting IFRAME Georgi Guninski (Nov 10)
- Re: New MyDoom exploiting IFRAME Nick FitzGerald (Nov 09)