Full Disclosure mailing list archives

Re: Compromising pictures of Microsoft Internet Explorer!


From: Michal Zalewski <lcamtuf () dione ids pl>
Date: Sun, 17 Jul 2005 10:22:41 +0200 (CEST)

On Sat, 16 Jul 2005, tuytumadre () att net wrote:

> I do not mean to flame you, but you are an irresponsible disgrace to the
> hacking community.

You do mean to flame me, apparently, and constructing sentences this way
makes them unintentionally funny. Pretty much like saying "Sir, with all
due respect, you are a filthy low-life scum".

> Do you not care about the customer?

I do security research for fun. Because I mean no harm, I usually take
efforts to notify vendors in advance, or release advisories that are of
more value to those who want to fix problems, than to those exploiting
them. The latter is the case here. The former isn't, because I had a poor
experience with the vendor.

That about sums up my philosophy. No, I do not particularly care about
Microsoft customers - Microsoft should.

> I firmly believe that you are deceiving us when you say you had a hard
> time with secure () microsoft com; in fact, I don't even think that you
> have ever once in your life reported a vulnerability to them
> responsibly.

I did, a couple of times. In fact, if you had gone through the effort of
actually using a search engine, you would find out that I did coordinate
some stuff with them.

It is my experience, however, that they require you to:

  1) Prove to them beyond any doubt that a particular issue is exploitable;
     they seem to be doing this not to fully comprehend the threat, but
     to see if you are not absolutely certain about all the phases of the
     attack, and then exploit the benefit of doubt. You need to either:

     a) Debug their code in great detail and explain the execution path
     that leads to this, along with an explanation of why overwriting an
     arbitrary byte in memory might cause problems,

     b) Provide an exploit that works for them (and be sure it also
     works on SP2, or they will come up with ridiculous recommendations
     - look up the Bofra IFRAME stuff),

     c) Find a bug that is so patently obvious it hurts (stack buffer
     overflow, for example).

     If you fail to do that, they - in my opinion - use this to downplay
     the issue. Look up how many times Microsoft considered something to
     be less critical than the researcher would believe it to be - and
     were proved wrong by having exploits developed later on. How
     often does the opposite happen?

  2) Wait forever for them to release a patch. Frankly, I see no reason
     why a multi-billion dollar company with so many customers at risk
     would need to take more than a week or two to develop, test and
     release trivial fixes.

  3) Most insidious - if you happen to work for a company that depends on
     Microsoft in one way or another (for example, to recommend, bundle,
     or just not break your products), when you disagree with them, I
     seem to recall they would take an opportunity to give you a friendly
     reminder it would be "unwise" not to agree in your advisory.

All this, combined with the general disregard for the customer who does
not immediately vote with his money (lacking viable options makes this
hard; if you're looking for real-world examples, how long did it take
Microsoft to release goddamn patches after Bofra went loose?!), makes me
somewhat less interested in investing several weeks into this type of
cooperation.

/mz
http://lcamtuf.coredump.cx/silence/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/