
Microsoft Unveils Open Source Exploit Finder

Soulskill posted more than 5 years ago | from the solutions-looking-for-problems dept.

Security

Houston 2600 sends this excerpt from the Register about an open-source security assessment tool Microsoft presented at CanSecWest: "Microsoft on Friday released an open-source program designed to streamline the labor-intensive process of identifying security vulnerabilities in software while it's still under development. As its name suggests, !exploitable Crash Analyzer (pronounced 'bang exploitable crash analyzer') combs through bugs that cause a program to seize up, and assesses the likelihood of them being exploited by attackers. Dan Kaminsky, a well-known security expert who also provides consulting services to Microsoft, hailed the release a 'game changer' because it provides a reliable way for developers to sort through thousands of bugs to identify the several dozen that pose the greatest risk."


310 comments

frist (-1, Redundant)

Anonymous Coward | more than 5 years ago | (#27287837)

first!

Bang exploitable (1, Funny)

Anonymous Coward | more than 5 years ago | (#27287843)

!exploitable Crash Analyzer (pronounced 'bang exploitable crash analyzer')

LOL

Damn you microsoft! For the next few months I won't be able to read the "not" operator without giggling.

Re:Bang exploitable (5, Informative)

Clover_Kicker (20761) | more than 5 years ago | (#27287919)

Re:Bang exploitable (4, Funny)

NeverVotedBush (1041088) | more than 5 years ago | (#27288183)

I think this might explain some of Microsoft's buggy code issues.

Every time they see "!=" they interpret it as "bang equals". That sounds like definitely equals, doesn't it? Like, dude, those are so equal it's not even funny, equal.

No wonder they have all those buffer overflow exploits. Their logic checks that include the not modifier are all wrong.

Rules of Open Source club (4, Funny)

CarpetShark (865376) | more than 5 years ago | (#27288675)

1. Fork the project
2. Change the name

Open Source?! Wait for it... (2, Funny)

Macthorpe (960048) | more than 5 years ago | (#27287845)

'hellfrozeover' tag in 3... 2... 1...

Libre? (1)

Toe, The (545098) | more than 5 years ago | (#27287887)

OK, so the source is viewable, but does it qualify as free software as in freedom?

Or is that a senseless question anyway since it runs under Windows?

Re:Libre? (5, Informative)

Macthorpe (960048) | more than 5 years ago | (#27287911)

It's released under the Ms-PL, which is OSI-approved.

Re:Libre? (1)

LingNoi (1066278) | more than 5 years ago | (#27288245)

Is that the license OSI approved which got a lot of flak because it says the source can only be run on windows or did they remove that use clause from their OSI licenses?

I don't keep up to date on such things so I am generally interested.

Re:Libre? (1)

poetmatt (793785) | more than 5 years ago | (#27288289)

The proper way to say it is "it's not open source compatible (gpl/others)", and even OSI knows that.

Just because its close in name, doesn't mean it's still not as proprietary as possible.

This is like putting an open source bumper sticker on a car and saying it's open source.

Re:Libre? (5, Informative)

larry bagina (561269) | more than 5 years ago | (#27288379)

The GPL isn't open source compatible with most other open source licenses, either.

Re:Libre? (1, Informative)

Anonymous Coward | more than 5 years ago | (#27288669)

"it's not open source compatible (gpl/others)"

Since when has Open Source and GPL been synonymous? BSD comes to mind....

Re:Libre? (1, Informative)

Anonymous Coward | more than 5 years ago | (#27287977)

Or is that a senseless question anyway since it runs under Windows?

To answer the rhetorical question, yes it is a senseless question and the software is not really free. Here's an article on such a situation http://www.gnu.org/philosophy/java-trap.html [gnu.org]

Re:Open Source?! Wait for it... (2, Insightful)

vadim_t (324782) | more than 5 years ago | (#27287897)

Definitely not.

Microsoft doesn't have anything against open source actually. They're perfectly fine with the BSD for instance, which they can incorporate in their products. They're also fine with their own "shared source" deal, which goes from "non commercial" to "you can only look at it".

What MS really despises is the GPL. They can't use it, and can't buy the source out in many cases. Of course they could technically use it, but they could apply the "embrace and extend" tactics, and would have to give out any improvements.

Re:Open Source?! Wait for it... (0)

Anonymous Coward | more than 5 years ago | (#27287987)

It's released under the Ms-PL, which is OSI-approved.

guess that makes you +1 wrong.

really? (2, Informative)

someone1234 (830754) | more than 5 years ago | (#27288175)

Are you sure, Coward?

http://www.opensource.org/licenses/ms-pl.html [opensource.org]

Or you say it won't be released under ms-pl?

Re:really? (2, Funny)

Anonymous Coward | more than 5 years ago | (#27288347)

Are you sure, Coward?

Please, no need for the formality. You can call me Anonymous...

Re:Open Source?! Wait for it... (2, Interesting)

koiransuklaa (1502579) | more than 5 years ago | (#27288205)

Wrong? Maybe... Note that MS-PL is not compatible with GNU GPL. That may have been just a coincidence from other requirements they had, but it may also have been #1 requirement for all MS-* licenses.

As far as I can tell MS-PL is exactly like BSD license, except it has a clause that makes it GPL-incompatible. MS-RL is very much like GPL plus a clause that makes it GPL-incompatible. I notice a trend here and it fits parent's comment quite well.

Note that I'm not saying everything needs to be GPL-incompatible, I'm just pointing out an important feature in these licenses.

Re:Open Source?! Wait for it... (0)

Anonymous Coward | more than 5 years ago | (#27288219)

So what? The viral GPL license is not the only one that makes your software free.

Re:Open Source?! Wait for it... (0)

Anonymous Coward | more than 5 years ago | (#27288229)

uh, I meant Note that I'm not saying everything needs to be GPL-compatible of course.

Re:Open Source?! Wait for it... (-1, Troll)

Anonymous Coward | more than 5 years ago | (#27288261)

Return to Digg, you asshole.

Re:Open Source?! Wait for it... (0)

LingNoi (1066278) | more than 5 years ago | (#27288263)

No I think the MS-PL have patent waivers as well which is why they didn't just go with BSD in the first place.

I say "i think" because I haven't read the license since it was first published.

This is M$ double speak for "Finding Free Sofware" (0, Interesting)

Anonymous Coward | more than 5 years ago | (#27287917)

The threat free software poses to your buddies at M$ is astronomical. This is the reason M$ will do anything in their power to remove all free software from M$ Winblows, which includes the use of M$'s new tactic of removing free software and using multiple accounts [slashdot.org] to back the story. The only way to eliminate the M$ exploits is to use free software instead of non-free software, or any software from M$.

--
Friends don't help friends install M$ junk.
Friends do assist M$ addicted friends in committing suicide.

Re:This is M$ double speak for "Finding Free Sofwa (3, Insightful)

gcnaddict (841664) | more than 5 years ago | (#27287933)

Your comment loses all credibility not so much because of your lack of evidence but because of your use of "M$."

Also, your suicide joke wasn't funny.

Re:This is M$ double speak for "Finding Free Sofwa (0, Troll)

jav1231 (539129) | more than 5 years ago | (#27288493)

Yeah, because we all know how benevolent Micro$oft is, right?

Re:This is M$ double speak for "Finding Free Sofwa (5, Insightful)

multisync (218450) | more than 5 years ago | (#27288579)

You know, I'm starting to take issue with comments that protest the use of the M$, Micro$oft etc. memes. I know how something can get on your tits - articles that identify companies by their stock symbols are a particular irritant of mine.

But being annoying to a given reader does not cause a comment to lose all credibility. I mean, you can judge a comment by any criteria you choose, even moderate that way if you like. But you and I can't have a conversation either, if at any time you might write off everything I've said because I violated some arbitrary boundary you have. It's like people who dismiss an otherwise intelligent comment because it was posted AC. Again, it's their prerogative, but it makes it hard for the rest of us to talk to them.

And I am not suggesting the comment you replied to was "otherwise intelligent." The comment you replied to was obviously a troll, and should be dismissed for that reason. I would agree that a user who says something like "Winblows" isn't making any kind of lucid point with that act, but he may just be really frustrated for a good reason. Let him vent - he "paid" for that right - then see if he has an actual point.

In defense of the use of M$ etc, I see it as sort of a short hand, like Garry Trudeau would do with politicians. A feather for Dan Quayle, a bomb for Newt Gingrich ... To a passionate free software advocate, M$ is a concise, efficient and - IMO - accurate moniker.

In two characters, the anonymous poster - who is probably Twitter - told us all we need to know about his opinion of Microsoft. I don't think an anti-Microsoft - or anti-Google/Linux/Apple bias for that matter - invalidates anyone's opinion. If it does, good grief we're all doomed.

BTW, I agree with you about the suicide remark.

Re:This is M$ double speak for "Finding Free Sofwa (-1, Troll)

Anonymous Coward | more than 5 years ago | (#27288087)

Hi twitter.

Re:This is M$ double speak for "Finding Free Sofwa (0)

Anonymous Coward | more than 5 years ago | (#27288427)

Hi bleeding rectum.

Re:This is M$ double speak for "Finding Free Sofwa (0)

Anonymous Coward | more than 5 years ago | (#27288659)

Hi troll [slashdot.org]

--
Friends don't help friends install M$ junk.
Friends do assist M$ addicted friends in committing suicide.

Re:This is M$ double speak for "Finding Free Sofwa (5, Insightful)

DrSkwid (118965) | more than 5 years ago | (#27288117)

yeah, FOSS exploits are cuddlier

But strange that in the 20 years I've been using Microsoft OSes, I've never had a virus or trojan or malware. I must be doing something wrong.

Re:This is M$ double speak for "Finding Free Sofwa (1)

mikesd81 (518581) | more than 5 years ago | (#27288181)

Or maybe you're an educated user and know what you're doing and know how to safely use the internet and install programs. I haven't had any malware or viruses either, because I know not to install questionable programs and go to questionable sites.

auto-hack or brute force? (4, Insightful)

Gothmolly (148874) | more than 5 years ago | (#27287849)

Does this bombard all exposed functions with garbage data and look for overflows, or does it actually comb source code, look for off-by-one bugs and try to outwit the code by using boundary conditions? It's nice for Kaminsky to praise his pimps, but how does this tool really differ from any of the other leak-detectors and bug-finding tools that already exist?

Re:auto-hack or brute force? (4, Informative)

interiot (50685) | more than 5 years ago | (#27287877)

The article mentions it does fuzz testing [wikipedia.org] , so it'd be the former.

Re:auto-hack or brute force? (2, Informative)

Wodin (33658) | more than 5 years ago | (#27288565)

The article mentions it does fuzz testing, so it'd be the former.

Actually, the article says it's used during fuzz testing, not that it does fuzz testing.

It's a Windows debugger extension that's used during fuzz testing[...]

It sounds more like an automated crash dump analyzer used after a fuzzer has caused the program to crash.

AFAICT, Neither (2, Informative)

spaceturtle (687994) | more than 5 years ago | (#27287881)

They talk about what to do when a bug is discovered. My understanding is that beta testing may result in thousands of crash reports. Clearly you'll want to prioritize fixing the exploitable crashes before the non-exploitable ones. It seems this software is to help you do that, although the article is short on technical detail.

Re:auto-hack or brute force? (1, Funny)

Anonymous Coward | more than 5 years ago | (#27287913)

They also don't say they've run any of it on Microsoft products or standards before...

Quite a few(think SMB) could have used a bit of fuzz-testing before the ink dried.

Re:auto-hack or brute force? (0)

Anonymous Coward | more than 5 years ago | (#27288367)

how does this tool really differ from any of the other leak-detectors and bug-finding tools that already exist?

Because it changes the game, man. Read the summary, at least.

I'm feeling quite dizzy... (4, Funny)

Anonymous Coward | more than 5 years ago | (#27287855)

Microsoft has released an open source product that detects security flaws in code... my irony detector just exploded. :)

Re:I'm feeling quite dizzy... (0)

Anonymous Coward | more than 5 years ago | (#27288007)

I guess the first app they need to run this against is windows

Re:I'm feeling quite dizzy... (2, Funny)

mail2345 (1201389) | more than 5 years ago | (#27288667)

Which just causes the finder to crash.

Things that make you go hmmm... (5, Funny)

Anonymous Coward | more than 5 years ago | (#27287869)

Could Microsoft be purposely trying to confuse people and associate the terms "open source" and exploits?

It's nice to see... (3, Funny)

rlanctot (310750) | more than 5 years ago | (#27287883)

Microsoft releasing their internal tools finally. I myself am waiting for their '!MakePortedAppsSuck' and '!CrushAllResistance' apps with baited breath...

Re:It's nice to see... (3, Funny)

Quothz (683368) | more than 5 years ago | (#27288009)

with baited breath...

Speaking of Microsoft and security, I think you've picked up a worm.

I'm not a programmer... (1)

Quantos (1327889) | more than 5 years ago | (#27287939)

But it almost sounds to me like the users are supposed to run this and then report their findings.
Do the people that run it get a paycheck? Or is that the part that's open source?
Aren't there other programs that also do this? If so (I really can't imagine that MS are the first to release something like this), then how is this news?

Re:I'm not a programmer... (0)

Anonymous Coward | more than 5 years ago | (#27287953)

The summary say "identifying security vulnerabilities in software while it's still under development", where do you get the idea that it's intended for end users?

Re:I'm not a programmer... (1)

Quantos (1327889) | more than 5 years ago | (#27288093)

Is beta testing not considered part of the development process?
True, most end users aren't interested in running beta tests. However MS always seems to manage to leak their software early, I'm assuming it's to get more testing done by the public.

Re:I'm not a programmer... (1)

LingNoi (1066278) | more than 5 years ago | (#27288293)

It's open source so everyone wins, not just Microsoft.

Here's a better idea (-1, Troll)

thetoadwarrior (1268702) | more than 5 years ago | (#27287947)

Fix all the bugs and then you're sure you've fixed all the big bugs.

Re:Here's a better idea (1)

FooAtWFU (699187) | more than 5 years ago | (#27288113)

Well, that's a nice idea, but it takes a finite nonzero amount of time to do so. And, during that time, if you already have a product which is out (as many people do), people may be exploiting it, and so the bugs they are most likely to exploit are probably worthy of being deemed more urgent to fix, and what bugs are more likely to be exploited than the ones you can find using automated tools?

Re:Here's a better idea (1)

wonderboss (952111) | more than 5 years ago | (#27288693)

You're saying you ship a product with so many crashes that you can't possibly fix them all quickly? We are not just talking bugs. To quote the original post the tool "combs through bugs that cause a program to seize up, and assesses the likelihood of them being exploited by attackers". You're fired.

pronounced 'bang exploitable crash analyzer' (2, Funny)

c.derby (574103) | more than 5 years ago | (#27287949)

...or as i prefer to call it, "bang beca."

Re:pronounced 'bang exploitable crash analyzer' (-1, Troll)

Reality Master 201 (578873) | more than 5 years ago | (#27287991)

That's what she said. And by she, I mean your mom.

Re:pronounced 'bang exploitable crash analyzer' (1)

MonsterOfTheLake (880659) | more than 5 years ago | (#27288017)

...or as i prefer to call it, "bang beca."

My girlfriend's name is Rebecca.

Thanks Microsoft!

Re:pronounced 'bang exploitable crash analyzer' (0)

Anonymous Coward | more than 5 years ago | (#27288185)

Yeah, it sounds less like a Microsoft name than something that Miguel came up with for his open source knockoff.

- and I heard that a Hong Kong filmmaker is suing Microsoft, seems the name was already taken.

People in glass houses... (0)

AnalPerfume (1356177) | more than 5 years ago | (#27287983)

...only see Windows.

"Now, Microsoft wants to help secure third-party applications that run on top of Windows."

Microsoft can't even secure their OWN stuff, what makes them think anyone can take them seriously when they try to secure third party stuff? Who knows, maybe it will make third party stuff more secure, which puts the blame back onto Microsoft for every exploit. It will just enhance the fact that the best way to make Windows secure is to use as little Microsoft software as you can on it. It may also backfire on them if people start wondering why they don't use their little tool to make Microsoft software more secure too. If they do, will the difference be noticeable? Will people get noticeably fewer malware infections per week?

interesting excerpt from bang source code (5, Funny)

Anonymous Coward | more than 5 years ago | (#27287985)


#include <string>

enum Severity {
    TRIVIAL_SECURITY_RISK,
    MODERATE_SECURITY_RISK,
    MAJOR_RISK_UNINSTALL_IMMEDIATELY
};

struct Bug;                                          // crash record handed in by the analyzer
std::string get_application_vendor(const Bug *bug);  // vendor of the faulting module

Severity assess_severity(const Bug *bug)
{
    std::string vendor = get_application_vendor(bug);
    if ((vendor == "Google") ||
        (vendor == "Adobe") ||
        (vendor == "Mozilla"))
          return MAJOR_RISK_UNINSTALL_IMMEDIATELY;
    else if (vendor == "Microsoft")
          return TRIVIAL_SECURITY_RISK;
    else
          return MODERATE_SECURITY_RISK;
}

There's already proof that this can't work (1)

mark-t (151149) | more than 5 years ago | (#27287989)

It's called Turing's halting problem.

Re:There's already proof that this can't work (4, Informative)

spydabyte (1032538) | more than 5 years ago | (#27288019)

That's proof that it can't always work. Not that it never works.

Re:There's already proof that this can't work (2, Insightful)

mark-t (151149) | more than 5 years ago | (#27288319)

And just like anti-virus software, it will lull people into a false sense of security that can easily result in catastrophe.

Re:There's already proof that this can't work (2, Insightful)

MoralHazard (447833) | more than 5 years ago | (#27288121)

Has anybody ever told you "'Perfect' is the enemy of 'good enough'."? Perhaps after listening to you explain why your project is behind schedule, then sighing and face-palming?

The halting problem says that there cannot be a GENERAL ALGORITHM that works in all cases, for any of the infinity of possible programs that can exist.

That proves ZERO about, say, whether I can write an algorithm that covers 99% of the common cases. The lack of a general solution doesn't imply that it can't be done often enough, in practice.

Re:There's already proof that this can't work (0)

mark-t (151149) | more than 5 years ago | (#27288291)

What's 1% of infinity? It can't work.

Re:There's already proof that this can't work (1)

Zironic (1112127) | more than 5 years ago | (#27288503)

What part of the word "common" are you unable to comprehend?

Re:There's already proof that this can't work (1)

aslate (675607) | more than 5 years ago | (#27288393)

No, all it states is that it cannot prove the program is bug free. It can, however, keep running and finding as many bugs as possible.

If you get to a stage where you don't find bugs after a long enough period of time, you've probably reached the limits of that particular testing method's ability to provide any useful data about the application. That or the bugs are now awkward to find and probably won't be found by the majority of user input either.

On the halting problem basis, users will never find every bug in an application either, so lets not fix them!

Re:There's already proof that this can't work (0)

Anonymous Coward | more than 5 years ago | (#27288507)

I bet you don't use lint either, because it doesn't catch every possible problem?

Re:There's already proof that this can't work (1)

TwilightXaos (860408) | more than 5 years ago | (#27288629)

Because the majority of crash-inducing bugs don't result in security vulnerabilities, there can be a fair amount of internal debate when they're discovered during development.

a repeatable tool that takes a look at a crash

Both of the above quotes indicate that the tool does not determine when a program will crash. It only analyses the crash after a tester/developer has found a bug that makes the program crash.

This is not the halting problem, but a more ambiguous problem of whether a specific crash inducing bug is a security risk, or just a bug.
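The step Wodin and TwilightXaos describe above (the tool runs after a fuzzer has already crashed the program, decides whether that crash looks like a security risk or just a bug, and lets a developer rank thousands of crash reports, as spaceturtle put it) is easy to picture in code. The block below is an added example written for this page; it is not code from the thread and not the !exploitable extension's own logic, which runs inside WinDbg against live debugger state rather than on records like these. The Crash fields, the rule set, the bucket names and the five-frame stack hash are simplifications chosen here to show the idea, and the sample crashes are constructed, not real fuzzer output.

```python
"""Crash triage in the style of a post-fuzzing exploitability analyzer.

Added example: classify already-captured crash records, collapse duplicates
by a hash of the innermost stack frames, and rank the buckets so the few
high-risk crashes float to the top.  The rule set is a hypothetical,
simplified one, not any real tool's.
"""
import hashlib
from dataclasses import dataclass

# Ordered so that sorting by this index puts the riskiest bucket first.
RANKS = ["EXPLOITABLE", "PROBABLY_EXPLOITABLE", "UNKNOWN", "PROBABLY_NOT_EXPLOITABLE"]

NEAR_NULL = 0x10000  # a read fault below this is treated as a plain null dereference


@dataclass
class Crash:
    exception: str          # e.g. "ACCESS_VIOLATION", "HEAP_CORRUPTION", "INT_DIVIDE_BY_ZERO"
    access: str             # "read", "write" or "execute" for access violations, else ""
    address: int            # faulting data address or branch target
    instruction: str        # mnemonic at the faulting PC
    frames: list            # symbolized frames, innermost first
    control_flow: bool = False  # does the loaded value feed a call/jmp/ret shortly after?


def classify(c: Crash) -> str:
    """Map one crash to an exploitability bucket (hypothetical rule set)."""
    if c.exception == "HEAP_CORRUPTION":
        return "EXPLOITABLE"                    # allocator found a corrupted heap block
    if c.exception == "ACCESS_VIOLATION":
        if c.access == "write":
            return "EXPLOITABLE"                # write to an attacker-influenced address
        if c.access == "execute" or c.instruction in ("call", "jmp", "ret"):
            return "EXPLOITABLE"                # control transfer to an unmapped address
        if c.address < NEAR_NULL:
            return "PROBABLY_NOT_EXPLOITABLE"   # null-pointer read, usually just a bug
        if c.control_flow:
            return "PROBABLY_EXPLOITABLE"       # read result feeds an indirect branch
        return "UNKNOWN"                        # read fault with no further evidence
    if c.exception in ("INT_DIVIDE_BY_ZERO", "STACK_OVERFLOW"):
        return "PROBABLY_NOT_EXPLOITABLE"       # denial of service at worst
    return "UNKNOWN"


def stack_hash(frames, depth=5) -> str:
    """Hash the innermost `depth` frames so crashes with one root cause share a bucket."""
    key = "|".join(frames[:depth]).encode()
    return hashlib.sha256(key).hexdigest()[:16]


def triage(crashes):
    """Deduplicate by stack hash and return buckets ordered riskiest first."""
    buckets = {}
    for c in crashes:
        h = stack_hash(c.frames)
        rating = classify(c)
        b = buckets.setdefault(h, {"hash": h, "rating": rating, "count": 0, "top": c.frames[0]})
        b["count"] += 1
        # Same stack but a worse rating on this instance: keep the worse one.
        if RANKS.index(rating) < RANKS.index(b["rating"]):
            b["rating"] = rating
    return sorted(buckets.values(), key=lambda b: (RANKS.index(b["rating"]), -b["count"]))


# Constructed sample crashes standing in for a fuzzer's output (not real data).
SAMPLE = [
    Crash("ACCESS_VIOLATION", "read", 0x0, "mov", ["parse_header", "parse_file", "main"]),
    Crash("ACCESS_VIOLATION", "read", 0x8, "mov", ["parse_header", "parse_file", "main"]),
    Crash("ACCESS_VIOLATION", "write", 0x41414141, "mov", ["copy_chunk", "parse_body", "parse_file", "main"]),
    Crash("ACCESS_VIOLATION", "execute", 0x41414141, "call", ["dispatch", "parse_body", "parse_file", "main"]),
    Crash("ACCESS_VIOLATION", "read", 0x7fff0000, "mov", ["lookup_vtable", "render", "main"], control_flow=True),
    Crash("ACCESS_VIOLATION", "read", 0x0c0c0c0c, "mov", ["decode_chunk", "parse_body", "parse_file", "main"]),
    Crash("INT_DIVIDE_BY_ZERO", "", 0, "idiv", ["scale_image", "render", "main"]),
    Crash("HEAP_CORRUPTION", "", 0, "", ["free", "release_chunk", "parse_file", "main"]),
]

if __name__ == "__main__":
    for b in triage(SAMPLE):
        print(f"{b['rating']:<26} x{b['count']:<3} {b['hash']}  {b['top']}")
```

Two details carry the point of the thread: the classifier never runs the target, it only reads what the crash left behind, so the halting problem does not enter into it; and the two null dereferences in parse_header collapse into one bucket at the bottom of the list while the write and the bad call land at the top, which is the "thousands down to a few dozen" prioritisation the summary talks about.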

In related news (0)

Anonymous Coward | more than 5 years ago | (#27287993)

Windows 7 is delayed 8 months, and Vista is being recalled...

The first thing Microsoft should do with it (0)

Anonymous Coward | more than 5 years ago | (#27288031)

is run it against explorer.exe and find out why explorer.exe is such a stinking piece of shit application. If there has been one thing in every version of Windows since 95 that has caused me to nearly lose my temper and smash something so many times it is explorer.exe. Freezing, glacier slow with networks and networked drives, and other assorted annoyances like taking the goddamn task bar and desktop out when having to kill the explorer.exe process in Task Manager. Every time one of those things happens in XP, I'd love to smack Ballmer in the face with a chair.

THOUSANDS OF BUGS? (0, Flamebait)

v1 (525388) | more than 5 years ago | (#27288051)

Dan Kaminsky, a well-known security expert who also provides consulting services to Microsoft, hailed the release a 'game changer' because it provides a reliable way for developers to sort through thousands of bugs to identify the several dozen that pose the greatest risk."

Maybe I'm just totally out of touch here, but for my development, finding the bugs is the time consuming part, fixing them usually goes pretty quick. I welcome anything that helps find my bugs, that saves so much time. If your code is so decrepit that this tool is going to find "thousands" of bugs, you need to go back to school for a while.

Given a tool like that, I'd be running it regularly and not just addressing the "important" bugs. Making that thing pass clean would be one of the steps in my development cycle.

Or maybe he's just speaking more about a common windows programming philosophy? (I certainly hope not)

Re:THOUSANDS OF BUGS? (4, Insightful)

MoralHazard (447833) | more than 5 years ago | (#27288171)

How large of a programming team do you work with? And how big are the projects to which you contribute code? And what kind of development model do you use (waterfall, Agile, ad-hoc, etc.)?

Shipping a large project with 1,000 bugs might be a perfectly valid decision. Are any of those 1,000 bugs deal-breakers for your install base? If so, how many clients does it affect? Are these "real bugs", or just incomplete/unpolished functions, or documentation issues, or output typos, or what?

And what kind of software is this? Are you building a time & expense web application, or a filesystem driver? In the former case, most bugs will be interface glitches--ugly, annoying, and harmless. In the latter case, even one bug could easily cause silent data corruption.

Remember what Linus Torvalds said: Release early, release often. Don't wait til all your bugs are fixed before shipping your software, or you'll lose your "market" window. If it's good enough, the early-adopters will understand, and might even contribute bug reports or patches that will speed you up.

Re:THOUSANDS OF BUGS? (2, Interesting)

v1 (525388) | more than 5 years ago | (#27288257)

Shipping a large project with 1,000 bugs might be a perfectly valid decision

Why don't we just change that to Shipping a large project with 1,000 bugs might be a perfectly valid business decision

I don't ship crap.

And if I had a really large project, I still wouldn't ship crap. Too many pinheads cutting corners to save a buck, particularly on large projects, because they count that as an excuse and want to rush it out the door ASAP to start generating revenue. Not me thank you very much. Just because there's a fair number of vendors that play that game doesn't mean it's the rule.

I still can remember back to the days when "version one-point-oh" didn't always have to mean "train wreck, we'll start seriously fixing bugs around 2.5". Today's translation works as follows: Today's 1.0 is yesterday's early beta. Today's 2.0 is yesterday's Still Beta. Today's 3.0 is yesterday's 1.0.

Software should work out of the box. You shouldn't have to wait for an update or two for it to become stable enough to use.

Re:THOUSANDS OF BUGS? (1)

scribblej (195445) | more than 5 years ago | (#27288635)

While I agree that people could do better, your overall attitude of EVERY BUG MUST GO BEFORE WE RELEASE is probably why you have to say "if I had a big project" rather than "the big project I'm on now..."

"Software should work out of the box. You shouldn't have to wait for an update or two for it to become stable enough to use."

Agreed, we're not talking about bugs that prevent use of the software here. Your inability to distinguish possibly hinders you professionally.

Re:THOUSANDS OF BUGS? (1)

v1 (525388) | more than 5 years ago | (#27288399)

Remember what Linus Torvalds said: Release early, release often. Don't wait til all your bugs are fixed before shipping your software, or you'll lose your "market" window. If it's good enough, the early-adopters will understand, and might even contribute bug reports or patches that will speed you up.

I forgot to address this. Yes, early adopters and capturing your market are important. I can see where "version 1" could be considered beta for the purposes of getting your foot in the door. I don't think anyone expects a polished product on 1.0. But I'm talking about things that have gotten a ways. I mean, Windows SEVEN? Come on, by now everyone expects you to have your act together. You should already have your market carved out. Nobody is "early adopting" Windows anymore. Releases should be solid by 3. There is no excuse for a product's major releases 3+ years after initial release to be crutching themselves up on the notion of "early adopters" and "capturing market".

Re:THOUSANDS OF BUGS? (1)

owlstead (636356) | more than 5 years ago | (#27288193)

Thousands of bugs? They must have tested it against their office suite :)

But seriously, Microsoft must have loads of legacy code lying around, so thousands of bugs are to be expected. Office just happens to be one of them (and the number of Word related crashes on my office computer is just about hopeless).

Re:THOUSANDS OF BUGS? (1)

jlebrech (810586) | more than 5 years ago | (#27288481)

MS have to keep the legacy bugs in there for compatibility reasons.

Am I the only one that already wondered... (0)

Anonymous Coward | more than 5 years ago | (#27288063)

whether microsoft has run this app on itself? I'm waiting for the first exploit. Let me suggest that we name it "crash bang exploitable crash analyzer".

Enough problems of their own (0, Flamebait)

kimvette (919543) | more than 5 years ago | (#27288067)

This is another form of FUD, IMHO. Why not focus on finding all the exploits in their own software which result in easy installation of rootkits and spyware and other malware in their systems, which results in boot times of 5 to 15 minutes, where there can be literally HUNDREDS to THOUSANDS of processes infesting the Windows platform and the Microsoft Office suite?

I have yet to see an exploit in *nix that can't be relatively easily removed. I HAVE seen rooted boxes but they have been installed by determined crackers - on slowlaris and Linux - in those cases the exploit was able to be removed and verifying against known-clean machines has verified they were clean - in an enterprise environment at a state college. Other infections I've seen have been confined to individual user accounts, or to an individual application (apache).

Heck, I've had a machine rooted because I did not want to update OpenSSL on one of my machines a few years ago. I had opened the machine up to the net (it was normally on a clean net but I opened it up and forgot to close the firewall after I finished testing) but even that was easily cleaned, and I verified against a backup that I had successfully cleaned the system. I did reinstall as a safeguard and finally patched OpenSSL. However that was a known-and-patched exploit that I didn't care to upgrade because it was a private machine normally inaccessible from the wild. It was the result of carelessness. I cleaned it in under 15 minutes and could have left it and been safe but I took the opportunity to upgrade to a newer distro release anyhow.

The difference is, so many Windows apps require admin/root access that it is the normal operating mode of Windows, and one application with an exploit (MSIE and IIS in particular) can almost invariably result in the box being rooted, and Windows does not make it easy to clean. Why? Because even "safe mode" can be exploited to run processes at startup. Cleaning up the mess is a tedious process, and while BartPE or WinPE (if you have access to WinPE) do make the job a little easier, it's still a pain in the neck.

Linux exploits usually are the result of one to three things:

1. Carelessness: running an intentionally-or-unintentionally patched box open to the 'net. I've done this before and had to clean up the mess.

2. User running as root - this is a surefire way to get exploited. No mainstream applications not designed for administration tasks require root access, and unlike Vista's UAC, the privilege escalation mechanisms in *nix variants/distros actually do what they are designed to do without being obnoxious.

3. Sheer determination: the cracker just keeps pounding and pounding on the box using all known exploits and then turns to brute force. Eventually the user will get in unless the firewall detects the attempts because you can't stop determined douchebaggery.

Now, as far as Windows is concerned: there are a quintillion (OK, a slight exaggeration) unpatched known exploits (some of them having been known for 10+ years), probably >99% of users run as Administrator because many applications and even some games require admin access to run, so the boxes are uber-easy to hack.

So, why doesn't Microsoft produce these tools for Windows, so the mass populace can help identify, log steps to reproduce, and report the exploits? Why are they using their resources to create tools for testing open source software for exploits? It is so they can give windows fanbois tools to create yet more anti-Linux and anti-F/OSS FUD, pure and simple. It's not about caring about F/OSS, it's not about wanting to contribute, and it certainly is not about being a good netizen. It is entirely self-centered. And, it makes sense for Microsoft since their duopoly is in danger and they know they peaked long ago and the only direction they have to go is down, and they know it.

Re:Enough problems of their own (0)

Anonymous Coward | more than 5 years ago | (#27288273)

Nice tirade, but the "open source" designation refers to the exploit-finding tool, not to the programs it analyzes. In other words, Microsoft released a tool for finding exploits in programs, and this tool was released under an open-source license.

Re:Enough problems of their own (0)

Anonymous Coward | more than 5 years ago | (#27288295)

Maybe if you would RTFS before posting, you would know that this software is an exploit finder that is open source, not an exploit finder that targets open source.

So yes Microsoft can, and should, use this tool to find exploits in their own software. The problem is they can't really brag about doing this because if the tool fails to find a lot of exploits it will be seen as a failure, but if it does find a lot, then MS will have to admit that Windows itself has been a failure, from a security standpoint.

Re:Enough problems of their own (0)

Anonymous Coward | more than 5 years ago | (#27288301)

You're misinterpreting the title.

They released an exploit finder under an open source license, not an exploit finder for open source applications.

Re:Enough problems of their own (0)

Anonymous Coward | more than 5 years ago | (#27288305)

I think you misunderstood the title, as I did initially. The tool is an "Open source exploit finder" in the sense that it is an exploit finder which is open source, not that it finds exploits in open source software.

Re:Enough problems of their own (0)

Anonymous Coward | more than 5 years ago | (#27288307)

Wow you spent a lot of time on that comment. Unfortunately, you read the title without reading the description? The exploit finder IS open source, not FOR open source.

Re:Enough problems of their own (4, Insightful)

BasharTeg (71923) | more than 5 years ago | (#27288445)

So, why doesn't Microsoft produce these tools for Windows, so the mass populace can help identify, log steps to reproduce, and report the exploits? Why are they using their resources to create tools for testing open source software for exploits? It is so they can give windows fanbois tools to create yet more anti-Linux and anti-F/OSS FUD, pure and simple.

Are you retarded? This tool isn't a "find exploits in open source software tool." It's an open source "find exploits in software tool". So Microsoft has an internal tool that they've developed to search for exploits in their software like Windows and Office, but they decided to open source that tool and share it with everyone else. It has nothing to do with Windows versus Linux.

As far as your ridiculous rant regarding Windows and programs running as Administrator, if you actually looked at the most recent versions of Windows, the number of system services that run under NETWORK SERVICE and other less privileged accounts has been increased, and with UAC, running users as non-admin is actually feasible. I don't know if you'd ever tried running as non-admin under XP, but the idea of logging out and logging back in to make a change, or hoping to hell that runas will actually work, just makes no sense. In addition, their work on Protected Mode where IE runs in a sandbox is another example of MS working to implement the least privilege principle.

Microsoft has made *considerable* progress on the non-admin front, and continues to work on that.

Oh, and whoever modded you up for this nonsensical misinterpretation of the tool needs a meta-mod down.

Re:Enough problems of their own (1)

cybrthng (22291) | more than 5 years ago | (#27288463)

I wish I could mod you up.. I'm not sure what high horse the OP was on, but I'd like some of what he is smoking!

Re:Enough problems of their own (0)

Anonymous Coward | more than 5 years ago | (#27288483)

If you were not an obvious fanboi, I might suggest you read the article.
But don't let the truth prevent you from spewing anti-MS zealotry.
They are not testing open source software for exploits. The tool is an MS open source tool (not GPL, their MS-PL in all likelihood). There is a difference in being an open source tool and a tool for open source.

A bounty for first exploit of !exploit (1)

PrescriptionWarning (932687) | more than 5 years ago | (#27288077)

Just wait till people get to see the code for this thing, then we'll see the true colors of their idea of security

!static code analyzer (1)

owlstead (636356) | more than 5 years ago | (#27288141)

I would be more impressed if they released a free and open static code analyzer to include for their compilers that may also compile to native code (e.g. Visual C++).

That said, I'll be nice and applaud this effort. But if anywhere possible, use managed code (scripting or a secure VM) instead of relying on this kind of analysis. At this rate, it will take centuries to get rid of all the buffer overflows and other rather inexcusable code out there. I would be very amazed if this tool would (help to) remove all those kinds of vulnerabilities.

This article scores an 11 on the inflammatory headline, shame on the editors for letting this get through. Slashdot seems to be getting worse (which is certainly kind of amazing).

Wow! (0, Flamebait)

edivad (1186799) | more than 5 years ago | (#27288153)

Once again, Microsoft invented the ... drum roll ... wheel!
Fuzzy data injection has been used for ages in the security world. By both bad and good guys.
Oh, and the Address Space Layout Randomization thing, Linux had it long before them, so I guess that according to their very same rules, they invented that too.

Eat your own dogfood? (0, Troll)

v1 (525388) | more than 5 years ago | (#27288203)

Microsoft Unveils Open Source Exploit Finder

Kind of makes one wonder why they don't oh I don't know... say... Run it on their Windows source???

Re:Eat your own dogfood? (2, Informative)

LO0G (606364) | more than 5 years ago | (#27288337)

Why do you believe that Microsoft doesn't run it on their own code?

Remember that !exploitable is a debugger extension that is used on a crash dump to determine if it's possible that the crash was caused by an exploitable bug. It's not a source code analyzer - it's purely a post-mortem analysis tool.

From the paper I would expect that Microsoft routinely runs this tool over crashes, especially over the crashes that are found by its internal fuzzing tests (the paper says that they ran over 350 Million fuzzing iterations in Vista).

OSS bug search engine already exists! (1)

jumper32 (1280396) | more than 5 years ago | (#27288241)

http://bugspy.net/ [bugspy.net] does this already. It gathers tens of thousands of bugs.

It's Called Windows (0)

Anonymous Coward | more than 5 years ago | (#27288259)

Microsoft's program aimed at finding and analyzing security and exploit issues is named "Windows". All versions will help you do this.

huh??? (1)

iScharfschtze (1506249) | more than 5 years ago | (#27288285)

And still, they don't use that in Win?! lol

Valgrind? (0)

Anonymous Coward | more than 5 years ago | (#27288359)

Haven't read TFA. Will not do, but this sounds a lot like a mixture of grep and valgrind on a bugzilla.

If they've been sitting on this for a while, we know how good it is then.

palmface (-1, Flamebait)

Anonymous Coward | more than 5 years ago | (#27288401)

Summary of the story: Microsoft made an open-source tool to fix problems in their crappy closed-source software.

In analogous news,
the tires on my car are a little worn out, so I bought some new tires and put them on my ATV instead of my car.

Why isn't it working?

Open Source Exploit Finder? (1)

D Ninja (825055) | more than 5 years ago | (#27288433)

So...let me get this straight...they're open sourcing their Windows code base?

I'm here all week. The veal is amazing!

Help me understand this. (1)

wonderboss (952111) | more than 5 years ago | (#27288467)

This tool "combs through bugs that cause a program to seize up, and assesses the likelihood of them being exploited by attackers". So we then decide whether to fix the crash or not based on whether the crash is exploitable? Anyone that buys this idea is fired.

Curious to See... (1)

Quartz25 (1195075) | more than 5 years ago | (#27288641)

Has Microsoft run Crash Analyzer on Crash Analyzer?

windbg needs PDB so app must compile in MSVS (5, Informative)

formal_entity (778568) | more than 5 years ago | (#27288651)

It's a plugin to the windbg debugger, so that when it hits an access violation (which is MS speak for SIGSEGV) you can do !exploitable and it will use some heuristics to guess whether this bug is an exploitable security vulnerability.

Since Microsoft receives millions of crash dumps every day for every single Windows app (including third-party apps) they need hardcore bug triaging tools.

For decades each crash they received went into the "!analyze -v" automatic bug triage tool which tries to figure out whether it's a Microsoft bug or a bug in the third-party app. It also tries to classify the bug using advanced heuristics which have been refined over many years.

Now, they have decided to do the same for security bugs as well and thus they created the !exploitable windbg plugin. This plugin has been in production use inside Microsoft for over a year already. However, they know that it doesn't matter in what application the security hole is, if a box is owned Microsoft always gets bad press regardless.

Also note that this tool cannot easily be used to find security bugs in the linux kernel, nor in linux-only apps either, because you must run it inside windbg. Further, in order for windbg to be useful you must have debug symbols loaded from the proprietary debug symbol format PDB that Microsoft created, which in practice means you must have compiled it with Visual Studio (and not mingw etc).

So you need not just a port to windows (using mingw or similar) but you actually need to port the app to compile under MS compiler if you want to use this.

Apps like Firefox will be able to use this tool though, they already have a debug symbol server online that hosts PDB debug symbols for every single release build of Firefox.

I absolutely think the open source community should use this tool to scan cross-platform apps but in the long term, I hope there will be a gdb plugin with similar functionality which also has heuristics geared for *nix exploits.
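Two comments above (LO0G's, and formal_entity's just here) describe what the tool actually is: a post-mortem debugger extension that looks at a crash record, applies heuristics to rate how likely the underlying bug is to be exploitable, and helps sort thousands of fuzzing crashes down to the handful worth fixing first. The following is an added example, not Microsoft's code and not the real !exploitable rule set: a deliberately simplified triage that rates constructed crash records (exception kind, access type, faulting address, top stack frames), collapses duplicates by stack hash, and orders the result worst-first. The address threshold, rule table, and sample crashes are all assumptions made for illustration.

```python
"""Toy exploitability triage for crash records, in the spirit of !exploitable.

Added example, not Microsoft's code: the rule set is a deliberately
simplified approximation of the kind of post-mortem heuristics the
comments describe, and the crash records are constructed, not real dumps.
"""
import hashlib
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional


class Rating(IntEnum):
    """Output buckets, ordered so that a descending sort puts the worst first."""
    PROBABLY_NOT_EXPLOITABLE = 1
    UNKNOWN = 2
    PROBABLY_EXPLOITABLE = 3
    EXPLOITABLE = 4


NULL_PAGE_LIMIT = 0x10000  # assumption: faults below this count as null dereferences


@dataclass
class Crash:
    crash_id: str
    exception: str                        # e.g. "ACCESS_VIOLATION", "STACK_BUFFER_OVERRUN"
    stack: list[str]                      # symbolized frames, innermost first
    access: Optional[str] = None          # "read" | "write" | "execute" for access violations
    fault_address: Optional[int] = None   # address the faulting instruction touched


def classify(c: Crash) -> tuple[Rating, str]:
    """Map one crash to a rating plus a one-line reason (simplified rules)."""
    if c.exception == "STACK_BUFFER_OVERRUN":
        # A stack cookie check failed: the return-address neighbourhood was overwritten.
        return Rating.EXPLOITABLE, "stack cookie corrupted"
    if c.exception == "HEAP_CORRUPTION":
        return Rating.EXPLOITABLE, "heap metadata corrupted"
    if c.exception == "ILLEGAL_INSTRUCTION":
        # Executing garbage usually means the instruction pointer was redirected.
        return Rating.PROBABLY_EXPLOITABLE, "illegal instruction executed"
    if c.exception == "STACK_OVERFLOW":
        # Stack exhaustion (unbounded recursion) is a denial of service, not code execution.
        return Rating.PROBABLY_NOT_EXPLOITABLE, "stack exhaustion"
    if c.exception == "ACCESS_VIOLATION" and c.fault_address is not None:
        near_null = c.fault_address < NULL_PAGE_LIMIT
        if c.access == "execute":
            return Rating.EXPLOITABLE, "instruction fetch from invalid address"
        if c.access == "write":
            if near_null:
                return Rating.PROBABLY_EXPLOITABLE, "write near null (offset may be attacker-influenced)"
            return Rating.EXPLOITABLE, "write to arbitrary invalid address"
        if c.access == "read":
            if near_null:
                return Rating.PROBABLY_NOT_EXPLOITABLE, "read near null"
            return Rating.UNKNOWN, "read from invalid address"
    return Rating.UNKNOWN, "no rule matched"


def bucket_hash(c: Crash, depth: int = 5) -> str:
    """Group crashes by their innermost frames so duplicates collapse into one bug."""
    key = "|".join(c.stack[:depth])
    return hashlib.sha256(key.encode()).hexdigest()[:12]


def triage(crashes: list[Crash]) -> list[dict]:
    """Collapse duplicates, rate each bucket, and order worst-first, then most-frequent."""
    buckets: dict[str, dict] = {}
    for c in crashes:
        rating, reason = classify(c)
        h = bucket_hash(c)
        b = buckets.setdefault(h, {"bucket": h, "rating": rating, "reason": reason,
                                   "count": 0, "ids": []})
        b["count"] += 1
        b["ids"].append(c.crash_id)
        if rating > b["rating"]:  # keep the worst rating seen for this bucket
            b["rating"], b["reason"] = rating, reason
    return sorted(buckets.values(), key=lambda b: (-b["rating"], -b["count"]))


# Constructed sample crashes (not real dumps) standing in for a fuzzing run's output.
SAMPLE_CRASHES = [
    Crash("c1", "ACCESS_VIOLATION", ["parse_header", "read_record", "main"], "read", 0x18),
    Crash("c2", "ACCESS_VIOLATION", ["parse_header", "read_record", "main"], "read", 0x20),
    Crash("c3", "ACCESS_VIOLATION", ["copy_payload", "read_record", "main"], "write", 0x41414141),
    Crash("c4", "STACK_BUFFER_OVERRUN", ["__report_gsfailure", "format_name", "main"]),
    Crash("c5", "STACK_OVERFLOW", ["walk_tree"] * 5 + ["main"]),
    Crash("c6", "ACCESS_VIOLATION", ["dispatch", "main"], "execute", 0x41414141),
]


if __name__ == "__main__":
    for b in triage(SAMPLE_CRASHES):
        print(f"{b['bucket']}  {b['rating'].name:<25} x{b['count']}  {b['reason']}")
```

Run as a script it lists five buckets: the write, cookie-failure and execute crashes first, then the two null-read crashes collapsed into one bucket, then the recursion crash. The real tool keys on register state and disassembly rather than a pre-labelled access type, but the shape of the work is the same: rate, de-duplicate, sort, and spend engineering time on the top of the list.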
