×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Daily Exploit Releases Irk Both Vendors and Crooks

Zonk posted more than 7 years ago | from the can't-please-anyone dept.

165

conJunk writes "Security Focus has an article about HD Moore's Exploit-Every-Day-in-July endeavor raising the hackles of both browser vendors and criminals. He started the project because he felt that vendors were not taking his analysis seriously enough, but he appears to be the only one enjoying it. 'Black Hats' are having their exploits exposed, and Microsoft (who bears responsibility for the majority of the browser holes) can't keep up with the pace he's setting." From the article: "The software giant indirectly criticized the release of vulnerabilities in a statement to SecurityFocus, underscoring the importance of getting customers updated before they are exposed to threats from malicious attackers. 'Microsoft continues to encourage responsible disclosure of vulnerabilities,' the software giant said in a statement sent to SecurityFocus. 'We believe the commonly accepted practice of reporting vulnerabilities directly to a vendor serves everyone's best interests.'"

cancel ×
This is a preview of your comment

No Comment Title Entered

Anonymous Coward 1 minute ago

No Comment Entered

165 comments

Or (3, Informative)

gowen (141411) | more than 7 years ago | (#15722187)

Re:Or (5, Informative)

Anonymous Coward | more than 7 years ago | (#15722237)

Re:Or (0)

Anonymous Coward | more than 7 years ago | (#15722261)

Bravo on posting as AC rather than karma whoring like the GP.

Re:Or (2, Interesting)

n0-0p (325773) | more than 7 years ago | (#15722362)

Wow, talk about some FUD. Of the 14 vulns so far 10 are NULL pointer dereferences. HD must be really desperate for publicity if he's trying to pump these up as legitimate security vulns. I mean, you can argue that a server crash is a DoS, but crashing a browser? Get real.

Re:Or (5, Insightful)

jrockway (229604) | more than 7 years ago | (#15722540)

Crashing browsers is a huge PITA. Do you like your history? Do you keep multiple tabs open. All that is gone when your browser SEGVs.

If a remote user can make your software do something it's not supposed to do, that's a security problem.

Re:Or (1, Troll)

liquidpele (663430) | more than 7 years ago | (#15722862)

No, that's a stability problem. If the browser crashed the OS, I could see that being an issue, but lets get real, no one will remotely crash the browser just for shits and giggles because it's just dumb and a waste of time. Crashing an application is not a security issue unless the application is critical such as a webserver, database, etc.

No! Don't tell anyone!!! (5, Funny)

dubmun (891874) | more than 7 years ago | (#15722192)

A direct quote from the IE team over at Microsoft: "Don't tell anyone about all our holes! Then we won't have to fix them."

Re:No! Don't tell anyone!!! (1)

dtfinch (661405) | more than 7 years ago | (#15722275)

Not far from the truth at all. In their mind, every reported vulnerability serves to give customers an impression that IE is riddled with security problems. No matter that the damage is already done. If they looked at what's on a typical home Windows system, they'd know that already.

Re:No! Don't tell anyone!!! (5, Funny)

Kesch (943326) | more than 7 years ago | (#15722308)

Here are the responses from the different browsers after recieving vulnerability reports:

Firefox: Fixed!
Opera: Fixed in 9.0
IE: ...(4 months later) DUDE!? Why you have to go tattle on us!?

Re:No! Don't tell anyone!!! (1)

AK Marc (707885) | more than 7 years ago | (#15722736)

Here are the responses from the different browsers after recieving vulnerability reports:

Firefox: Fixed now, but when you install the new version for the fix, all your extensions won't work.
Opera: We didn't have to fix it, it was a non-standard that everyone wanted bet we didn't impliment it because it might have broken an actual standard.
IE: The problem is with the people that report vulnerabilities. It's much more efficient to wait until someone writes and exploit before patching.

Re:No! Don't tell anyone!!! (1)

jlarocco (851450) | more than 7 years ago | (#15722837)

Firefox: Fixed!

I think you mean "Fixed in CVS!"

Re:No! Don't tell anyone!!! (1)

jZnat (793348) | more than 7 years ago | (#15723011)

Nah man, that's the answer to almost everything on the MPlayer mailing list. Nowadays, it's "Fixed in Subversion _ages_ ago."

Re:No! Don't tell anyone!!! (1)

alexandreracine (859693) | more than 7 years ago | (#15722486)

[Microsoft] the software giant said in a statement sent to SecurityFocus. 'We believe the commonly accepted practice of reporting vulnerabilities directly to a vendor serves everyone's best interests.'"
Actually, this should have been like :"We believe we own you, your computer, and all your data, and we will fixe problem only when we want to, even if this is months after you got all those pop ups, etc, etc. Except in the case you by our One Care support of course."

Re:No! Don't tell anyone!!! (1, Interesting)

Anonymous Coward | more than 7 years ago | (#15722780)

http://www.nsfocus.com/english/homepage/research/0 604.htm [nsfocus.com]

Impact:
======
NSFocus Security Team discovered a buffer overflow vulnerability in Microsoft Office GIF filter, which could allow attackers to run arbitrary code via a carefully crafted GIF image.

Vendor Status
==============

2005.05.27 Informed the vendor
2005.06.02 Vendor confirmed the vulnerability
2006.07.11 Microsoft has released a security bulletin (MS06-039) and related
                        patches.

Over one YEAR !!

don't tell anyone :)

Too bad these WERE reported to mickeysoft (5, Informative)

drinkypoo (153816) | more than 7 years ago | (#15722204)

'Microsoft continues to encourage responsible disclosure of vulnerabilities,' the software giant said in a statement sent to SecurityFocus. 'We believe the commonly accepted practice of reporting vulnerabilities directly to a vendor serves everyone's best interests.'"

Yep. Too bad each and every one of these vulnerabilities has already long since been reported to Microsoft... which is hinted at by the correction at the bottom of the article:

CORRECTION: The article's discussion of Peter Swire's paper and position was clarified to stress that he believes proper disclosure involves first notifying the vendor, giving them time to fix the issue and then releasing vulnerability information.

Quoting the Microsoft "position" seems like a very odd choice for a story submission, without also giving the information that every one of these vulnerabilities has already been reported. Microsoft is simply sitting on their thumbs and not fixing them as usual; also as usual, they don't want the vulnerabilities published because this is made obvious.

Re:Too bad these WERE reported to mickeysoft (2, Interesting)

TheNetAvenger (624455) | more than 7 years ago | (#15722360)

Ok, this does seem strange, but brings more questions for myself...

First, lets assume he is reporting these to Microsoft in a responsible way...

With that said, who is he to 'determine' the 'timeline' for the fix? What if the bug or exploit affects a vast amount of code and third party applications? Does he get to hold the industry hostage becuase he didn't get the 'timeline' response or fix from Microsoft 'he' expects, when he knows nothing of what the bug or exploit might entail?

Microsoft 'should' also be keeping proper dialog with people that report these exploits, but that does not give one individual the 'button' to nuke MS when they don't jump on a fix as fast as the person wants, he is only screwing the consumers, not MS other than giving them bad press.

So if MS doesn't meet his timeline, then the consumers and industry gets screwed and put at risk.

If he 'had' the knowledge of all the downlevel code and testing to fix exploits that MS must undertake for each exploit, then sure he should be making the timeline call, but if the bug is more serious than what 'he' even may realize, it is still the Vendor that should have the say on publishing this information unless the person finding the 'exploit' can offer a credible fix, solution, or way to safe guard consumers.

This borders on yelling fire in a theater, because it isn't the theater owner that is getting hurt, it is the people getting trampled in the aisles...

Sure we all agree that MS should sometimes push up exploit fixes, but we also see others on here complain too much about MS addressing updates and fixes too rapidly if they break applications.

So I am left a bit conflicted over this..

Sure I can use another OS or another Browser, but there is a large base of 'consumers' that do use MS OSes and Browsers and they will be the least likely to even 'hear' of the exploit or protect themselves, instead this information will be gobbled up by the people that want to do harm to them and in the end the consumers get screwed.

Also of note, it isn't only MS this person has released information about when the vendor hasn't meet his timeline demands, and what are his standards based on what formula for what level of exploit and what level of code that would need to be fixed?

Does projects like Firefox and the Safari team have the resources to meet his timelines? How about distributions that spin off of other technologies that only have a small amount of people to work on them?

What are your opinions 'bias aside' on a single entitiy making decisions for vendors and consumers that they probably are not in a position to make?

Looking for honest debate because, I'm very curious to others views on this.

(Side Note) I also have been in a position much like this myself, finding holes that don't seem to be addressed on a timeline I would have liked...

Re:Too bad these WERE reported to mickeysoft (5, Insightful)

Anonymous Coward | more than 7 years ago | (#15722389)

This borders on yelling fire in a theater, because it isn't the theater owner that is getting hurt, it is the people getting trampled in the aisles

The problem is, that, using your stretched metaphor, there is a fire smoldering in the back of the theater, and nobody is aware. Sure, first thing you do is call the fire department, but you don't wait for them to put the blaze out in order to notify people.

To construct a better metaphor: Would you tell someone if a pickpocket were stealing their wallet? Or would you call the police first?

These kinds of holes are not only found by the 'white hat' security researchers... Odds are good that if he's found a hole, others have as well, and are misusing it.

At which point, what good does keeping silent do?

Re:Too bad these WERE reported to mickeysoft (4, Interesting)

Entropy (6967) | more than 7 years ago | (#15722694)

The problem is, that, using your stretched metaphor, there is a fire smoldering in the back of the theater, and nobody is aware.


I think it goes further than you took it, though:

Microsoft is the theater owner, and is very aware of the fire. He is in fact standing there in front of the smoldering flames to hide them.

And telling all the ushers to stand in the way, too.

And he's lit up a big fat cigar to cloak the smoke as best as possible.

And he's laughing nervously and encouraging others to light up, too, so the fire is cloaked by everyone smoking ..

Re:Too bad these WERE reported to mickeysoft (1)

Score Whore (32328) | more than 7 years ago | (#15722956)

Nah to stretch the original metaphor... HD Self-Promoter sees a situation in the theatre that under the proper conditions that won't pop up in normal operations of the theatre would start a fire. So he decides to demonstrate that he is correct about this by burning the theatre to the ground.

Re:Too bad these WERE reported to mickeysoft (3, Insightful)

schon (31600) | more than 7 years ago | (#15723140)

Odds are good that if he's found a hole, others have as well, and are misusing it.

Isn't that why the black hats are pissed too?

The odds aren't "good" - they're 100%.

Re:Too bad these WERE reported to mickeysoft (5, Insightful)

drinkypoo (153816) | more than 7 years ago | (#15722391)

If he 'had' the knowledge of all the downlevel code and testing to fix exploits that MS must undertake for each exploit, then sure he should be making the timeline call, but if the bug is more serious than what 'he' even may realize, it is still the Vendor that should have the say on publishing this information unless the person finding the 'exploit' can offer a credible fix, solution, or way to safe guard consumers.

I disagree. Given that the EULA apparently allows software developers to eliminate all their liability for holes in their software, users should be very careful about who they get their software from. If a vendor can constantly be shown to leave big holes in their software, and people actually suffer loss due to said holes, then that vendor will lose all business. I believe that Microsoft would either be gone or releasing only [relatively] secure software if we had immediate release of vulnerabilities.

I further believe that the only reason Microsoft doesn't want the vulnerabilities released is that they will have to actually motivate their sorry asses and release the patches in a timely fashion, which means they can't distribute them to Microsoft Select customers first as they always have done, which means they will likely have fewer Select subscribers. Which serves them right, those assholes.

What are your opinions 'bias aside' on a single entitiy making decisions for vendors and consumers that they probably are not in a position to make?

Clearly they are in a position to make it, because they have the information on the vulnerability :)

Personally, I really, honestly believe that all vulnerabilities should simply be reported to the world at large. It would encourage vendors to use best security practices, and they would not be able to simply hide their head in the sand.

Currently Microsoft does not utilize best practices - we're constantly finding vulnerabilities in new products that are due to the same old stupid crap like buffer overflows. Why coddle them?

Re:Too bad these WERE reported to mickeysoft (2, Insightful)

mcrbids (148650) | more than 7 years ago | (#15722554)

Currently Microsoft does not utilize best practices - we're constantly finding vulnerabilities in new products that are due to the same old stupid crap like buffer overflows. Why coddle them?

Ok, then.

Name an Operating System vendor that doesn't have any buffer overflows found! Even the much-beloved Open-BSD had one reported not so long ago, despite what I feel is the best effort possible to eliminate them, and despite limiting the scope of the operating system so much it's a mental strain to consider it an O/S at all - little more than a kernel and a few utilities.

Linux is definitely imperfect. Slowlaris isn't all that wonderful. In short, they ALL have issues, some more than others. Many of the issues found in Windows are found in IE - compare that to the recent swath of holes found in Firefox/Mozilla.

I choose Linux for my development because

A) distributing patches is damned easy (yum update)

B) I don't have to go to the facility to apply them,

C) It's very reliable - 99.94% uptime on a single machine!

D) It's very cheap - no licensing worries.

E) Security record is decent overall.

Re:Too bad these WERE reported to mickeysoft (0)

Anonymous Coward | more than 7 years ago | (#15723061)

Name an Operating System vendor that doesn't have any buffer overflows found! Even the much-beloved Open-BSD had one reported not so long ago, despite what I feel is the best effort possible to eliminate them, and despite limiting the scope of the operating system so much it's a mental strain to consider it an O/S at all - little more than a kernel and a few utilities.

Linux is definitely imperfect. Slowlaris isn't all that wonderful. In short, they ALL have issues, some more than others. Many of the issues found in Windows are found in IE - compare that to the recent swath of holes found in Firefox/Mozilla.


True, all operating systems that have any degree of functionality are likely to foul up here and there. This is not the point, everyone realizes this, and few rational people have a problem with little problems cropping up in their software here and there.

What we don't agree on is the level of responsibility Microsoft seems to assume. If a problem is found in Linux or OpenBSD, or FreeBSD, it's usually fixed within hours and is available as a patch or an update in some form within a day or two.

If a big problem is found in Windows (like something that could be a security issue), the person who found it out could submit it to MS, but it's all too likely that it will be many moons before it's fixed, assuming they didn't chose to act like an ostrich. I can understand if it took a month on average to get a fix out... Heck, I'd be willing to give them a couple months. I think that's plenty generous when you consider a group of volunteers can fix a similar hole in a few days. You have to draw the a line somewhere.

If the problem is made public, it sometimes happens that someone will find a workaround. Firewall that, disable this, whatever, you know. At least having this stuff in the public encourages MS to get off its ass. Like a multi-multi-billion dollar giant dosen't have the resources to fix their stuff! If the Linux guys were in charge, the problem would be fixed in the newest version in a reasonable amount of time--and it would eventually be backported to prior versions that were affected--even to some EOL'd versions.

Re:Too bad these WERE reported to mickeysoft (1)

dosius (230542) | more than 7 years ago | (#15723193)

Funny. I use Linux too.

root@andisteele:~# yum
-su: yum: command not found
root@andisteele:~# uname -a
Linux andisteele 2.6.12-9-686 #1 Mon Oct 10 13:25:32 BST 2005 i686 GNU/Linux

Oh, you mean Hed Rat, not Linux per se.

-uso.

Re:Too bad these WERE reported to mickeysoft (1)

fishbowl (7759) | more than 7 years ago | (#15722678)

>Personally, I really, honestly believe that all vulnerabilities should simply be reported to the world at large.

And, thanks to our living in the twenty-first century, it is quite simple to report such things completely anonymously.

Instead, we see people who insist on identifying themselves, making sure everyone knows *who* discovered and reported these vulnerabilities. And that makes it an entirely different game.

Re:Too bad these WERE reported to mickeysoft (1)

Loonacy (459630) | more than 7 years ago | (#15722395)

If it's going to take 2+ months to fix an exploit due to the large amount of code involved, is it right to leave your customers running vulnerable software just because you can't fix it fast enough?

Re:Too bad these WERE reported to mickeysoft (5, Insightful)

Trepalium (109107) | more than 7 years ago | (#15722417)

Let me play devil's advocate on this one.

With that said, who is he to 'determine' the 'timeline' for the fix? What if the bug or exploit affects a vast amount of code and third party applications?
And who is Microsoft to 'determine' when he is or is not allowed to notify the world of this? What if the author has knowledge that people are falling victim to this vulnerability?
So if MS doesn't meet his timeline, then the consumers and industry gets screwed and put at risk.
Customers and industry are already at risk from the vulnerabilities themselves, and these vulnerabilities may already be in use by criminals. Indeed the summary suggests that this is the case.

I'm not saying he's right and Microsoft is wrong, but this isn't a simple issue. A combination of factors have left some sour tastes in people's mouths regarding Microsoft's current security practices. Microsoft's security advisories have become very terse/boilerplate with little or no details about what the vulnerability actually is. Their demand that people report the vulnerabilities in very specific ways (e.g. no proof of concept exploits, etc) in order to receive acknowledgement in the advisory is another. Add to this the fact it often takes months and months to get a patch to a reported vulnerability means that people are again thinking that Microsoft doesn't care about security other than as a bulletpoint on their sales literature.

My answer (1, Informative)

Anonymous Coward | more than 7 years ago | (#15722539)

Reading http://browserfun.blogspot.com/ [blogspot.com], it looks like he submitted these on March 6. He is publically reporting them in July. That's three months.

Microsoft has had 3 months notification that they need to fix a list of bugs which are findable with publically available tools, and some of which are being actively exploited by the blackhat community.

Without this publicity, the blackhat community would continue exploiting machines indefinitely. With it there is at least a fighting chance that Microsoft will fix their bugs and force the blackhat community to look for some new bugs and write new tools. I have a hard time thinking of this public disclosure as anything but beneficial.

As for the open source bugs, there is no way to report bugs to those projects without making them public. However their development is fast enough, and they are small enough targets, that I don't see these releases as being a problem for them.

MS doesn't care (1)

NineNine (235196) | more than 7 years ago | (#15722576)

Call me nuts, but Microsoft isn't going to be intimidated by one guy, no matter who he is. If MS even notices this guy, they'll just send their lawyers after him, and he'll regret being such a smary ass reeeel fast.

Re:Too bad these WERE reported to mickeysoft (-1, Offtopic)

Anonymous Coward | more than 7 years ago | (#15722667)

Is there 'actually' some 'rhyme' or 'reason' to the 'words' you put in 'quotes'? Not to be 'rude', but it makes an otherwise 'reasonable post' instead sound like it comes from a 'complete ass'.

Re:Too bad these WERE reported to mickeysoft (1)

AK Marc (707885) | more than 7 years ago | (#15722697)

With that said, who is he to 'determine' the 'timeline' for the fix?

He is the person that reported it. I have never reported a problem to MS, but if they handle it like I expect (after dealing with other places that I've reported problems), I would expect that they take the information, toss it in the "we'll look at it" bucket, and ignore the person that reported it. If they want him to wait on reporting it, they should give him a reason. Perhaps something as simple as "we've had this reported before, but it is a difficult fix, we will be working on it, but it may be a while." Or even, "Thanks for reporting the overflow vulnerability, the engineer in charge is George. If you would like to follow the vulnerability you reported, please email RarelyCheckedEngineeringGeneralEmailBox@microsoft. com ATTN:George in the subject." However, an automated reply at best followed by days, weeks, months, possibly years of silence is not a way to deal with a valuable contributor to the security of your most ubiquitous product.

So, to make it short, MS (like everyone else I've ever dealt with) probably treats him like some vulnerability scanning bot, not a human. So, though MS does set the timeline, he is (rightly) offended by his poor treatment and makes up his own timeline. When the companies treat these free workers as the asset they are, there will be fewer such incidents.

Re:Too bad these WERE reported to mickeysoft (1)

charlesnw (843045) | more than 7 years ago | (#15722810)

Having reported problems to microsoft and worked with people who do, I can say that Microsofts response to security issues is prompt DEPENDING ON THE PRODUCT. For excel and exchange the issues were fixed quickly and quietly. I don't know about other products and haven't delt with them. Obviously if you look at my website [thewybles.com] and the Projects [sf.net] I am involved in [thewybles.com] you will see why I have reported things for these products.

A culture of secrecy doesn't help (1)

dbIII (701233) | more than 7 years ago | (#15722722)

This borders on yelling fire in a theater
No it is just another form of journalism, and parties that are made to look bad by inconvenient details want to make it as contentious as reporting on wars. Obsurity has not worked, and going after the people that point out that MS or others have problems is not giving comfort to some sort of enemy because the people vunerable to the flaws can also do something about it even if there is no patch available yet. Why should the script kiddies and two or three guys at Microsoft with the fix low on their schedule be the only ones to know about an exploit that could result in damaging security breaches?

Re:Too bad these WERE reported to mickeysoft (1)

plover (150551) | more than 7 years ago | (#15722843)

With that said, who is he to 'determine' the 'timeline' for the fix? What if the bug or exploit affects a vast amount of code and third party applications? Does he get to hold the industry hostage becuase he didn't get the 'timeline' response or fix from Microsoft 'he' expects, when he knows nothing of what the bug or exploit might entail?

The hackers and the software firms wrestled with this throughout the last half of the 1990s. They came to an uneasy truce somewhere around 2000 and decided that 30 days should be enough time to elapse between reporting to the vendor and public disclosure.

The hackers don't have to give them any notice at all. There is no legal obligation or responsibility to keep quiet. What they did was to agree to delay in exchange for some respectability; basically for the l33tness of seeing their names in the Microsoft technical bulletins. Microsoft was opposed to such a short timeframe, but acknowledged they needed to act quickly. Microsoft was (and still is, basically) opposed to any public disclosure, of course, but learned that the hackers can get themselves plenty of attention by simply exploiting the bugs. It was better to come to an arrangement than to be embarrassed on a daily basis.

The 30 days isn't an absolute. Microsoft has been known to ask the "more legitimate" security researchers to sit on a critical bug for many months while they work up a fix. And plenty of grey-hat hackers have simply announced their exploits publically.

Re:Too bad these WERE reported to mickeysoft (5, Insightful)

More Trouble (211162) | more than 7 years ago | (#15722871)

This borders on yelling fire in a theater, because it isn't the theater owner that is getting hurt, it is the people getting trampled in the aisles...

And when there is a fire, how irresponsible is it to not yell fire?

Maybe MS needs some humility. (2, Insightful)

Kadin2048 (468275) | more than 7 years ago | (#15723077)

Microsoft 'should' also be keeping proper dialog with people that report these exploits, but that does not give one individual the 'button' to nuke MS when they don't jump on a fix as fast as the person wants, he is only screwing the consumers, not MS other than giving them bad press.

Huh? It sure does. He found the vulnerability, it's his to disclose. (Unless of course Congress has made that illegal this week...)

I think the software vendors are forgetting something: giving them an advance warning of the pending release of a vulnerability is a professional courtesy.

If they don't do anything, particularly if they don't ask politely that the release of the vulnerability be delayed, then they really have no business bitching when they see it over their coffee while reading the Wall Street Journal some morning.

I think reporting vulnerabilities to vendors is the right thing to do, but if the vendors piss all over people who are trying to do them a favor, then the hell with them. It's unfortunate that their customers end up getting hurt because of their lack of any sort of humility or willingness to communicate, but that's what you get when you do business with people like that.

If I was advising Microsoft, or any other large vendor -- or if I was a major customer of theirs, large enough that I could give input on their internal policy -- I'd tell them that every time a serious vulnerability was reported, they should assign an analyst to it personally; not only to verify the possible implications of the threat, but also to act as a one-to-one point of contact with the discoverer, to build a relationship with them and hopefully get them to agree to hold off on disclosure until the problem can be fixed. (I'd also expect them to throw wads of cash at anyone with a possible 0-day, and troll the black-hat IRC channels just like the mafia does, buying them up.)

It's ridiculous to expect people who are inherently doing the vendors and their customers a favor to simply sit on their hands when there's no active dialogue between them and the vendor on what progress is being made -- particularly when being the first to report a vulnerability can be a career-making move for some people.

Re:Too bad these WERE reported to mickeysoft (1)

YU Nicks NE Way (129084) | more than 7 years ago | (#15722499)

Too bad each and every one of these vulnerabilities has already long since been reported to Microsoft
And too bad that all of these which were actually vulnerabilities had already been patched in MS06-21.

Re:Too bad these WERE reported to mickeysoft (1)

waferhead (557795) | more than 7 years ago | (#15723180)

...Also note that "This common accepted practice " of only telling the vendor is ONLY MICROSOFTS preference.
The nets historically accepted method is broadcasting to the world, via bulletins on a security related (but "open") mailing list,
preferably with example exploit code. (Sometimes code witheld/only sent to vendor until reporter finds someone who cares)

Lack of security sells PCs and crappy software. (2, Insightful)

a_greer2005 (863926) | more than 7 years ago | (#15722223)

Think about it; if a PC gets exposed to viruses or malware, the average Joe will either A: buy a new version of Nortan, or just not realise it untill the PC fails to boot in under 10 minutes at which point they just buy a new one, which means by default, another license for Winodws that isnt really needed, but Redmond gets the $$$ non-the-less...

Re:Lack of security sells PCs and crappy software. (1)

smilindog2000 (907665) | more than 7 years ago | (#15722386)

It's all just evil marketting after all... Not stupidity, just good business.

Re:Lack of security sells PCs and crappy software. (0)

Anonymous Coward | more than 7 years ago | (#15722711)

Grandparent was not saying that it was planned, only that fixing problems may actually hurt revenue.

Agreed. (1)

transporter_ii (986545) | more than 7 years ago | (#15722719)

Microsoft is in a tough position. The Windows line has matured to the point that it does most everything people need it to do. Heck, on an article posted just a little while ago here, people are jumping on MS for not supporting Win98 any more...which came out how long ago???

The thing is, Windows 98 still does just about everything the average joe needs it to do, after all these years. What makes people upgrade is getting a new computer that comes with a new operating system and/or trying to get better security.

Now, if Microsoft actually put out a stable and secure operating system, how much money would it cost them from the people who decide to stick with what they have because it does everything they need it to do???

And the real kicker is, now that they have improved the security of their software, at least a little since the Win98 days, now we are looking at expiring licenses, forced upgrades...and DRM. Why? Because when the OS is mature and nobody is upgrading, that is where the money will be.

Transporter_ii

Reporting directly to vendors (5, Insightful)

dtfinch (661405) | more than 7 years ago | (#15722228)

"We believe the commonly accepted practice of reporting vulnerabilities directly to a vendor serves everyone's best interests."

From the looks of it, most if not all of those were reported months before they were published.

Give a vendor 90 days. If they fix it, never, ever release the details of how to exploit the vulnerability, as a reward and to help users who are slow to update. But if they willfully choose not to fix it, release the exploit to educate their userbase, and to help them to reevaluate their dangerous security policy.

Re:Reporting directly to vendors (-1, Flamebait)

Andrew Tanenbaum (896883) | more than 7 years ago | (#15722367)

Analogy

You notice that your neighbor often leaves his patio door unlocked when he leaves for work, so you kindly leave him a note, so that in the future he may avoid being harmed. All is well.

90 days passes, and he STILL DOES IT. You are OUTRAGED that your advice does not go heeded, you tell EVERYONE that he leaves his patio door is unlocked. Word quickly passes to the seedier parts of town, and the next day, your neighbor is robbed.

A fucking moral hero of you ask me. You're not just screwing "Micro$oft" when you pull publicity stunts like this, you're screwing over real people.

Re:Reporting directly to vendors (5, Interesting)

drinkypoo (153816) | more than 7 years ago | (#15722419)

You notice that your neighbor often leaves his patio door unlocked when he leaves for work, so you kindly leave him a note, so that in the future he may avoid being harmed. All is well.

This is not an even slightly similar situation to your example.

If you can explain to me who in this example is Microsoft, I'll be seriously fucking impressed, because you didn't even include them.

Now, what WOULD be a good example is if you noticed that your neighbor's patio door didn't lock properly, and you found another of the same model, and noticed it didn't lock properly either, then you got that information out to the general populace. On one hand, it would inform burglars that those doors were easy to get through, but on the other, people who had that kind of door could be informed, and take steps to correct it.

Where does this analogy break down? There's a zillion places you can look to find security vulnerabilities, and most any of them that are worth anything are effectively equivalent, they all have the same vulnerabilities within a few days. There is no clearing house for patio door security information.

Still, it makes dramatically more sense than the bullshit you spouted.

Also, Microsoft has a shit security record miles long. Expecting Microsoft to release stable, secure software is like expecting the Pope to open an abortion clinic. By the same token, it's like someone today buying a Yugo. We all know they're utter, complete shitboxes, that will actively cost you money - they're not worth getting for free. Why would you do it? Granted, I do use Microsoft software, but I know it's insecure, so I make sure to take more care than I would were I on Linux or something.

Finally, people learn from mistakes. If they are losing their data because they went with Microsoft, Microsoft will eventually suffer. It's a shame that people can't do some basic research and find out that Microsoft is awful, but that's their own fucking fault. People who would do tons of research before buying a car will do absolutely none before buying a computer, and then wonder why they have problems. I am not responsible for their willful stupidity. Or yours.

Re:Reporting directly to vendors (4, Interesting)

vadim_t (324782) | more than 7 years ago | (#15722438)

You know, I'm really tired of stupid analogies on slashdot.

Let's say there's another OpenSSH (to remove MS angle) vulnerability. Somebody announces it:
1. Somebody finds a vulnerability and makes it public
2. I block SSH port immediately
3. Mail everybody who uses it: SSH has a vulnerability, mail/call me with your IP address and I'll make an exception
4. Now I can relax a little, read the security advisory, run tests, and patch SSH. Most exploits involve very straightforward patches.
5. Test patch (obviously)
6. Remove SSH port block
7. Everything is back running, and all is well. Some time later I get the vendor-provided bugfix (updated package in Debian or whatever)

Now your version:
1. Somebody finds a vulnerability and only reveals it to the vendor. Vendor sits on their asses for a month
2. Since I don't know anything, I can't take any action
3. Two weeks later, some jerk roots the box
4. Yay, now I have to take the box offine, examine it, restore from backups.
5. Oops, I forgot, I still have to protect it against a vulnerability there's still no information about!
6. Bring box back online, without being really sure I won't get rooted again
7. If I'm lucky, some time later, the vendor's patch arrives.

Re:Reporting directly to vendors DAMN! (1)

davidsyes (765062) | more than 7 years ago | (#15723221)

Why isn't there a SUPERPLUSGOOD for clean, crisp comments this one vadim_t posted. That pair of examples could summarize the best of all the best comments on this thread.

But, yeh, if it IS provable that the guy indeed notified ms, then, with their EIGHT BILLION or more per year in R&D or whatEVER the hell it is they throw around that money on, they OUGHT to be forced to keep pace. If Open Source can do it with pennies and sweat, then ms should NOT be allowed to let its customers be shafted.

Letting ms take its sweet time to issue fixes and patches is like watching a stream of front-end shovel-equipped highway cleaner trucks whiz by a set of 18-wheeler wheels and tires on the road with the lugs FACING UP. (I happened to run one over and because my U-Haul was overweight, the lugs hit the truck's transmission oil drain pan. Fortunately for me said the U-Haul guys, as had I NOT hit that wheel in the Sacto area and IF I tried to wend my way up the mountains going into Oregon, I'd have lost power on the incline and the gas-powered truck would likely have sputtered and rolled backwards with my car in tow, spilling all my goods, clogging up the lanes and would likely have gotten me billed for a whole truck lost as well as the clean up for snarling traffic for dozens if not over 100 miles. SO, in MY analogy, losing $1400 for repair and getting a DIESEL truck in exchange saved my ass BIG time. YOUR MILEAGE may vary with my analogy...)

Re:Reporting directly to vendors (1)

Loonacy (459630) | more than 7 years ago | (#15722443)

So, in your analogy, is your neighbor supposed to be MicroSoft, or everyone running IE?
Who are the people who suffer if the door is unlocked? And who has the capability to lock the door?

A better analogy would be:
Your neighborhood all gets their locks from one vendor. You find out that someone can make a key that works in every one of those locks. You inform your vendor of the problem.
Meanwhile, someone could be running around stealing things from people's homes because of these locks. Your vendor sits on it, doesn't seem to be doing anything about it. What do you do?

Personally, I would tell everyone "Hey, your locks aren't secure! Change them now!" and hope people change to minimize the damage rather than just sit and hope nobody's already using that key.

It doesn't really say in the article whether or not he's disclosing the DETAILS of the vulnerability, which would be like saying "Hey, if you make a key that looks like this, you can get in every house in the neibghborhood." and now everyone knows how to get into everyone else's house.

Re:Reporting directly to vendors (1)

Joebert (946227) | more than 7 years ago | (#15722463)

Must be nice to be able to sit around in the morning & watch everyone else go to work. What do you do for a living ? More importantly, why are you paying soo much attention to how I leave my house when I leave ? We live in a gated community. How did you get in here ?

Re:Reporting directly to vendors (1)

vadim_t (324782) | more than 7 years ago | (#15722377)

You kidding?

I'd give the vendor a week at most, and that's being generous. And always release full details anyway. That's a lot of systems that could be getting broken into during those 90 days. If you know how to exploit something, making a program to do it automatically is a question of hours.

Re:Reporting directly to vendors (0)

Anonymous Coward | more than 7 years ago | (#15722581)


>I'd give the vendor a week at most, and that's being generous.

Inform them that an anonymous report is going to be released with or without their action,
and the report has already been written with the vulnerability documented and also thanks the company for
the prompt fix.

It's not your fault if they chose not to fix it in the time given. Either way, the report goes out.

Re:Reporting directly to vendors (1)

rthille (8526) | more than 7 years ago | (#15722383)

No, because if you never make the exploit public that doesn't mean that the black-hats won't know about it. And the 'slow to update' users will be vulnerable without ever knowing it.

Hell, publish it with the note that if they don't patch this vulnerability then a black-hat can break into their computer and use it to steal all their money from their bank _and_ rape their puppy! Maybe that will help them to be less 'slow' to update.

(yeah, I know it's pissing up a rope, but it's a dream)

Re:Reporting directly to vendors (3, Interesting)

CherniyVolk (513591) | more than 7 years ago | (#15722445)


Three months is too long.

Besides, especially for Microsoft exploits... the moment I have time to share any info on something I found, I do. This is in part becuase of my lack of admiration for the company, and any bane for them is a gleeful gain for me. Come to think of it, I never contacted Microsoft to report anything remotely construed as intent for improvement; save one instance where I did specifically contacted Microsoft presenting just one reason why I would never condone the use of their Server Operating Systems for even casual use, and they opened up dialog even. But, I think they could tell, I wasn't their friend.

Bottom line here, is what is 'responsible' exploit exposure? Noone really has a hardened explanation. Companies would love for thier ideas governing exposure, basically it affords them the ability to flip the bird at one person (the discoverer) and hope noone else see's it; which is, the most likely scenerio becuase we all know, captialists think like this--'is it cost effective to address this bug? Is it cheaper to pay editors to belittle the effect of IE crashing by using phrases such as "[bugs within IE] MERELY causing IE to CRASH"?'.

Is it really responsible to notify the vendor first? Inherent to proprietary business interests, denial is an all too common tactic and if they want to sue you, they could even to suffer an obvious loss just to introduce you to the ringer. Or, is it more responsible to out right give full details to the first person you see on the street? I say, in regards to consumer business, it's much more effective and therefore responsible should you post all exploits, with details and working examples the moment you are able to muster the content and activate the 'Send' command. This approach is akin to starting a fire underneath the perverbial ass. Why give a company an option? Force them to live up to their end of the deal; deal being that you paid for a product, as advertised and within reasonable expectation of operation. There is no option to fix or not to fix a bug that crashes an application, it must be fixed; while this is the tendancy in the Open Source area, it is a philosophical obligation for a company.

So, light those fires is what I say. I think it's ridiculous that many exposing exploits do not give details and working example code, or some sites that do have that culture require registration and are less in the spotlight.

Re:Reporting directly to vendors (1)

wordsofwisedumb (957054) | more than 7 years ago | (#15722758)

Let's say a vendor did fix the vulnerability. It's fine not to release the details of the vulnerability, but as a user I want to know that there was a vulnerability, how long it existed, and how long it took them to fix it once they were notified. It helps me make an educated decision as a consumer about which product to use. A vendor who has a track record of lots of vulnerabilities may not produce a product good enough for me to be using compared to their competition, but if they have very short turnover time on fixes that may outweigh excessive flaws. Keep the user educated, not in the dark.

Only one OS? (1, Interesting)

Anonymous Coward | more than 7 years ago | (#15722235)

Will he release vulnerabilites from several vendors?
Or do some vendors not have enough to mention?
Or do other vendors actually fix them in a timely fashion?

In releated news... (2, Funny)

Kenja (541830) | more than 7 years ago | (#15722244)

I feel that there's not enough being done to curb gun violence here in Oakland Ca. So I'm going to shoot one person a day, every day, for the month of July. Any reports that I'm enjoying it are exaggerations.

Re:In releated news... (1, Funny)

Anonymous Coward | more than 7 years ago | (#15722287)

I feel that there is not enough being done about stupid legislators. So I'm going to pass a stupid law a day, every day, for the month of July. Any reports I'm getting huge checks under the table are lies.

Re:In releated news... (2, Insightful)

Tackhead (54550) | more than 7 years ago | (#15722290)

> I feel that there's not enough being done to curb gun violence here in Oakland Ca. So I'm going to shoot one person a day, every day, for the month of July. Any reports that I'm enjoying it are exaggerations.

(Not to put a downer on your funny post but...)

...it's more like "So I'm going to report every murder on the TV news, for everyone to see, until people get so fed up with seeing it every night, that they pressure the Oakland Police (who, just as Microsoft has a legal monopoly on its own source code, have the legal monopoly on the use of force in Oakland) to get off their asses and start doing something to stop it."

(Of course, just as in Oakland... we get bored of seeing a bunch of dead people every night on the news, and we get bored of seeing the latest exploit, and once the cops - and the vendors - figure out that after a certain point, we stop giving a shit, nothing gets done :)

Re:In releated news... (4, Insightful)

Odin_Tiger (585113) | more than 7 years ago | (#15722384)

This is more a situation of, "I feel there's not enough being done to curb gun violence in Oakland, CA, so every day in July I'm going to disclose to the public one case of a cop failing to prosecute a known black market arms dealer, felon in posession of a firearm, or murderer, because it wasn't convenient for the Police Department's schedule."

Re:In releated news... (1)

Odin_Tiger (585113) | more than 7 years ago | (#15722388)

Before anybody has the chance to point it out, yes I know I screwed up. -prosecute +arrest. >:P

Re:In releated news... (1)

Joebert (946227) | more than 7 years ago | (#15722510)

That's ok, it had a Grand Theft Auto feel to it & I thought it said somthing about "falling prostitute" before you pointed it out. :)

The Exploits Themselves (4, Informative)

FsG (648587) | more than 7 years ago | (#15722247)

Here's the link [blogspot.com] to the list of Moore's browser exploits, the ones that the article is talking about.

Re:The Exploits Themselves (0)

Anonymous Coward | more than 7 years ago | (#15723141)

It's funny to read the comments on Slashdot about "responsible disclosure" and then look at the exploits. It seems like every one of these was "disclosed to Microsoft on March xx".

Uh, guys it's July 14th, this *IS* responsible disclosure.

If you annoy both groups (5, Insightful)

Anonymous Coward | more than 7 years ago | (#15722251)

...you must be doing something right.

Give reasonable deadlines then go public (2, Insightful)

davidwr (791652) | more than 7 years ago | (#15722253)

Best practices in my not-so-humble-opinion:

1) warn the vendor ASAP
2) warn the security community within a week, immediately if the vendor has no objections
3) as soon as there is an exploit that represents a real threat:
  a) give all details to the security community
  b) give a workaround, like "disable such and such service," to the general public.

How do you know if there is an exploit? (1)

khasim (1285) | more than 7 years ago | (#15722309)

There's no reason that the bad guys cannot find the same flaws he is finding and exploit them.

Unless the bad guys do something massively stupid, how would the researcher know that the bad guys were exploiting it?

Instead, I'd prefer a 90 day countdown. This provides the incentive for the companies to patch their products.

Otherwise, an exploit can exist for years without anyone but the bad guys knowing it.

Re:Give reasonable deadlines then go public (0)

Anonymous Coward | more than 7 years ago | (#15722324)

Resulting practices of your suggested practices, in my not so humble oppinion:

1. Infiltrate the "security community"
2. Leak the mentioned warnings and exploits to blackhats
3. ???
4. Profit!

Re:Give reasonable deadlines then go public (2, Interesting)

fermion (181285) | more than 7 years ago | (#15722349)

This is the vendor party line, and this is why I disagree with it.

First, this process does not protect the user, it is merely a PR thing for the vendor. While I feel for the vendor, wish to give them adequate time to correct the problem, history tells us that this sympathy backfires. Here is the normal drill. If a venerability gets reported, but there is no exploit "in the wild", then the venerability gets less priority. This is fine because the exploitable code needs to fixed first. But then later on the bug that was ignored does have an exploit. Well then that bug is put to the top of this list, and even though it may have knonw for ages, the vendor gets ages more to fix it. All the while the user is at uneccesary risk.

As a customer the product cycle should take my convenience into account, at least as far as I willing to pay for it. And since MS has margins approaching 40%,and Apple has margins over 20%, I certainly think we are paying enough to both companies not to have to inconvenience ourselves because they can't get to work.

Here is the second thing. The issue either has an exploit or it doesn't. If it has an exploit, then the customer deserves to know so they can protect against it, and often that requires some level of detail. If it makes the problem public, then that is a good thing because then the scrip kiddeies will exploit it, and it will be more of a problem, so then it will be fixed. Instead of having months of small problems, we will simply have a short time of big problems. If the bug has no exploit, then nothing is lost. However, knowing the bug is known does put pressure on the vendor to fix the issue.

As i say, delaying publication is merely to protect the vendor, and does nothing to help the customer. As has been mentioned here often, a properly secured and updated system in any OS is relatively safe. But if we are going to blame the users, then the users must know what the exploits are than we need to defend against. If the exploits are secret, then we are back to the situation where the vendors are withholding material information, and they become liable. It is a very similar situation to the pinto.

Re:Give reasonable deadlines then go public (1)

Gnavpot (708731) | more than 7 years ago | (#15722406)

If a venerability gets reported
If a venerability gets reported, he has probably lost all possibilities of becoming a saint.

Why that won't work (1)

geekoid (135745) | more than 7 years ago | (#15722380)

Go to vendor, vendor gets a court order against you so you can't sayanything, then doesn't fix the hole.
Or, vendors sues you for trying to 'extort' them.

no, these large companies have made their beds, now they can sleep in them.

Tell everyone you can loud and clear about any exploit.

Re:Give reasonable deadlines then go public (1)

Joebert (946227) | more than 7 years ago | (#15722570)

I like this one better myself.

1) Write an exploit for the hole that disables everything that would use that hole on the system, open a text editor with an explaination & instructions of how to save the file.

2) Release it into the wild.

3) Notify vendor, including source of temp-patch.


Now,
1) Temp-patch writer doesn't get screwed out of credit.
2) Computer user is safe from said exploit untill a working patch is devoloped.
3) Vendor doesn't sit around with their thumb up their ass wondering if it's actually an exploit or not. 4) Anti-virus products clean up after the MIB, err I mean the temp-patch writer.

Re:Give reasonable deadlines then go public (1)

fishbowl (7759) | more than 7 years ago | (#15722644)


>Best practices in my not-so-humble-opinion:

Warn the users in your enterprise immediately.
Warn any clients or business associates immediately.
Warn the vendor that if the situation is not corrected immediately,
litigation will ensue.

To hell with the public.

Re:Give reasonable deadlines then go public (1)

miffo.swe (547642) | more than 7 years ago | (#15722840)

Waiting is just letting the crackers have more time before things hit the fan. Security shouldnt be something you slap on like bandaid afterwards. Before exploits are being "found" by security vendors and researchers they are often being actively used by crackers. Security vendors then buy the exploits and sell the information to their customers.

Thank God (0)

Anonymous Coward | more than 7 years ago | (#15722260)

Hopefully Microsoft switched to Patch-Tuesday once a month, otherwise
it would have become "Reboot-Every-Day-in-July" nightmare.

--

It "irks" them? (2, Insightful)

andytrevino (943397) | more than 7 years ago | (#15722281)

So, shedding light on these security problems "irks" some vendors. How about the sysadmins and users who are stuck wasting their time patching problems that should have been fixed months ago, or before release? What about people who have had data compromised or destroyed by exploits brought to the public eye in this report?

While I realize that many of these bugs are not critical security issues, my hat is off to Moore for having the rocks to continue his effort in the face of "irked" vendors and hax0rs. Producing better software is far more important.

Samson-smash? (1)

cdrguru (88047) | more than 7 years ago | (#15722293)

So, is the proper way to move people from Windows to Linux is to destroy the ability to use Windows as a computing platform?

Been a long time (1)

militaunt (988730) | more than 7 years ago | (#15722358)

I used to be a linux fan. never really stopped, but life didn't let me pursue it for a while. now i'm admin of a linux-based phone switch (eOn's equeue) and these alerts suddenly concern me. fact is, i don't even have root. it's menu-based, you can get a shell but su doesn't work. the eOn techs are the ones responsible for root tasks, and i'm not sure they're going to handle this promptly.

in addition, it's making me have some slight apprehension regarding my plan to put a couple linux machines in the systems room at work. be a bit embarrassing if the new guy's machines got owned.

Re:Been a long time (2, Insightful)

frogstar_robot (926792) | more than 7 years ago | (#15723056)

in addition, it's making me have some slight apprehension regarding my plan to put a couple linux machines in the systems room at work. be a bit embarrassing if the new guy's machines got owned.

New Windows machines get owned too but I don't think that is exactly your concern. Any alternative has to be outrageosly superior to whatever established way of doing things is being replaced. The various ways that Windows machines can malfunction are common experiences to many and after long conditioning somewhat forgivable. Even though a Linux machine may be an outstanding way to replace a cranky Windows server, ANY malfunction is evidence "This Linux stuff sucks!" even though worse might be tolerated from the accustomed Windows solutions.

I've been the advocate for many such Linux deployments. Being the advocate, I make it my personal and professional business that the solutions I advance work. I've pulled a few overtimes here and there sorting issues out. It's what you have to do when it is YOUR big idea being tried out and that big idea bucks prejudices.

If you've been a long while from Linux, then you are correct to hang back. Find a little time to get to know your shit again so that if you ever DO propose a Linux trial that you can do the groundwork to really make it perform.

Another Vista Delay... (1)

R3d M3rcury (871886) | more than 7 years ago | (#15722361)

We had to take the time to patch XP, test those, then move them over to Vista, test those...

Vista is now scheduled to be released to OEMs in the second quarter. No, we won't say what year...

If you're pissing off everybody... (1, Redundant)

topham (32406) | more than 7 years ago | (#15722370)

If you're pissing off everybody you're probably doing something right.

Re:If you're pissing off everybody... (0)

Anonymous Coward | more than 7 years ago | (#15722476)

Mod parent up +2 Reality

In everyone's best interest (1)

Trouvist (958280) | more than 7 years ago | (#15722515)

Clearly "in everyone's best interest" means "in Microsoft's interest." See, if 90% of the vulnerabilities found are part of Microsoft products, and they don't have time to patch them before they get exploited, then too many people will get burned for using the insecure software with the vulnerabilities. This in turn will pull those same users to the places that they find less threatening to their well being.

The only way I can see something like public disclosure helping Microsoft would be to find vulnerabilities in the competition and disclose THEM publicly, all in order to discredit said competition. The hard part with that way of doing things involves the fact that the competition will probably have the code fixed within hours or days (without creating more vulnerabilities) compared to Microsoft's own lengthy patch procedure.

Dep't of Redundancy Dept (4, Funny)

PavementPizza (907876) | more than 7 years ago | (#15722530)

Headline says: Daily Exploit Releases Irk Both Vendors and Crooks

Considering that Microsoft is the only Vendor complaining, and considering they've had months to fix all of these and didn't, the headline should be:

Daily Exploit Releases Irk Crooks

Ignorance (1)

bunhed (208100) | more than 7 years ago | (#15722650)

I would rather know that my [insert product here] has problems then not, regardless of whether the manufacturer is ready willing and/or able to deal with it. It gives me the option to deal with it as well. Keeping me ignorant is not keeping me safe. Manufacturing has it's problems no matter what the field and bad things are bound to happen so blame is irrelevant to me. The issue is whether the product I am using is safe for my particular use. The manufacturer does not know the use I've put thier product to (am i playing WoW or running an air traffic control system?) so they are in no way informed enough to make the decision as to whether it is safe for me to use or not. It is my decision in the end and I appreciate having enough information to make that decision. Keep the expoits in the open. If the manufacturer does not have enough brains cells to fix it perhaps I have enough to determine whether to continue to use it or not.

one more (at least) (1)

Tom (822) | more than 7 years ago | (#15722651)

but he appears to be the only one enjoying it

Add at least me in there as well.

Blackhats have been doing this and other work like it for years. The current state of security is defined better by ignorance than by safety. Patching is a workaround, not a solution. To use an analogy: Patching means we built more hospitals in response to car crashes, instead of inventing air bags.

I'll enjoy the show. It's a very good demonstration that "oh, we'll fix whatever comes along as soon as we learn about it" is not a viable method in security. It's making closing the barn door after the horse has left a standard business procedure. I've been waiting for just such a "one exploit every day" event for a long time now, and I'll enjoy it a lot. If anything, I hope they can keep it up for more than one month. After this, everyone hopefully realizes that patching isn't enough and you can't fix up the plane after takeoff, in mid-flight.

Windos is the worst offender, by far. But as Hughes said at HAL2001: "My spaceship will surely not be running Linux." - we're still very far away from reliable and secure software, and these two aspects are closer together than most people realize.

H D Moore... (0)

Anonymous Coward | more than 7 years ago | (#15722717)

...rocks my fucking world. He's also responsible for the Metasploit Framework and to original DCOM exploit amongst many many other things. MOBB is helping me make the case for banning MSIE to the most obdurate management I've ever encountered. Every day I send out an update. "H D Moore today released vulnerability #14. Totals: MSIE: 11; Firefox: 1; Safari: 1; Konquerer: 1.

I'm also a pen-tester and Metasploit saves an awful lot of arguing with idiots. "you say there's an obscure heap overflow in our domain controller, but why should we care?" Metasploit's point-and-exploit UI makes even the most irritatingly cretinous manager shut the fuck up.

Thanks, H D!

Mmhmm (1)

derEikopf (624124) | more than 7 years ago | (#15722741)

"We believe the commonly accepted practice of reporting vulnerabilities directly to a vendor serves everyone's best interests."


Microsoft knows exactly what everyone's best interest is, right?

No...in this case Microsoft only knows what is in their own best interest.

hackaday (0)

Anonymous Coward | more than 7 years ago | (#15722804)

He should be posting at www.hackaday.com , they haven't had luck posting every day.

HD Keep up the good work (0)

Anonymous Coward | more than 7 years ago | (#15723039)

Software risk is not determined by the amount of vulnerabilities found in a product in the past, but how the vendor deals with the vulnerabilities and how the vendor moves forward with being proactive about vulnerabilities in the future, such as developer education, code reviews, etc.
Load More Comments
Slashdot Account

Need an Account?

Forgot your password?

Don't worry, we never post anything without your permission.

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>
Sign up for Slashdot Newsletters
Create a Slashdot Account

Loading...