Stories
Slash Boxes
Comments
Search

News for nerds, stuff that matters

Slashdot Log In

Log In

Create Account  |  Retrieve Password

Honeymonkeys Discover Undisclosed Vulnerability

Posted by CmdrTaco on Fri Aug 12, 2005 07:43 AM
from the bug-hunting-is-dangerous-work dept.
Microsoft Security IT
spafbnerf writes "Securityfocus is running an article on Microsoft's honeymonkey project, previously covered on Slashdot. In early July 2005, this project discovered its first exploit for a vulnerability that had not been publicly disclosed, the JView profiler vulnerability which Microsoft announced later that month. "
+ -
story
This discussion has been archived. No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

Honeymonkeys Discover Undisclosed Vulnerability 25 Comments More /

 Full
 Abbreviated
 Hidden
More
Loading... please wait.

  • Big respect to the guys behind this. (Score:5, Funny)

    by mrRay720 (874710) on Friday August 12 2005, @07:45AM (#13302818)
    I have no idea what Honeymonkey is, what Windows is, or even who Microsoft are.

    BUT....Damn "Honeymonkey" is such a cool codename. I'm going to name my firstborn after it!

    • Re:Big respect to the guys behind this. (Score:5, Funny)

      by elrous0 (869638) on Friday August 12 2005, @08:29AM (#13303150)
      Damn "Honeymonkey" is such a cool codename.

      At last, my search for a new nickname for my penis is over.

      -Eric

    • I assume that they are combining web-monkey with Honeypot. (not that they are somking anything.)

      Seriously, MS has set up a bunch of machines that actively surf the web trolling for vulnerabilities. I guess it's the "If we can't code securely, at least we can find the holes to plug." theory. Considering IE, it's not a bad idea.

      It would be nice if they shared the exploits with everyone, at least once a patch exists, though.

      OK, good job Microsoft: Now if you could implement a "least privileges" model by defau

  • Honeymonkeys and typewriters... (Score:5, Funny)

    by jtcedinburgh (626412) on Friday August 12 2005, @07:46AM (#13302825)
    Aha, the new MS OS development team has been revealed: an infinite number of honeymonkeys at an infinite number of typewriters...

    Explains a lot...

  • The key word is unpatched. (Score:5, Funny)

    by mikeophile (647318) on Friday August 12 2005, @07:46AM (#13302827)
    Microsoft has identified 752 specific addresses owned by 287 Web sites that contain programs able to install themselves on a completely unpatched Windows XP system.

    I don't think I have a stronger word than DUH!

  • It just occurred to me. (Score:4, Interesting)

    by mikeophile (647318) on Friday August 12 2005, @07:56AM (#13302906)
    The researchers determine whether each monkey's system has been compromised by using another ongoing project, the Strider Flight Data Recorder, which detects changes to system files and registries.

    Why not build a virtual machine into the browser itself?

    Sort of a special purpose virtual machine that has
    just enough of an OS to run the browser.

    If Microsoft refuses to remove IE from Windows, at least IE could be isolated from the rest of the operating system.

    • Re:It just occurred to me. (Score:5, Insightful)

      by johnjaydk (584895) on Friday August 12 2005, @08:09AM (#13302998)
      Why not build a virtual machine into the browser itself? Sort of a special purpose virtual machine that has just enough of an OS to run the browser.

      You mean like Java ?

      MS has already killed that idea because it commoditized the desktop and broke their API lock-in.

  • Is it me... (Score:3, Interesting)

    by OwlWhacker (758974) on Friday August 12 2005, @08:08AM (#13302988) Homepage Journal
    or are Microsoft's buzzwords getting way too 'weird'?

    Obviously Microsoft copied the idea from the aptly named Honeypot [wikipedia.org].

    Honeypot makes sense.

    Why ever would anybody in their right mind come up with something as lame as 'Honeymonkey'?

    Is it because Microsoft is 'getting old'? It's like the old guy saying "In my day, we used to say 'Whizzo!' when something was really neat", and the teenager laughs, and comments that it doesn't sound half as good as 'cool'.

    • Re:Is it me... (Score:4, Insightful)

      by shotfeel (235240) on Friday August 12 2005, @08:25AM (#13303116)
      If you read TFA, they explain it. Yes, they based the name on honeypot, but a honeypot just sits there waiting to be attacked.

      A honeymonkey goes swinging around the net looking for someone to attack it.

      Now if MS would compile a database of offending sites and allow me to use it as a blacklist for my browser, that'd be even better. Unfortunately they'd probably only make it available for IE.
      • Oh, so a honeymonkey goes swinging around does it? You say that almost as if it's normal for honeymonkeys to swing around.

        I can't imagine that there is any real attraction, seeing a monkey swinging through the trees, whereby people would line up to attack it. And how does it mix with honey?

        I suppose that if you dunk the monkey in honey then some people may want to grab it and suck it - only if they're ravenous, I would have thought.

  • Oh for pete's sake (Score:4, Insightful)

    by Hyksos (595814) on Friday August 12 2005, @08:09AM (#13303003)
    Breaking news: Microsoft has found a security hole all by itself :P

  • Coincidence? (Score:3, Interesting)

    by Jump (135604) on Friday August 12 2005, @08:10AM (#13303007)
    It strikes me odd, that this important security patch arrived *after* the genuine advantage update. After the genuine advantage update all our windows computers stopped making automatic updates and therefore the genuine advantage was not patched as quickly as possible. Manual interaction was required to accept the 'genuine advantage' update. I wonder how many users out there stopped watching their automatic update function to work correctly. What is the advantage of having automatic updates if you have to monitor them? What is advantage is meant in 'genuine advantage'? And why do they now publish this information, when many people out there will not have applied the patch simply because they believe they still have automatic updates running?
    • Genuine advantage is required only for non-security related updates. Security updates will keep streaming to your computer irrespective of Windows Genuine Advantage

  • honeymonkeys... (Score:4, Funny)

    by arootbeer (808234) on Friday August 12 2005, @08:41AM (#13303243)
    So Microsoft has a room full of computers that do nothing but automatically surf the "questionable" parts of the web? Anybody wanna guess how many hours a day that room is packed with employees just sitting in front of a computer "doing nothing"?

  • I can't believe that people are lapping this up.

    The so-called vulnerability that Microsoft claim to have found a 0-day for in the second week of July was actually discovered by SEC-Consult, and first published [sec-consult.com] on June 29, having discovered it, and notified Microsoft on June 17. There was effectively nil response from Microsoft (they claimed to have not been able to reproduce the issue...).

    While many people believe that the sample object used, the javaprxy.dll, was the flaw itself, the first paragraph of the advisory (the background) indicates that it is a COM level issue, and they identified at least 20 vulnerable objects on a standard XP installation.

    It was this issue that Microsoft ignored until the recent Black Tuesday updates, and then claimed ownership of via the honey monkey project.

    Sorry, guys, you can't claim something that has already been published openly, and ignored when notified.

    • Re:More Misdirection from the Masters (Score:4, Interesting)

      by Amoeba (55277) on Friday August 12 2005, @09:19AM (#13303579)
      Sorry, guys, you can't claim something that has already been published openly, and ignored when notified.

      If you read the SecurityFocus article you'll notice that MS is claiming they found the first 0-day exploit for this vulnerability *in the wild*. You are absolutely correct that a proof of vuln was published by SEC-Consult. However, no known exploit yet existed to take advantage of the vuln. And the SEC-Consulting page does note that MS was finally able to reproduce the problem.

      You and I both know that it's a matter of semantics and the MS PR machine is in full effect here in the way this announcement was worded. However, that doesn't negate the interesting aspects of the honeymonkey approach. By actively trolling the net for "in the wild" exploits and vulnerabilities they're increasing the chances of finding and (hopefully) addressing security issues in a proactive manner.

      Despite the fact that MS is indirectly responsible for my paycheck from my day job, I've never viewed them as a particularly security-focused company and I'll be the first to admit their track record blows goats. But the honeymonkey project is a step in the right direction and could be a useful approach for other OS's and security-minded orgs [1]. It's a neat concept and I'm frankly surprised it's MS doing it.

      [1] I'm currently the moderator for SecurityFocus' penetration testing mail list. I don't get to see as much discussion of these types of things as say, the vuln-dev list, but it would be great discussion material to see if a similar approach could be utilized for pen-testing.

      • I do not deny that the Honeymonkey project is useful, and will be in the future (although the figures listed for number of sites with malware seems low).

        Because there was a lot of contrary reporting and postings which appeared around the start of July, it is difficult to sort the wheat from the chaff in order to obtain accurate information, but I do remember reading that proof of concept code definitely existed, and was published, at the start of July, with one example being reported on the ISC Diary [sans.org]. I a

  • Obligatory.... (Score:3, Funny)

    by dhasenan (758719) on Friday August 12 2005, @08:42AM (#13303252)
    Even a monkey can find a flaw in Windows.

  • Security Risk (Score:3, Insightful)

    by CSHARP123 (904951) on Friday August 12 2005, @08:44AM (#13303268)
    This is good. This should have been done by MS a long time ago and this should be an ongoing process. Everyone knows no OS is bullet proof on security terms. Better late than never.

  • What Makes Reading /. Hard Some Times ... (Score:5, Insightful)

    by hagrin (896731) on Friday August 12 2005, @09:15AM (#13303549) Homepage Journal
    ... are reader responses to an article like this. Some people just refuse to see the trees I guess.

    If an indepedent, third party security company were performing these web site audits, the company wouldn't be admonished, but readers would still attack the "unfinished product" which was Windows XP unpatched. However, how can you fault a company that is trying to correct tens of years of security ignorance with new pro-active efforts?

    MSFT is basically performing external penetration testing of their software while security teams are writing vulnerability scanners and focusing on individual aspects of an application's design. In fact, one could argue that this is one of the more effective ways of performing security testing since exploits in the wild can exist in the wild for months before any security company diagnoses the vulnerability and this method will identify areas of the Internet that seem to disseminate these exploits between web sites.

    If you want to comment on the lack of security focus in the past, definitely. Are they playing a major game of catch up? Definitely. Should IE be so tightly meshed with the OS? Of course not. But can some of you just grow up and get past the MSFT bias and stop doing childish crap like making fun of the "honeymonkey" term or accusing workers of just sitting in the room not doing anything?

  • zero day exploit?! (Score:3, Insightful)

    by jurv!s (688306) on Friday August 12 2005, @09:32AM (#13303702) Journal
    Microsoft's "monkeys" find first zero-day exploit

    How can you call it a zero-day exploit with a straight face when you found it in the wild??

    • Re:This is a good thing (Score:4, Interesting)

      by shotfeel (235240) on Friday August 12 2005, @08:29AM (#13303147)
      Now if they'd go one step farther and compile a database of sites that "attacked" and allowed access to it for use as a blacklist. We've got spiders walking all over the net compiling all kinds of databases, I'm surprised nobody's done one like that before.
      • I was referring to the concept of testing such applications BEFORE releasing them to the public. How many years have there been updates for Windows? If I remember correctly Windows 2000 went through 5 service packs, totalling hundreds of patches. (I should know, I had to download them constantly.)

        As part of the software development lifecycle, there is a part normally called something like Testing/Debugging. I'm suggesting that maybe they should spend some more time in that stage, rather than using the major
        • Ummm...

          So let's say that Microsoft tests Windows Vista in this way.

          What information do they learn? Remember - the bad guys don't have access to Windows Vista, so they can't know about exploits in the new code in Windows Vista.

          It's a chicken and egg problem - the bad guys can't know about 0day Windows Vista exploits because they don't have access to Windows Vista to exploit it.

          If they find exploits in Windows Vista, it's because they're also in XP. If they're in XP, they can simply test with XP.

          A honeymonk

All trademarks and copyrights on this page are owned by their respective owners. Comments are owned by the Poster. The Rest © 1997-2009 Geeknet, Inc.