Security Microsoft IT

MS Giving Exploit Writers Clues To Flaws

In the IT trench writes "How's this for a new twist on the old responsible disclosure debate? Hackers are using clues from Microsoft's pre-patch security advisories to create and publish proof-of-concept exploits. The latest zero-day flaw in the Windows DNS Server RPC interface implementation is a perfect example of the tug-o-war within the Microsoft Security Response Center about how much information should be included in the pre-patch advisory."
  • by Skreech ( 131543 ) on Monday April 16, 2007 @09:46PM (#18761361)
    I know the ongoing debate about whether open source or closed source has the security advantage when it comes to exploits in code.

    But this is a case where a half-and-half approach is probably the worst of all.
  • Clear choice (Score:4, Insightful)

    by The Bungi ( 221687 ) <thebungi@gmail.com> on Monday April 16, 2007 @09:52PM (#18761425) Homepage
    Microsoft should stop providing so much information in their advisories. Or better yet, stop issuing them altogether. Oh, wait. They used to do that, and that proved unpopular.

    Maybe they should do what Mozilla does, which is to "hide" vulnerabilities until they either patch them or feel that a sufficient number of people have applied the patch (which is of course the other problem). Of course, like with Blaster for example, you can release a patch and 30 days later the exploit nails all the people who didn't bother to fucking patch.

    I can see some people's heads exploding with this one.

  • by 644bd346996 ( 1012333 ) on Monday April 16, 2007 @09:54PM (#18761453)
    Open source projects have to write security advisories, too. They just have the option of including the patch with the advisory.
  • Fabulous (Score:5, Insightful)

    by SeaFox ( 739806 ) on Monday April 16, 2007 @10:04PM (#18761561)

    How's this for a new twist on the old responsible disclosure debate? Hackers are using clues from Microsoft's pre-patch security advisories to create and publish proof-of-concept exploits.

    That's great. Now they have an excuse to be incredibly vague about the problem in the advisories. It will be like the Government and National Security Letters.

    "We need you to submit to this, to protect you from hackers. We can't discuss the issue as it's a trade secret and a threat to computing security. This is a critical vulnerability. But we can't tell you why. Just install this patch when it comes out and you'll be better. Trust us, we know what we're doing."
  • by Anonymous Coward on Monday April 16, 2007 @10:08PM (#18761629)

    Hackers that RTFM .. now that's funny.
    Actually, hackers DO RTFM [catb.org].

    They also know How To Ask Questions The Smart Way [catb.org].

    Crackers have the upper hand on system administrators, because the focus is very narrow. System administrators have to RTFM and stay up-to-date on everything from why Alice can't print (because her network cable is unplugged) through to debugging the cause of a fatal exception/crash in a plugin they've written for a HTTP daemon. System administrators are very overloaded with work whereas crackers can take it much easier.
  • Re:Chaffing (Score:5, Insightful)

    by fm6 ( 162816 ) on Monday April 16, 2007 @10:23PM (#18761813) Homepage Journal

    Microsoft should pre-publish a whole bunch of tasty looking security advisories that are 100% fake every time they publish one that is real.
    If they had the expertise to do that, they wouldn't have so many security holes in the first place!
  • by EmbeddedJanitor ( 597831 ) on Monday April 16, 2007 @10:25PM (#18761843)
    In any reasonably complex hunk of software, the chance of being able to confidently fix a one-liner and release it immediately is pretty low. Most software needs verification/testing of some sort before a change can be mainstreamed.

    I actually think that MS pushes out some patches too fast. My Windows laptop gets autopatched and the problematic parts of the system (wireless networking in particular) sometimes get screwed up for a while until the next patch set arrives. I don't think that MS is responsible for all the breakage. Often, MS makes a change which can break an existing driver or app. From a user's perspective all that you see is that a MS patch breaks the system.

  • Re:Chaffing (Score:4, Insightful)

    by AndrewM1 ( 648443 ) on Monday April 16, 2007 @10:36PM (#18761977)
    The problem with this is the bad press MS would get from announcing 11 exploits for every one they discovered. Those "outside the know" would think MS insecurity had gone up by 11x. MS already has major press issues about their many security exploits, they don't need 11 times that.

    Also, introducing fake honey pots in the code would cause problems. If they announced it and fixed each one, the honey pots would be useless. If they announced it but didn't fix it, they'd look like they didn't care/or it would make it obvious it was a honey pot. If they didn't announce it or fix it, then invariably some security researcher would find it (it has to be discoverable to become a honey pot) and blast MS for the security vulnerability.
  • Re:Chaffing (Score:4, Insightful)

    by norton_I ( 64015 ) <hobbes@utrek.dhs.org> on Monday April 16, 2007 @10:49PM (#18762083)

    Aren't all these reasonable 'security by obscurity' examples that work ok?


    Only one of them, the $20,000 in your basement. The reason you only do that for one night is that it isn't a good long-term security solution. Eventually, someone will find out that you have that much cash lying around and your chances of being robbed go way up.
  • by Quantam ( 870027 ) on Monday April 16, 2007 @10:50PM (#18762089) Homepage
    Congratulations. You have just unwittingly illustrated the mindset that makes businesses wary of open-source software, and gives bite to Microsoft's FUD. Of course not all open source coders have such a knee-jerk mindset, but you are a member of an influential (in intimidation power, not number) minority.
  • by omgwtfroflbbqwasd ( 916042 ) on Monday April 16, 2007 @11:18PM (#18762339)
    It really doesn't matter how much information you disclose about the technical details or workarounds except in how long it will take to develop the exploit. Once an exploit writer knows there is a critical vuln in a particular area of the system, it's not that hard to narrow down the inputs required to exploit it. In particular, Metasploit makes this much easier [wikibooks.org] to do by being able to see what memory offsets are in EIP when the process segfaults.

    The only real impact is how many people will be able to write their own 0-day, and how quickly. Personally, I'd rather see more exploit development, since it proves a risk rather than making it theoretical (and likely only exploitable by the 31337).
  • by twifosp ( 532320 ) on Tuesday April 17, 2007 @12:16AM (#18762817)
    That headline is utter rubbish and sensationalist. Microsoft is not giving anyone clues to create exploits. The wording makes Microsoft sound intentionally malicious. While Microsoft is pretty god damn malicious, they aren't out there trying to help exploit writers.

    The headline should instead read something like Hackers Create Exploits Using Microsoft Published information. This IS what hackers do after all. They read documentation and manuals. They find out how things work with all the available information. They social engineer. Trying to pin this on Microsoft is childish.

  • by blowdart ( 31458 ) on Tuesday April 17, 2007 @02:47AM (#18763925) Homepage

    You realise RPC [exct.net] is, in fact, a UNIX feature? That it's there on your Linux/Sun/BSD/OSX box? That like anything running on a known port it's easily blockable at the firewall? Or via IPSEC if you don't run a firewall? And that the Win2003 firewall will block it by default?

    Well done; next time I develop code I'll make sure I name my services something like "Sooper secure, non-remote admin interface", because we wouldn't want to make the cracker's job easier with a name now would we?

  • by master_p ( 608214 ) on Tuesday April 17, 2007 @05:42AM (#18764921)
    C's time has passed! The IT industry cannot afford it any more economically as well as politically. Even the slightest mistake can cost millions of dollars.

    And before someone says it's all about the programmers and not the language, I would say I agree: it takes a God programmer to produce a flawless C program. The God programmer category has few members around the world, and most of them are not in Microsoft (hint: they are Linux / open source guys).

    So it's time to stop using this horrific programming language called 'C'. It worked so far, but its flaws are very serious...time to move on!
  • by ThirdPrize ( 938147 ) on Tuesday April 17, 2007 @06:05AM (#18765019) Homepage
    Good idea, if it wasn't for the fact that the legitimate uses for all these things far outweigh the trouble they cause.
