Controversy Surrounds Huge IE Hole

Suchetha wrote in with a Wired News bit talking about security hole in IE that allows malicious web pages to reformat a hard drive. The Wired talks more about bugtrack's handling of the whole thing, and how it essentially posted working code for the exploit. Was it irresponsible or not?

Of course it was irresponsible

[Anonymous Coward]

If they cared about preserving security for users, or getting the defect fixed, they'd have given the working code exclusively to the defect owner. Posting working malicious code to the general population serves NO BENEFIT to anyone other than those with malicious intentions. You can properly describe 99.99% of bugs without giving people the tools to take advantage of it.

Irresponsible?

[FortKnox]

The Wired talks more about bugtrack's handling of the whole thing, and how it essentially posted working code for the exploit. Was it irresponsible or not?

Easy question to answer.
If Linux had an exploit that allowed someone to ssh into your box, su to root, then fsck your harddrive, and a patch wasn't released yet, would you be pissed off that bugtraq posted the code to exploit the bug?

Don't say "it'll never happen," cause anything is possible.

Yes!!!

[jschmerge]

It might be my sadistic side, but I prefer for working exploits to be posted by the security sites... It gives you a way of checking to see if you are vulnerable.

In the case of M$ bugs, it also puts more pressure on the company to come up with a fix for the problem quickly.

Were Bugtraq irresponsible?

[psyconaut]

No. Not in the slightest. Sometimes you have to go to great lengths to get vendors to fix crummy code -- and I have no doubt that simply "reporting the bug" to MS would have resulted in a wait until a maintence release was issued.

I'd even go as far to commend Bugtraq....it takes balls to do something like that and it *does* benefit the whole community eventually.

-psy

Shooting the messenger ..

[zyklone]

Ok, so they acknowledge that microsoft has known about the problen since November. But the messenger is still the one that should be shot. And not microsoft since they are "investigating the issue".

The article is just stupid ...

Re:Irresponsible?

[nuggz]

Yes I'd be pissed off, and I would be mad that they posted an exploit.

However I'd also be quite upset at my vendor for letting this happen.

what is the stink about it....

[f00zbll]

If people think script kiddies didn't already have the code or grabbed the exploit off some IRC server, they are sadly mistaken. People who bitch about full disclosure would like to live in a nice little world where there's no hackers, but get real. I grew up around hackers. Some were brilliant and were coding in assembly at 10, others were lamers wannabe hackers. Even before the Internet these types of things we widely distributed within the model Bulletin boards. Anyone who was active in the Bulletin Board era knows the most active category was always virii.

Those who think, "We should give MS a couple months to find an appropriate patch" are sadly misguided. Do you think a script kiddie or hacker is going to wait? Do you think they're going to say "Oh, I shouldn't do this because microsoft is a big company." Wake up people, the only way a company is going to put their top programmers on the job to fix the bug is when the threat moves from "possible" to "real". As much as I wish companies too exploits more seriously, the reality is they don't until it is percieved as a "real immediate threat."

Moot point

[odoitau]

I think BugTraq was irresponsible posting working code for the exploit, but I also think the point is academic.

After all, if some script-kiddie wanted to exploit this, they'd just find the working code somewhere else.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Any kind of bugtraq mailing list

[RomikQ]

is insecure.

Only people who need that information should be allowed to it. That's why only something like bugzilla really works well with a product that is likely to be subject to exploits - only the people who are developers of the relevant piece of code are admitted into the security exploits section.

If that kind of info is posted openly on the web, I fail to see the difference between that and stupid pages that always post activex exploits thinking they're cool hax0rs. Cool hax0rs don't post exploits, they fix them.

Know the code, avoid the code?

[Anonymous Custard]

If I don't know what the malicious code is, how am I supposed to avoid it?

Informed security is way better than uninformed security.

Anyone who wants to use this exploit will find out how. The exploit-users already know how to use it and will tell their friends, so we may as well know also.

Re:Were Bugtraq irresponsible?

[Columbo]

Nonsense. It's like giving out a key to someone's house. You wouldn't want that, would you? I think they were quite irresponsible in this instance. There are other ways of raising attention to an issue and thereby prodding Microsoft to take action not the least of which is simply submitting the bug first. There's no need to expose the Internet community to script kiddies that will want to use this script because they think they're l337. I'm not saying they didn't submit the bug first -- they might very well have done so -- but I just feel that a more carefully considered course of action would have been appropriate.

Was it irresponsible?

[Anonymous Coward]

I'd say it's really no better or worse then, say, Slashdot posting links to warez [slashdot.org].

Easy

[4of12]

• It's responsible to warn users immediately that a vulnerability exists and to sketch out broadly what kind of vulnerability it is and how to recognize it.
• It's irresponsible to post a working exploit prior to notifying the code maintainer of the existence of the problem.
• At some point it becomes necessary and convenient for vulnerable users to have a tool they can use to test for the vulnerability and to see if they can protect themselves from the exploit. They should have the tool in a relatively short time frame, comparable to the same timeframe that crackers make tools from the exploit.

Too many companies (software vendors, security consultants) are financially vested in how bad the security blackeye looks in the marketplace and it colors their policies regarding security notification.

As far as I'm concerned, the interests of the software users should be the primary concern.

If you still use IE...

[caldroun]

...you are the one irresponsible.

Re:Of course it was irresponsible

[sean@thingsihate.org]

No, you're wrong.

How long would a software company just sit on a bug without releasing a fix as long as it wasn't public knowledge?

How long would it take for a software company to release a fix when users are getting fucked up from it on a daily basis?

Accussing bug reporters ?!

[Anonymous Coward]

It has proven time and time again that MS does not care about fixing their bugs or securing their users. Their only concern is furthering their illegal monopoly position by abusing the political system of america.

That leaves us with each other as our ONLY protection. Personally, I WANT to know if users in my network are able to accidentally destory their computers, and I NEED to know how the problem occurs so I can help avoid it. As I already stated, if we can not help each other get past the problems, then malicious programmers will have already won, thats just the MS world. Trusted computing is between users, not with the vendor in these dark times.

Re:Of course it was irresponsible

[The Raven]

Microsoft, and many other companies, have shown a remarkable ability to IGNORE bugs given to them. They don't care. They don't fix it. UNTIL their customers find out that the bug exists... then they care. Then they fix it.

Posting an exploit that is currently available to the script kiddies on BugTraq is a way of bringing exploits that so far are only posted in script kiddy boards into the public eye, so they find out about it, get offended, and get the damn hole patched.

It works. It is PROVEN to work. So I don't know why people still bitch about it.

Microsoft has known of the hole for over two weeks now. It's in the wild. It's not patched. Maybe NOW it will get patched.

Re:Irresponsible?

[farnz]

Nope; firstly, I have enough knowledge to disable or firewall off the services that are being exploited (and this would include disabling scripting in IE if IE ran under Linux).

Secondly, I'd rather *know* what an exploit looks like, and thus be able to create a filter to prevent exploit packets incoming rather than just hoping that an exploit doesn't exist (because if it does, the black hats will have it, and the script kiddies will get hold of it).

Thirdly, I have enough knowledge to help join in the effort to fix the bug; I'm not the only person with that sort of knowledge. In the situation you describe, I can attempt to tackle bugs that affect me; I'm not dependant on someone else doing it for me. Even if I was dependant on other people, I'd still prefer them to have the extra visibility into the problem that an exploit provides. I've had to debug similar errors before, and while the debugging is the hardest part, the second hardest is creating a useful test case; in your situation, I have a test case already.

Re:Active content...

[psocccer]

It's not that simple I think. True that active content is overused, but it can really be helpful when you don't want to roundtrip to the server just to calc some numbers, and twiddling settings is annoying for the user, if they choose to turn it off and on. It would be better if the thing was secure. The problem IE has in particular is they try to "zone" thing, local zone, trusted zone, internet zone, secure zone, etc. They do this so that you can have stuff in the local zone executre programs or virtually do anything on the system. And that's the problem, by trying to make javascript in to a generic scripting language, they've opened up the local zone to anyone that can break through the zone barrier.

Most exploits involve one javascript generating a second window which comes into the local zone and posting content to that, though I think that's somewhat patched now, they can also use ActiveX controls to screw you. There is obviusly something flawed with the model, and had they just made javascript a web only scripting language like it was designed, none of this would have happened.

Re:Any kind of bugtraq mailing list

[schon]

Only people who need that information should be allowed to it.

How do you determine need?

If I use the software, I need the information, so I can protect myself. With that in mind, everybody potentially needs the information.

Read the article. The information in question was already available in black-hat circles, and was actively being used in the wild. Do you believe that the white hats shouldn't be on level footing?

Re:Of course it was irresponsible

[jcostom]

If they cared about preserving security for users, or getting the defect fixed, they'd have given the working code exclusively to the defect owner.

Irresponsible my foot. Mickeysoft WAS given a chance to fix this.

This was a well-known problem in IE for quite some time. Mickeysoft simply chose to ignore it, pretending it wouldn't have any impact. This proof-of-concept exploit shows that they're wrong.

Do you think Mickeysoft would have fixed the problem had no exploit been shown? Of course not, they proved that already. Now that there's an exploit will they fix the problem? I would certainly hope so.

Nothing to see here...

[Anonymous Coward]

Neither this incident nor the wired story adds anything new to the debate.

It's really gotten quite tiresome. Neither side of the "full-disclosure" flame war will ever convince the other, so I imagine it will continue forever.

Keep in mind that bugtraq was specifically created to be a full-disclosure list. It's a central element of their charter. The moderator is therefore highly motivated not to block something on the grounds that it reveals too much information.

If you think that's irresponsible, there's no need to vent about it here. You can read hundreds of megabytes of archived debate on the subject. I'm quite sure whatever argument you want to present will be in there somewhere.

This isn't even a particularly good example to use, since the exploit was already public.

Re:irresponsible?

[sacdelta]

If IE wasn't so heavily linked to the OS, this really couldn't happen. MicroSoft has insisted on having both IE and Outlook linked into the OS despite having only superficial benefit by this decision. The amount of security risk by this decision is huge though.

No!!!

[Rupert]

There was already working code posted that exploited the vulnerability but did not format your drive. There was no need to add that payload to the exploit. It's like handing out a vaccine that you have modified to have worse side effects than the original disease.

Prevention BEFORE patching!

[corvi42]

I'm not sure about the details of the current case, but there is a very good reason for publishing full technical details about an exploit before patches come out. That is that it may be possible in many circumstances for aware and knowledgeable system administrators to prevent the exploit from affecting machines within their control either at a central point, like a firewall or proxy, or by disabling software features until a patch is available.

For example a web proxy might be able to scan for the presence of the malicious code in question, but if that code is not available to the sysadmins, then how can they make appropriate filters? Also being aware of the ways in which these exploits work could allow sysadmins to make more general security policy decisions in terms of what users / processes are allowed to access what areas, etc. I'm not saying that it could be done in this case, but could in many others.

This could save a company a lot of time and money, and is therefore a good thing. It is not true to say that only the party responsible for producing a patch needs to see the actual code for security reasons.

Re:Of course it was irresponsible

[bpfinn]

I believe this is the usual course of actions:

Security Researcher: "There's a security flaw in your product X."
Big Software Company: "No there isn't."
Security Researcher: "Yes, there is. If you don't fix it, I'm going to tell."

(denial leads to public annoucement of problem)

Big Software Company: "OK, there could be a problem, but it's not possible to exploit it."
Security Reseacher: "Yes it is possible. It you don't fix it I'm goint to tell everyone how."

(denial leads to public announcement of exploit)

Big Software Company: "Well, I guess we better fix it."

And wrong.

[CrystalFalcon]

The article is stupid and wrong.

The sploit paper says that MS was contacted about the combined exploit October 4, which is not in November, and that they have closed the issue with a "will not be patched because XYZ" statement, which is not to be investigating the issue.

Two critical wrongs in fact out of two possible. I just felt a sudden urge to trust the rest of the article so much more...

Re:Of course it was irresponsible

[Nermal]

Umm...

But until a large percentage of the population gets screwed royally by a security hole... a large percentage of the population hasn't gotten screwed royally by a security hole!

Don't get me wrong, MS should be faster to patch their security holes, but where are your priorities? If you were confronted by someone who had just lost a bunch of important data because of this exploit, do you really think they'd be impressed if you said "But I was trying to make a very important point to Microsoft!".

Re:Active content...

[michaelggreer]

I agree. Javascript is very useful as a web scripting language, but a horrible idea as an OS scripting language. There is no reason to blame JS, just Microsoft's allowing it to roam outside the webpage. In fact, i would suggest that the problem is never Javascript, but ActiveX accessed from Javascript. ActiveX is the hole into the local system, Javascript is just the controlling language.

Irresponsible?

[jaaron]

You can properly describe 99.99% of bugs without giving people the tools to take advantage of it.

Could you please explain how one could "properly" describe a bug without giving away how to exploit it? To describe a bug means you show what it is and how it's reproducable, which by definition is how to exploit it. The better you describe it, the better you pave the way for an exploit. So would you rather just no one mention the bug in the first place? Or perhaps just give a hint to the developers: "Psst! Hey, IE has another bug, and this one's a doozy!"

That's part of the problem with security thru obsecurity. If you either only "hint" at the bug or just don't mention it at all, you run the risk of an exploit being discovered and maliciously used while everyone else is still in the dark.

That said, the first step for security related bugs is to inform the original developers (in this case Microsoft). However, if and when the developers do not respond, what responsibility to the general public do you then have? Moreover, in this case the exploit was already out in the public domain (but you have to actually read the article to know that):

"The vulnerability is well-known within the security community and the information posted on Bugtraq was information that had been copied or linked from other public forums," Haldeman said. "This particular exploit has the potential to cause tremendous damage to systems, and security experts need to be aware that this vulnerability is being exploited in the wild to cause damage."

Given that, it's important that those who are responsible for their own and others security (generally the types who actually read bugtraq) know about this bug and can be prepared for it.

I disagree.

[SlashChick]

"I have no doubt that simply 'reporting the bug' to MS would have resulted in a wait until a maintence [sic] release was issued."

Yes. Which is exactly what any vendor needs before working exploit code is placed on a high-traffic mailing list.

It's not like this bug has been around for 6 months. The article says the bug was discovered "earlier in November", which has so far given Microsoft (as of today) twelve working days to fix the bug (and that's assuming it was discovered on November 1!)

Considering Internet Explorer 5.5 and 6 run on over 73% of the computers on the 'Net [onestat.com], Microsoft has a huge responsibility here. BugTraq needs to give Microsoft a reasonable time in which to fix this bug before posting exploit code. I don't feel that ~2 weeks is reasonable for something that large. After all, if the patch crashes a single system and renders it unbootable, or even one out of every 1000 systems, it's a huge amount of trouble for Microsoft!

Now, if Microsoft hasn't posted a fix for 6 months, then I think it's reasonable to take additional steps. However, posting working exploit code probably isn't going to push Microsoft to fix the bug faster. It's just going to irritate the community, put additional pressure on Microsoft to release an untested fix, and allow script kiddies to copy and paste working exploit code into their web pages. It's a lose-lose situation.

Re:what is the stink about it....

[Havokmon]

Those who think, "We should give MS a couple months to find an appropriate patch" are sadly misguided. Do you think a script kiddie or hacker is going to wait?

While I agree with you in principal, and I'm sure we share the bond of 360k floppies with zipped copies of viruses, I have to disagree with the details.

I remember a time when the source code for some vulnerabilities was disclosed, but with errors. If you didn't know how to fix the error, you couldn't use the vulnerability. This way, it was kept OUT of the hands of script kiddies, but put INTO the hands of those with a clue on how to fix the problem.

I'd be willing to bet 95% of the break-ins on the internet are plain old script kiddies. IMHO, there isn't any more port scanning going on, there isn't any more social engineering of the average joe's desktop pc. That sort of work is left to the 'expert' black hats, trying to get into the 'treasure chest'. The rest are lamers just running what they found.

IMHO, if BugTraq is going to post vulns, they need to be non-working, and the user has to have the knowledge to fix them. Especially on closed platforms, it does less good release exploits for code you can't fix, because you're not fixing the problem, you're just working around it.

Re:Any kind of bugtraq mailing list

[Kaa]

Only people who need that information should be allowed to it.

Of course. That is why from now on we have instituted a simple procedure that must be followed any time you want to buy a book or read one in a library.

Just submit to the nearest government office the Request For Information Access form (RFIA-1984) together with all the necessary documentation proving that you need the information. In due time the form will be returned to you, stamped "approved" or "rejected". If it has been approved, take this form to your book dealer or library and you will be granted access.

Please be aware that having multiple requests rejected can adversly affect your future.

Have a pleasant day.

I once "discovered" a virus...

[venomkid]

...which a friend and I posted to bugtraq. It turned out to be a previously undiscovered variant of the semisoft virus, which we'd dubbed "net.666" for a few reasons (just so you can check my story).

We made a web site that showed how to clean an infected system and had downloadable infected files for virus researchers. At the request of some of the researchers, we took off the files and gave an email address for researcher requests instead.

Surprisingly, we got emails from script kiddies (some posing as researchers, some not) trying to get copies of the virus.

But, by the end of that week, there were separate executables from a few companies implementing our cleaning methods, and the next round of signatures could detect it.

I think it would have been a better idea for these guys to just post the solutions and keep the exploit code itself as secret as possible. MS will prettymuch HAVE to deal with this one. It's the kind of exploit you hear about in hoax emails, but I don't think it's going to make their lives much easier knowing that this exploit is so widely available, not to mention the people who get hit by it.

vk.

Re:Of course it was irresponsible

[AgentTim3]

You know, the script kiddie that's waiting around for exploits to be published on bugtraq is a pretty junior kiddie indeed. This thing's been out there for a couple weeks.

What's a worse situation? A bug that goes completely unnoticed by the general population, but is quietly exploited for months by hackers that have done their homework....or...maybe a few more script kiddies find out about it but now Joe Public is WELL aware of it, due in no small part to the discussions that happen on boards like this.

And riddle me this, how is Symantec possibly irresponsible in this matter? They have no responsiblity whatsoever towards Microsoft or any of their products; they're both separate corporations. They both pursue their own separate agendas as they see fit. The good that comes of this is that maybe the public gets a little more aware of the situation.

MS has its own side to this, Symantec has its own side, they both have valid points to their arguments, but what winds up happening is the general public gets caught in the middle. If just one more person wakes up and realizes that because of this, then there's the real benefit.

Re:Irresponsible?

[m1a1]

If linux had such a whole the BEST POSSIBLE THING would be for it to be posted to bugtraq. As soon as it hit the page there would be 20-30 people trying to recreate and patch the bug. We don't have the option to write our own patch for IE.

Re:Know the code, avoid the code?

[Shimbo]

If I don't know what the malicious code is, how am I supposed to avoid it?

The point is that even full disclosure only requires 'proof of concept' malicious code. There is no benefit on going the last step and widely circulating examples of code that actually f***s your hard disk.

OTOH, you don't gain that much either because it's generally fairly trivial to make damaging code from a 'proof of concept' exploit.

It's not a big deal either way really. Most vulnerable systems don't get trashed when the next exploit shows because crackers prefer backdooring to trashing. Not because they can't.

Re:Of course it was irresponsible

[doi]

This is not just a question of how quickly the vendor will fix it (or not). There's a lot of documentation on how to build an atomic bomb, and Al-Qaeda, Iraq, North Korea and others already have that info. Does that mean it's a good idea for The New York Times to publish detailed engineering schematics and procedures on its front page? Would that be responsible reporting, in your opinion?

Wonder how you'd feel when the People's Movement For Some Obscure Cause vaporize your town based on those plans...

Re:You can't force people to be free.

[jvmatthe]

Allow me to introduce you to my friend. His name's Bob, but many call him Smiley. Here's a digital photo I took of him:
;^D
I append this digital photo to the end of all messages in which I'm using humour for effect. One look at Bob's face and you'll understand why. If you now reread my comment all the way to the end, the meaning should become clear.

Hope that helps.

Re:I can't feel bad for Windows users.

[Tenebrious1]

If you had a nice apartment in the middle of New York, and you constantly left the front door unlocked, and then one day somebody walked in stole your stereo, I'd feel bad for you. But, you know, not too bad.

But it's not like that at all. It's more like I lock my front door. I ask my super "am I secure?" and the super replies "yes, absolutely."

Then I learn there's a fire escape. I say "The fire escape was unlocked." and the super replies "oh, yes, it was unlocked." So I lock the fire escape.

Then I find a closet door isn't a closet at all, but leads directly to the next apartment. I lock that. Suddenly, a section of all turns out to have a door that's been wallpapered over. Under the rug there's a trapdoor leading to the apartment below me. Hidden behind the fridge is a dumbwaiter. The entire fireplace rotates ala Indy Jones. I cry in exasperation to my super, who just says "well, aside from all those holes, your apartment is secure."

Yawn

[cyranoVR]

It seems like every couple weeks there is an article on /. to the effect of "BIG HOLE IN IE/XP/[MS APP HERE] DISCOVERED. THE END IS NEAR! REPENT, MS USERS" etc etc...ZZZZZZZzzzzzzzzZZZZZZZ -_-

There are only so many times you can read a headline like that before the "cry wolf" factor starts to kick in. All these "bugtraq" alerts are academic...theoretical...What I want to see is a headline that reads Merrill Lynch crippled by XP flaw. Plans to sue MS for millions $$$ damages or somesuch. Or at least a story of an actual user whose life was ruined by an actual MS security hole. Something tangible...Now THAT would be interesting!

Re:Irresponsible?

[thomas.galvin]

If Linux had an exploit that allowed someone to ssh into your box, su to root, then fsck your harddrive, and a patch wasn't released yet, would you be pissed off that bugtraq posted the code to exploit the bug?

No, and here's why; if I have working code that roots my box, I can start looking for ways to prevent it from running. Know yourself. Know your enemy. The easiest way to beat something is to study it.

Now, that isn't an option in the case of IE, but I don't run it anyway. Still, there is at least some value in being shown how to exploit a vulnerability; it proves that it is real. I could send out an email tomorrow saying "Mozilla has a huge security bug that allows arbitrary execution of malicious VBScript," but unless I show you how, most (technical) people will assume I am blowing smoke. If I put up some code that demonstrates it, though, most (technical) people will say "crap, better 1. stop using Mozilla, or 2. get to hacking out a fix."

Wired's "article" is basically...

[talks_to_birds]

...a puff piece for alleged "security expert" Richard Smith, who has a long-standing agenda about full disclosure [computerbytesman.com].

What new ground is broken here?

None.

The simple fact remains that Micro$oft produces products that are riddled with the most egregious of security lapses, and that Micro$oft has an unrivaled history of dragging it's feet/passing the buck, even when billg is hit over the head repeatedly with the fact that his minions have unleashed yet another f*ckup on the unsuspecting public.

So, it's possible to contrive html that, when viewed on a remote web site, reformats the local hard drive of the box IE is running on?

Are you kidding me?

billg and every single idiot who was anywhere close to being involved with this f*ckup should be sued for every last penny they have.

As for full disclosure, let 'er rip.

It's the only way Micro$oft will ever be held in the least bit accountable for their crap.

t_t_b

Re:Irresponsible?

[FortKnox]

MS has only had a week or two with the knowledge of this bug (article mentions that MS learned in November aka this month some time). For such a huge exploit, I'd suspect it'll take a week to pinpoint the code error, a week to fix the code, and two to four weeks of testing it.

That's about a month/month-and-a-half. Don't you think they deserve a good solid two months before posting the exploit?

Wrongly Phrased

[Srin Tuar]

If you were confronted by someone who had just lost a bunch of important data because of this exploit, do you really think they'd be impressed if you said "But I was trying to make a very important point to Microsoft!".

Instead of that, you should say "By not fixing the bug, Microsoft was trying to make a very important point to you!"

Then they will at least be angry at the right entity.

Responsibility

[BrianWCarver]

It seems that what's really irresponsible is not what Bugtraq did, but running IE to begin with. It's history of security flaws and exploits along with Microsoft's foot-dragging responses make it utterly irresponsible to run such software.

That said, no one is immune from security exploits. The argument for posting it to Bugtraq seems mainly to be that this motivates the vendor to move quickly now that their customers know about the exploit and now that nefarious types have easier access to it. (Don't fool yourself into thinking the most malicious types didn't usually already acquire it by other means.)

But if what we really want to do is motivate vendors to patch things quickly, it should be the first rule of Bugtraq that no exploit is posted until the vendor is informed. Most linux security exploits are resolved within about 48 hours, while it is true that Microsoft often takes weeks or months. Given our competing interests in both informing the vendor privately and getting information to the public, we should balance these in a reasonable way. One such solution might be that Bugtraq adopt a rule that after a vendor is informed, they have 48-72 hours after which time it will be posted.

For both the responsible vendors and the free software community this approach would balance our interests in minimizing exploits while a solution is actively pursued while also acknowledging the benefits of full public disclosure.

In the case of smaller vendors than MS who might not have the resources for such a quick bug-fix, an appeal process could be instituted wherein the vendor may contact Bugtraq during the initial grace period and request an extension. Guidelines based on the resources of the vendor and the seriousness of the bug could be used to determine whether another 48-72 hours should be granted.

BWCarver

Re:Of course it was irresponsible

[Jason Earl]

The problem with your analogy is that the atomic bomb has already been created and deployed and it is sitting in your kitchen disguised as a toaster. What's worse is that most of the bad guys already know how to detonate this bomb. This information had already been posted to the web. Here's the quote from the article:

The vulnerability is well-known within the security community and the information posted on Bugtraq was information that had been copied or linked from other public forums

At this point the only logical conclusion is that a working exploit should be shared so that systems administrators can test and make sure that their installations are safe. To go back to the bomb analogy, it's time to tell folks that they need to unplug their toaster and get it the heck out of their house. If that takes having an article on the front page of The New York Times so be it.

Re:Irresponsible?

[repvik]

If Linux had an exploit that allowed someone to ssh into your box, su to root, then fsck your harddrive, and a patch wasn't released yet, would you be pissed off that bugtraq posted the code to exploit the bug?

There is a slight difference between windows and linux on this issue...

Usually the responsetime for a security hole that big would be patched within a few hours of the issue becoming known. (for linux) Besides, the patches are usually out before the exploits are.

On windows, I wouldn't expect the security-hole to be plugged for the first two months.

This is an issue Microsoft has known about for more than a month. Why haven't they fixed it?

Releasing the exploit forces Microsoft to release a patch for a hole that should have been patched several weeks ago.

hack update.microsoft.com

[Tom]

Now if only someone could break into update.microsoft.com and put the exploit there...

(The windos update program uses IE. Good design decision to use your most insecure piece of code for security updates, isn't it?)

Re:I disagree.

[Hal-9001]

The original public posting of the exploit [securityfocus.com] was posted on Bugtraq on Nov 6 2002. The posting indicates that Microsoft was contacted on Oct 4 2002 regarding the exploit and had decided not to fix the vulnerability. Since Microsoft willfully decided not to fix this bug, I think posting working exploit code is justified in order to force Microsoft to address the problem rather than sweeping it under the carpet.

Re:Of course it was irresponsible

[walt-sjc]

Frankly, the fact that there is an exploit to reformat peoples hard drives is a GOOD thing IMHO. As a matter of fact, I hope it bites tons of people. The fact that "the average user" doesn't check for updates and maintain their machine NEEDS TO CHANGE.

The auto is a great example. If you didn't maintain your car (change the tires, fix the brakes, etc.) when it needed to be done, YOU are a danger to yourself and others around you.

People who don't maintain their machines are a big problem on the net. They are responsible for being DDOS agents, virus distributers, etc. MS (and other software vendors including open source) being slow at releasing patches is ALSO an enabler for distructive issues on the net.

Back to the article, it IS irresponsible to release exploits when the vendor hasn't had a reasonable amount of time to fix the bug and distribute the patch. There is an indjustry accepted time frame for this. If the vunerability is already well known in the wild however, keeping it a secret from the public does NO GOOD WHATSOEVER. The script kiddies keep in touch via IRC, and other mechanisms so they will know about the vunerability anyway. Not releasing the info only harms the public as they will have no chance to be prepared. Admins can add filters to their proxies for example, but they need to know details about how the exploit works in order to do so.

Keeping secrets about vunerabilities that are already known to the black-hats only harms the rest of us.

Controversy? What controversy

[tomhudson]

<quote>Title: Controversy Surrounds Huge Hole in IE</quote>

<humor> Now, if someone were to say that there weren't any holes in IE, that would be controversial. this is just "business as usual - where have your files gone today?". </humor>

It's just unfortunate that this is the sad reality.

But is the fault really bugtraq's?

[fizbin]

I'm assuming that you have no issue with Bugtraq's posting of the initial advisory from Andreas Sandblad on the 6th. Now, the code that was posted on the 14th (over a week later) that is causing all this ruckus was cut-and-pasted from a discussion going on on ZDNet forums. In other words, those that would do harm already had the code.

I'll grant you that posting it to Bugtraq probably doesn't add all that much information for the "good guys" (except that the javascript in the "format a:" version is simpler to read), but it has the added benefit of getting someone like Wired to make a big stink out of the whole affair. The publicity is important as a way of getting the bug fixed. Security bugs are viewed by Microsoft (and anyone in the consumer software industry) as PR problems - posting this to Bugtraq doesn't make the bug any worse for users of Microsoft's systems (since the kiddies already have it), but does make it much worse for Microsoft. It's much harder to spin away a bug when live, functioning exploit code is staring you in the face.

Re:Of course it was irresponsible

[Sherloqq]

If you were confronted by someone who had just lost a bunch of important data because of this exploit, do you really think they'd be impressed if you said "But I was trying to make a very important point to Microsoft!".

Probably not. Neither would you be, once you'd get an answer to "Where was your backup?"

I'm sorry, but things like backups cannot be stressed enough. People should learn that the cost of backup is far smaller than the cost of having to recreate a bazillion documents from scratch. Better they learn now than later. I'm sorry, but I have very little sympathy for people who refuse to make backups.

Re:Any kind of bugtraq mailing list

[dasunt]

RomikQ asks:
Do you find information on how to build a nuclear device in your library?

I do! Its in a section called 'physics'. Another section called 'history' details the Manhatten project. Still another section called 'chemistry' gives me more knowledge on how to refine it. (The chemistry section is helpful for building explosives as well.) Yet another section called 'metalurgy and metalworking' helps me with the manufacturing skills.

Since you say 'nuclear device', I believe a nuclear pile or dirty bomb would fit in that definition, and the knowledge to build one of those is found in any local library. A true fission bomb needs some information that is not available at the library, but the library gives me one heck of a headstart on a project. For a vehicle bomb with conventional explosives, the library gives more then enough knowledge.

Ignore the anarchist cookbook, its full of half truths and downright lies. Go to the local university and grab copies of all their science textboks, its a lot more dangerous.

Just my $.02

Re:I can't feel bad for Windows users.

[xrayspx]

And, yes, it would be different if this were Linux, or BSD, or even MacOS. All those operating systems come with companies or communities who take security seriously, and they respect their users enough to not foist insecure features on them.

I am a GNU hippy, I avoid using Windows on the desktop except when necessary, but I have to disagree.

Insecure features like:

• RPC
• LPD
• WUFTPd
• Telnet
• Sendmail
• BIND(? BIND for christs sake?)
• X listening remotely

All running by default?

It would be interesting...

[Cylix]

What would really worry me is if someone cracked into a high traffic sight and added this code. The havoc it would cause would be interesting. ie. slashdot or cnn.com tainted with such code.

Does anyone remember the time when Yahoo finally found that someone had edited the text on their frontpage. White on white text that could be highlighted. I don't know the details, but I knew about it long before yahoo discovered this.

It *can* happen, but now companies are definately more security cautious.

Fortunately, I use mozilla, I made the full time switch and lived with the minor bugs the day Gator mysteriously installed itself on my system while browsing with ie. (there was a previous story on the incident with that exploit).

Re:Of course it was irresponsible

[buzban]

interesting point.

i can't agree though. if this situation was in fact under an open source O.S. (e.g., Linux) how would the tons of potential problem fixers get the details unless the exploit was explicitly expressed on the Internet?

Re:Of course it was irresponsible

[chunkwhite86]

The point would not be to impress the microsoftie who lost his data. the point would be to impress upon him the inherent lack of security in the microsoft windows security model.

another point to press upon him would be microsoft's lackluster performance when it comes to fixing said hole.

If more microsoft users out there were negatively impacted by each security hole discovered, I guarantee you there would be much fewer microsoft users in the near future - either that, or microsoft would get off their ass and produce stronger products.

Simple Solution

[ddkilzer]

Download and install Mozilla. [mozilla.org]

Yes, Mozilla has had its share of security flaws [slashdot.org], but they generally get fixed faster [archive.org], too.

Re:Of course it was irresponsible

[ChaosDiscord]

Does that mean it's a good idea for The New York Times to publish detailed engineering schematics and procedures [for an atomic bomb] on its front page?

Well, not it's not a good idea, since most NYT readers would rather have news coverage on the front page. But that's avoiding the real question, which I believe is "If the New York Times printed detailed instructions on how to build and use a nuclear weapon in their newspaper, would the world be less safe?" The answer, naturally, is that the world would be just fine. Anyone with access to the nuclear materials and technical skills necessary to build an atomic bomb can easily get the information on how to build the bomb.

The information is already out there. By not publishing it in the NYT, you're only making it a little tiny bit harder to get. I guess the terrorists will have to spend a little money to buy some books on the subject. The only way to significantly increase the difficulty of getting the information is to declare the information and anything related absolutely and fundamentally illegal. Of course, if any physics student interested in nuclear power needs security clearance, and any medical student needs a background check before they can learn about anthrax, the cost might prove to be too high. Furthermore, even if you declare it illegal, do you think that someone who has decided to try and kill people with a nuclear weapon is going to be seriously dissauded because the information is illegal? "Gee, I'd like to blow up the infidels, but the infidels has declared bomb making instructions illegal." I think not. The information is already out there, if it becomes illegal you'll just create a black market. End result: people who are genuinely curious about nuclear weapons (say a reporter doing an indepth study to determine the feasibility of terrorists acquiring the materials and skills necessary to build a bomb) won't have access to the information. The bad guys will still have access to the information. Plenty of loss for society, nothing gained.

The carries over (somewhat) to exploit code. The really skilled bad guys can and will create their own exploit code. Once the information is created, the script kiddies can reuse it.

That said, my complaint is with your inappriate comparison, not your point. In reality, most script kiddies are leeches of other people's work. There isn't much of a black market and there is incentive to keep ones work to oneself ("I have an exploit you don't!"), so the information won't travel as quickly. If an exploit is harder to get (because they need to get it off a more skill bad guy instead of off Bugtraq), fewer script kiddies will have the exploit, reducing your risk. Delayed publication of the exploit can reduce the threat in the short term.

Re:Irresponsible?

[Khazunga]

That's about a month/month-and-a-half. Don't you think they deserve a good solid two months before posting the exploit?

Nope. If the bug allows someone to have complete access to my computer, for two months, I'd expect MS to release a patch that disables enough features for the bug to be also disabled.

Not that it affects me. I'm MS free.

Re:Prevention BEFORE patching!

[fizbin]

corvi42 wrote:

I'm not sure about the details of the current case

Then that's easy to fix: (all links to the neohapsis archive, since it's just nicer to look at than securityfocus)

1. The original advisory about the IE bug [neohapsis.com] (note that it includes sample code to execute "winmine") [Nov. 6]
2. The post pointing to zdnet forums [neohapsis.com]. Note that it is on the ZDNet forums that this format code first appeared - I find it most odd that Wired chose not to mention that. [Nov. 11]
3. The post that got everyone's panties bunched up. [neohapsis.com] Someone took the code that was on that ZDNet forums thread and posted it to Bugtraq. [Nov. 14]

One especially noteworthy point: Microsoft was informed of the bug on October 4th.

So:

• The original discoverer (that we know of), Sandblad, acted responsibly.
• Bugtraq was being perfectly responsible in posting Sandblad's advisory
• The format exploit code was free for the taking on public forums
• Bugtraq published the format exploit, creating a PR issue for Microsoft, after said code had been public for three days

My opinion? A wired writer needed a story.

Re:I can't feel bad for Windows users.

[pgilman]

"...if you're using a Windows box, I've got to assume one of three things is happening:

1. You're ready to have a hair-trigger response to the constant stream of security patches and updates you'll need to use. You probably have up-to-date virus protection software, and you probably work in an office with really paranoid, on-the-ball IT staff.
2. For whatever reason, you don't care that your files could get mangled, erased, and resent: Maybe nothing's that critical, maybe you're just playing around, maybe you make constant backups.
3. You're completely irresponsible."

That's really unfair. What you say makes sense when applied to the slashdot population, but what about my mom? What about your dentist? Most people who use computers aren't IT professionals who can dedicate an hour every day to reading several security-related websites and downloading and installing software patches, and they shouldn't have to be.

Re:Of course it was irresponsible

[Iguanaphobic]

Oh, I get it. Microsoft needs to be held to a higher standard of moral behavior than some script kiddie. I guess it's because they deserve whatever bad happens to them because "they're Microsoft", and the hackers that use the (now widely) published exploit are absolved of any wrongdoing.

Nope. Microsoft has exploited their monopoly to accumulate a massive amount of cash at the expense of their users. I would hold Microsoft to a higher standard based on the fact that we (the public) have already paid them sufficient cash for us to have a reasonable expectation of secure code or at least responsive support.

Somehow, the hyper-capitalistic viewpoint of a lot of people actually admires Microsoft for their criminal behaviour and uses their success (excess) as an excuse to let them literally get away with whatever they want.

They have your money and they have not delivered the goods. And you admire them for that and wish you could be more like them. Talk about the American Dream on mushrooms.

Re:Of course it was irresponsible

[ichimunki]

Your analogy is totally off. Publishing a how-to isn't "committing a crime", it's journalism. A few years ago I saw a TV news spot on car break-in/theft in which they showed a car thief disabling several anti-theft devices. Was the TV news breaking the law or simply alerting people to how false their sense of security really was?

This is why, in these cases, I think the argument would be well-served if people avoided analogies altogether. It's difficult enough to attempt to clarify the assumptions and facts so that symbolic logic can be applied to reach sensible conclusions without muddying the waters with literary devices.

MS is recklessly endangering your computer and your data with their shoddy attention to security prior to release. I think BugTraq is doing us all a favor by pointing it out.

Re:Slashdotted Already - Article Text

[njdj]

There is only one technical defense against an exploit at the present time and that is to disable scripting in Internet Explorer, Outlook, and Outlook Express.

Crap. The simplest and most appropriate technical defense is to switch to another browser. Even Windows users have a choice of browser.

The news does it...

[Anonymous Coward]

When channel x news sneeks a weapon through airport security and alerts the airport. Then a month later does the same thing, should they alert the public to make them aware of the danger?

Timlock puzzles

[karlm]

Look at "Timelock puzzles" or something to that effect by Professor Rivest. You can make the solution to a cryptographic puzzle the decryption key for an exploit. Publish the puzzle and the encrypted explot along with your submission. Give the vendor the decryption key. The problem of repeatedly calulating quadratic residues modulo a Blum integer is essentially non-parallelizable, so it doesn't matter if you set up a beowulf cluster or a distributed.net project. You still only solve the problem as fast as your fastest node. Hence governments don't get the solution much faster than some slashdot reader with a 4 GHz overclocked system. If you have REALLY low latency interconnects, you may be able to spread the work out among several CPUs in the same box.

This way the vendor knows the clock is ticking, and ance you've published the puzzle and the encrypted exploit no ammount of legal manuvering can put the cat back in the bag, so to speak. Basically, it allows you to put pressure on the vendor while still being responsible and giving the vendor a month (for instance) head start. You can put decent bounds on how long it will take the fastest consumer machines to solve the puzzle. There's currently a puzzle running that's supposed to get completed shortly before the MIT Laboratory for Computer Science's 70th b-day, for instance.

Re:Of course it was irresponsible

[Citizen of Earth]

Big Software Company: "Well, I guess we better fix it."

I think you mean:

Big Software Company: "Well, I guess we'd better sue."

No; they decided to define the problem away

[Anonymous Coward]

According to their security model, anything running as "Local computer zone" is always trusted. So, by definition, trusting something in that zone to run programs isn't a security problem.

The flaw, of course, is that it's a lot easier to remove a capability of dubious value from a zone than it is to find and patch the many zone privilege exploits. So, they've made their design that much more fragile. We've all complained about MS's fragile security models; it's nice to have a concrete example.

Linux had a similar problem. Superuser access is too powerful, and there was no way to grant just certain rights to users. Sudo was written as a stopgap, but its model suffers from the same problems as MS's: fragility (although, to be fair, sudo has always been much more robust than IE). Now, however, the capabilities system has been designed, and is slowly gaining acceptance.

The difference between Linux and Microsoft is obvious. The Linux people could recognize a problem and work towards a usable solution; Microsoft simply denies the problem, and no one can convince them otherwise.

yes, of course.

[twitter]

There was no need to add that payload to the exploit.

If you don't prove it, they will deny it. The ability to erase everything is the threat that all root exploits pose. It's about time the popular press understood the implications. God knows, M$ spends enough money denying the ability and on Astro turfing where people who suggest such things belong to the tin foil hat camp.

I hope this blows all the way up to and beyond CNN. I'm tired of people looking at me like I'm crosseyed when I tell them that IE is full of holes that alow others to look at your files and erase them. M$ can'nt buy the entire mass media forever.

Ahh, more FUD...

[sheldon]

"And, yes, it would be different if this were Linux, or BSD, or even MacOS. All those operating systems come with companies or communities who take security seriously, and they respect their users enough to not foist insecure features on them."

Really?

Show me the security bulletin on Redhat's website for the issues found in KDE last August.

The sad fact is the Linux support community is even worse than Microsoft. They don't even acknowledge problems even after they've been patched by the development team. Maybe it's just a lack of communication mechanisms, but whatever it is it is bizarre.

Re:Of course it was irresponsible

[ivan_13013]

That's like saying, "the police in my town are lazy and aren't cracking down on crime. That's why we need to start committing crimes left and right and encouraging others to do the same until the cops are motivated enough."

No -- nobody is committing a crime yet. This is more like if Joe Whistleblower were to say, "My town's police are lazy and resistant to change their ways, so I am going to publically talk about their problems. The public needs to be warned for their safety, and the PD needs to get their a** in gear."

Well, after Joe says that, some residents may take extra precautions to protect themselves. Also, some potential criminals now know have information that police response time is bad, and they may take advantage of this by breaking the law.

Whose fault is that? The police, for failing to keep the town secure in the first place? JW, for letting potential criminals know about the flaw in the system? Or was it the criminal's fault because he was the one breaking the law?

I believe that it's mostly the fault of the criminal when crimes are committed, and some blame should also go to the police if they have failed to protect. Joe was just doing his duty.

But comparing MS to the police is too much of a frightening thought, time for the happy pill... ;-)

-=Ivan

Re:Of course it was irresponsible

[vericgar]

I may seem absurd, but the way I see it, it really isn't.

Say most homes doors and locks from the same company. Some person discovers that you can open the door by lifting the handle and turning even if the door was locked. If this information wasn't release to the public, then many people would never know. Granted, some people would figure that out, but many would not. One of those that figure it out get his face on the news and let's everyone know how to do that. How fast do you think the company that made the doors would be having a recall then if only a lot fewer people knew and there wasn't as many problems?

The diffrence between Microsoft and this imaginary door company comes however, is that once a few people discover this problem with the doors, the company would issue a recall. Microsoft (though many other companies do this also, Microsoft isn't the only one) in most cases would hide the fact, and even when it was brought public sometimes waits months before fixing the hole.

Granted your front door to your home is usually much more important then your computer, but you can see what I mean...

Re:He Gave Them a Month

[SuiteSisterMary]

If it only works if run from computers in the 'local computer' zone, then no, it's not a security hole, it's operation by design.

That's like saying 'there's a huge security hole in the UNIX 'rm' command, which allows the root user to delete entire filesystems!'

Re:Irresponsible?

[CoolVibe]

Then switch to ext3 and tune2fs those counts away (disable them by setting them to 0). No more waiting. Oh, and upgrading from ext2 to ext3 is painless.

Re:Of course it was irresponsible

[commodoresloat]

Does that mean it's a good idea for The New York Times to publish detailed engineering schematics and procedures on its front page?

A more appropriate analogy would be whether it's a good idea for Bulletin of the Atomic Scientists [thebulletin.org] to publish it. And then, yes, it would be responsible reporting.

Re:Of course it was irresponsible

[InnovATIONS]

Pointing out the existence of the bug is a service. Giving how-to lessons about using it to wreck havoc is irresponsible. Maybe you may call it journalism, but it is irresponsible journalism. The public's need to be alerted about auto theft was in no way enhanced by actually showing how to defeat the devices. Similarly the public's need to know about caring about security holes in software is in no way enhanced by showing them how to exploit the holes maliciously.

Re:Microsoft did decide to fix it.

[Hal-9001]

"[Microsoft's] final response were that the technique used to run programs with parameters from the 'Local computer zone' was no security vulnerability. A fix should instead be applied for all possibilities for content in the 'Internet zone' to access the 'Local computer zone'."

This is entirely the right response from Microsoft. They don't want to fix the symptom; they want to fix the underlying problem. I think this should be applauded.

I don't. The exploit proves the Microsoft's initial assessment was wrong and that a vulnerability exists. If you have a disease with no known cure, it's better to receive treatment for the symptoms than to do nothing and wait for a cure to be discovered. Analogously, the right thing for Microsoft to do would be to fix the symptoms immediately, and then fix the underlying problem. Releasing a temporary fix quickly demonstrates that they understand the seriousness of the problem, and that are doing something about it instead of ignoring it. It also buys them more time to fix the underlying problem. Unfortunately, Microsoft has shown over and over again that actually fixing things is not the Microsoft way.

Re:SuperVirus

[theLOUDroom]

I disagree. First off script kiddies don't really do very much. If they do ever write code, it's a tiny little program to do one or two things.
I don't think that any of them are going to write a super virus because that would take a lot of work. They may get a kick out of reformatting someone's box but the aren't going to code for months to be able to do so.

What I would worry about is someone writing a hacking application. It would have a database of most know root exploits for the last 20 years. You could pick your target IP address and it would use programs like nmap to try and figure out as much as possible about the target(s) and then it would start trying all know exploits for that system.
A program like this would actually be worth a serious black-hat hacker's time. Especially if it was written in a way the made it easy to update the database when new exploits were found. It could have a nice GUI and everything.
Luckily, someone white-hat would take the same program and extend it so that the database includes way to fix all the vulnerabilities. Sysadmins could run it on their own networks.

Re:Of course it was irresponsible

[0x0d0a]

Actually, the mainstream media has gotten in the habit of snagging feelings about things off major tech forums like Slashdot.

Code Red got *tons* of coverage, despite it not being all that interesting from a technical standpoint. Joe Public knew about it, even if he didn't know what it was (and didn't know that MS's products were the only ones at fault).

Re:Malicious?

[Da VinMan]

I doubt you were trying to be funny about this. All I can tell you is this: Go find the exploit code and try it. When you're done filling your pants, go find a Mozilla based browser you like and stick with that.

Yup, it's that bad. It's getting to the point where I only use IE for intranet applications. What's the point in being the best browser when it's not safe to use?!

Re:what is the stink about it....

[karlm]

My point is, the cracker community doesn't need bugtraq to even find these exploits.

Then it doesn't matter at all what Bugtraq does. However, you think this means they shouldn't publish exploits. Your logic is all backwards.

If it doesn't matter what BugTraq publishes, then BugTraq should publish exploits ported to as many programming languages and platforms as pssible, for educational enlightenment.

Hummmm

[inerte]

Showing people how to automatically format hard disks from a Web page isn't 'full disclosure,'" Smith said. "It is malicious code writing. To an outsider, Symantec's actions give the impression that they are encouraging people to create and release malicious code.

Yeah, and reading Mein Kampf will make me a nazi.

Reading about guns will make an assassin.

Reading Kama Sutra will make me a Don Juan.

Reading Juan Manuel Fangio's biography will make me a F1 racer.

But not reading any of these will make me dumb.

Difficult choice, isn't?

Re:Of course it was irresponsible

[theLOUDroom]

Can we knock it off with the god-damned terrorism analogies already?
Every fricking time someone posts an exploit somebody else has to drag Al-Qaeda into it.
Your analgy is retarded.
It's not even close to simlar. What would be similar is if the NYT posted a story about crappy security procedures at a military base that housed bombs.
What solution do you suggest? Should we just pretend tat the US is going to be the only country ever to have acces to nuclear devices? Is describing how a terroist state could build a nuclear device making it easier for the terrorists, or is it trying to get people like you to pull their heads out of their asses and realize something: That a security vulnerability exists and we should do something about it.

If someone is insecure we shouldn't be pretending that it is. That's what we'd been doing with airplanes. That's part of how 9/11 happend. If someone thinks that security of something has been breached, the have to let others know about it, so that it can actually get fixed. It's really idiotic to pretend that only one person could ever find a certain vulnerability. If one person knows about something,.chances are someone else has figured it out too. If I'm running that program on my machine I want to know about any security issues ASAP. I don't care if there is a fix yet, I want to know. If there's no patch, the decision should be mine, as to whether is want to leave an insecure system attached to the internet or unplug it until a patch is availible.
If a security problem exists, it exists. Keeping it quiet doesn't make it not exist. If there's a bug, your system is vulnerable whether you know it or not.

Think about it this way:
If you keep all security flaws secret (except from the vendor), you a relying on:

• The guy who discovers the flaw not to use it for fun/profit.
• The company to recognize and fix it in a timely manner.
• The silly assumption the the guy who found the flaw is the only person who ever could.

If you make them public you are relying on:

• Youself. You decide whether to use an insecure system or not.

I trust myself more than I trust any private company. I can make my own assessments about the likelihood of someone trying to exploit a given vulnerability, and decide what to do about it.

Re:Irresponsible?

[riptalon]

If Linux had an exploit that allowed someone to ssh into your box, su to root, then fsck your harddrive, and a patch wasn't released yet, would you be pissed off that bugtraq posted the code to exploit the bug?

No, I would imediately disable sshd (or if necessary disable networking entirely) and wait the short time necessary for a fix to become available. I would rather know that there is a exploitable bug in my system so I could immediately plug the hole (even if that ment losing some functionality) than not know and risk my system being cracked in the interim. This isn't about keeping infomation from the "crackers" (who if they really care will know already), it is about keeping information from the users, which is wrong. This is mainly motivated by proprietary software vendors who want maintain as much secrecy about their fuck-ups as possible, for obvious reasons.

Re:Of course it was irresponsible

[Mnemia]

I disagree. The script kiddy is the one who is a criminal, but the users who fail to maintain their machines are most definitely acting irresponsibly as well. No, it doesn't give a script kiddy the RIGHT to crack you if you don't patch your machine, but you're still stupid not to. People should use some common sense and try to protect themselves, if only so that they aren't a danger to others.

Your argument is like saying it's totally not my fault if I park my unlocked car with the keys in the ignition in a bad part of LA and someone steals it. Sure, that person was doing something wrong, but I'm still a moron to not take any precautions to avoid its theft. It's exactly the same thing here - yes, the script kiddies shoulder the majority of the blame, but if I'm not stupid I will try to protect myself since there is zero chance the script kiddies are going to go away.

In fact, people not maintaining their machines is even worse than this analogy because a cracked machine becomes a weapon against others. That's more akin to an airline failing to take any security precautions and then saying it's completely not their fault when someone hijacks their plane and flys it into a building.

Re:Of course it was irresponsible

[pjrc]

That's like saying, "the police in my town are lazy and aren't cracking down on crime. That's why we need to start committing crimes left and right and encouraging others to do the same until the cops are motivated enough."

It's much more like the local newspaper publishing the limited routes the cops actually patrol, thereby allowing crooks to rob the places that aren't adaquetely protected. Sure, criminals will read the paper and know where they can strike, but the idea is that everyone who lives or does business in such an area is venuerable will learn that they are at risk and put pressure one the cops to clean up their act. One of the biggest factors in making a value judgement in a case like that is what level of effort was made with the cops before widely publishing their weaknesses.

Remeber that Andreas Sandblad contacted Microsoft about this problem on Oct 4 (Wired didn't even read the bugtraq posting they reported). That's six weeks ago... even longer than the 1 month period that Microsoft has suggested is necessary from discovery to disclosure. He published only after Microsoft said they didn't think it was a bug. Since Microsoft essentially claimed it wasn't a problem, the announcement needed to prove otherwise to have any chance of success.

One more quote....

You do realize that it isn't the laziness of MS that *actually* does harm, but the fact that it allows malicious people to do bad things?

Are you suggesting that Microsoft's inaction and refusal to fix the problem when they first learned of it six weeks ago was not harmful?

You probably also believe the infamous exploding gas tanks on the Ford Pinto wasn't harmful, and the deaths and injuries were purely the fault of drivers hitting Pintos. Ford's "laziness" (cheaper to settle out of court with victims than the recall and improve the cars) when they knew of the problem and did not fix it probably wouldn't be an issue for you, would it?

Back to Microsoft... who didn't fix the problem when they learned of it 6 weeks ago... does their inaction ever become harmful in your world view? How about when systems are compromised on a small scale? What about when a virus/worm is released with the ability to exploit it? (and what if someone had made a big stink about it in the press and forced them to fix it before that virus/worm was written) It's all the faults of those hackers, and Microsoft's "laziness" (when they knew of the problem in advance) never receives any of the blame? Yet someone who attempts to force the issue with a high profile public announcement, only after first having made an attempt to get them to fix it, is somehow as guilty in your little world as the actual attachers and at the same time the vendor who refused to fix the problem with advanced notice is not to blame at all?

Re:Fight Fire with Fire

[fferreres]

In fact, it's very easy to rob a car, and the ones blamed are the thiefs, not Ford. Also, that's why you have insurance, I don't see Ford putting a lot of efforts in anti-theft technology.

With computers, it's a little different. You can't get insurance and the equivalent of "robbing a million cars in a day" is easy as writing a good worm. So Microsoft has to be more carefull, we are trusting our data and business to them, and they should show more caring for the customers.

We demand security, LESS features, ADDED security. At some point, people asked features, now they ask security. The ones asking for more features should know of that trade-off. They do not often link features with code harder to secure.

Re:Of course it was irresponsible

[ivan_13013]

...publicly stating there is a crucial problem is different than showing how to exploit it. I think giving very direct info on how to carry out said bug steps beyond the middle ground.

In that respect, it feels like the plan is to make MS's exploits do harm to people and ruin MS's reputation, so people will leave the platform...

Well, if they were to mysteriously state that there is a problem, without enough information to reproduce the flaw, you are not giving enough information for the people to protect themselves. (You can tell them what settings to lock down, or you can just tell them not to browse the web with IE, but that is not the same as letting them protect themselves)

The people responsible for keeping PCs secure want to get their hands on the exploit ASAP, so that they can try to put up barriers to stop this problem. If you keep the exploit secret so that they cannot TEST their work, they are just working blind!

I don't really think there is a "plan" like you describe. I think that BugTraq is just doing their duty by disseminating this information. Microsoft should have known at least two weeks ago, that they needed to patch this flaw which could affect millions of users of their products. Yet they still have not done so. By the time BugTraq posted it, most of the electronic intrusion experts throughout the world already knew about it.

-=Ivan

Re:He Gave Them a Month

[Wanker]

Here's an except from Sandblad's report (Nov 6):

(4) EXPLOIT:
============
The exploit uses a nonpatched "cross site/zone scripting" vulnerability published by Liu Die Yu 2002-10-01 to Bugtraq:
http://online.securityfocus.com/archive/1/293692
It could also be possible to use one of the many "cross site/zone scripting" vulnerabilities Greymagic found:
http://sec.greymagic.com/adv/gm012-ie/
Re cently I reported a new "cross site/zone scripting" vulnerability to Microsoft that could also be used. But since no patch is yet produced,
information about it will not be published.

I agree that the fundamental problem isn't that a "local" computer can do things like execute any arbitray command with arguments. (Well, to a point-- why a web browser needs to do this is another question.) However, these cross-zone exploits are so old and offer such a massive potential for misuse there's no excuse for waiting this long for a fix.

In short, yes, the right solution is exactly what Microsoft said. So do it!

Re:Of course it was irresponsible

[ichimunki]

Actually, the public's welfare was enhanced, because without a demonstration of how the Club doesn't work, this is just "Channel 5 says the Club sucks" vs. "The Club says the Club rocks". Now maybe the average consumer is willing to trust Channel 5 over every business they might report on, but personally I demand evidence when presented with an assertion as bold as "this device which is supposed to keep your car from getting stolen doesn't actually work at all".

Furthermore, there may be a good way to enhance the Club's effectiveness, but I wouldn't be able to figure that out if I didn't know what was wrong with it in the first place. BTW, turns out that many steering wheels are not that sturdy and a good saw will turn your Club into a useless piece of pipe in about 10 seconds. Knowing that the Club is useless saves me the cost of buying one and the time wasted putting it on the wheel and taking it off. Also, typically a good expose of this nature (and this is where the rubber meets the road) will at least provide tips for dealing with the situation now that we've debunked the false sense of security provided by various gadgets and doodads.

In this case, if there is no fix forthcoming, it's very good that I know about the vulnerability and have some evidence that it's real-- that gives me a solid reason to investigate an alternate browser (and maybe by looking at the exploit I can figure out what to have a proxy filter out, so that I can make my users safer without having to replace their browsers).

This is why Symantec acquired SecurityFocus

[Anonymous Coward]

As I suggested in the July thread on the acquisition topic, Symantec scooped up SecurityFocus as a means to put the brakes on the full disclosure movement.

This exploit is so severe it will no doubt cause the clueless masses to clamor in fear and demonize the full disclosure movement. It would not surprise me in the least if lobbyists for the likes of Microsoft leverage this news event to spin the next pro-Microsoft bill through the legislature.

By this time, the "top dogs" from the old SecurityFocus have no doubt been kerneled and firewalled by Symantec Jr. Exec's filtering their communication traffic both in and out, and managing their task lists. As soon as these guys realize their upcoming irrelevance in the brave new world that is now SecurityFocus, they will be presented with a choice: to a) burn through all the cash Symantec just handed them in litigation to regain control of the firm or b) pursue other interests, as long as none of those interests compete with Symantec, well at least for the next five years.

What a terrible brain drain for the security community.

I do not wish to minimize the efforts and contributions made by the founders of bugtraq...They were an essential catalyst to the full disclosure movement. Still, it is the community that brings life to the movement. IMO, it is time for the community to respond to this situation by establishing a new forum for full disclosure that is outside the influence of corporate interests.

I regret I have only my insight to contribute.

Not everywhere has decent net access

[Builder]

What about people who pay for net access? A lot of those people don't use the auto update because they are on slow connections and it is costing them a lot of money to be on the net.

A lot of people still pay per minute to be connected to the Internet and using the auto update tool over a 56K modem can take quite a few minutes. Plus, if you have to reload for any reason, you have to go through the whole process again. The autoupdate solution doesn't give you the files with instructions, so you have to run up the phone bill twice.

Re:Of course it was irresponsible

[Codifex Maximus]

Truly. The crackers already know so the posting of the exploit has no real negative effect. Better to let everybody know of the hole so they can be shocked into patching it.

If you look at the issue from the other side, you will see that the crackers would use the exploit and happily remain unseen. What you don't know *CAN* hurt you!

Re:Of course it was irresponsible

[Reziac]

After some thought, I concluded I'd rather have the exploit published in all its glory.

The script kiddies already have the info, and pass it around like wildfire, so it's not telling them anything they didn't already know. The newbies who join the fun because of a publicly-published howto won't amount to a drop in the bucket.

But having the code public does let me the user know what to look for, so if I see Suspicious Web Whatever, I can think to myself, "Self, that looks like Exploit X, tread with caution." And having a real example lets me check out what it looks like in the wild, so I can warn my clients to keep an eye out for it.

Re:Timlock puzzles

[braindead]

[publish the exploit within a timelock puzzle, give the key to the maintainer of the buggy software]

I don't grok why you'd want to do that. How is it better than sending the exploit to the maintainer and just announcing that you will make it public in a month or so? Isn't that the traditional procedure?

Are you afraid the publisher doesn't believe you'll make the exploit public?

Re:Of course it was irresponsible

[Blkdeath]

I don't see how this extended explanation helps the average person (those who are lock experts and hardcore burglars already know/know where to find out).

The general population has this habit of not believing things. There's an old addage that goes; "Tell a man there are a billion stars in the universe and he will believe you. Tell him a bench is covered in wet paint and he'll touch it." (Or something to that effect).

If I told people that I could disable their electronic car alarms, get around their club, hotwire their ignition switches and drive off with their car in under 2 minutes, they'd scoff. If I did it, they'd take note, and their false sense of security will quickly dissapear.

Likewise with computers; if you tell a person that the product they're using (web browser, web server, operating system, etc.) is insecure, they won't believe you. You could quote statistics, point to empirical evidence, and give them all the hard facts you could muster; but they'll scoff at you and retort "It's never happened to me, so I don't know what you're talking about." But if you go home and proceed to shuffle the files around on their hard drive and leave 'love letters' on their desktop they just might sit up and start paying attention.

I'm all for giving people practical lessons in their own ignorance. The more ignorant, and the more wilful and obtuse that ignorance, the more torture they should be put through.

In an ideal world people would take standard precautions with these extraordinarily powerful batches of silicon they're connecting to a T1-or-greater speed link with the potential to cause severe damage to any number of multi-billion dollar, multi-national computer systems (along with your average run of the mill corporation and home user machines) and/or trust in trained professionals to implement atleast rudimentary precautions for their computers (and home LANs), and perhaps (just perhaps!) take their advise with a little more than just a grain of salt. I've completely given up telling people that Outlook (Express) is an insecure P.O.S. because they just don't listen. Besides that, I've decided that I prefer a business where they keep coming in and occupying one of our benches at $35/hour while we eradicate their latest viral infection or backup any data we can recover before we format their drives and re-install Windows.

(For the record; for many of them, just one instance of being 'schooled' by malicious types doesn't always teach them. We have a lot of repeat customers in the virus / system recovery market)

Long story short; until you kick them in the pants, they just won't believe that it'll hurt.

Re:Of course it was irresponsible

[Fat Casper]

...it wasn't Ford's laziness that *causes* the explosions, it is just gross neglect that doesn't stop it from happening. I think publicly saying there is a problem like that is a good idea. Explaining how to exploit the problem and blow the tank up maliciously is exacerbating the problem and making *potential* harm into real harm.

Had I owned a Pinto, I would have been grateful to someone who told me under what circumstances my gas tank would explode. That would have been a more constructive announcement than a simple "Pintos blow up a lot."

To pull from other analogies here, "ACME rent-a-cops tend to sleep on the job" or "the police don't patrol the north end of town much" are similarly informative, accurate and constructive. The code was posted in the context of security, okay?

Spafford: general purpose machines are the problem

[Factomatic]

CERIAS' Gene Spafford [purdue.edu] says overpowered, complex, general purpose machines that can do way more than people need are a big part of the problem.

A lot of the attacks that we're seeing now are coming from systems that have been subverted, sometimes by automated agents -- worms, break-in toolkits, massive denial of service tools -- that are taking over home computers [and] small business computers, and are using those as platforms to launch attacks. That's a big threat because those systems are not run by people who really understand anything at all about security...

Read the rest of this interview [geartest.com] in which he discusses how increased, unnecesssary complexity combined with a lack of users' understanding of security vulnerabilities and issues, and manufacturers' lack of interest in building in security can make systems more vulnerable to attacks.

Re:Timlock puzzles

[Anonymous Coward]

Are you afraid the publisher doesn't believe you'll make the exploit public?

He's afraid the vendor will seek a court injunction to prohibit him from making the exploit public.