Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
×
Microsoft Security IT

Honeymonkeys Discover Undisclosed Vulnerability 140

spafbnerf writes "Securityfocus is running an article on Microsoft's honeymonkey project, previously covered on Slashdot. In early July 2005, this project discovered its first exploit for a vulnerability that had not been publicly disclosed, the JView profiler vulnerability which Microsoft announced later that month. "
This discussion has been archived. No new comments can be posted.

Honeymonkeys Discover Undisclosed Vulnerability

Comments Filter:
  • by mrRay720 ( 874710 ) on Friday August 12, 2005 @07:45AM (#13302818)
    I have no idea what Honeymonkey is, what Windows is, or even who Microsoft are.

    BUT....Damn "Honeymonkey" is such a cool codename. I'm going to name my firstborn after it!
    • by elrous0 ( 869638 ) on Friday August 12, 2005 @08:29AM (#13303150)
      Damn "Honeymonkey" is such a cool codename.

      At last, my search for a new nickname for my penis is over.

      -Eric

    • Honeymonkey (Score:3, Insightful)

      by amcdiarmid ( 856796 )
      I assume that they are combining web-monkey with Honeypot. (not that they are somking anything.)

      Seriously, MS has set up a bunch of machines that actively surf the web trolling for vulnerabilities. I guess it's the "If we can't code securely, at least we can find the holes to plug." theory. Considering IE, it's not a bad idea.

      It would be nice if they shared the exploits with everyone, at least once a patch exists, though.

      OK, good job Microsoft: Now if you could implement a "least privileges" model by defau
      • Seriously, MS has set up a bunch of machines that actively surf the web trolling for vulnerabilities. I guess it's the "If we can't code securely, at least we can find the holes to plug." theory. Considering IE, it's not a bad idea.

        I'd have called them canaries.

        In the 19th Century, when miners went down a pit, they'd lower a canary down first in a little cage, and if the atmosphere was noxious, as it frequently was, guess what the canary did. It died!

        The canary's job was to go into the most dangerous, unple

        • Yeah, but using sheep for mine detectors is much more fun than a bird in a cage.

            If the bird dies, you get nothing.

            If the sheep dies, you get a new pair of Napoleon Dynamite sheepskin boots!

          I bet the guys back then were hunkered down, saying, "come on...just a little further...sniff it out buddy...that's right", meanwhile they were placing bets on how far the sheep would go. It sounds like a fun win-win situation!
      • "OK, good job Microsoft: Now if you could implement a "least privileges" model by default...."

        Windows Vista. It's called "User Account Protection".

  • by jtcedinburgh ( 626412 ) on Friday August 12, 2005 @07:46AM (#13302825)
    Aha, the new MS OS development team has been revealed: an infinite number of honeymonkeys at an infinite number of typewriters...

    Explains a lot...
  • by mikeophile ( 647318 ) on Friday August 12, 2005 @07:46AM (#13302827)
    Microsoft has identified 752 specific addresses owned by 287 Web sites that contain programs able to install themselves on a completely unpatched Windows XP system.

    I don't think I have a stronger word than DUH!
    • There's less of a "Duh" if it's an unpatched edition of XP with SP2. The wonders of Windows Firewall are supposed to portect you from nasties outside your box...
    • Located HERE - PDF WARNING [microsoft.com]..

      The approach we took was to collect an initial list of 5000+ potentially malicious URLs by doing a Web search for Windows "hosts" files [HF] that are used to block advertisements and bad sites, and lists of known-bad Web sites that host some of the most malicious spyware programs

      Kinda like testing condoms with hookers.. only your condom is made by MS...

  • Don't you want people to find and fix the vulnerabilities in the OS before it goes public? Or will this just turn into another Slashdot anti-MS circle jerk?
    • by Anonymous Coward
      So what they did, was perhaps not in your best interest.
    • by Anonymous Coward
      Is it a good thing that this vulnerability was found? Yup, positively!

      But as the HM project detected this vulnerability because it was being actively exploited by the bad-guys, *and* this vuln. was previously unknown, this is in fact a zero-day exploit.

      These are bad things in anybodies OS.
    • by shotfeel ( 235240 ) on Friday August 12, 2005 @08:29AM (#13303147)
      Now if they'd go one step farther and compile a database of sites that "attacked" and allowed access to it for use as a blacklist. We've got spiders walking all over the net compiling all kinds of databases, I'm surprised nobody's done one like that before.
      • I doubt they'd want to do this. As explained in the article, some of these sites seem to be "on the inside" - when a zero day vulnerability was found by one, it was shared with the others. This suggests they are part of one community (messageboard/mailing list/IRC room/Usenet group).

        By not telling the blackhats that they've been found out, Microsoft gains the ability to spy on their activities. This means the next time one of them finds a zero day vulnerability, Microsoft will know about it within hours w
      • They haven't, but others have [mvps.org], more or less. That's my personal favorite /etc/hosts file (works on Win, Mac, & Lin) but there are many others [google.com] to choose from.
      • Since users can't be depended on to keep their systems updated, there is a simple fix. MS could just have HM keep an updated list of malicious sites. Then IE could periodically download the list and block you from visiting them. This would prevent people from accidentally downloading viruses, spyware or Linux onto their machine.
      • Now if they'd go one step farther and compile a database of sites that "attacked" and allowed access to it for use as a blacklist. We've got spiders walking all over the net compiling all kinds of databases, I'm surprised nobody's done one like that before.

        Actually they (MS) searched the net, found what other people were using as their hosts file and then visited those sites. So this is actually the opposite of what you are suggesting. MS is using other people's host files to find out what they considered

    • Well, yes. I do wish them to find and fix the vulnerabilities of the OS before it goes public.

      That would avoid having vulnerabilities in the wild, such as the one refered to in the article, before the authors of the OS are aware of it.

      I want the Good Guys to find them first.

      KFG
  • by mikeophile ( 647318 ) on Friday August 12, 2005 @07:56AM (#13302906)
    The researchers determine whether each monkey's system has been compromised by using another ongoing project, the Strider Flight Data Recorder, which detects changes to system files and registries.

    Why not build a virtual machine into the browser itself?

    Sort of a special purpose virtual machine that has
    just enough of an OS to run the browser.

    If Microsoft refuses to remove IE from Windows, at least IE could be isolated from the rest of the operating system.
    • by johnjaydk ( 584895 ) on Friday August 12, 2005 @08:09AM (#13302998)
      Why not build a virtual machine into the browser itself? Sort of a special purpose virtual machine that has just enough of an OS to run the browser.

      You mean like Java ?

      MS has already killed that idea because it commoditized the desktop and broke their API lock-in.

    • Ah yes, pointless and idiotic redundency which only increases the size of code base, and thus possible bugs and exploits, all to fix a self induced problem which can be cured by reducing the amount of code.

      This is the sort of engineering "paradigm" that results in so much of our software being so fucked up.

      KFG
    • Why not build a virtual machine into the browser itself?
      Sort of a special purpose virtual machine that has
      just enough of an OS to run the browser.


      Because that's exactly the problem. IE is only that vulnerable beacuse it is integrated with every single feature of the operating system. So, to build a VM to support the browser would be to build the whole OS into it.
    • You either want an application layer firewall or a chroot jail for IE.

      Good news is, they have application layer firewalls... dunno about chroot on a windows core service.
    • IE7 will have a broker process that will control access to the outside system. IE won't be able to do much by yourself. I guess Microsoft already thought of that, a few years too late, though.
    • IE 7 in Vista can supposedly run in a "self-lock-down" mode that denies itself a lot of access, even more than a normal "limited user account". It's been mentioned in ieblog, just google it.
  • Is it me... (Score:3, Interesting)

    by OwlWhacker ( 758974 ) on Friday August 12, 2005 @08:08AM (#13302988) Journal
    or are Microsoft's buzzwords getting way too 'weird'?

    Obviously Microsoft copied the idea from the aptly named Honeypot [wikipedia.org].

    Honeypot makes sense.

    Why ever would anybody in their right mind come up with something as lame as 'Honeymonkey'?

    Is it because Microsoft is 'getting old'? It's like the old guy saying "In my day, we used to say 'Whizzo!' when something was really neat", and the teenager laughs, and comments that it doesn't sound half as good as 'cool'.
    • Re:Is it me... (Score:4, Insightful)

      by shotfeel ( 235240 ) on Friday August 12, 2005 @08:25AM (#13303116)
      If you read TFA, they explain it. Yes, they based the name on honeypot, but a honeypot just sits there waiting to be attacked.

      A honeymonkey goes swinging around the net looking for someone to attack it.

      Now if MS would compile a database of offending sites and allow me to use it as a blacklist for my browser, that'd be even better. Unfortunately they'd probably only make it available for IE.
      • Oh, so a honeymonkey goes swinging around does it? You say that almost as if it's normal for honeymonkeys to swing around.

        I can't imagine that there is any real attraction, seeing a monkey swinging through the trees, whereby people would line up to attack it. And how does it mix with honey?

        I suppose that if you dunk the monkey in honey then some people may want to grab it and suck it - only if they're ravenous, I would have thought.
      • So they took a perfectly good metaphor and blended it into nonsense. Yep.
      • Ok, here's how I see it:

        A honeypot sits there waiting for something/someone to attack it.

        A spider or bot runs around the 'net gathering stuff: Pages for search engine databases, email addresses to spam, whatever.

        So honeyspider or honeybot would have made a lot more sense than honeymonkey. WTF does a monkey have to do with the Internet? Other than "Punch the f@#$^%ing monkey to get absolutely jack shit."
      • Now if MS would compile a database of offending sites and allow me to use it as a blacklist for my browser, that'd be even better. Unfortunately they'd probably only make it available for IE.

        Which makes sense, as the large majority of the exploits only work on IE anyway.
      • "Now if MS would compile a database of offending sites and allow me to use it as a blacklist for my browser, that'd be even better. Unfortunately they'd probably only make it available for IE."

        Actually, what they would do is make it an active X control that silently overwrites your host file.

        I keed, I keed
  • Oh for pete's sake (Score:4, Insightful)

    by Hyksos ( 595814 ) on Friday August 12, 2005 @08:09AM (#13303003)
    Breaking news: Microsoft has found a security hole all by itself :P
  • Coincidence? (Score:3, Interesting)

    by Jump ( 135604 ) on Friday August 12, 2005 @08:10AM (#13303007)
    It strikes me odd, that this important security patch arrived *after* the genuine advantage update. After the genuine advantage update all our windows computers stopped making automatic updates and therefore the genuine advantage was not patched as quickly as possible. Manual interaction was required to accept the 'genuine advantage' update. I wonder how many users out there stopped watching their automatic update function to work correctly. What is the advantage of having automatic updates if you have to monitor them? What is advantage is meant in 'genuine advantage'? And why do they now publish this information, when many people out there will not have applied the patch simply because they believe they still have automatic updates running?
    • Re:Coincidence? (Score:3, Informative)

      by sriram_2001 ( 670877 )
      Genuine advantage is required only for non-security related updates. Security updates will keep streaming to your computer irrespective of Windows Genuine Advantage
      • Re:Coincidence? (Score:2, Informative)

        by Jump ( 135604 )
        Hi, at least with Windows XP it did not!
        And it has a valid license. Automatic updates
        worked until that 'genuine advantage' thing, when
        I had to run it manually (to install the new update wizard). Only after that the genuine advantage installed and only after that
        security updates have been installed.
  • "The honeymonkey client goes (to malicious Web sites) and gets exploited rather than waiting to get attacked,".

    This is just CmdrTaco's way of giving some credit to MS for actually showing some initiative...
  • From what I can tell is that Honey, is how they pay the one thousand monkeys working for one thousand years to create their operating system. Well I for one welcome our new Ape Overlords.
  • I guess this puts one more hole in the "security researchers should keep security holes to themselves" coffin. Obviously there's some fairly smart people out there in the black-hat community - if there's a flaw such as the recent issue with Cisco routers, they're gonna discover it eventually.
  • Nice'n'crunchy.
  • by arootbeer ( 808234 ) on Friday August 12, 2005 @08:41AM (#13303243)
    So Microsoft has a room full of computers that do nothing but automatically surf the "questionable" parts of the web? Anybody wanna guess how many hours a day that room is packed with employees just sitting in front of a computer "doing nothing"?
    • Actually, they aren't "computers" in the sense you describe. They're actually virtual machines running inside 1U rack mounted servers.

      And they don't have monitors. So, if you're sitting in front of them doing "nothing", then you're just watching the lights on the panel blinkulate and flashify.
      • And they don't have monitors. So, if you're sitting in front of them doing "nothing", then you're just watching the lights on the panel blinkulate and flashify.

        All I see now is blonde, brunette, redhead....
      • And they don't have monitors. So, if you're sitting in front of them doing "nothing", then you're just watching the lights on the panel blinkulate and flashify.
        ...

        I need to go back to sleep, I completely misread that as "flatulate".
  • I can't believe that people are lapping this up.

    The so-called vulnerability that Microsoft claim to have found a 0-day for in the second week of July was actually discovered by SEC-Consult, and first published [sec-consult.com] on June 29, having discovered it, and notified Microsoft on June 17. There was effectively nil response from Microsoft (they claimed to have not been able to reproduce the issue...).

    While many people believe that the sample object used, the javaprxy.dll, was the flaw itself, the first paragraph of the advisory (the background) indicates that it is a COM level issue, and they identified at least 20 vulnerable objects on a standard XP installation.

    It was this issue that Microsoft ignored until the recent Black Tuesday updates, and then claimed ownership of via the honey monkey project.

    Sorry, guys, you can't claim something that has already been published openly, and ignored when notified.

    • by Amoeba ( 55277 ) on Friday August 12, 2005 @09:19AM (#13303579)
      Sorry, guys, you can't claim something that has already been published openly, and ignored when notified.

      If you read the SecurityFocus article you'll notice that MS is claiming they found the first 0-day exploit for this vulnerability *in the wild*. You are absolutely correct that a proof of vuln was published by SEC-Consult. However, no known exploit yet existed to take advantage of the vuln. And the SEC-Consulting page does note that MS was finally able to reproduce the problem.

      You and I both know that it's a matter of semantics and the MS PR machine is in full effect here in the way this announcement was worded. However, that doesn't negate the interesting aspects of the honeymonkey approach. By actively trolling the net for "in the wild" exploits and vulnerabilities they're increasing the chances of finding and (hopefully) addressing security issues in a proactive manner.

      Despite the fact that MS is indirectly responsible for my paycheck from my day job, I've never viewed them as a particularly security-focused company and I'll be the first to admit their track record blows goats. But the honeymonkey project is a step in the right direction and could be a useful approach for other OS's and security-minded orgs [1]. It's a neat concept and I'm frankly surprised it's MS doing it.

      [1] I'm currently the moderator for SecurityFocus' penetration testing mail list. I don't get to see as much discussion of these types of things as say, the vuln-dev list, but it would be great discussion material to see if a similar approach could be utilized for pen-testing.

      • I do not deny that the Honeymonkey project is useful, and will be in the future (although the figures listed for number of sites with malware seems low).

        Because there was a lot of contrary reporting and postings which appeared around the start of July, it is difficult to sort the wheat from the chaff in order to obtain accurate information, but I do remember reading that proof of concept code definitely existed, and was published, at the start of July, with one example being reported on the ISC Diary [sans.org]. I a

  • by dhasenan ( 758719 ) on Friday August 12, 2005 @08:42AM (#13303252)
    Even a monkey can find a flaw in Windows.
  • Security Risk (Score:3, Insightful)

    by CSHARP123 ( 904951 ) on Friday August 12, 2005 @08:44AM (#13303268)
    This is good. This should have been done by MS a long time ago and this should be an ongoing process. Everyone knows no OS is bullet proof on security terms. Better late than never.
  • bwahahaha (Score:2, Funny)

    by Anonymous Coward
    Honeymonkey? That's almost as bad as "Microsoft Certified Systems Engineer". Probably just as worthless too.
  • by hagrin ( 896731 ) on Friday August 12, 2005 @09:15AM (#13303549) Homepage Journal
    ... are reader responses to an article like this. Some people just refuse to see the trees I guess.

    If an indepedent, third party security company were performing these web site audits, the company wouldn't be admonished, but readers would still attack the "unfinished product" which was Windows XP unpatched. However, how can you fault a company that is trying to correct tens of years of security ignorance with new pro-active efforts?

    MSFT is basically performing external penetration testing of their software while security teams are writing vulnerability scanners and focusing on individual aspects of an application's design. In fact, one could argue that this is one of the more effective ways of performing security testing since exploits in the wild can exist in the wild for months before any security company diagnoses the vulnerability and this method will identify areas of the Internet that seem to disseminate these exploits between web sites.

    If you want to comment on the lack of security focus in the past, definitely. Are they playing a major game of catch up? Definitely. Should IE be so tightly meshed with the OS? Of course not. But can some of you just grow up and get past the MSFT bias and stop doing childish crap like making fun of the "honeymonkey" term or accusing workers of just sitting in the room not doing anything?
    • It would be, but they seem to be using data that was provided by other parties as to what sites have "malicious" self-install-while-i-look-at-the-site-even-though- my-box-is-patched.
      If they were doing actual research/work on these issues there would be a larger list of sites...
  • zero day exploit?! (Score:3, Insightful)

    by jurv!s ( 688306 ) on Friday August 12, 2005 @09:32AM (#13303702) Journal
    Microsoft's "monkeys" find first zero-day exploit

    How can you call it a zero-day exploit with a straight face when you found it in the wild??

  • Why do they need a whole own setup for this? Should think analyzing what must be constant attacks on their own servers would give plenty of clue of what's going on.

    Perhaps more extensive research into own source-code and a rethink of the security model in Windows would have yielded better results, blocking these attacks at the doorstep. After all, a more secure Windows would put these attackers out of business faster and more efficient, and be far easier to manage than such a hunt on the net where the att

    • rethink of the security model in Windows

      Please, enlighten me, what's wrong with the Windows security model?

      It's largely based on VMS, and uses Access Control Lists to secure many types of system resources, and it's got an excellent LDAP-based directory system for managing resources across machines and organizations (Active Directory), as well as the ability to delegate control over these resources on a fine grained level. It's got a great single-sign on domain model that allows users to access resource acro
  • Regardless what you think about Microsoft, what they are doing is a good thing and something the Linux communit should consider.

    Install a the newest beta of your distro of choice on whatever old hardware you have laying around and join it to a distributed network. Someone put together a list of "questionable sites". Monitor the file systems with tripwire or AIDE or something similar. Post the logs and such to the distributed network for review.

  • New Cert (Score:3, Funny)

    by Stanistani ( 808333 ) on Friday August 12, 2005 @10:45AM (#13304345) Homepage Journal
    How many courses would I have to take to become a
      Microsoft Certified HoneyMonkey
  • Wouldn't these sites eventually get smart enough to know the honeymonkey IP's and block them?
  • Wha? (Score:3, Insightful)

    by identity0 ( 77976 ) on Friday August 12, 2005 @01:15PM (#13305773) Journal
    In his book "In the beginning was the command line", Neal Stephenson wrote that some newspaper articles would be indecipherable to someone who had lived in a cave for the past 50 years, because it talks about "software", "operating systems", and "windows vs. apples".

    Now I am trying to figure out what someone who has lived in a cave since the Eisenhower era would make of this headline, "Honeymonkeys Discover Undisclosed Vulnerability".

    "Honey... monkey? Vulnerability? Undisclosed? uuuuh?" *HEAD EXPLODES*

    (Full text of In the Beginning... is on Stephenson's site [cryptonomicon.com])
  • Not published in the article is that the honeymonkeys were duped into revealing credit card numbers, costing Micro$oft hundreds of thousands of dollars.
  • Did anyone else see the dup article about honeymonkeys from CmdrTaco that was here around 5:15pm eastern time? I guess he just deleted it to prevent humiliation.

    I made a post there [slashdot.org] but it seems to be lost at this point.
  • if i RTFA correctly, their honeymonkeynet found a new 0day that was previously unknown? a vulnerability that has been out there for who knows how long and has been used to exploit an unknown # of surfers? i do recall a while back some MS spokesperson saying something about how patching is bad because their patches are reverse engineered into exploits and how if MS didnt release patches, then no one would be able to write exploits... i guess that argument has been thrown out the window (again).

If you have a procedure with 10 parameters, you probably missed some.

Working...