I don't participate in a lot of discussions; but vulnerability disclosure is
a topic that pushes my buttons a little.
I am NO fan of MS, and I won't even go down this road; but I think one point
that doesn't seem to be discussed in these conversation is that a quick
disclosure on a vulnerability discovery can hurt a lot more than the product
vendor.
Virus writers, hackers, and the many others who delight in causing misery
and overtime to us involved in security get these reports as well and can
start formulating an attack based on the vulnerability sometimes even before
the vendor sees it.
This seems counter productive to the security side to give attackers a
window of opportunity while the vendor is confirming the vulnerability,
getting a patch, testing the patch and then getting it released. This seems
of little benefit to the security world.
Before everyone starts in on the fact that without pressure the vendors
would sit on their collective behinds about patching - I'm just suggesting
that a compromise could be in order. I know it would involve silly things
like cooperation between vendors and security specialists - but who knows
stranger things have happened.
If a vulnerability could be disclosed directly to the vendor and then have
them put on the clock for say 10 days or two weeks; it would give them time
to narrow the gap between public disclosure and a patch. This would in turn
give less of a window for the exploits to be manipulated, and make things
better for those of us trying to keep these things out of our networks.
Now I realize that there could already be those manipulating this
vulnerability or bug in silence, but it seems to be the lesser of a problem
than potentially thousands of crackers working to take advantage of the
problem.
Just my two cents as well.
-----Original Message-----
From: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
[mailto:sbradcpa@pacbell.net]
Sent: December 23, 2004 8:35 AM
To: ISNYC
Cc: focus-ms@securityfocus.com; 'Paul'
Subject: Re: Microsoft Vulnerabilities ARE being reported to Microsoft
Ever heard the expressed a bad/rushed patch can cause boxes to die?
Do you ever come out to web forums, newsgroups and what not and see the
impact of blaster, sasser, code red, etc? Help clean up after those messes?
For those eEye reported items... how do you know they are not working on
patches for those items? Patch testing takes TIME. Especially Internet
Explorer ones. I test patches before I roll them out and then look for
the "dead bodies" in the newsgroups when patches cause issues.
How about instead of "helping" Microsoft, how about you come on over to
patchmanagement.org listserver or the webforums and communities I hang
around and help patch and maintain networks, home systems, clean out
malware. You are adding more work for us to do out here. How about
helping Microsoft a little less... and helping computer users a little more?
All I'm saying is how about working with Microsoft...and give time for a
patch to be built on behalf of the folks that have no admin, no
knowledge, no clue to take alternative actions. My space is only aware
of windows update and if they are in the newsgroups, they might see my
posts about anything extra to get.
If you don't get communication back from them, ping me...they sure
respond to me on the secure@ alias when I forward stuff that I see on
listserves to them so I know there's someone checking that email.
Just my two cents.
ISNYC wrote:
Ohh. So you're the type to keep things in the closet.
Well.. I disagree.
He/Paul is complaining that MS is not responding to his bug reports.
(typical)
He/We are not attacking MS.
Were trying to help them, but they don't not want to help themselves.
There is countless 0days for MS that have been reported, without a
patch. (cough
** eeye ** cough)
So whats worse, you tell me?
1. Keep the bug in the closet, let a blackhat self discover it and
exploit it, And spread it in the private 0day world, and just let
blackhats hack away at the bug. Compromising thousands, possible
millions of pcs/server.
Or
2. Report the bug to the software vendor, then expose the bug on a full
disclosure list for everyone to read and see. Make it public. Then
users/admins can decide how to protect themselves and the compaines
they work for.
Ever hear the expression .. What you cant see Can Hurt you.
Take Care-
-----Original Message-----
From: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
[mailto:sbradcpa@pacbell.net]
Sent: Wednesday, December 22, 2004 4:26 PM
To: ISNYC
Cc: 'Paul'
Subject: Re: Microsoft Vulnerabilities ARE being reported to Microsoft
Let's not folks.
Do you folks have any idea of what impact you have on the world when
you
guys pull stuff like this? Forget hurting Microsoft... you hurt my
communities down here.
ISNYC wrote:
paul//
Do you really care what MS thinks?
My way of going around things....
1. Find the bug
2. Inform the software maker
3. Release the bug/vulnerability and a proof of concept(POC/exploit)
to a full disclosure list.
Paul... If you can compromise SP2, lets see it. Release a POC.
Take it from there.
Happy Holidays Everyone-
-----Original Message-----
From: Paul [mailto:paul@greyhats.cjb.net]
Sent: Monday, December 20, 2004 10:29 PM
To: focus-ms@securityfocus.com
Subject: Microsoft Vulnerabilities ARE being reported to Microsoft
If you came here looking for a vulnerability, you will be
dissapointed, because this is simply a message. Contrary to popular
opinion, I do disclose my vulnerabilities to Microsoft before release.
They do not resond to any of my emails so I assumed they either 1)
didn't care, or
2) were taking considerable action to patch these vulnerabilities. The
Microsoft statement that I do not disclose the vulnerabilities to them
is untrue and is probably just an attempt by Microsoft to make me look
bad because of their own incompetence. I will continue to work towards
a secure operating system because that is what we security
professionals strive to accomplish.
PS: Microsoft, I have found a way to compromise SP2 by writing a file
to anywhere on the victim's computer without user interaction. As
always, I will email you with the details of the vulnerability.
----------------------------------------------------------------------
-
----
-----------------------------------------------------------------------
----
----------------------------------------------------------------------
-
----
-----------------------------------------------------------------------
----
--
An open letter to the Security Community::
http://msmvps.com/bradley/archive/2004/12/12/23540.aspx
---------------------------------------------------------------------------
---------------------------------------------------------------------------
Please note that Internet email is not always private, secure or reliable.
The sender accepts no liability for any damages caused by any virus
inadvertently transmitted with this email. Any opinion expressed in this
email is solely that of the author, unless clearly indicated otherwise.
This email, and any attachments, may contain confidential and/or proprietary
information that is intended only for use by the addressee. If you are not
the intended recipient, any use, dissemination, forwarding, printing, or
copying of this email is strictly prohibited. If you received this email in
error, please delete the email and advise the sender of the delivery error.
---------------------------------------------------------------------------
---------------------------------------------------------------------------
