Re: [Full-disclosure] Compromising pictures of Microsoft Internet Explorer!
From: Matthew Murphy (mattmurphy@kc.rr.com)
Date: Sat Jul 16 2005 - 20:05:23 CDT
> I do not mean to flame you, but you are an irresponsible disgrace to
> the hacking community. Do you not care about the customer? You never
> publicly disclose details to a vulnerability of this magnitude. This
> is an image vulnerability, for crying out loud.
Sure you do. You disclose the details of the vulnerability when the
vendor has a proven history of non-responsiveness, and the damage that
the vendor is able to do by stalling the release is most likely greater
than the damage that will result from disclosure of several non-critical
flaws. AFAICT, IE 6.0 SV1 merely crashes when faced with these issues.
According to Microsoft, it's not a vulnerability at all unless there's
an attack vector enabling code execution.
Mr. Zalewski's statement about the undue burden that Microsoft's
investigative processes place on the researcher is indeed accurate. The
only time I've had any success working with Microsoft was when the issue
was a straightforward code execution scenario. Oh wait... even then,
I'm blown off.
> What's the first thing they tell you to do when most vulnerability
> details are released? Disable active scripting. That doesn't work
> here. What are the innocent, ignorant computer users going to do?
> Disable images? I think not. You should be ashamed.
The point you miss is that Mr. Zalewski's decision to publish the
details of this vulnerability ensures that AV/IDS signatures exist
for the portion of users who care to update them. Meanwhile, I can
afford to wait the six, twelve, eighteen, or twenty four months that
Redmond takes to patch IE issues. Or, maybe it will be a refreshingly
reduced timeline, only a month or two, since this is a supposedly
> I firmly believe that you are deceiving us when you say you had a hard
> time with secure@microsoft.com; in fact,
> I don't even think that you have ever once in your life reported a
> vulnerability to them responsibly. Otherwise, you would not have such
> harsh feelings about them. If the evil of the stereotypical Microsoft
> machine exists anywhere on the campus in Redmond, it will not be found
> in the building of MSRC, which is where your secure@microsoft.com
> emails are directed.
...and I firmly believe that you have never had the experience of
attempting to triage a vulnerability that was anything less than
critical through Microsoft. If you have, as I have, you'll understand,
as I do, that it's possibly the closest thing to hell you'll go through
in your research work. The "evil of the stereotypical Microsoft
machine" isn't as much an evil as an ineptitude. Microsoft's current
processes have huge problems with efficiency, quality, and effectiveness
that have few parallels in the industry, and it isn't for lack of
resources. And aside from that, they require the researcher to provide
a full, complete assessment of impact. That's not feasible for a great
number of us, who are, after all, nothing more than volunteers.
I'm a college student with a laptop and a few reverse engineering
tools. If an issue is discovered that appears to permit some degree of
compromise of a customer's PC, I _should_ be able to count on the MSRC
to investigate the issue sufficiently to prove that damage is
sufficiently unlikely/impossible. Instead, the inverse is true, with
MSRC counting on me (the volunteer) to do the hours of research to prove
that a vulnerability exists. And if the impact is anything less than
remote code execution, prepare for at best a lengthy debate, at worst
your report being swept under the rug with a maintenance release that
never actually happens.
The response (in a few fewer words) that many researchers have to these
conditions is "F--- it!". And, in my experience, it's certainly
justified. Why am I volunteering my time to one of the world's largest
corporations, when they don't care enough about their customers to give
fairly obvious security issues their due diligence? After all, I don't
have their code.
Particularly given Redmond's tendency to take eternities to solve bugs
that are "responsibly disclosed" to it, I'm thankful that the action was
taken as it was, and not as you wish, for my "safety and protection".
If nothing else, Michal's report is further confirmation that Internet
Explorer is one of the modern world's greatest programming disasters,
and should be avoided at all costs, if you are a sysadmin intent on
keeping your systems safe.
> Come on man. I know you have talent. You are a good researcher of
> computer security. But if your talent is going to be wasted like this,
> you are nothing more to us than a script kiddie.
Sorry, but you have about as much claim to speak for "us" as this e-mail
speaks for you. Now, at least my AV/IPS systems can attempt to block
this attack. Sure beats sitting waiting, uninformed, while Redmond
deliberates over its delivery mechanism and release schedule. Also,
vulnerability information such as this has helped me make another
important decision: to quit using IE altogether. Until Internet
Explorer's code undergoes a significant paradigm shift from a system
component back to its proper place in network design as a user
application, and until Microsoft's security processes undergo
significant reform in the areas of quality, rapid response, and
researcher-developer collaboration, issues like this will keep coming up.
And, if Michal was so wrong, we should soon be asking ourselves the
question... where's the patch? After all, if Microsoft doesn't witness
active exploitation of the issue, the soonest patch we can hope for is
in the monthly cycle; that seems to be crucial in the effort to prevent
Redmond's patches from turning systems into electrically-powered boat
"Responsible disclosure" is only responsible if both sides act in that
fashion. Microsoft seems to rarely do so unless faced with a
significant peril if it does otherwise. As such, a decision by Michal
to report the issue privately to Redmond, while it takes its sweet time,
seems equally irresponsible.
I'm a firm believer in responsible handling of vulnerability
information. But I'm also a firm believer in holding people accountable
for their mistakes. Mistakes happen, but vendors have an obligation to
correct them. Microsoft has not corrected the fundamental failures of
its issue handling processes to date (as my recent experiences show),
and as such, I feel that there is no obligation (moral, ethical,
professional, or otherwise) to them on anyone's part.
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/