Date: Wed Jan 18 20:39:05 2006
From: jasonc at science.org (Jason Coombs)
Subject: Re: Security Bug in MSVC

Dave Korn wrote:
>>Nice thinking, Donnie. This must be the "new class of vulnerability"
>>that was hinted at by Microserfs a few months ago... The attacks are
>>launched by way of source code distributions rather than binary code.

>   Why is this a terrible insecure microsoftism, when GNU make does exactly 
> the same?

Just after Donnie reported this issue to Microsoft (September) we 
started seeing Microserfs suggest that their security team was working 
on a never-before-encountered novel class of vulnerability, and the 
implication was that Microsoft's security competency had finally 
surpassed both the black hats and all other white hat groups -- since it 
would be politically valuable for Microsoft to be able to claim that 
sharing source code is an unsafe behavior, and since there have been no 
other vulnerabilities disclosed since that time which might have 
appeared to Microsoft to be entirely new and far-reaching, I suspect 
that this disclosure prompted those previous statements about work being 
done by Microsoft.

How many other attacks can you point to where Microsoft's development 
tools are exploited to specifically target the unwary programmer who 
still thinks it's perfectly safe to download arbitrary data from an 
untrusted source and then open it in a text editor? My guess is that 
Donnie got Microsoft thinking about this very risk, and they started 
talking internally about it being an entirely new class of 
vulnerability. Yes, if my supposition is correct it would be quite 
pathetic and give us another reason to laugh at Microsoft; but you can 
probably see how much benefit Microsoft is going to be able to milk out 
of this and related attacks that exploit bugs in programmers' tools that 
are launched by the simple act of opening or attempting to compile a 
source code distribution.

Source code is just as dangerous as binary code. Clearly, the only way 
to be safe is to rely on Microsoft's programmers to create and 
digitally-sign software for us. Go Microsoft. Yeah!

Regards,

Jason Coombs
