lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
From: lcamtuf at ghettot.org (Michal Zalewski)
Subject: New MyDoom exploiting IFRAME

On Tue, 9 Nov 2004, n3td3v wrote:

> The worst problem with this is microsoft have not announced a patch
> for the exploit which the virii exploits, so this is wild in every
> description of the word "wild".

I never had strong feelings about Microsoft; I took their side on several
occassions. Weren't it for my favorable view of their HTML parser, the
IFRAME overflow would be likely not discovered by ned two weeks ago.

Now, the way they handled this flaw makes me want turn into a rabid
Microsoft basher. That's something.

The problem is known for over two weeks. It was, from the very beginning,
obvious how bad it can get. The vendor knew from day zero. An exploit was
released. Then a worm. With variants. And yet, the patch is STILL not even
planned for Thursday hotfix roundup. There are business customers that are
probably starting to feel uneasy about this.

Rather than releasing a patch, Microsoft so far had only initially denied
knowing of an exploit (which was a lie, regardless of what it origins were
- I myself sent it to SRC and got a confirmation from a live person). They
also criticized the discoverer for "irresponsible handling" of the flaw -
which couldn't be farther from truth, if you followed the story.

It is reasonable to expect that after CNN and other major news outlet ran
a story about the problem, they do feel a considerable pressure from big
customers - and yet, they fail to act. This would suggest that their
security response capabilities are *very* inadequate at best - they should
have the resources to fix an extremely critical problem like this by now,
regardless of how much QA is needed on a patch.

I suppose that either all the MSIE coders took a sick leave, or that this
is how SRC works. Perhaps Microsoft had taught the world to release
responsibly - that is, give them three to six months, sometimes more, to
prepare fixes and argue over the impact of an issue - getting to a point
where the evidence of their terribly inadequate handling of security
problems does not see the daylight, or is even turned into a PR advantage.

Do customers really benefit from a situation where "responsible
disclosure" and OIS policies are used to save money by making it easy to
under-fund or under-staff security programs, because in most cases it is
possible to convince security researchers to give vendors up to or over
six months to fix a problem? Doubtly so, because a frail balance is easily
destroyed by an accident such as this one - where no malicious intent came
into play, really.

-- 
------------------------- bash$ :(){ :|:&};: --
 Michal Zalewski * [http://lcamtuf.coredump.cx]
    Did you know that clones never use mirrors?
--------------------------- 2004-11-10 01:01 --

   http://lcamtuf.coredump.cx/photo/current/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ