RE: [Full-Disclosure] Microsoft Coding / National Security Risk

From: joe (mvp_at_joeware.net)
Date: 03/24/04

    To: <full-disclosure@lists.netsys.com>
    Date: Wed, 24 Mar 2004 08:06:38 -0500
    
    

    I am definitely not happy with the length of time it took to release the ASN
    fix (It didn't take 9 months to produce, it took 9 months to release. I
    think it was something like 2-3 months for the fix to be created and then
    several more months, I would assume for comprehensive testing (due to all of
    the possible impact points), for the release). Two-three months may also seem
    a bit long but I don't personally know the complexity of the issue they were
    correcting and neither do you. They weren't correcting a single
    self-contained program like W3SVC or Apache or netdom, they were correcting
    functionality in a core component used widely across the OS.

    If the next slammer virus came through and started formatting hard drives, I
    would say the same thing I did when the last one came through and that would
    be "How come you weren't patched with a patch that had been out that long?".
    It doesn't matter how fast MS produces patches if admins and users aren't
    getting them applied. The issue isn't simply one of technology, it is also
    one of process. A vast number of people don't want automatic updates of
    their systems either because they don't trust the source or simply don't
    want their machines updating automatically but DON'T go back to do it in a
    controlled fashion. They wait until someone says they need to go do it. I
    don't let MS update my PC automatically but I do make it a point to go back
    and check every couple of days to see if something has been released and I
    watch several notification streams as well. Most people will not do this so
    they either need to go with some form of automatic updates or unplug.

    MS sent many many people through the code. People outside are going through
    the code. Again this isn't one program that one person could go through and
    have a strong handle of. I don't think 10 more people could add much if any
    value. Not sure 100 outside people could. If this were the case we wouldn't
    be finding old holes in other open source now, we would only be finding
    stuff in the newly released code. I would however like to think that MS is
    working on better automated scans of the code to find holes, that would be
    more value than trying to find 10 excellent security programmers. I am
    someone who has access to the current source and have walked through large
    sections of it, it isn't like the holes jump out and say "HI, here I am".
    Also the code I have had a chance to walk through in the last 8 months is
    pretty decent, I definitely am not going, oh my god oh my god. It seems more
    rigorous than the code I have walked through say for Samba however that is
    an objective opinion and am not going to enumerate items I think one does
    better than the other.

    BTW, how many zero day exploit based worms/viruses have been beating up on
    MS in the last year or two... Not being flip here.

      joe


    -----Original Message-----
    From: full-disclosure-admin@lists.netsys.com
    [mailto:full-disclosure-admin@lists.netsys.com] On Behalf Of Richard Hatch
    Sent: Wednesday, March 24, 2004 5:10 AM
    To: full-disclosure@lists.netsys.com
    Subject: [Full-Disclosure] Microsoft Coding / National Security Risk

    Hi all,

    Microsoft have stated that to make the source code for Windows publicly
    available would be a risk to National Security.
    Microsoft also took 9 months to produce a fix for the ASN.1 problem.

    As much as some people may regret it, Western civilisation runs on Microsoft
    software. Imagine the panic that would ensue if the next slammer worm
    infected 10 machines then formatted hard drives, or scrambled random parts
    of random files.
    This is not news, some old DOS viruses set file lengths to zero, rather than
    deleting files that could be recovered.

    So my idea is this:
    Take a team of really really good C/C++ coders with excellent security
    vulnerability knowledge and have them go through the source code for windows
    (starting with the core functionality and internet facing functionality
    maybe). Find these bugs (including methodical black-box testing against the
    binaries) and fix them.

    These people would be fully supported by Microsoft (including full access to
    all technical documentation, Microsoft technical advisors, etc), and backed
    by the NSA or other Government agency. Microsoft could impose whatever
    NDAs they want, but they should fund the bug hunt.
    Not only can they afford it, they created the problem code. Fresh insight
    into how Windows functions is required to identify the less obvious
    vulnerabilities.

    Microsoft Windows is not just another piece of software, it has become a
    fundamental part of businesses and governments.

    Oh, can anyone suggest a reason why disclosing the source to Windows would
    be a National Security risk, yet Microsoft is happy to provide the same
    source code to certain third-parties (I assume this means any company that
    has enough cash and signs the right paperwork).

    Folks, simply reacting to 0days just doesn't work.

    R. Hatch

    ---
    'The mirrors have grown vast and beautiful and very very *hungry*' 
    The views and comments expressed in this email are the personal views and
    opinions of the author and should in no way be considered an official
    statement/release of QinetiQ.
    Neither the author nor QinetiQ can be held liable for actions taken based on
    the information contained within this email.
    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
