[Full-disclosure] Re: Re: Security Bug in MSVC




Jason Coombs wrote in news:43CEA75C.5080009@xxxxxxxxxxx
> Dave Korn wrote:
>>> Nice thinking, Donnie. This must be the "new class of vulnerability"
>>> that was hinted at by Microserfs a few months ago... The attacks are
>>> launched by way of source code distributions rather than binary code.
>
>> Why is this a terrible insecure microsoftism, when GNU make does
>> exactly the same?
>
> Just after Donnie reported this issue to Microsoft (September) we
> started seeing Microserfs suggest that their security team was working
> on a never-before-encountered novel class of vulnerability,

And for some reason you assume that this was the often-before-encountered
and non-novel vulnerability that you had just reported, rather than any of
the presumably million-and-one vulnerabilities of varying levels of
seriousness or insignificance that they are routinely having reported and
dealing with?

>-- since it
> would be politically valuable for Microsoft to be able to claim that
> sharing source code is an unsafe behavior, and since there have been no
> other vulnerabilities disclosed since that time which might have
> appeared to Microsoft to be entirely new and far-reaching, I suspect
> that this disclosure prompted those previous statements about work being
> done by Microsoft.

Well, that's a massive assumption. For a start, there's nothing new about
it - remember the trojaned configure scripts? For a continuance, maybe
they're just still working on this whatever-it-is?

>and the
> implication was that Microsoft's security competency had finally
> surpassed both the black hats and all other white hat groups

Heh. Any possible reputation M$ might have been hoping to acquire for
"security competency" has been *utterly* blown out of the water by the WMF
bug. After all, they had this big refocusing, after slammer, and audited
all their code and started putting security first and foremost, remember?
Heh, yeh, sure they did. It's a stunning indictment of the worth of M$'s
code audit that they had this accept-a-pointer-to-code-from-a-file design
flaw right out there in the open beneath their noses and they didn't even
see what was in front of them.

Presumably the rest of their audit can be assumed to have been equally
thorough!

> How many other attacks can you point to where Microsoft's development
> tools are exploited to specifically target the unwary programmer who
> still thinks it's perfectly safe to download arbitrary data from an
> untrusted source and then open it in a text editor?

Umm, perhaps if you think that Dev Studio is a "text editor", that would
explain your misunderstandings.

My question to you is, what kind of programmer doesn't know that building
code involves running all sorts of arbitrary executables with arbitrary
data?

And in any case, opening the data in dev studio *is* entirely safe. The
batch commands aren't executed unless you choose the relevant menu commands
or f-key to build the project.

Of course, you know perfectly well that it's safe to simply _open_ the
file, and you know perfectly well that DevStudio is FAR more than "a text
editor", so I must assume the above paragraph to have been dishonest
rhetoric/polemic rather than a serious line of argument.

> My guess is that
> Donnie got Microsoft thinking about this very risk, and they started
> talking internally about it being an entirely new class of
> vulnerability. Yes, if my supposition is correct it would be quite
> pathetic and give us another reason to laugh at Microsoft; but you can
> probably see how much benefit Microsoft is going to be able to milk out
> of this and related attacks that exploit bugs in programmers' tools that
> are launched by the simple act of opening or attempting to compile a
> source code distribution.

Well, you can't run *anything* with arbitrary data and expect to be safe.

Except, of course, a plain, no-features-no-frills ASCII text editor.

> Source code is just as dangerous as binary code.

Absolutely.

> Clearly, the only way
> to be safe is to rely on Microsoft's programmers to create and
> digitally-sign software for us. Go Microsoft. Yeah!

Well, I suppose it's conceivable that M$ are attempting a massive FUD over
nothing, but I think they'd want at least a *bit* more substance to back up
the pure hype...


cheers,
DaveK
--
Can't think of a witty .sigline today....



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
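
Added example (not part of the post above or of the original thread): the reply's point that a project's batch commands run only when it is built means they can be listed beforehand by parsing the project file without building it. The thread does not name a file format; this sketch assumes a Visual Studio .vcproj (XML) project, and the sample project is constructed.

```python
import xml.etree.ElementTree as ET

# Assumption: .vcproj (Visual Studio 2002-2008) format. These Tool elements carry
# a CommandLine attribute that is run by the command interpreter during a build.
COMMAND_TOOLS = {"VCPreBuildEventTool", "VCPreLinkEventTool",
                 "VCPostBuildEventTool", "VCCustomBuildTool"}

# Constructed sample project, not taken from the thread.
SAMPLE_VCPROJ = """<VisualStudioProject ProjectType="Visual C++" Name="demo">
  <Configurations>
    <Configuration Name="Debug|Win32">
      <Tool Name="VCPreBuildEventTool" CommandLine="echo pre-build step"/>
      <Tool Name="VCCLCompilerTool" Optimization="0"/>
      <Tool Name="VCPostBuildEventTool" CommandLine=""/>
    </Configuration>
    <Configuration Name="Release|Win32">
      <Tool Name="VCPostBuildEventTool"
            CommandLine="copy demo.exe out&#x0D;&#x0A;echo done"/>
    </Configuration>
  </Configurations>
  <Files>
    <File RelativePath="gen.txt">
      <FileConfiguration Name="Debug|Win32">
        <Tool Name="VCCustomBuildTool" CommandLine="type gen.txt"/>
      </FileConfiguration>
    </File>
  </Files>
</VisualStudioProject>
"""

def build_commands(vcproj_text):
    """Return (configuration, tool, command) for every non-empty build command."""
    root = ET.fromstring(vcproj_text)
    found = []
    # Project-level events sit under <Configuration>; per-file custom build
    # steps sit under <FileConfiguration>. Both carry the configuration name.
    for tag in ("Configuration", "FileConfiguration"):
        for cfg in root.iter(tag):
            for tool in cfg.findall("Tool"):
                if tool.get("Name") not in COMMAND_TOOLS:
                    continue
                for line in tool.get("CommandLine", "").splitlines():
                    if line.strip():
                        found.append((cfg.get("Name"), tool.get("Name"), line.strip()))
    return found

if __name__ == "__main__":
    for cfg, tool, cmd in build_commands(SAMPLE_VCPROJ):
        print(f"{cfg:15} {tool:22} {cmd}")
```

The project is only parsed here, never built. For files from an untrusted source, the Python documentation recommends a hardened XML parser such as defusedxml in place of the standard-library one.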


