Re: How long?

From: SMiller@unimin.com
Date: 08/22/02


To: Mike Arnold <mike@midkaemia.fsnet.co.uk>
From: SMiller@unimin.com
Date: Thu, 22 Aug 2002 06:13:01 -0400


Mike Benham's man-in-the-middle SSL attack has turned out to exploit a
vulnerability in Windows security, not IE specifically. So the code of any
developer who relied on the security widgets that MS built into Windows is
vulnerable:( Historical exploits would probably result in stolen sign-ons,
CC#, etc., and while the breach might be discovered, the source would
probably remain secret.

Mike Arnold <mike@midkaemia.fsnet.co.uk>
To: "Teodorski, Chris" <cteodorski@ppg.com>, "Security-Basics (E-mail)" <security-basics@securityfocus.com>
cc:
Date: 08/20/02 05:33 PM
Subject: Re: How long?

On Monday 19 Aug 2002 4:28 pm, Teodorski, Chris wrote:
> Does anyone know what the typical (average) lag time usually is from the
> time a hole is announced by Microsoft till we see that exploit being
> exploited? How long before the head script kiddie develops a tool to
> automate the exploit?

Quite funny, but the term "script kiddie" usually means someone who takes
someone else's code and runs it without knowledge of its technical
functioning. Call them what you will, they make a valuable contribution to
security education.

Anyway on with a rant ... had a dull day at work :)

I'm a firm believer in the fact that, like it or not, the Black hats
generally are well ahead of the game. They are actively coordinating work
and exploiting code every minute of every day. There may be the odd chance
that the security community finds these holes before they do, but chances
are they have been using these for years in some cases.

Take, for example, the SSL implementation "features" published recently. IE
5.0 I believe is the first version accredited (maybe spelt wrong, who knows!)
with it. When was that released? At the end of the day, this is not a new
vulnerability (It is a new *published* vulnerability, but not a *new*
vulnerability). IE 5.0 was released in 1999 I believe. That's when the Black
Hat community will almost certainly have been ripping it apart for
vulnerabilities. Probably even before that if - sorry, silly me - because
they had beta copies.

On average, yeah, Microsoft take a bloody long time to fix things. Complex
code? Maybe! Cheap PR? Almost certainly! The Open Source community, however,
reacted decisively, effectively and more professionally in my opinion! But
why worry now, we've been living with it for most likely 3 years.

At the end of the day there are no easy solutions to this, and while I would
like to blame Microsoft, it isn't solely their problem/issue. Until customers
insist on documented, standardised levels of security before they choose to
pay for their products and insist on answers to difficult questions when
those standards aren't met then we will continue to have these problems.

I personally would rather take my chances on code I can compile and check
myself if I need to. Code I know will be patched with speed and efficiency
when a problem is known. And a community that tells you when, how and why any
codebase may have been compromised. Instead of the corporate giant that won't
even tell you what the problem is!

At the end of the day, people *choose* to pay for Microsoft products, and
they *choose* to accept the terms and conditions of the Microsoft patching
policy. Only *they* can change that. Until end users stop blindly following
the features, and instead look for security and stability, that's how it will
be. I laugh at M$'s inability to patch their products in a timely fashion
because I have chosen not to use them unless I have to, other people have
chosen the opposite path, and good luck to them - it keeps me in a job which
M$ may say justifies their existence! It's a vicious circle.

<end rant>

Mike

--

"In their capacity as a tool, computers will be but a ripple on the surface of our culture. In their capacity as intellectual challenge, they are without precedent in the cultural history of mankind." Edsger Wybe Dijkstra on Computers
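The Benham attack referred to at the top of this message worked because the validator checked each signature up the chain but not the Basic Constraints CA flag, so a certificate issued to any site could in turn sign a working certificate for another site. This added Go example (not code from the thread) builds a constructed three-certificate chain and shows a signature-only check accepting it while the standard library's path validation rejects it; every name and hostname in it is made up.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// mkCert issues a cert for name, signed by parent/signer (self-signed when parent is nil); the CA flag is set only when isCA is true.
func mkCert(name string, isCA bool, serial int64, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: name}, DNSNames: []string{name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: isCA, // Basic Constraints always encoded
	}
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil { panic(err) }
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
// signatureOnlyCheck models a validator that verifies signatures up the chain but never asks whether the issuer is a CA.
func signatureOnlyCheck(cert, issuer *x509.Certificate) bool {
	return issuer.CheckSignature(cert.SignatureAlgorithm, cert.RawTBSCertificate, cert.Signature) == nil
}
// fullCheck runs standard-library path validation, which rejects an intermediate whose Basic Constraints lack the CA flag.
func fullCheck(cert, intermediate, root *x509.Certificate, host string) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(intermediate)
	_, err := cert.Verify(x509.VerifyOptions{DNSName: host, Roots: roots, Intermediates: inters})
	return err
}
// Constructed chain: root CA -> ordinary server cert (not a CA) -> cert for another host signed with that server cert's key.
func main() {
	root, rootKey := mkCert("test-root-ca", true, 1, nil, nil)
	leaf, leafKey := mkCert("shop.example", false, 2, root, rootKey)
	rogue, _ := mkCert("bank.example", false, 3, leaf, leafKey)
	fmt.Println("signature-only check accepts rogue cert:", signatureOnlyCheck(rogue, leaf) && signatureOnlyCheck(leaf, root))
	fmt.Println("path validation result for rogue cert:", fullCheck(rogue, leaf, root, "bank.example"))
}
```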
