Re: Public announcements of SQL Security Vulnerabilities
From: BP Margolin (bpmargo@attglobal.net)
Date: 08/02/02
- Next message: Greg Smith: "Re: Permission to Users under DB"
- Previous message: BP Margolin: "Re: Login without password"
- In reply to: Hal: "Re: Public announcements of SQL Security Vulnerabilities"
- Next in thread: Neil Pike: "Re: Public announcements of SQL Security Vulnerabilities"
- Reply: Neil Pike: "Re: Public announcements of SQL Security Vulnerabilities"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "BP Margolin" <bpmargo@attglobal.net> Date: Thu, 1 Aug 2002 20:29:43 -0400
Hal,
I'm sorry, but I just have to respond to your post ;-(
> Now, of course, the best way to address this problem is
> for the SQL Server group to find and close these holes
> before the hackers have a chance to exploit them. They're
> working on that.
Agreed, but I have to wonder if the hackers weren't publishing the security
holes, would Microsoft have become as security conscious as they, hopefully,
are now. From a different perspective, one can credit the hackers with
forcing Microsoft to acknowledge and address the problems that they've now
publicly admitted exist in their software.
> Ps: If I were a customer whose system was compromised
> because of the published exploit I'd certainly consider
> having my lawyers explore every avenue for taking it out
> of the hacker's hide. That's not easy, but I think they
> get too much of a free ride right now. The lack of
> personal consequences encourages them to be irresponsible.
I wonder how Microsoft would feel if every time that a virus exploits a hole
in one of their products, MS customers around the world sued Microsoft.
The reason that it's "not easy" to sue the hackers is because the code
with the flaw was written by Microsoft, not by the hacker.
BPM
"Hal" <Hal_Berenson@despammed.com> wrote in message
news:07ae01c2397f$a818c2a0$9be62ecf@tkmsftngxa03...
> Neil has it right. The way this mostly works is as
> follows:
>
> - Hacker X finds a security problem in your product.
> They send email saying that they will publish the exploit
> in some ridiculously short time like 48 hours. You send
> developers off to find/fix the problem and you send
> someone else to talk to the hacker and try to convince
> him (or her) to give you more time before going public.
> Usually you get a little more time, but not a lot of time.
>
> - You generate the fix and as soon as it's out there the
> Hacker goes public with the exploit.
>
> Now I think that's irresponsible on their part, but
> that's the current culture. I would rather not see the
> exploits published, and if they are then it should be at
> least a week after the fix was made available. I don't
> recall hackers of the 70s publishing the exploits. I
> think we were a far more responsible bunch (and the term
> had generally positive connotations at the time).
>
> Now, of course, the best way to address this problem is
> for the SQL Server group to find and close these holes
> before the hackers have a chance to exploit them. They're
> working on that.
>
> Hal
>
> Ps: If I were a customer whose system was compromised
> because of the published exploit I'd certainly consider
> having my lawyers explore every avenue for taking it out
> of the hacker's hide. That's not easy, but I think they
> get too much of a free ride right now. The lack of
> personal consequences encourages them to be irresponsible.
>
>
>
> > -----Original Message-----
> > Chris - all you can do is thank your lucky stars that in most instances, the
> > people that find these exploits do allow MS to develop and publish a fix before
> > they post the exploit for everyone to see/use. MS can't stop them publishing
> > the information.
> >
> > > I would like some comments from my peers on a current situation.
> > >
> > > Somebody finds a security problem in MS SQL Server and informs Microsoft.
> > > Microsoft come out with a patch and announce it here, among other places
> > > too, with some details, severity level and a thank you to the company or
> > > individual who found the vulnerability. Next, sometimes within hours, a
> > > means to exploit the vulnerability is posted to a security web site giving
> > > much more detail and in some cases code to test out the exploit.
> > >
> > > Whilst I feel it is helpful, because I can now fully understand the
> > > vulnerability, it is putting some pressure on me to make a hasty decision
> > > about implementing the security patch. It can give little time for testing
> > > any SQL application, that might be affected, before it MUST be implemented
> > > in the Production environment.
> > >
> > > Does anyone have any comments to add?
> >
> > Neil Pike MVP/MCSE. Protech Computing Ltd
> > Reply here - no email
> > SQL FAQ (484 entries) see
> > http://forumsb.compuserve.com/gvforums/UK/default.asp?SRV=MSDevApps
> > (faqxxx.zip in lib 7)
> > or www.ntfaq.com/Articles/Index.cfm?DepartmentID=800
> > or www.sqlserverfaq.com
> > or www.mssqlserver.com/faq