Posted on 11/11/2004 2:30:02 PM PST by Prime Choice
Microsoft is admonishing those who found the IFRAME vulnerability - the flaw exploited by the bofra virus - for the way they made it public.
Microsoft has slammed the people responsible for publishing details of the vulnerability that has led to the creation of the bofra virus.
The software giant, which has yet to release a patch for the flaw, said that the vulnerability was not reported in a responsible fashion.
In a prepared email statement from a Microsoft spokesperson, the company said: "Microsoft is concerned that this new report of a vulnerability in Internet Explorer was not disclosed responsibly, potentially putting computer users at risk. We continue to encourage responsible disclosure of vulnerabilities."
"We believe the commonly accepted practice of reporting vulnerabilities directly to a vendor serves everyone's best interests, by helping to ensure that customers receive comprehensive, high-quality updates for security vulnerabilities with no exposure to malicious attackers while the patch is being developed."
The bofra virus, which antivirus companies initially believed to be a MyDoom variant, emerged on Monday after the vulnerability it was based on was published last week on a Web chat forum.
On Friday, security firm Secunia issued an advisory on the vulnerability, rating the flaw 'extremely critical'. Thomas Kristensen, the company's chief technology officer, said that 'Ned', the individual who initially found the bug, stumbled across it while testing browsers with a publicly available tool. The tool crashed IE, so he posted a question on an Internet forum asking others to look at why the program had failed. With some additional research from others in the community, it came to light that the IFRAME flaw was causing the crash.
"Microsoft is right that those who disclose this kind of thing are irresponsible," said Kristensen. "But in this case, it's slightly different because he [Ned] published the first part and they [the other researchers] published the second part. And he didn't do it -- it was done with a tool. If you find a crash in a browser, you might not know if it's serious or not. He might not have been able to test that."
The bofra virus sends out hundreds of emails from an infected machine. The reader on the target machine follows a link sent in the email, which leads to a Web site hosted on the original infected PC. The IE exploit on that Web site turns the computer into another infected machine, and the cycle starts again. All versions of the worm also open a back door on the infected computers.
Microsoft has yet to release a patch for the IE vulnerability, but advised users to upgrade to Windows XP SP2, which is apparently unaffected by the flaw.
And let's not forget Steve Ballmer's moronic statement on how security issues should be handled...
I tend to agree with MS on this. Others in the business that find flaws in someone's software shouldn't make it public for the very reasons stated. It is sad to hear a bunch of whiners that can't do the great things that MS has done.
If Microsoft put a bounty on each security flaw found, and made it a substantial sum, Windoze would soon be hackproof.
Sorry, but Microsoft has a point. Simply releasing info about a security breach before a fix has been found is irresponsible. There ought to be a "decent interval" between the discovery of the breach and its public revelation. I think a month is about right. The discoverer should first notify the software maker, then promise to hold off for at least a month before announcing the problem. This strikes me as a reasonable compromise that protects the public's right to know about the problem, but also minimizes the risk that the problem will be exploited by some scummy computer vandal.
1. Microsoft makes shoddy software, putting consumers at risk.
2. Independent group spanks Microsoft for doing things as enumerated in #1.
3. And the members of the independent group are the "bad guys."
Maybe that's the way it is in the old Soviet Union. Here in the U.S., it's called free market capitalism. If Microsoft can't manage its own malware, it should get out of the business.
On the flipside though, couple of years ago I think, did not some third party announce a flaw and state that they tried to tell MS about it but were being ignored?
Keep in mind that this is coming from a user that has spent at least 4 hours so far - holiday time - cleaning up my kids' computer.
Oh, the irony!
LVM
"There ought to be a "decent interval" between the discovery of the breach and its public revelation."
Go back and read the story. You have your facts all wrong.
A tool found the crash and the guy asked for help in determining why. Someone else found the actual problem. It was a collaborative discovery. Neither person alone found or published the exploit. It was readily replicable every time you pointed this tool at a Microsoft browser.
Microsoft STILL has not published a fix.
Had this been Mozilla, or Opera, or Konqueror browser the fix would be in WIDE distribution already.
"On the flipside though, couple of years ago I think, did not some third party announce a flaw and state that they tried to tell MS about it but were being ignored?"
Billy G has promised that's not going to happen anymore.
They STILL take way too long to get a fix out.
The problem with MS software is, even if I find a problem I can't fix it or even research its cause, because there is no access to the source code. It's like buying a car with the engine compartment welded shut. Might look like a fuel problem, but could be a gummed-up carburetor, but there is nothing I can do but call the factory and wait for them to fix it.
I guess we should all switch to Linex?
MS code is very robust, and of course has some problems, (as all software does) but in the interests of us slubs that have to use it, others should not publish the flaws, (so AssH*les can abuse us) but instead let MS know so it can be corrected.
Yeah, that will give the people who actually know about it time do their exploits undisturbed.
Good point. Still, the people working on the problem would have done better to carry on their discussion on a private e-mail list rather than in public. In all fairness, many private bug hunters would not think to do this. But it's the right way to investigate a security problem.
"I guess we should all switch to Linex? "
It's LunUx not linex, and you might try it some time, you will be astounded. Go buy Novell's SuSE 9.2 personal edition for $30. It will knock your socks off with how easy it installs, and how much ROCK SOLID software it includes for the price.
Sorry, but in my current business those other misspelled and unheard-of software packages (that I am sure also have bugs) will not handle my apps.
According to Microsoft, trying to figure out what makes their software crash is a crime.
Really?
What apps are those?
I can run Microsoft Word, Excel, PowerPoint, Visio, Outlook and Internet Explorer. I can run QuickBooks. I can run Photoshop for Windows. I can run VB-created apps.
And I only use Linux.
If you've had a transition expert come in and he's determined that your apps will not run under Linux, then fine.
Otherwise you are speaking of things of which you have no knowledge.
And with all the money they make, you'd think they could afford a decent security audit of their crapware.
koniace: The problem with MS software is, even if I find a problem I can't fix it or even research its cause, because there is no access to the source code.
----------------------
"great things" ... Yeah, riiiight...
The only great thing about Microsoft is the arrogance of their marketing people -- and the gullibility of the sheeple who buy into their bu||$#!t...