MS Asks Google To Delay Fuzzer Tool 205
eldavojohn writes "Polish Google security white hat Michal Zalewski has announced concerns that one of a hundred vulnerabilities his fuzzer tool found in IE is well known to third party hackers in China. His simple explanation provides an interesting counter argument to Microsoft's usual request that security problems not be released until they can slowly investigate them. From the article, 'Microsoft asked Zalewski to delay cross_fuzz's release, but he declined, in part because of his fear the IE vulnerability was already being explored by Chinese hackers, but also because the company's security experts had not responded to information he provided.' You can read about and download cross_fuzz for your own use."
Microsoft losing their edge? (Score:3, Insightful)
Microsoft is the last among browser makers to react to the vulnerability. Everybody else has released patches to address some, if not all of the holes.
Seems the IE team is so small, they can only do is development on IE9; perhaps there is no other team. Maybe they're all working to make the latest Windows Mobile platform a rousing success.
Its a much slower, conservative company now that Bill Gates has left. And I don't mean that in a good way.
Security through blissful ignorance... (Score:4, Insightful)
Browse at your own risk... (Score:5, Insightful)
Last year I attended a conference where one of the talks was about browser security. The speaker demonstrated how easy it was to gain access to someone's PC when the machine was being specifically targeted. Some of the things he did:
1) Set up a rogue access point with open access and SSID name similar to the venue..
2) Set up a rogue DNS.
3) Set up a redirect page that installed demo software...
One of the things he mentioned was that if you are being targeted specifically, your system will likely be compromised. If you are not targeted specifically, it's trivially easy to find machines that can automatically be compromised.
Adding any apps increasing your exposure.
The number of unpatched vulnerabilities is staggering and it's only a numbers game when a slew of machines are needed.
Re:Security through blissful ignorance... (Score:5, Insightful)
From the co,puterworld link:
MS, if you want better PR, stop worrying about PR and start worrying about code quality. For what your software costs, its performance is abysmal. You have Yugo software with a Lexus price.
Re:When (Score:2, Insightful)
Even high-end "designer" stuff -- it's not just the cheap stuff at Walmart.
Who cares? The economy doesn't depend on that shit. What's more interesting is what percentage of actually useful items are made in China (which is still ridiculously high) and what's even more interesting is how much of that stuff can't be made here, which is to say almost none of it. If we stopped buying Chinese stuff for whatever reason you'd see toaster and eggbeater factories pop back up overnight. Or, more likely, they'd pop back up in Mexico again.
Re:Microsoft losing their edge? (Score:5, Insightful)
Re:Microsoft losing their edge? (Score:4, Insightful)
They'd only start slapping a Beta tag on everything like Google does. That would buy them a few years of delays. Then they'd lobby to get the law modified so their liability was limited to the price of the software. Then they'd say the kernel is what costs and the rest is free bundled stuff. At every stage they'll lobby and start lawsuits to delay things. Eventually its 15 years later and you've got some silly obscure law that protects nobody unless they've got the money to fight a massive software company (something the US DoJ doesn't have).
Re:Security through blissful ignorance... (Score:5, Insightful)
Right, which is why most users are overly concerned about "credit card theft" when most infections are about spamming the shit out of people; and a large number of people who succumb to identity theft are actually taken by malware that installs itself as an "anti-virus" program but secretly records your bank transactions.
It's like walking through Baltimore City alone at night. As much as people are terrified by it, not everyone is out to kill you; that said, if you walk through Baltimore City alone at night regularly, you'll meet someone who is out to kill you. Paranoia is when you think they're all out to get you; rational sense is when you realize, no, they're not, but there's a significant risk of encountering someone eventually and it only takes one knife to stop your heart.
Re:Microsoft losing their edge? (Score:5, Insightful)
Ballmer has a hard-on for Apple and Google. Instead of focusing on their core business which is providing servers and office automation to businesses they are chasing Apple and google with WP7, chasing the iPad, the iPod, Google search, and the Sony playstation. Arguably they've been successful at the latter, the others not at all.
Look at WP7 vs Windows Mobile 6.5. WM6x is in dire need of an overhaul. WP7 cannot replace it in a business environment at this point. We use windows mobile powered devices for out warehouse management apps. The replacement for ActiveSync, Windows Mobile Device Center, is worse than AcviecSync (if you can believe that) and is more consumer focused than business focused. WP7 is not designed for business apps - there is a huge opportunity for Google to invade the embedded business app space.
Ballmer needs to cease his juvenile, masturbation fantasies of crushing Jobs and Schmidt and get back to focusing on their core business.
Re:Microsoft losing their edge? (Score:4, Insightful)
According to the timeline [coredump.cx], Microsoft too has also released patches for some but not all the bugs. This final delay appears to be because they had problems reproducing the crashes, which I think is probably due to the nature of this tool which makes reproducing the exact circumstances difficult. I can sympathise because I have had to find hard to reproduce bugs is the past.
Still I think that is correct that it should be all made public now, considering that the bad guys have already got the code.