MS Asks Google To Delay Fuzzer Tool

eldavojohn writes "Polish Google security white hat Michal Zalewski has announced concerns that one of a hundred vulnerabilities his fuzzer tool found in IE is well known to third party hackers in China. His simple explanation provides an interesting counter argument to Microsoft's usual request that security problems not be released until they can slowly investigate them. From the article, 'Microsoft asked Zalewski to delay cross_fuzz's release, but he declined, in part because of his fear the IE vulnerability was already being explored by Chinese hackers, but also because the company's security experts had not responded to information he provided.' You can read about and download cross_fuzz for your own use."
  • Re:Can't blame him (Score:4, Interesting)

    by Securityemo ( 1407943 ) on Monday January 03, 2011 @12:17PM (#34744322) Journal
    Yes. There's a list right at the bottom link of other browsers it managed to break, including Firefox and Opera. It apparently works by stressing the garbage collection mechanisms through creating and destroying DOM objects/references; I don't know what that means really, but he's written a step-by-step of the mechanisms that seems easy enough to follow.
  • by hedwards ( 940851 ) on Monday January 03, 2011 @12:30PM (#34744470)
    Probably the only way that this will change is if the laws are changed to make them liable for their own incompetence. As it is, software developers can release software without the ability to return it for a refund or any particular guarantee that it does what they claim it to do. This means that you could very well end up in the situation where you've paid for software that's badly broken and they're not liable, not going to give you a refund, and not going to fix it.
  • by _Sprocket_ ( 42527 ) on Monday January 03, 2011 @12:40PM (#34744600)

    It's a much slower, conservative company now that Bill Gates has left. And I don't mean that in a good way.

    There was a point in time (not too long ago by normal standards, ancient history in "Internet time") when Microsoft was very slow to respond to any security issue. That was very much in the Bill Gates era. The concept of full disclosure comes from that time. The subject of disclosure has been beaten to death around here more than once, so we'll avoid going down that path. However, part of the intent of the "full disclosure" concept is to shame the vendor and warn the user. Even "responsible disclosure" rules tend to have some breaking point where the bug gets exposed without vendor consent.

    This is less of a turning point than a reminder of where we've been before.

  • by bluefoxlucid ( 723572 ) on Monday January 03, 2011 @01:20PM (#34745000) Homepage Journal

    Sitting in a Starbucks is a low-risk method because it's hard to trace. Hell, you can load automated software onto a hand-held PDA (iPaq? I ran Linux on one...) to do all the raping and infecting. The packets can be tagged with a different MAC address than your real device, making it physically untraceable; it's all in your pocket, and can auto-connect to wifi and do whatever, so picking you out of a crowd is harder than "find the suspicious person" since you just carry it around and don't go out sniping.

    This works for MP3s and child porn and whatever the hell else too, btw. Assuming you know where and what to search (I assume torrents for MP3s, who knows for kiddy porn), you could have an automated program do all the relevant searches and store the results. When you get home, pop the device out and browse through the cached results... pick what you want, and next time you're out it'll find those things and download them.

    For the obvious flaw, you can ban your own Wifi network and your neighbors', or have the program automatically search for certain networks (yours, your neighbors', etc) and decide you're "too close to home" and shut down. You could even have a separate daemon that handles wifi, and when it sees you're "too close to home" it prevents any wifi connections at all.

    There's a lot of "I can have this here with me, but never physically do anything while connected to the network, and never use my own network" that can be done to hide your online presence. The same can be done for chatting on forums, sending e-mail, etc. The only thing you can't hide that way is real-time chat like instant messaging or IRC, because you have to twiddle the device; but for answering a forum post or blog, you can have a program smart enough to deal with phpBB and vBulletin and WordPress... it could let you record what you want to post, who to reply to, which post ID to reply to, the works... then when you're out somewhere, post.

    Basically you're interacting from an alternate reality, one where you're pulled out of the real world; that interaction is transferred into the real world physically somewhere, but you're not present at that point and there's no cable running from there to here to draw a path to you. You'd have to use an innocuous device (a PDA most likely, bought in cash) and download the software from a MAC-shifted device on a public link to have absolutely zero trail (i.e. no evidence that you're even capable of this), but it'd be doable. Completely. It'd make for some interesting shit... maybe I'll write a sci-fi novella about the idea.

  • by msauve ( 701917 ) on Monday January 03, 2011 @01:48PM (#34745296)
    The market disagrees with you, as customers continue to purchase, and MS continues to profit from, their software offerings. Pricing is only relative to the market. From a purely economic perspective, it might be overpriced if by reducing the price they get greater profits from an increase in sales. But, I suspect that MS is pretty sharp about finding the price points which maximize profit.

    "I paid over a hundred bucks for XP"

    In fact, you disagree with yourself, unless you're claiming that MS somehow forced you to buy it. You had a choice, you chose to pay. If you would have paid "over a hundred bucks"+1, then it was underpriced for you. Ferraris are overpriced for me, but not for the market, since they're still a profitable business.
  • by 99BottlesOfBeerInMyF ( 813746 ) on Monday January 03, 2011 @03:08PM (#34746156)

    "According to this dude's timeline [coredump.cx], he contacted them on December 20th, and got a real reply the next day."

    You fail to note that the contact in December was a reminder that he was releasing the tool. He sent them the original crash reports in July and then more detailed info in August. MS security researchers were apparently unable, unwilling, or just too lazy to do the work to replicate the bugs or contact Mr. Zalewski for the next four months, until he reminded them twice more in December about the issues.

    By December Mr. Zalewski was no longer willing to give MS extra time, not because he was looking for publicity, but because he had real indications that the exploits were already known to other parties and the situation had become one that needed immediate action on the part of users and sysadmins to defend themselves pending a fix from MS. I have to disagree with you about him being a dick. He was very responsible on this one, even when dealing with a vendor that has an abysmal track record of making timely fixes for periods lasting years, right until there is public disclosure.
