MS Asks Google To Delay Fuzzer Tool
eldavojohn writes "Polish Google security white hat Michal Zalewski has announced concerns that one of a hundred vulnerabilities his fuzzer tool found in IE is well known to third party hackers in China. His simple explanation provides an interesting counter argument to Microsoft's usual request that security problems not be released until they can slowly investigate them. From the article, 'Microsoft asked Zalewski to delay cross_fuzz's release, but he declined, in part because of his fear the IE vulnerability was already being explored by Chinese hackers, but also because the company's security experts had not responded to information he provided.' You can read about and download cross_fuzz for your own use."
Microsoft losing their edge? (Score:3, Insightful)
Microsoft is the last among browser makers to react to the vulnerability. Everybody else has released patches to address some, if not all of the holes.
Seems the IE team is so small, all they can do is development on IE9; perhaps there is no other team. Maybe they're all working to make the latest Windows Mobile platform a rousing success.
It's a much slower, conservative company now that Bill Gates has left. And I don't mean that in a good way.
Re: (Score:2)
Hey, we are paying for "gitmo" (aren't we?)... may as well get some use out of it!
Re:Microsoft losing their edge? (Score:4, Insightful)
They'd only start slapping a Beta tag on everything like Google does. That would buy them a few years of delays. Then they'd lobby to get the law modified so their liability was limited to the price of the software. Then they'd say the kernel is what costs and the rest is free bundled stuff. At every stage they'll lobby and start lawsuits to delay things. Eventually it's 15 years later and you've got some silly obscure law that protects nobody unless they've got the money to fight a massive software company (something the US DoJ doesn't have).
Re: (Score:2)
Far worse, the big proprietary players would do that but the small shops and free software would all fold up or leave the U.S. because they couldn't afford the legal fees.
Re: (Score:3)
That would only serve to drive the cost of software up. Is it not best to allow the free market to work? Those who want the guarantees can pay for it, while those who are willing to take the risk can use the software for less, perhaps even free.
I am certain that if you passed the appropriate amount of money in Microsoft's direction, they would be more than happy to accept liability for IE. Personally, I do not want to pay for that level of service.
Re: (Score:2)
How could anyone whine about the cost of software going up. Right now it's at rock bottom to purchase consumer software, more expensive software across the board would be a good thing assuming the money goes to the right people (haha).
Re: (Score:2)
The added costs would go to people like insurance companies who would assume more risk on behalf of the vendor for errors in the software. A lot of open source software projects would come to an end, because who wants to be liable for errors in the work they provide for free? Let the market decide. If liability is important, people will pay for it.
Um, you're kidding. (Score:2)
Re: (Score:2)
Get real, Microsoft's software is WAY overpriced. ALL of it is way overpriced; at least, for an average Joe buying the software outright at a computer store.
I paid over a hundred bucks for XP, upgrading from 98. I really felt ripped off. Not only did a lot of my old software no longer run, Microsoft "disabled" the app that came with my CD burner, saying it was "unstable". I'd had no stability problems with 98. What was worse, every morning when it booted it informed me that it had disabled this software, wh
Re: (Score:2)
Accepting a refund is different than assuming liability for a mistake in the product. I am not against refunds on software. Though I do realize it is a difficult problem to solve in the world of piracy.
Re: (Score:3)
Because you bought the software in the full knowledge that it was shoddy and sold "as is, no returns, no guarantee".
Re: (Score:2)
Because you bought the software in the full knowledge that it was shoddy and sold "as is, no returns, no guarantee".
Why didn't it say that on the box? You don't see "no returns, no guarantee" until you've paid for the POS and seen the EULA.
They have "lemon laws" [carlemon.com] for cars, why can't we have laws like that for software?
If I sell you a bucket of paint, but the bucket is empty, that's fraud.
Re: (Score:3, Interesting)
"I paid over a hundred bucks for XP"
In fact, you disagree with yourself, unless you're claiming that MS somehow force
Re: (Score:2)
Because there is no market. The customers don't have any choice. Wherever you go you will get Microsoft Windows and your "market" will drop support if you use anything other than Microsoft Windows. Many OEMs are going so far that they even will drop the warranty if you dare to install something other than Windows on your computer.
The government, the schools, the employers support this monopoly. Because they are all dependent on Microsoft Windows. The government and the schools failed to implement open stand
Re: (Score:2)
www.apple.com HTH! HAND!
"Plus you need Microsoft Word and Excel to get your work done or to communicate with the government. Plus you need Windows to play the games out there. You even need Windows to pay your taxes."
You're fabricating things. My in-laws do all those things, and don't even have a computer.
Re: (Score:2)
No, I had no choice, thanks to the Sony rootkit my daughter installed. It completely trashed Win 98, and I had lost the reg # for it.
I specifically bought it to run the Windows programs I already had. Had I known that Windows wouldn't run Windows programs, I'd have just wiped the drive and installed Linux, rather than running it dual-boot.
Re: (Score:3)
What free market? You mean the market where I can go to Mediamarkt and 99% of the computers and laptops come with Windows 7? Or the free market in Saturn where 99% of the computers and laptops come with Windows 7? Or the free market at Best Buy where 99% of the computers and laptops come with Windows 7? Or maybe the free market with Dell, HP, Samsung, Lenovo?
To what market do I go if I wish to buy a computer or laptop with a more secure system?
A free market can only work if there are many vendors, which are competin
Re: (Score:2)
Surely the GP's proposal would, at least on one understanding, be beneficial to the functioning of the market?
There are, to my mind, two constructions of what the GP said. The first is the narrow suggestion that customers should be eligible for a refund if software doesn't match the designers claims. Given that the existence of a free market relies on the dissemination of accurate information, preventing the creator of software from making exaggerated claims to sell their product would seem entirely consist
Re: (Score:2)
People continue to use IE because liability from Microsoft is not a concern to them. Those who are concerned are not using IE. The free market works just fine here.
Re: (Score:2)
How about only having liability on code which cannot be inspected? Though the lobbys would never allow that to pass.
Re:Microsoft losing their edge? (Score:4, Interesting)
It's a much slower, conservative company now that Bill Gates has left. And I don't mean that in a good way.
There was a point in time (not too long ago by normal standards - ancient history in "Internet time") when Microsoft was very slow to respond to any security issue. That was very much in the Bill Gates era. The concept of full disclosure comes from that time. The subject of disclosure has been beaten to death around here more than once, so we'll avoid going down that path. However, some of the intents of the "full disclosure" concept are to shame the vendor and warn the user. Even "responsible disclosure" rules tend to have some breaking point where the bug gets exposed without vendor consent.
This is less of a turning point than a reminder of where we've been before.
Re:Microsoft losing their edge? (Score:5, Insightful)
Ballmer has a hard-on for Apple and Google. Instead of focusing on their core business which is providing servers and office automation to businesses they are chasing Apple and google with WP7, chasing the iPad, the iPod, Google search, and the Sony playstation. Arguably they've been successful at the latter, the others not at all.
Look at WP7 vs Windows Mobile 6.5. WM6x is in dire need of an overhaul. WP7 cannot replace it in a business environment at this point. We use Windows Mobile powered devices for our warehouse management apps. The replacement for ActiveSync, Windows Mobile Device Center, is worse than ActiveSync (if you can believe that) and is more consumer focused than business focused. WP7 is not designed for business apps - there is a huge opportunity for Google to invade the embedded business app space.
Ballmer needs to cease his juvenile, masturbation fantasies of crushing Jobs and Schmidt and get back to focusing on their core business.
Re:Microsoft losing their edge? (Score:4, Insightful)
According to the timeline [coredump.cx], Microsoft has also released patches for some but not all of the bugs. This final delay appears to be because they had problems reproducing the crashes, which I think is probably due to the nature of this tool, which makes reproducing the exact circumstances difficult. I can sympathise because I have had to find hard-to-reproduce bugs in the past.
Still, I think it is correct that it should all be made public now, considering that the bad guys have already got the code.
MS's edge has always been cash and inertia (Score:3)
There are exceptions, like their entry into the gaming arena, but don't forget their primary nature.
When (Score:3, Funny)
Re: (Score:2)
Yes, let's have the UN send one of its famous "Stern Letters Of Warning" to China that they've been very naughty and shouldn't do what every other nation or its citizens doesn't already do.
Re: (Score:2)
China has a permanent seat on the UN security council.
That being said, they have the ability to veto any substantive resolution designed to address their intrusion into Google's computer systems.
Re: (Score:2, Insightful)
Even high-end "designer" stuff -- it's not just the cheap stuff at Walmart.
Who cares? The economy doesn't depend on that shit. What's more interesting is what percentage of actually useful items are made in China (which is still ridiculously high) and what's even more interesting is how much of that stuff can't be made here, which is to say almost none of it. If we stopped buying Chinese stuff for whatever reason you'd see toaster and eggbeater factories pop back up overnight. Or, more likely, they'd pop back up in Mexico again.
Re: (Score:2)
Something as serious as a trade embargo or similar would require somebody very powerful to push it, if not more than a few. And normally, powerful people want to keep the status-quo. That is, making goods in China for pennies and selling it for a huge profit somewhere else.
No, it will take something so serious that it directly impacts the fatcat's wallets before something like that happens.
which? (Score:3)
And, consequently, if they fuck up with say, a huge housing bubble or some such, it'll mean we have to share the pain.
Re: (Score:2)
When they saw people investing in housing, they reacted with a new build scheme that put up masses of new flats ready for use at almost any price level, which dropped the value of existing housing. It didn't entirely stop a fashion for housing investment, but nobody's fooled into thinking that it's a m
Re: (Score:2)
If there was an embargo against them, dumping the currency would have no extra effect whatsoever and it would be a very sensible retaliatory move.
Re: (Score:2)
Actually, if they did something that devalued the USD, it would hurt them badly. If the USD goes down, US goods would be cheaper to the rest of the world, so our exports would increase, and it would decrease the buying power of the dollar for imported goods.
If anything, China wants to see the USD stronger... the more the dollar's worth, the cheaper its goods and services are to the US (and world) market by comparison.
Re: (Score:2)
Except for wheat and soy, what do we make to export?
Re: (Score:2)
Yup. And buying our debt is a means of doing that. If people didn't snatch it up, then we'd have to increase interest to convince people to grab it. That would drain the US dollar. They'll prop it up until they are done with us, then they'll collapse our economy by just not buying anymore. At this point, the US economy would collapse from n
Re: (Score:2)
If the US would take such drastic measures, China would probably answer by selling their $2.5 trillion in foreign exchange reserves, most of them US Dollars. That would devalue the USD and EUR to virtually zero, bringing about economic turmoil of unprecedented magnitude.
Not a chance. China would NEVER destroy their CASH COW.
Re: (Score:2)
But why would the hit to the US be worse than that to China? Because the US is a service economy. When one person loses their j
Re: (Score:2)
China would probably answer by selling their $2.5 trillion in foreign exchange reserves, most of them US Dollars. That would devalue the USD and EUR to virtually zero, bringing about economic turmoil of unprecedented magnitude. Let's face it: China got us by the balls, and they are ready to squeeze [telegraph.co.uk] them.
A few things
1. "Nuclear option" as mentioned in that link is more descriptive than you give it credit for. Just as we could not have nuked the soviet union without getting destroyed ourselves, so too would China be bringing about mutually assured economic destruction with such a move.
2. How would the Euro be affected?
3. Ready to squeeze? You might use a more recent article than 2007 when making such a claim. I mean, it IS interesting how this will affect Hillary Clinton's chances of getting elected and a
Re: (Score:2)
This would trash the Chinese economy as well, crashing the Asian and American markets simultaneously.
Re: (Score:2)
If it's going to devalue the US dollar and the Euro, go for it. That means that their value is going to decrease against the Chinese currency and other eastern european, asian, and south american currencies. Increasing exports from the US and Eurozone countries. Which is exactly what the US and Europe need.
Besides, it'll never happen. It will mean that those Chinese investments that are all dollar-based will go up in a puff of smoke.
Re: (Score:2)
Who cares? The economy doesn't depend on that shit.
You obviously don't understand the basics. Yes, the economy depends on that shit. Any form of trade or investment is a part of the economy. And seeing how we contribute to perhaps a trillion dollars a year (I don't know the numbers, so this is just a wild guess) to China's GDP... all of that money is a part of our economy and that much money is a HUGE part of our economy, and if we were to eliminate it then there goes Wal-Mart. There goes dollar stores. There goes much of our electronics industry. There goe
Re: (Score:2)
Any form of trade or investment is a part of the economy.
When you're shoving the money out of the country as fast as possible, you're doing more harm than good.
A trade embargo with China is not a thought to be taken lightly.
Slavery is not to be taken lightly.
Re:When (Score:4, Informative)
A trade embargo with China is not a thought to be taken lightly.
Slavery is not to be taken lightly.
That right there invalidates all your arguments, because that says you've been absorbing all the stupid propaganda and sensationalism about Chinese working conditions. Just because they don't make $50k a year doesn't mean they are slaves. Most of them are quite happy with their jobs.
Yeah, 14 Foxconn employees committed suicide in 2010. That's out of 920,000 employees total. So that's about 1.5 suicides out of every 100,000 employees. Wanna guess what the suicide rate in the United States was in 2007? 11.5 out of 100,000. That's EIGHT TIMES the suicide rate at Foxconn. And the suicide rate in all of China was 6.6 in 2008. One could argue that Foxconn, in fact, IMPROVES workers' lives. Of course that's not necessarily true, because correlation does not imply causation, but that data is enough to make a big huge news story worthy of being approved by Slashdot's elite editorial team with which to draw a bunch of sheep to hark the benefits of working for Chinese electronics manufacturers.
Do some of your own research before believing the bullshit and comparing Chinese laborers to slaves.
Re: (Score:2)
First, nobody mentioned Foxconn until you brought it up. Second, what you're failing to point out is that
When the #1 cause of death in your major cities is lung cancer (and the #2 cause of death nationwide), you have a very real problem.
Re: (Score:2)
When the #1 cause of death in your major cities is lung cancer (and the #2 cause of death nationwide), you have a very real problem.
FASTSTATS - Leading Causes of Death [cdc.gov]
The #2 cause of death in the United States is cancer by several hundred thousand deaths per year, and Lung Cancer is by far the leading cause of cancer-related deaths, and smoking is by far the leading cause of lung cancer cases. There are also lots of smokers in China. Damn near EVERYBODY in China smokes cigarettes... approximately 25% of their population if I remember correctly, while only somewhere around 8 or 9% of Americans smoke... but we have the same exact lung
Re: (Score:2)
The economy doesn't depend on that shit.
That's a pretty big statement to make. Imports from Asian companies with deliberately depressed exchange rates have kept inflation artificially low for a long time. A trade embargo would increase the cost of doing business for domestic companies which had to buy more expensive components and equipment and the cost of purchases for consumers who had to buy more expensive goods manufactured elsewhere. It would mean massive inflation over a very short period of time, which would be compounded by the expense of
Re: (Score:2)
It's the same stuff, and always has been. The only difference is the label. There is no need for quality in "high-end designer stuff" because it will be out of fashion before the defects become evident.
Re: (Score:2)
It's the same stuff, and always has been. The only difference is the label. There is no need for quality in "high-end designer stuff" because it will be out of fashion before the defects become evident.
Very true. Tommy Hilfiger, Abercrombie, etc., etc., "it has a name that makes me street-cool," that crap is all garbage with a huge premium for the name and "current style" to make you cool. Even The Gap does it.
What you want are the mid-range business/casual outfitters. Land's End, Polo, and the like, the people that nobody gives a shit about but that try to win you over with "quality and style." The so-called "style" is "not looking like shit" but it's not going to pretend to net you "street-cred."
Re: (Score:2)
I think there are actually two points of thought in that post.
It's a shame paragraphs weren't invented.
Re: (Score:2)
What, exactly, do you expect? Institute a trade embargo with China?
Ah, you've finally discovered the devious strategy by Microsoft to exact revenge on Apple.
Security through blissful ignorance... (Score:4, Insightful)
Re:Security through blissful ignorance... (Score:5, Insightful)
From the computerworld link:
MS, if you want better PR, stop worrying about PR and start worrying about code quality. For what your software costs, its performance is abysmal. You have Yugo software with a Lexus price.
Re: (Score:3)
For what your software costs, its performance is abysmal.
Last I checked, IE was free.
and horribly overpriced at that!
Re: (Score:2)
But the OS you need to run it isn't.
Re: (Score:2)
It's only free if you devalue your soul. ;)
Re: (Score:3)
I think I'd call it more "security by bliss" (from "ignorance is bliss"). Really they're not so much taking advantage of users' ignorance, but rather that they don't care. As long as their computer is functional, most users don't care if their machine is participating in a botnet and DDoS'ing or spamming.
Re:Security through blissful ignorance... (Score:5, Insightful)
Right, which is why most users are overly concerned about "credit card theft" when most infections are about spamming the shit out of people; and a large number of people who succumb to identity theft are actually taken by malware that installs itself as an "anti-virus" program but secretly records your bank transactions.
It's like walking through Baltimore City alone at night. As much as people are terrified by it, not everyone is out to kill you; that said, if you walk through Baltimore City alone at night regularly, you'll meet someone who is out to kill you. Paranoia is when you think they're all out to get you; rational sense is when you realize, no, they're not, but there's a significant risk of encountering someone eventually and it only takes one knife to stop your heart.
Re: (Score:2)
That seems a bit over the top, even for the anti microsoft crowd here on Slashdot.
Microsoft doesn't sell computers, and they make very little on OEM versions of Windows installed in the factory.
Browse at your own risk... (Score:5, Insightful)
Last year I attended a conference where one of the talks was about browser security. The speaker demonstrated how easy it was to gain access to someone's PC when the machine was being specifically targeted. Some of the things he did:
1) Set up a rogue access point with open access and SSID name similar to the venue.
2) Set up a rogue DNS.
3) Set up a redirect page that installed demo software...
One of the things he mentioned was that if you are being targeted specifically, your system will likely be compromised. If you are not targeted specifically, it's trivially easy to find machines that can automatically be compromised.
Adding any apps increases your exposure.
The number of unpatched vulnerabilities is staggering and it's only a numbers game when a slew of machines are needed.
Re:Browse at your own risk... (Score:5, Interesting)
Sitting in a Starbucks is a low-risk method because it's hard to trace. Hell, you can load automated software onto a hand-held PDA (iPaq? I ran Linux on one...) to do all the raping and infecting. The packets can be tagged with a different MAC address than your real device, making it physically untraceable; it's all in your pocket, and can auto-connect to wifi and do whatever, so picking you out of a crowd is harder than "find the suspicious person" since you just carry it around and don't go out sniping.
This works for MP3s and child porn and whatever the hell else too, btw. Assuming you know where and what to search (I assume torrents for MP3s, who knows for kiddy porn), you could have an automated program do all the relevant searches and store the results. When you get home, pop the device out and browse through the cached results... pick what you want, and next time you're out it'll find those things and download them.
For the obvious flaw, you can ban your own Wifi network and your neighbors', or have the program automatically search for certain networks (yours, your neighbors', etc) and decide you're "too close to home" and shut down. You could even have a separate daemon that handles wifi, and when it sees you're "too close to home" it prevents any wifi connections at all.
There's a lot of "I can have this here with me, but never physically do anything while connected to the network, and never use my own network" that can be done to hide your online presence. The same can be done for chatting on forums, sending e-mail, etc. The only thing you can't hide that way is real-time chat like instant messaging or IRC, because you have to twiddle the device; but for answering a forums post or blogs, you can have a program smart enough to deal with phpBB and V-Bulletin and Wordpress... it could let you record what you want to post, who to reply to, which post ID to reply to, the works... then when you're out somewhere, post.
Basically you're interacting from an alternate reality, one where you're pulled out of the real world; that interaction is transferred into the real world physically somewhere, but you're not present at that point and there's no cable running from there to here to draw a path to you. You'd have to use an innocuous device (a PDA most likely, bought in cash) and download the software from a MAC-shifted device on a public link to have absolutely zero trail (i.e. no evidence that you're even capable of this), but it'd be doable. Completely. It'd make for some interesting shit... maybe I'll write a sci-fi novella about the idea.
Re: (Score:2)
You mean the "Internet" doesn't cache all communication so that they can be pulled up easily by dumping the cache on someone's webcam to get the feed sent 3 weeks ago like they say on NCIS?
(Sorry, I always have a laugh when they start doing that...)
MS denied accusations (Score:4, Funny)
On FF block pop up windows (Score:2)
Didn't work for me until I turned off the 'block pop-up windows' in Tools-Options-Content.
So I'll keep that window pop-up blocker turned on I guess.
Rather misleading... (Score:2, Informative)
Dup, and they didn't ask "Google" anything. (Score:3)
Zalewski? (Score:2)
Enough with Polish jokes! (Score:2)
Polish Google security white hat Michal Zalewski
-What's your name?
-Zalewski
-Zalewski? Is that Polish?
-Yes.
-Are you trying to do some Polish humor?
-That's..
-SHUT UP!
-That's just my name..
-SHUT UP! I don't appreciate racial slurs! I think them dumb Pollacks have been ridiculed enough!
Fuzz stuff!! (Score:2)
Once again, it's clear that fuzzing is really useful for testing security. Not that it's a be-all/end-all, but people developing secure software should be using fuzzers. It's unfortunate that this fuzzer's "design can make it unexpectedly difficult to get clean, deterministic repro"; without deterministic repros, it's often really hard to find and fix the problem.
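The repro problem the comment raises is the usual one with randomized DOM fuzzers. As an added example (not cross_fuzz and not Zalewski's code), here is a seeded mutation generator with a delta-debugging reducer, run against a constructed toy model of a browser whose only "crash" is touching a node after it was removed; recording the PRNG seed is what turns a random crash into a deterministic repro.

```javascript
// Added example, not from cross_fuzz: deterministic DOM-op fuzzing with
// seed recording and ddmin reduction. The "browser" is a constructed toy.

// mulberry32: small seeded PRNG so the same seed always yields the same ops.
function mulberry32(seed) {
  let a = seed >>> 0;
  return function () {
    a = (a + 0x6D2B79F5) >>> 0;
    let t = a;
    t = Math.imul(t ^ (t >>> 15), t | 1);
    t ^= t + Math.imul(t ^ (t >>> 7), t | 61);
    return ((t ^ (t >>> 14)) >>> 0) / 4294967296;
  };
}

const TAGS = ['div', 'span', 'table', 'tr', 'td', 'form', 'input', 'a'];
const OPS = ['create', 'append', 'remove', 'setattr'];

// Generate n DOM-mutation operations deterministically from a seed. Node ids
// are small integers; ops may refer to ids that do not exist yet, which is
// the kind of garbage input a DOM fuzzer relies on.
function genOps(seed, n) {
  const rnd = mulberry32(seed);
  const pick = (arr) => arr[Math.floor(rnd() * arr.length)];
  const ops = [];
  for (let i = 0; i < n; i++) {
    const type = pick(OPS);
    const id = Math.floor(rnd() * 6);
    if (type === 'create') ops.push({ type, id, tag: pick(TAGS) });
    else if (type === 'append') ops.push({ type, id, parent: Math.floor(rnd() * 6) });
    else if (type === 'remove') ops.push({ type, id });
    else ops.push({ type, id, name: pick(['id', 'class', 'href']), value: String(Math.floor(rnd() * 1000)) });
  }
  return ops;
}

// Constructed stand-in for the browser under test: a toy DOM model whose
// "crash" is any reference to a node after it was removed (use-after-free
// style). This is not a real browser bug; it only gives the reducer a target.
function toyBrowserCrashes(ops) {
  const live = new Set();
  const dead = new Set();
  for (const op of ops) {
    if (op.type === 'create') { live.add(op.id); dead.delete(op.id); continue; }
    if (dead.has(op.id)) return true;                       // constructed "crash"
    if (op.type === 'append' && dead.has(op.parent)) return true;
    if (op.type === 'remove' && live.has(op.id)) { live.delete(op.id); dead.add(op.id); }
  }
  return false;
}

// ddmin-style reducer: drop chunks of the op list while the oracle still
// reports a crash, so the repro handed to the vendor is as short as possible.
function ddmin(ops, oracle) {
  let cur = ops.slice();
  let n = 2;
  while (cur.length >= 2) {
    const chunk = Math.ceil(cur.length / n);
    let reduced = false;
    for (let i = 0; i < cur.length; i += chunk) {
      const complement = cur.slice(0, i).concat(cur.slice(i + chunk));
      if (complement.length > 0 && oracle(complement)) {
        cur = complement; n = Math.max(n - 1, 2); reduced = true; break;
      }
    }
    if (!reduced) { if (n >= cur.length) break; n = Math.min(n * 2, cur.length); }
  }
  return cur;
}

// Fuzz loop: walk seeds in order; on a crash, record the seed plus the
// minimized op list. Replaying genOps(seed, n) reproduces the case exactly.
function fuzz(maxSeeds, opsPerCase) {
  for (let seed = 1; seed <= maxSeeds; seed++) {
    const ops = genOps(seed, opsPerCase);
    if (toyBrowserCrashes(ops)) return { seed, ops, repro: ddmin(ops, toyBrowserCrashes) };
  }
  return null;
}

const found = fuzz(500, 30);
if (found) console.log(`seed ${found.seed}: ${found.ops.length} ops reduced to`, JSON.stringify(found.repro));
```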
Re: (Score:2)
Had you read this link [blogspot.com] from the posting, you would have seen that it does. In fact, the last entry, for Opera, says the following:
Note that with Opera, the fuzzer needs to be restarted frequently.
Re: (Score:2)
They must pay a fortune in support costs if their IT folks can't look stuff up on blogs. Self-correcting in the end.
Re: (Score:2)
Each HTML document loaded into the browser window becomes a document object. Elements such as forms, images, anchors and links are all represented through DOM model.
While I've re-written plenty of html on the fly using this very model I've never stopped to see if the newly created points were accessible. I'm sure there are other techniques they are using or they could simply copy data in and out of an element vigorously.
This isn't too surprising since I have managed to crash browsers before and where there
Re: (Score:2)
Definitely can't blame him. Considering Microsoft's track record for investigating serious security concerns in its operating system and browser series, and the total number of people using these products across the world, he acted properly.
Re:Any release over a holiday is a dick move! (Score:4, Interesting)
According to this dude's timeline [coredump.cx], he contacted them on December 20th, and got a real reply the next day.
You fail to note that the contact in December was a reminder that he was releasing the tool. He sent them the original crash reports in July and then more detailed info in August. MS security researchers were apparently unable, unwilling, or just too lazy to do the work to replicate the bugs or contact Mr. Zalewski for the next four months until he reminded them twice more in December about the issues.
By December Mr. Zalewski was no longer willing to give MS extra time, not because he was looking for publicity, but because he had real indications that the exploits were already known to other parties and the situation had become one that needed immediate action on the part of users and sys admins to defend themselves pending a fix from MS. I have to disagree with you about him being a dick. He was very responsible on this one, even when dealing with a vendor that has an abysmal track record of making timely fixes for periods lasting years, right until there is public disclosure.