Microsoft: Watch out for rogue code

[SDK]

Microsoft has urged customers to apply its latest security patches, after several companies published "proof of concept" attacks that exploit the flaws that the updates fix.

In a notice posted to its Web site late Thursday, the software giant highlighted proof-of-concept documentation, or sample software code to illustrate how a flaw might be used to attack a system, from two security software makers: Finjan Software and Core Security Technologies.

While Microsoft said it backs the disclosure of vulnerabilities and proof-of-concept code, a common practice in the IT security industry, it criticized the companies for publishing their test code mere hours after security patches had been released for the reported flaws.

"Microsoft will continue to support and advocate responsible disclosure, because we find it to be a vital tool to effectively identify and remedy security issues," the company said in its notice. "Microsoft is concerned that the publishing of proof-of-concept code within hours of the security updates being made available has put customers at increased risk."

Shortly after some of Core's proof-of-concept work was aired, an individual modified some of the code to create an actual threat, Microsoft said. The malicious code could expose computer users who have not yet installed its updates to attack, it said.

The software maker rapped Finjan, which reported a critical issue in Office XP, for posting its proof-of-concept code on the same day Microsoft issued a security bulletin to resolve the issue.

It said Core, which reported a critical issue in the PNG (portable network graphics) processing technology present in Microsoft Windows and MSN Messenger, also published proof-of-concept code on the Web the same day an advisory was released to address the problem.

The Redmond, Wash.-based software giant believes that the two security companies ignored an unspoken law among researchers to wait "a reasonable period of time," before publishing their work. Microsoft said those generally accepted industry practices give its customers more time to test, download and deploy necessary security updates.

Neither Finjan nor Core immediately responded to calls seeking comment on the Microsoft announcement. However, in a previous interview with CNET News.com, Finjan CEO Shlomo Touboul defended his company's practices around reporting Microsoft's vulnerabilities.

"People need to know that they have to be careful--and without education, people won't be careful," Touboul said. "I wouldn't say we are scaring people. I don't believe in panic, but in very calculated behavior."

Source : http://news.zdnet.com/2100-1009_22-5573195.html
Link : http://www.microsoft.com/security/incident/im_info.mspx

That was quick. I'm a fan of full discosure but releasing a proof-of-concept code is not a good idea at all. It's just running after trouble for a bit of publicity.

[Jonesy69]

I tend to see it the other way around. If there is proof of concept floating around for a fully disclosed vulnerability it puts everybody on the hot-seat to fix it. However you look at it they should wait at the very least a week or so from the patch to the release of the code. Releasing it on the same day is cutting it a little close. But then again, were back to the getting put on the spot argument. I'm gonna stop now, I thought I could formulate my thoughts into a really well put statement but...

/me's drunken

[jinxy]

That was quick. I'm a fan of full discosure but releasing a proof-of-concept code is not a good idea at all. It's just running after trouble for a bit of publicity.

Some times the only way to get a patch released is to publish a proof of concept.

Having said that, personaly, I do not believe in full disclosure. At least to the whole world. Although I do believe in the nead to know..........................Unless there is a clear and present threat. Then it would seem to me, to be every one for there self.

[TheSpecialist]

That was quick. I'm a fan of full discosure but releasing a proof-of-concept code is not a good idea at all. It's just running after trouble for a bit of publicity.

Oh my god! Proof of concept code! How dare they! They should have tested it more to make it easier for me to use! What? Huh? Did someone mention publicity while posting it all over and bitching about it? Awsome! Now that makes sense.

[SDK]

Originally posted here by Jonesy69
I tend to see it the other way around. If there is proof of concept floating around for a fully disclosed vulnerability it puts everybody on the hot-seat to fix it. However you look at it they should wait at the very least a week or so from the patch to the release of the code. Releasing it on the same day is cutting it a little close. But then again, were back to the getting put on the spot argument. I'm gonna stop now, I thought I could formulate my thoughts into a really well put statement but...

/me's drunken

That it. You put everyone on the hot-seat for a bit more publicity because you get more publicity pushing the code the day M$ release the patch that a week after. Security is now more marketing that anything to me..

[nihil]

I can see Simon's point, in that the code was published too soon.

I certainly wouldn't like to roll out a fix to 12,000 desktops without testing it on a few "reference boxes" first. You could be looking a several days there?

On the other hand, there have been a number of cases of MS issuing a fix, and people reverse engineering it to attack unpatched machines. So all this has really done is made exploit generation somewhat easier for the less talented? I suspect that those with the neccessary skillset probably wouldn't want to use someone else's concepts anyway, due to their peculiar (perverted) pride?

From my reading of the article it seems clear that the patch was issued FIRST. What I personally object to is people issuing POCs without giving the software provider adequate opportunity to investigate and address the issue. CERT seem to have a 28-day rule I believe?

just my £0.02

[dmorgan]

I think that you SHOULD wait a reasonable period of time to release a POC. This just gives skiddies a zero day exploit. And that is more of a threat than giving the select few who know what they are doing a POC. I gotta admit it, I agree with MS on this one. If you're gonna publish a 'responsable' vulnerability, then do it responsably, give MS a time to make a patch

[zencoder]

I tend to agree with both nihil and dmorgan on the apparent lack of professional courtesy, but Imma play Devil's Advocate on this one.

WHEN did Core really notify Microsoft of the vulnerability? WHAT was Microsoft's initial response and handling of the notification? I know from experience that F-Secure has been one of the better companies about keeping these alerts under wraps until the Vendor can work out a solution. There was a Java 2 SE problem announced in December or early January a few weeks (probably 4 or so) after an updated version had been released by Sun. The announcement indicated that F-Secure had identified the problem and notified Sun almost a year previously.

But what is a security company to do when a vendor expresses disinterest or doesn't agree with the information? What sort of rules or accepted 'code of behavior' applies in this case?

I mean, Microsoft would never arrogantly disagree with anyone regarding potential threats to their software, but other software companies might!

I'd be curious to see a complete timeline of events, including detection, notification, acknowledgement, and 'action to resolve' by all parties involved.

[jinxy]

Finjan Software and Core Security Technologies.

Who the hell are they......?

Ironic and sceptical grin on >jinxy's face.

They looking for recognition and acceptance within the security field?

[TheSpecialist]

A good question right now is, what do any of you *******s know about handeling things like a professional or skill-set for that matter. I mean you've got dmorgan over here yelling "zero-day" right after reading an article about it.

They looking for recognition and acceptance within the security field?

And who the **** are you and what the **** have you ever done, dumbass? You, me, & AO as a whole.... the words no one & nothing comes to mind.