
Thread: How long before MS deals with these issues?

  1. #11
    Junior Member
    Join Date
    Feb 2004
    Posts
    12
    Shouldn't the scenario read

    1. MS finds an exploit (or bugtraq) but doesn't publish full information. And since they are the only ones with full information, the finer details are left out.

    2. Kiddies sit back and continue using old programs for older exploits out a few years ago (while MS come up with a new version of Windows)

    3. ???

    4. No one gets hurt because the finer points are removed from the scripties' accessible toolkit (and by the time they figure it out there is already a new version of Windows out for those customers who want to be "on the cutting edge" or "ahead of the security game")
    "If you know your enemy and know yourself; in a hundred battles, you will never be defeated. When you are ignorant of the enemy but know yourself, your chances of winning or losing are equal. If ignorant of both of your enemy and of yourself, you are sure to be defeated in every battle."

    -Sun Tzu

  2. #12
    The Doctor Und3ertak3r's Avatar
    Join Date
    Apr 2002
    Posts
    2,744
    To support PST's comments..

    The smaller the army that attacks the better defended.. less informed the attacking army the better armed..

    I am mixed about the announcement of M$ Bugs.. .. I like to know to help me defend.. But I don't want too many Blackhats knowing.. so as to reduce my potential for problems..


    cheers
    "Consumer technology now exceeds the average persons ability to comprehend how to use it..give up hope of them being able to understand how it works." - Me http://www.cybercrypt.co.nr

  3. #13
    Senior Member gore's Avatar
    Join Date
    Oct 2002
    Location
    Michigan
    Posts
    7,177
    Originally posted here by pooh sun tzu
    They learned this with their OOB on XP and 95. Don't disclose full information until a patch is ready, because it is *that* many less scripties trying to exploit a hole not yet fixed and fully understandable. Good conversation by the way. So while I agree with you on making it public information and releasing a patch, don't forget that MS won't release information until they release a patch. Good, Bad? Seems to be working, even if that means it is coming in slow
    Security by obscurity....Nice.

    Seems to be working?

    Not hardly.

    Last night on TechTV, I watched as they interviewed the guys that found the hole. He said it was the worst vulnerability he had ever seen to date with Microsoft.

    But then again, "This just makes Windows stronger because it is the most tested"

    ****ing Bill Gates. What does he know about software, he was the one who came up with the whole "Sharing is bad" Idea in the first place. Thus some good came of it when people were like "Alright, **** you too then" and made GNU. I hate Microsoft as a company. I can't stand them. Windows, that's ok, for a desktop. But I still think Bill is an ******* caring only about money, and trying to live down that reputation that most cheerleaders also have (Being easy)

    So, while everyone runs around trying to update Windows, and stick up for Microsoft, I will sit here, on my Slackware Linux box, and get some actual work and play done.


    Oh, almost forgot!


    Look at this:


    Within the last few weeks at our company we have been doing testing to
    find out total number of patched machines we have against the latest
    Messenger Service Vulnerability. After checking few thousand computers
    we have found several hundred were still affected even though patch has
    been applied. We have scanned with Retina, Foundstone and Qualys tools
    which they all showed as "VULNERABLE", however when we scanned with Microsoft
    Base Security Analyzer it showed as "NOT VULNERABLE". This was at first
    confusing; one would think an assessment tool released by the original
    vendor would actually be accurate. On the flipside it really didn't make
    sense to us why would three different commercial scanners show as vulnerable
    if they are truly patched. So we decided to do the ultimate test. We
    ran messenger service exploit against the machines that MS Base Analyzer
    showed as "Not Vulnerable" and 3rd party vulnerability scanners that
    showed as "Vulnerable". Results were as expected, machines were exploited
    and Microsoft Base Analyzer failed to detect the vulnerable machines
    properly.

    We have concluded that, although the patch was installed on these machines,
    the patch management script failed to reboot those few hundred systems,
    therefore these machines were vulnerable until the next successful reboot.
    After a successful reboot all 3rd party tools showed the machines as
    not vulnerable and the exploit tool did not successfully exploit the
    machines. 3rd Party tool assessments were accurate; the machines were
    truly vulnerable prior to reboot.

    Had we trusted Microsoft Base Analyzer we would still be vulnerable.


    To prove this, I have captured screen shots and converted them in pdf
    format for your viewing pleasure. The screenshots show the exact same scan
    conducted with Foundstone tool and MBSA.

    Screenshots: http://www.elusiveworld.com/scanshots.pdf


    I would love to see if there are any more like us out there who encountered
    this problem. If you had similar problems our recommendation to you is: do
    not fully depend on MBSA, since the tool is just as buggy as the company
    itself.

    Questions comments email me at dotsecure@hushamail.com
    or Aim: Evilkind.
    Nice to see how Microsoft also makes Windows seem more secure. ****ers.
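
The failure mode reported in the e-mail quoted in post #13 (patch installed, host never rebooted, an install-record check still says "not vulnerable") can be caught by comparing patch install time with last boot time. The sketch below is an added example, not part of any post in this thread; the inventory format, field names and hosts are constructed, and it assumes the patch only takes effect after a reboot, as that e-mail reports.

```python
import csv
import io
from datetime import datetime, timezone

# Constructed inventory (not real data): when the patch was installed and
# when each host last booted, both UTC ISO 8601. Empty field = not collected.
SAMPLE_INVENTORY = """host,patch_installed_utc,last_boot_utc
ws-001,2003-10-20T02:15:00,2003-10-20T02:40:00
ws-002,2003-10-20T02:17:00,2003-09-30T08:00:00
ws-003,,2003-10-01T07:30:00
ws-004,2003-10-20T02:20:00,
"""

def _parse(ts):
    """Return an aware UTC datetime, or None for an empty field."""
    return datetime.fromisoformat(ts).replace(tzinfo=timezone.utc) if ts else None

def classify(installed, booted):
    """Decide whether the patched code can actually be running."""
    if installed is None:
        return "MISSING"          # patch never installed
    if booted is None:
        return "UNKNOWN"          # no boot time: cannot confirm, treat as exposed
    if booted <= installed:
        return "PENDING_REBOOT"   # new files on disk, old code still loaded
    return "EFFECTIVE"            # host rebooted after the install

def audit(inventory_csv):
    """Map each host in the CSV to its effective patch state."""
    result = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        result[row["host"]] = classify(_parse(row["patch_installed_utc"]),
                                       _parse(row["last_boot_utc"]))
    return result

def needs_followup(states):
    """Hosts an install-record check would pass but that may still be exposed."""
    return sorted(h for h, s in states.items()
                  if s in ("PENDING_REBOOT", "UNKNOWN"))

if __name__ == "__main__":
    states = audit(SAMPLE_INVENTORY)
    for host, state in sorted(states.items()):
        print(f"{host}: {state}")
    print("reboot or re-verify:", ", ".join(needs_followup(states)))
```

Hosts flagged here still need a reboot and a re-scan; the comparison only narrows down where the install record and the running code can disagree.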

  4. #14
    I'm only going to respond to one part of your post gore, because the rest of it is trollbait and I simply won't bite.

    Security by obscurity... nice

    Security through means of obscurity is by all means a valid step towards security. By no means it is a singular solution, but that in conjunction with other security solutions is the only logical step. You can't set aside possible steps towards a more secure network just because of a coined phrase. If there is an extra step that will help, by all means use it, but not as a singular solution..

  5. #15
    Senior Member RoadClosed's Avatar
    Join Date
    Jun 2003
    Posts
    3,834
    Who's running around updating windows? It's a small patch, did my entire domain in about 3 keystrokes. ... Click Click Boom.

    Windows is infinitely more complicated than Linux, that's both parties' strong points. Linux is very popular because of GNU, without it there wouldn't be a platform to stand on with regards to its scale and popularity. I love em both.

  6. #16
    Senior Member
    Join Date
    Nov 2001
    Posts
    4,785
    Date Reported:
    September 10, 2003

    Vendor:
    Microsoft

    Description:
    A remotely-exploitable vulnerability that allows anonymous attackers to compromise default installations of the affected software and gain the highest possible level of access (SYSTEM).

    Severity:
    High

    Remote Code Execution:
    Yes

    Software Affected:
    This vulnerability affects core services in the operating system.

    Operating Systems Affected:
    Windows NT 4.0 (all versions)
    Windows 2000 (all versions)
    Windows XP (all versions)
    Windows Server 2003 (all versions)

    Estimated Number of Vulnerable Machines:
    300 Million

    Status:
    Patch in progress.


    On this we’re talking about 154 days since it's been reported. Well past the acceptable mark.

    It's out there. It exists.

    Now let us say you are the one who discovered it and that you’re extremely concerned about the security of the machines of others. I mean that’s your business. That’s what you get paid to do and you want to do it well. You're well aware there are many out there who are more concerned with finding things like this to satisfy a cult type herd instinct or are just plain criminals and are hard at work looking for the same things you are.

    Someone else will find it if they haven’t already. Real black-hats, the ones that make their living stealing info do not believe in full disclosure. It only closes doors that they have open to them. They are quite happy keeping it a secret.

    Windows is not open source so how do you write a patch for it?

    IMO your only recourse is to threaten to release it if they don’t fix it and you’d better follow through if you want to remain credible. Let's face it, MS is a corporation of the worst degree. If given an eternity that’s how long they’ll take.

    Full-disclosure is a tool to protect us.
    Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”

  7. #17
    rebmeM roineS enilnOitnA steve.milner's Avatar
    Join Date
    Jul 2003
    Posts
    1,021
    I think the point made here is that it shouldn't take M$ 6 (3) months to release a patch....

    I can understand the concern of M$ - release a quick fix to a major problem and then have to release the fix to the fix, and finally the fix to the fix to the fix :- This results in public ridicule - M$ must be cretins!

    When *nix does it no one complains since it's open source to start with and the developers aren't getting paid - So AFA *nix IC known vulnerabilities can be published quickly and patched quickly without the worry that people will say "Now you've released a patch to a patch" .....

    M$ have been slated, here at AO included, for this behaviour.

    People need to grow up enough to allow M$ (and others) to make mistakes while trying to serve the best interests of their customers.

    Then vulnerability information can be released as it is known, with the sure knowledge a patch will be quickly available. Even if that patch isn't perfect, because soon a patch to that patch will be released.

    All that is required is for everyone to stop ridiculing M$ for making mistakes, whilst trying to do the 'right thing'.

    Today for Fedora I've downloaded 12 new versions of parts of the system, all released in the last 48h.

    Why - dunno - It never made the news, because that's the way it is. If that had been M$ there would have been an outcry!

    Steve
    IT, e-commerce, Retail, Programme & Project Management, EPoS, Supply Chain and Logistic Services. Yorkshire. http://www.bigi.uk.com

  8. #18
    Senior Member
    Join Date
    Nov 2001
    Posts
    4,785
    Steve, if you think that keeping the fact that there are enormous holes in its security a secret serves the interests of the customers I'll have to disagree. As a customer “I” want to know if there’s a real danger that a professional hacker can break in here and clean us out. How many of us will look like **** to our bosses after telling them that "we are secure". We're up to date on all of our patches and as hardened as we can be. After I'm hacked do you think I'll be able to blame Microsoft?

    If they weren’t worried that they might lose some sales in the interim they would recommend some workarounds or areas to pay special attention to. Hell even tell me to take my servers off line or disconnect my network from the internet or continue on knowing the risk. But the key word here is “knowing”. They’ve put me out on a limb of a termite infested tree without telling me the dangers. While it's true there is always a chance of this happening “IF” a hole is discovered by someone. To not tell of a discovered hole to me is a bit criminal in itself.

    I don’t care about anyone else’s OS problems as much as my own. I'm working a Windows network which the company I work for paid and keeps on paying real big bucks for. It's my right to take offense at what MS is doing because they're doing it directly to me.

    If a PoC were released on this. We as security people would have a workaround in place before the skiddies found a shell code that will work with it and have somebody compile it for them.

  9. #19
    Macht Nicht Aus moxnix's Avatar
    Join Date
    May 2002
    Location
    Huson Mt.
    Posts
    1,752
    For the sake of this discussion, let's say I am a park ranger. My job is to keep the park safe from hazards to the public that use it.
    One day I find a pit on the edge of a large path that could injure someone if they were to fall into it. This pit is off to one side of the path that not many people would use, so I cover this pit with branches and leaves so that no one will see the pit and maliciously push someone else into it....until I can find time to come back out and fill this pit in. Just call me 'Microsoft'.
    "Life should NOT be a journey to the grave with the intention of arriving safely in an attractive and well preserved body, but rather to skid in sideways, Champagne in one hand - strawberries in the other, body thoroughly used up, totally worn out and screaming WOO HOO - What a Ride!"
    Author Unknown

  10. #20
    Monix, I feel that doesn't apply at all for this situation in particular. You see, while the pit already has a preset method of fixing it for repairs (filling it up, etc), they can begin repairs immediately. Whereas MS has to actually research the exploit and then fix it on unknown methods.

    However, the larger point I am trying to make is, I don't see people purposely going running and jumping into the pit to get the park ranger fired, whereas I do see scripties jumping into the no-solution-yet pit and getting the admins in deep ****.
