An open letter to the Security Community:

On December 12, 2004, in Rants, by

Stop surfing, browsing and using any sort of Internet viewing software.

Seriously.  Right now there are several unpatched browser vulnerabilities and one “blast through the POPup blocker”.  The sky is definitely falling.


And why do we have these unpatched vulnerabilities that are being discussed in detail with no patches?  Because someone believes that it’s more responsible to disclose it to the community of folks that then turn it into worms and what not than to responsibly disclose to the vendor and WAIT for an appropriate time for us to test and apply patches.



  • Nicolas Waisman disclosed a paper on a WINS vulnerability – patch is not yet released
  • eEye, while stating on their web site that they practice “responsible disclosure”, have released technical details about a vulnerability the same day as the patch is released [approximately 12 hours last time] with usually enough technical details to begin the clock ticking.
  • http-equiv-at-excite.com has regularly disclosed before allowing for a patch.
  • Liu Die Yu, in reading his essay on the Microsoft Security Response Center titled “Die slowly this time MSRC explained”, apparently believes that going after the MSRC with verbal abuse is the noble thing to do.

These are just a few of the examples of businesses and individuals that make us more IN-secure out here.


I can hear you now say of the Evil Empire, “well if they’d only write better code”.  Wake up folks.  In the book Practical Cryptography the authors state that bridge builders have a finite set of threats to deal with.  Gravity, water, weather.  Software coders have an infinite number of threats, including, but not limited to, all of us pesky end users still running as local administrator around here.  [And while some say that it’s hard to run in user mode, I would argue that for the vast majority, if it were not for the insecure requirements of the applications we are running, we COULD run in user mode most of the time, as many of us have no need to install software on a recurring basis]


I’m tired of my security, my patching, being influenced by someone not even willing to use their real name. 


I’m tired of security firms that don’t sell products in the small business server space that say they are holding Microsoft responsible when all they do is end up hurting my community.


Patches hurt me in my community in two ways.


Firstly, they hurt me when I don’t know about them, when all I do is go to Windows Update and that’s not enough to fully protect me.  [Granted, these days on the Internet, most “gunk” traveling the wire is tuned for XP and 2k, and thus even when USAToday stuck us out there with only a strong password to protect us and NetBIOS ports exposed, we stayed up].


Secondly, they hurt me when I apply them and they do harm.  Granted, this is happening less often, but there are still the rare times that they cause issues.  Rare is one time too many for me.


I’m sure there are folks that will tell me I’m kidding myself that the exploit is only coded “after” the patch comes out, that is, it’s already been out in the exploit community and the mere release of the patch alone gives the folks out there the opportunity to reverse engineer an exploit.


But folks you are missing something.  Down here, my community is not specifically targeted.  We’re road kill.  We get hit with the worms, the blasters, slammers.  We don’t get hit with the specifically targeted attacks.  Ryan and Kevin stuck us out there to get hit by a MACK truck.  They weren’t specifically hacking us.


So to those folks that think you are being noble, that you are holding Microsoft responsible, that you are making sure they do secure coding?  You hurt me and my community more.


Remember that we don’t buy your products.


We don’t know who you are down here if you are seeking fame.


We just get affected by what you do.


Remember that.  You hurt us most.


For the record, Opera is patched, Firefox has a workaround, but I’ll stick with IE because I can group policy it and I have not heard of these actually being exploited…. yet.


12 Responses to An open letter to the Security Community:

  1. Tony Su says:

    Well Susan,

    I could almost agree with you, but there’s plenty of blame to spread around.

    You’re aware of a recent blowup involving me on a List involving a Security Issue which I had periodically submitted to Microsoft for over 3 years without any kind of response or acknowledgement that someone would look at it or that something would be done.

    Just silence. For 3 years. And, probably for the very reason the blowup on the List happened, because very knowledgeable people in their minds felt it was an impossibility and didn’t have the imagination to believe the impossible was possible.

    I can also point out that it may be a matter of opinion how serious vulnerabilities are when they exist. A pet example I feel stands out is the possible Man in the Middle attack on a standard TS session. It’s highly unlikely. It’s extremely difficult to pull off. The circumstances for an attack to be successful shouldn’t exist. But, it’s only highly improbable and not anywhere close to impossible. And, it should not be overlooked that the consequence is <full system compromise>. And this all makes it a stretch how Microsoft officially classifies this vulnerability, as "Medium."

    Personally, I feel that anything that means total system compromise, no matter if the attack is difficult, has to rate higher than "Medium." I also don’t like the fact that I have not seen Microsoft recommend how it’s possible to configure to address this issue; MS just acknowledges the issue and leaves it at that.

    I feel comfortable discussing this latter issue publicly in some detail because it’s been discussed publicly aplenty already and it’s no mystery but I won’t detail the other because I don’t think it has been discussed as much publicly yet.

    As for Microsoft’s responsibility, I won’t give MS as quick a pass as you might but I do temper criticism because IMO it’s important to balance "What the Consumer Wants" because if nothing else MS is doing exactly that… delivering a product based on Marketplace Consumer demand for a wide array of functionality a non-technical User can manipulate for a certain price. When the Marketplace changes, demands better security and either pricing, competition or regulation changes, then MS will have to adjust or face the consequences.

    There is no doubt that if the architecture was fundamentally sound we would see fewer problems and for that reason like many other analysts I eagerly await Longhorn and fuller integration of dotNET, leaving behind COM and its issues.

    I frankly also disagree that a multitude of threats is an excuse for being a perpetual victim, and I hope that Longhorn will deliver on its promise in better internal validation of processes and data, modularization and decreasing the attack surface to something manageable. Surrendering to failure is simply lack of imagination and poor design and should not be acceptable.

    IMO, but that’s just me.

    Tony

  2. Susan says:

    Tony, I’m assuming you are referring to the issue where you claimed that the default install of SBS caused it to be a mail relayer? You and I know that this was not then nor is it now a security issue.

    Your claims that the standard way that SBS was set up was a relayer just was not of merit.

    During those three years you could have submitted your findings to secure@microsoft.com at any time if you felt that it was not getting the attention it should have, but you did not.

    Even now you recommend a methodology to server publish Exchange that is highly dangerous, unsupported and untested.

    We regularly question Microsoft on their rankings on the bulletins and as they say they give a "consensus" view. There are times I personally rank something higher than they do because of my network.

    Again, if you disagree with the bulletin information, the email address of secure@microsoft.com is the place to communicate.

  3. This is a thorny issue that has been discussed for more years than I have been alive (I think). Whatever view you take, the unfortunate reality is that it won’t stop. Education may mitigate some of it, but there are some benefits to disclosure, for example, nessus, snort, oval and virus signatures, which on some occasions (not enough) provide the temporary barrier required to roll out the patch. I do think Tony has a point about core architecture however. I don’t want to start an OS war, but have a look at the number of vulnerabilities and patches for FreeBSD and Debian stable. Then have a look at their excellent patching systems (ports and apt for example). Makes one think.

  4. Susan says:

    But put together a Windows kind of OpenBSD that has features over security and you get….. Windows and you are patching.

    As even Dr. J has said, the most secure system [beside the server encased in concrete at the bottom of a trench] is OpenBSD with a command line.

    Course I’d be sitting in front of it going… okay nice…but where’s the GUI and the wizards folks!

    🙂

  5. Susan says:

    …and until we get the corporations to kill off NT and 9x… we’re stuck with architecture that’s 10 years old.

  6. Oh I also forgot to mention the obligatory:

    1) The release of an exploit often encourages people to patch. (hmmm)

    2) An exploit is usually easily reverse engineered from the patch.

  7. Susan says:

    1) The release of an exploit often encourages people to patch. (hmmm)

    I would argue that the community is getting better on this

    2) An exploit is usually easily reverse engineered from the patch.

    True, and I acknowledged that. But there is no need for folks like eEye.com to publish such DETAILED disclosure statements to effectively give the map, the keys to the MACK truck and make sure the tank is filled to the brim with diesel before sending the community on its way.

  8. Matt Gibson says:

    The one point that you seem to keep making, and I totally disagree with is the "Down here, my community is not specifically targeted. We’re road kill." Hardly ANYONE gets specifically targeted. When I can just point a vulnerability scanner at a class B network, and come back with all the machines that will be "hackable", there’s no need to target specific businesses. And think of how many small law firms are running SBS. Just because you think your network is below the radar, doesn’t mean all SBS networks are.

  9. Susan says:

    Keep in mind that when "I" define targeted, I mean that Dr. J [aka Jesper Johansson] is not sitting on the other side of my RJ45 connection specifically doing pen testing on my SBS box. That’s being targeted.

    I define "targeted" like the big guys.. Ford, Microsoft, Gap, The Whitehouse.gov web site, military. That’s targeted. We’re hit along with others, the Code Red/Nimda/Blaster attacks, the SMTP auth attacks, but I would argue we’re "bot-ed" down here; we don’t have one human being on the other side of our RJ45 thinking to themselves "hmmmm…..I’m going to hack into that SBS box".

  10. Jim Harrison says:

    The facts of Tony’s 3-yr-old complaint are as follows:

    No less than three teams (MSRC, SBS and ISA) have examined Tony’s claims multiple times over the last three years.

    Each time he made formal notice as opposed to posting in a newsgroup or other public forum, it was taken seriously and examined in the context of the issue as described.

    Fortunately for the SBS / ISA users, no actual vulnerability was either demonstrated or found. Had there been any such vulnerability, it would have been addressed in accordance with Microsoft Security directives.

    Since no vulnerability was demonstrated then or since, no response from Microsoft is to be reasonably expected.

    HTH,

    Jim

  11. Rick Magill says:

    As someone who has worked in this industry for (close to) 30 years and who is charged with the IT operations for a midsize organization I have to say I disagree totally with you. Your attitude amounts to ignorance is bliss and does your clients an absolute disservice.

    If you are that tired and annoyed with having to deal with these issues, perhaps it’s time for a career change.

    (Man, I need new glasses… I can’t pick out your verification image at all… at least not yet)

  12. Tony Su says:

    At the risk of throwing more fuel on the fire of this thread, it should be noted that all parties to evaluation of exploits be aware of the perspective and position of all other parties…

    – Some parties only want assurance that they are secure. They don’t want to know the details, they only want to be assured that when they deploy it won’t be compromised.

    – Some parties wish to know when they are not secure. They might assume that no single Vendor can provide a complete Security solution so they might want to know details so that they can fill in the gaps current solutions may not address.

    – Some parties believe the standard at which a vulnerability should be addressed is if it can be described theoretically in detail. This description must be based on known, provable methods and describe how an exploit can be constructed even if a working example is not created. Note though that without a working example this leaves the analysis open to criticism.

    – Some parties believe the standard at which a vulnerability should be addressed is if a working example can be created. This is certainly proof positive, but is akin to locking the barn door after the animals have escaped. By the time this stage is attained, it should be assumed that <many> people across the world have done the same thing whether the vulnerability or exploit is publicized or not, because all the ingredients for the exploit will be widely known and discussed by then. In other words, if this is the standard it should be assumed that a very large number of computers have been compromised by the time a patch is released, although the true number may never be made public.

    Security is never an easy topic to discuss, whether you’re talking about computing security or Homeland Defense security, and it is even fundamental to the argument whether Open Source or Closed Source is more secure. There is probably no simple answer as to what standard should be set in any situation which protects the interests of all, or even whether that is possible at all and only compromises are possible.

    Then, it should be noted that it is never in the interest of any Vendor to say their products are not secure, so it is proper business to set policies and standards which are reasonable to the business evaluating security which make good business sense… but note that the self-interest of the vendor may not always be completely consistent with the interests of any other party.

    I want to close by emphasizing that I’m not criticizing any Vendor at all but am pointing out that every person or party must determine for itself/himself what they need to do to feel comfortable about security.

    Tony