Kuro5hin.org: technology and culture, from the trenches

Microsoft Butting Heads with Bug Busters

By Miniluv in News
Sun Jan 21, 2001 at 01:42:14 AM EST
Tags: Security

Microsoft is publicly butting heads with a Bulgarian software security "expert" about his short disclosure deadlines regarding vulnerabilities in their software. This story at Security Focus discusses the stormy relationship between Microsoft and Georgi Guninski.


The current brouhaha is regarding a vulnerability in the skinnability feature of Media Player 7. Georgi Guninski notified Microsoft of the bug on January 11 and went public just 2 business days later via BugTraq.

This isn't the first time the vendor and freelancer have butted heads. In fact, the community has, at times, criticized Guninski for this very issue. Michael Aldridge, a lead product manager at Microsoft, was quoted as saying, "It is simply not possible for any vendor -- even Microsoft -- to develop a high-quality patch in only a few days. Our focus is making sure we deliver a complete patch and that does take time and testing." Certainly he has a point with a statement like that, and it's not in dispute that the community is best served by complete and timely patches.

BugTraq is probably the premier location for security professionals and crackers alike to share information about vulnerabilities in products and techniques. Back in November of 2000 there was a short but fiery debate centering around yet another of Georgi's disclosures and the growing trend of narrowing notification windows. That thread highlights some of the issues surrounding short notification windows and their potential harm, and singles out one individual in particular whom some feel is targeting Microsoft, and Internet Explorer in particular, as a way of garnering favor for his employer, rival Netscape Communications.

Georgi Guninski has always claimed, and continues to claim, that he does his best to work with Microsoft when a vulnerability is discovered, and also claims they have an outstanding report from him since July 2000 which has still not been patched. "I totally do not agree with Microsoft's speculations that I am the problem for their buggy software. In my opinion they do not care about the security of their customers as they claim, they care about their image in the press," says Mr. Guninski.


Poll
How long should you give a vendor?
o 1 day 13%
o 1 week 54%
o However long they ask for 2%
o My sources say...not likely 9%
o What is the airspeed velocity of an unladen swallow? 20%

Votes: 96


Microsoft Butting Heads with Bug Busters | 17 comments (10 topical, 7 editorial, 0 hidden)
Poll (4.00 / 3) (#1)
by enterfornone on Sat Jan 20, 2001 at 07:27:24 PM EST

I said a day, but I don't see why they shouldn't go public at the same time they tell the vendor. Crackers aren't going to wait around for MS to develop a patch; if there is a vulnerability I want to know about it now so I can choose to not use that application, or leave it up and wait for the patch.

If Guninski knows about the vulnerability, who's to say that someone who is less honest doesn't know about it too? At least if it's out in the open everyone is working with the same information.

--
efn 26/m/syd
Will sponsor new accounts for porn.
Re:Poll (4.00 / 1) (#5)
by UrLord on Sat Jan 20, 2001 at 08:22:47 PM EST

This may sound like security through obscurity, but just because one person has this doesn't mean anyone else does. There should be a time before the vulnerability is made public to give those vendors a chance to patch the application, because 0-day exploits aren't all that common and not always easy to find. If there is no patch being made, the information on bugtraq can be used to create an exploit.

Ok, maybe for more widely used daemons and the like there should be less time between sending the information to the vendor and then to bugtraq, but there should be some time. If the vendor is doing what they should be doing, a patch shouldn't take too long. I believe the last local root exploit in OpenBSD took less than 24 hours to release. So a BIND or apache vulnerability should be 24-48 hours, and with something trivial like M$ media player the information can wait a little while longer.

If this sounds like rambling sorry, keep getting distracted by work...

We can't change society in a day, we have to change ourselves first from the inside out.
[ Parent ]

He is justified. (4.00 / 8) (#10)
by Signal 11 on Sun Jan 21, 2001 at 01:46:33 AM EST

He's justified for stinging Microsoft. This is the same corporation that supported the DMCA to try to censor public disclosures of vulnerabilities via click-wrap licensing, and then later cut off distribution of their own internal vulnerability disclosures from BugTraq and every other list - citing copyright, and side-stepping fair use provisions by invoking the DMCA.

Microsoft deserves every bit of scorn it gets from the security community - they're not interested in fixing bugs, they're interested in saving ass. As a customer, if you don't take the responsibility for being up front about your product's shortcomings, I both welcome and encourage people like Georgi giving me this information promptly - "rules of engagement" be damned.

When my ass is on the line because I use Microsoft products, and Microsoft isn't responsible in its dealings with people who identify and report these kinds of problems, I'm going to do two things: Try to limit my use of Microsoft products as much as possible, and locate alternative sources of information outside of Microsoft to keep my system secure and up to date.

Support Georgi - Microsoft has shafted the community too many times after they (we?) have offered the symbolic olive branch. All bets are off now.


--
Society needs therapy. It's having
trouble accepting itself.

Show the times... (3.66 / 6) (#12)
by Miniluv on Sun Jan 21, 2001 at 03:49:10 AM EST

Show me examples of when Microsoft has refused to respond within a reasonable time period with a patch. Most Microsoft vulnerabilities are patched within 5 business days, and I would consider that a pretty good turnaround.

Nobody is perfect when it comes to security. I can think of a patch Sun took almost 5 months to release, and it was against a library that allowed all kinds of local root exploits. I'm sure if we combed bugtraq there'd be plenty more where that came from.

I tried not to editorialize too much in the story, but frankly I'm against people going public straight from ground zero. Doing that gains nobody anything except perhaps the malicious crackers who're seeking out zero day exploits. Giving MS 5 days to respond can only benefit everybody if there's a patch up on their site from day 0 of exploit release.

For a great summation of my views on full disclosure, read the RFPolicy and Bruce Schneier's essay in the Security Focus guest feature area entitled "Closing the Window of Exposure: Reflections on the Future of Security". I'd link to that but SecFocus is really hard to deep link into for those essays; it may also be up at Counterpane Systems.

"It's like someone opened my mouth and stuck a fistful of herbs in it." - Tamio Kageyama, Iron Chef 'Battle Eggplant'
[ Parent ]

RE: Show the times... (none / 0) (#14)
by Signal 11 on Sun Jan 21, 2001 at 12:35:54 PM EST

I can't dig up any information right now - it would take a few hours to grep through the bugtraq archives to find enough relevant information to prove my point. It's difficult to quantify reputation.

~ Signal 11


--
Society needs therapy. It's having
trouble accepting itself.
[ Parent ]

Microsoft's reputation (5.00 / 2) (#16)
by roystgnr on Sun Jan 21, 2001 at 04:00:27 PM EST

> Show me examples of when Microsoft has refused to respond within a reasonable time period with a patch. Most Microsoft vulnerabilities are patched within 5 business days, and I would consider that a pretty good turnaround.

I agree that their recent behavior has been good, but they have earned their bad reputation. Check out the string of TCP, UDP and IP denial of service bugs (ping of death, teardrop, syndrop, newtear, etc.) in their networking stack in 1997/98. Most of the exploits for these affected a bunch of different operating systems, but the response time difference was drastic. Alan Cox got one kernel patch out within literally hours (and the fix corrected not only the first of the bugs but nearly all the later ones), whereas by the time Microsoft had one bug fixed, exploits for the next would have been out for weeks. There was a period of time literally months long where you could remotely crash (or kill the network stack of, or render grossly unstable, depending on the bug) any Windows computer on the internet.

[ Parent ]

True (3.66 / 3) (#17)
by Miniluv on Sun Jan 21, 2001 at 09:28:15 PM EST

They did have a period of time when they were doing several things wrong. First of all, they refused to acknowledge bugs until they had large customers screaming about the results of the bugs. Second, they took their time issuing patches instead of rushing things out the door. And finally, they failed to keep people up to date on what the status was on various issues.

You must also say that in the past 2 years, since those incidents created a firestorm of bad press about MS and security, they have done a lot to clean up their act. Patches are released in a fairly timely fashion these days, and security bulletins are easy to find and read on their website.

No vendor is 100% perfect, and MS is better than some, worse than others, but they are trying these days. I don't see how it's productive to hold a few incidents against them, despite their best efforts to improve. It might make a name for a person in the security world, but is that the sort of name a person should want to have?

"It's like someone opened my mouth and stuck a fistful of herbs in it." - Tamio Kageyama, Iron Chef 'Battle Eggplant'
[ Parent ]

I'm not entirely comfortable with this. (none / 0) (#13)
by hjones on Sun Jan 21, 2001 at 11:54:10 AM EST

I really think Georgi should have given them at least a week, just to be fair. If Microsoft is really that lax, then they wouldn't have had it fixed in a week. In which case he could have published then, and been entirely above reproach. As it is, he's given Microsoft ammunition needlessly.
"Nietzsche is dead, but given the way of men, there may still be caves for thousands of years in which his shadow will be shown. And we -- we small-minded weaklings, we still have to vanquish his shadow too." - The Antinietzsche
[ Parent ]
Finding bugs (3.00 / 2) (#11)
by dvNull on Sun Jan 21, 2001 at 02:44:35 AM EST

Well, I have discussed with other people whether publishing bugs before patches are available compromises, or at least enables others to compromise, security because of those bugs.

Sure, more people know about the vulnerability, so more people are going to try to exploit it, but many others will be aware of it.

If it is kept in the dark because the big corp doesn't want to fix it immediately and doesn't release any info on how to counter this bug till there is a patch available, then some of the people who want to exploit it will most likely find out about it, and the regular user will still be in the dark.

Just my $0.02


If you can see this, then the .sig fell off.
Microsoft at it _again_. (3.40 / 5) (#15)
by arcade on Sun Jan 21, 2001 at 01:34:23 PM EST

This is, as the article states, not the first time Guninski and Microsoft are butting heads. It happens every two months. Microsoft fails to realize that even though Georgi isn't cooperating as much as they want, he is still doing them a favour. They can scream and shout as much as they want. He has discovered a bug, and should be commended for it.

The facts:
- Georgi found a bug
- Georgi reported the bug
- Two days later, he reported it to the public.

Further facts:
- Finding bugs causes more secure software.
- More secure software is a Good Thing.

Thus, Georgi has done a Good Thing.

Microsoft can scream as much as they want about him putting their customers at risk. At the end of the day, he has made their customers' systems _more secure_.



--
arcade