Geekable.com

Microsoft proves responsible disclosure doesn't work

2010-07-21T08:42:07Z

I find that when I try to discuss "responsible disclosure" with otherwise rational people, they get defensive and claim I'm "imputing motives". So let's show how the inventors of "responsible disclosure" have proven that it doesn't work, without resorting to name-calling or motive-imputing.

We're going to use the method of modus tollens. If you can't handle that, then you should probably stop reading right now.

Microsoft is the pioneer of "responsible disclosure", and they lay out how it works here:

The responsibility for Microsoft's products rests with Microsoft alone, and we take that responsibility very seriously. However, there has traditionally been an unwritten rule among security professionals that the discoverer of a security vulnerability has an obligation to give the vendor an opportunity to correct the vulnerability before publicly disclosing it.
This serves everyone's best interests, by ensuring that customers receive comprehensive, high-quality updates for security vulnerabilities but are not exposed to malicious users while the update is being developed. After customers are protected, public discussion of the vulnerability is entirely in order, and helps the industry at large improve its products.

Microsoft is asserting that "responsible disclosure" is P->Q, where P = "the discoverer of a security vulnerability has an obligation to give the vendor an opportunity to correct the vulnerability before publicly disclosing it" and Q = "customers receive comprehensive, high-quality updates for security vulnerabilities but are not exposed to malicious users while the update is being developed".

We can easily demonstrate ~Q. Here are a couple of examples:

January 21, 2010, 3:40PM
Microsoft today admitted it knew of the Internet Explorer flaw used in the attacks against Google and Adobe since September last year.
The flaw was in the Microsoft Security Response Center's (MSRC) queue to be fixed in the the next batch of patches due in February but the targeted zero-day attacks against U.S. companies forced the company to release an emergency, out-of-band IE update. The IE update applies to all versions of the browser on all Windows OS versions and patches at least eight documented vulnerabilities that could lead to remote code execution attacks.
The patches are included in the critical MS10-002 bulletin.
The vulnerability used in the attacks (CVE-2010-0249) was privately reported to Microsoft last August by Meron Sellen, a white-hat hacker at BugSec, an Israeli security research company. Microsoft program manager Jerry Bryant said the company confirmed the severity of the flaw in September and planned to ship a fix in a cumulative IE update next month.

(Source: Microsoft Knew of IE Zero-Day Flaw Since September)

When this security bulletin was issued, had this vulnerability been publicly disclosed?
Yes. This vulnerability has been publicly disclosed. It has been assigned Common Vulnerability and Exposure number CVE-2010-0249.
When this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited?
Yes. Microsoft is aware of limited attacks attempting to exploit the vulnerability.

(Source: Microsoft Security Bulletin MS10-002)

When this security bulletin was issued, had this vulnerability been publicly disclosed?
While the original report was reported privately to Microsoft, the vulnerability [CVE-2010-0806] was later disclosed publicly by a separate party.
When this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited?
Yes. Microsoft is aware of attacks attempting to exploit the vulnerability.

(Source: Microsoft Security Bulletin MS10-018)

So we have two separate examples of ~Q from 2010 alone!

Thus, using modus tollens, and claims and evidence solely from Microsoft, we can demonstrate that ~P, or in other words, the discoverer of a security vulnerability does not have an obligation to give the vendor an opportunity to correct the vulnerability before publicly disclosing it.

Sadly, even Google, who is rather forward-thinking in terms of its policies for dealing with third-party security researchers, can't even come to accept ~P, and instead is trying to fix responsible disclosure. Good luck with that.

I gots my magic underpants

2009-09-06T02:08:52Z

John Gruber, as well as a good friend, have challenged my claim that 10.0.23.1 is known to be vulnerable. It's true, I don't have definitive evidence of this claim. (If someone would give me a valid Secunia login, or buy me a copy of Immunity Canvas or Core Impact, I could clear things up a lot faster.)

But we can infer quite a bit from a timeline of known events:

August 25, 2008 -- Adobe is notified of the bug known as CVE-2009-1864, which will eventually be patched in 10.0.32.18.
February 24, 2009 -- Flash Player 10.0.22.87 released.
April 9, 2009 -- Adobe is notified of the bug known as CVE-2009-1868, which will eventually be patched in 10.0.32.18.
May 4, 2009 -- The special Snow Leopard build of Flash Player 10.0.23.1 is built. (Source: creation date of the plugin on 10.6.0)
May 11, 2009 -- Adobe tells the discoverer of CVE-2009-1864 that they expect the bug to be fixed in an August release.
May 22, 2009 -- Flash Player 10.0.23.1 is codesigned. (Source: creation date of the code signature)
July 22, 2009 -- Adobe released an "oh shit the sky is falling" advisory that says that a bug by the name of CVE-2009-1862 is being exploited in-the-wild on Windows.
July 23, 2009 -- Adobe locks down information about this bug in their bug tracker. Apparently Adobe knew about this bug before, but didn't classify it as a security bug until it was a security disaster out in-the-wild.
July 30, 2009 -- Adobe releases an out-of-band patch for Flash Player due to the severity of the 0-day threat. This patch, 10.0.32.18, also resolves 8 other multi-platform vulnerabilities, and three Windows-specific vulnerabilities.
July 31, 2009 -- Apple builds Darwin 10.0.0, the kernel inside Mac OS X Snow Leopard 10.6.0, internal version number 10A432. (Source: uname -a)
Early August 2009 -- Apple designates 10A432 the "golden master" version that will ship on the retail discs.
August 12, 2009 -- Apple starts seeding 10A432 to developers.
August 28, 2009 -- Snow Leopard is available to the general public.

If you read that timeline and immediately conclude, "10.0.23.1 is clearly as secure as 10.0.32.18", then my response is:

Put your Spongebob Squarepants underroos on and go back to bed, and don't worry, because nothing in the big bad world is going to harm you.

The more mature way to read this is "Apple screwed up".

Don't call it a comeback

2009-09-05T04:52:14Z

John Gruber's latest piece of Apple apologetics concerns the fact that Apple shipped a known-vulnerable version of Adobe Flash Player on the Snow Leopard DVD. He has the gall to ask those of us who consider this a bad thing,

But what exactly should Apple have done differently?

Gruber apparently considers the possibility of postponing the release of Snow Leopard in order to coordinate with Adobe to be unreasonable. If postponing Snow Leopard is out-of-bounds, then I have another suggestion:

Apple could have posted a security advisory.

This is not unprecedented, of course. Companies routinely issue recalls and then post press releases so that the public is properly informed of the risk to which they've been subjected. Banquet alerts customers when they ship tainted pot pies, Starbucks alerts customers when they ship dangerous coffee bean grinders... hell, Microsoft even posts advisories when their customers are vulnerable to 0-day attacks for which no patch is available.

If you compare Apple's product security page to Microsoft's, you quickly see how important Microsoft considers informing its customers. (Yes, I realize that they've come a long way, but they deserve a bunch of credit.) Microsoft gives customers advance notice that security patches are coming, gives a reasonable amount of detail about what gets patched in each update, and as noted before, does their best to alert customers of appropriate mitigation steps when they know about critical problems that haven't been fixed yet. Apple's product security page is a joke in comparison. This is one of many instances where Apple's inclination towards utter secrecy seriously harms their customers.

(For another oranges-to-oranges comparison, consider the response of both companies to the Kaminsky DNS vulnerability. Microsoft worked with Kaminsky and other vendors, and released a patch and advisory within three months. Apple didn't get around to fixing the issue until two months after the Microsoft patch.)

Here's an example of the advisory Apple could have published prior to the release of Snow Leopard:

Apple has recently become aware of several vulnerabilities in the Adobe Flash Player browser plugin, which ships with Mac OS X Snow Leopard. Adobe has released version 10.0.32.18 of the Flash Player to address these vulnerabilities. Unfortunately, this release came too late to be integrated into the shipping version of Mac OS X Snow Leopard. If you install Mac OS X Snow Leopard onto your existing Mac OS X volume, your system will contain the vulnerable plugin even if you previously installed the appropriate patch.
At the time of writing, Apple had no knowledge of any existing exploits for the vulnerabilities patched in Flash Player 10.0.32.18. However, given the prevalence of automated analysis tools, it is not beyond the realm of imagination that such exploits could exist. Depending on your (or your organization's) tolerance for risk, you may find it necessary to mitigate this issue. Several options exist, including:

Turning off web plugins in your browser, until Apple tests and releases a patch for the vulnerable plugin
Downloading and installing Flash Player 10.0.32.18 from Adobe.com
Apple is currently in the process of testing Flash Player 10.0.32.18. It will be available via Software Update once Apple feels it meets our standard of quality for software patches.
You can keep track of the latest developments by reading http://www.apple.com/support/security.

As Gruber acknowledges, "Flash, whether we like it or not, is part of the system". What Gruber fails to acknowledge is that when Apple adds a piece to the system, it accepts the responsibility of keeping customers safe from any vulnerabilities in that new piece. If Apple expects to be taken seriously as a vendor of secure software, it needs to grow up and communicate with its customers.

Lazyweb request

2008-01-22T03:48:51Z

What's the fastest way to discover new bands that I will most probably like, given that I listen to They Might Be Giants, Rufus Wainwright, Rooney, and Jon Brion disproportionately?

Myth, myth! (Yes?)

2008-01-21T18:31:49Z

File under "if you repeat it enough times, and have Oliver Stone film a fictional instance, people will start to believe it":

...The story quotes Ted Sampley, a Green Beret in Vietnam whose web site has led the charge for some veterans against Kerry. Sampley says, "I truly believe that John Kerry's testimony before Congress [against the Vietnam War] had a big role in people who were supposedly peaceniks spitting on vets and calling them baby killers when they got home."
There are two problems with Sampley's "belief" as reported by the Plain Dealer. First, guilt by association is always a weak argument, and more likely a smear tactic that is unfair to the subject. America has learned this before, during the Palmer Raids of WWI, the McCarthyism of the Cold War, and now during the Ashcroft era of the War on Terror and the Patriot Act.
More important, however, is that the charge is simply not rooted in reality. It is both unfair to Senator Kerry and to the Vietnam-era peace movement. The fact is, there is absolutely no record of any peace activist taunting or spitting upon returning veterans. It is myth, and like most myths it is hard to dislodge.
In 1995 sociologist Thomas Beamish and his colleagues analyzed all peace movement-related stories from 1965 - 1971 in the NY Times, LA Times, and SF Chronicle (495 stories). They found no instance of any spitting on returned troops by peace movement members, nor any taunting. Indeed, they found few examples of negative demonstrations involving returning troops of any kind, or even of simple disapproval of returning soldiers. Three years later, sociologist Jerry Lembcke conducted a similarly exhaustive study for his book, The Spitting Image, with like results. He discovered war protesters being spat upon by war supporters, and hostile acts toward Vietnam veterans by conservative, pro-war groups like the VFW, but no taunting or spitting on returned veterans by peace movement members. Returned veterans and in-service GIs were welcomed in the peace movement, and many assumed leadership roles. Yet the myth endures...

We're number one! We're number one! (At death)

2008-01-13T02:01:05Z

Paul Krugman has an interesting look at the performance of U.S. health care here. But the most insightful part is down in the comments:

“so why do we feel that our health care in the U.S. is so much better than those other countries?”
Because people in the USA have had it drilled into them, over and over again, that we are the best country in the world, at absolutely everything, and that we have nothing at all to learn from anyone, ever.

Calm them down

2008-01-12T17:51:37Z

I used to think Whoopi Goldberg was my favorite View-member, but now it looks like Joy Behar wins:

I think I'm going to get in trouble for this, but you know what? I have a theory that you can't find any saints anymore because of psychotropic medication. I think that [in] the old days, the saints were hearing voices, and they didn't have any thorazine to calm them down. Now, that we have all of this medication available to us, you can't find a saint anymore!

When we all know

2008-01-12T15:32:52Z

You have to love these dumb-ass articles about "millennials" written by old fogeys:

Young IT employees pose a challenge to many managers who say the Millennial generation holds employers up to unrealistic expectations and makes unreasonable demands for their services.
Millennials -- employees between the ages of 18 and 31 -- represent the top challenge for IT managers, according to survey results released Thursday from Atlantic Associates, an IT staffing company.
Atlantic Associates polled more than 100 Massachusetts executives on the challenges they face and more than 50% of respondents described those teen and 20-something employees as the "toughest generation to manage." Generation Xers (ages 32 to 42 years old) placed second with 17% of respondents saying they pose a management challenge.
Jack Harrington, co-founder and principal of the staffing firm, says the problem between employers and the younger generation just entering the workforce can be traced back to the employees' upbringing or an easier way of life for children in the United States today.
"The issue managers are facing is with retention, not hiring. That means the work environment is not living up to the employee's expectation," he says. For instance, many younger workers expect to get an office immediately or be paid at a rate higher than entry level.
"Millennials are coming in with high expectations and are disillusioned about the reality of a work place. They feel they should be rewarded and start at the top, when we all know you have to work your way up. They have been raised to be rewarded often and when you get into the workforce those rules change a bit," Harrington says.

Whoa whoa whoa... do we all actually know that you have to work your way up? Doctors and lawyers start out making a substantial sum of money... so why can't IT experts?

The most illuminating section comes later:

"To reach a good working balance, Millennials will have to change their ideas somewhat, but the work environment will also change to appeal to these very in-demand employees," he says.

And the truth comes out. IT experts are highly in-demand. IT experts know this, and in return demand a high salary and nice perks. Employers resent young adults making more than they did at that age, and complain about the situation to the press.

This is another example of conservatives loving the labor market right up until it screws them over.

(For more on fogeys insulting young adults, see here.)

This means something...

2007-12-11T01:14:32Z

I suggest everyone go out immediately and watch the YouTube video entitled, "Kissing Hank's Ass".

I suspect that this video is an allegory for something, but for the life of me I can't figure out what.

Hope you enjoyed the game

2007-12-11T01:12:47Z

Dear Female Gender,

I give up. You win.

Sincerely,
Jeff

Zebulon

2007-11-30T04:28:10Z

Rufus Wainwright plays a brand-new song here on French radio.

(Don't forget to buy his new CD and DVD next week! Support him so he keeps making wonderful music!)

Unsane in the membrane

2007-11-30T02:56:16Z

Allan Odgaard:

Seems the infamous Logitech Control Center is back to wreak havoc.
They released a 2.4 update on the 20th of November and a week later a “mate error” thread surfaced on the mailing list, I have received a dozen support emails about the problem, and if you look at the comments for LCC at VersionTracker or MacUpdate, you’ll find that a lot of users are reporting problems with this update.

Wha-wha-whaaaa? That's impossible! Logitech Control Center doesn't use Application Enhancer anymore, so it HAS to be objectively better! Right? ;-)