Criticism Flies After MS Flaw Disclosure
By Ed Oswald | Published April 14, 2005, 1:18 PM
Highlighting a growing concern in the tech industry regarding proper methods of making security vulnerabilities public, a senior analyst with Yankee Group has criticized security firms Secunia and HexView – the two companies responsible for the disclosure of the most recent flaw in Microsoft's software.
According to HexView, it alerted Microsoft to the problem on March 30 but received nothing beyond an automated acknowledgment from Redmond, so it made the issue public via a mailing list the next day. Secunia published its own advisory on the issue this Wednesday. The flaw lies in the Jet database engine (msjet40.dll) used by Microsoft Access, which ships with Office.
Microsoft, however, denies ever hearing from either HexView or Secunia regarding the issue.
"We believe the commonly accepted practice of reporting vulnerabilities directly to a vendor serves everyone's best interests, by helping to ensure that customers receive comprehensive, high-quality updates for security vulnerabilities with no exposure to malicious attackers while the patch is being developed," a Microsoft spokesperson said.
Secunia has come under fire in recent months for its rapid-fire public disclosures of security flaws. It has also been accused of hyping issues that, in most cases, do not pose a serious threat. "I think Secunia is overplaying this issue a bit," Yankee Group senior analyst Andrew Jaquith told BetaNews. "I don't think [the database flaw] is a serious issue."
Asked for comment, Secunia strongly rebutted Jaquith's statement, as well as criticism from the public. "We have no interest in hyping vulnerabilities, as it could damage our credibility," Thomas Kristensen, CTO of Secunia, told BetaNews. "Those who believe that we hype issues, probably haven't read our critical rating definitions or they don't properly understand the possible consequences and attack vectors of a given vulnerability."
Yankee Group's Jaquith continued by saying HexView acted "badly" by not giving Microsoft enough time to respond before making the issue public, and went against its own policy by publishing details on a "high"-rated vulnerability.
"That is extremely unhelpful to customers, because it doesn't give the vendor adequate time to issue a patch, and it gives the bad guys a window of vulnerability to exploit," Jaquith explained.
Ryan Naraine, security reporter for Ziff Davis, commented that, "With the big Sasser and Blaster attacks, it was the premature release of information that caused those. That alone says the release of critical information without a patch should never happen."
HexView corrected Jaquith by saying its policy is to notify the public 24 hours after contact with the company if no response is received, unless it is a "critical" flaw. According to HexView, all it received was an automated "thank you" message from Microsoft. The group said that they "think through that we should let people know about the problem in case the vendor does not want to cooperate."
A HexView representative noted that public disclosure of security flaws has put software makers on overdrive to release new patches. "It takes months before vendors make patch available for the problem that is not published, and it takes days -- or even hours -- to release the same patch when vulnerability details are publicly available," the representative said.
"Microsoft has done a much better job recently to work with private researchers and it's fair to expect the guys who find flaws to be responsible about how the information is released," added Naraine. "That said, some vendors are notorious for ignoring warnings and delaying fixes for months."
What incentive does HexView have to NOT publish the exploit? They probably want money and attention, and this way they at least get attention.
Would Microsoft have offered HexView money/attention/fame for keeping quiet about the bug?
Score: 0
|Microsoft's stated policy is to credit the party who originally reported a vulnerability when a Security Bulletin is published BUT only if they wait until Microsoft publishes the Bulletin before releasing exploit details. So the answer to your question is YES, Microsoft would have offered fame to HexView if HexView had acted responsibly. However, HexView chose to forfeit that opportunity. When the Bulletin is published for this vulnerability, Microsoft will not be crediting HexView at all.
Score: 0
|This isn't the first time Secunia's Tom Kristensen has pulled this stunt by overhyping a security flaw as a "threat." He's so anxious to make a company look bad — within 24 hours! — that he breaks his own company rules for disclosure. Thus, Secunia = No Credibility.
Score: 0
|I wouldn't say that they have NO credibility... although their credibility is certainly limited these days, and it is certainly true that they hype threats.
This nonsense about going public 24 hours later is retarded. I mean let's think about it... American business operates on a 9-5 schedule, so if the complaint is filed at midnight to MS (Pacific Time, US)... then there's only 8 out of 24 hours available for them to sufficiently review and research the issue, which of course they're going to do before confirming, denying, or patching an issue. You don't start developing a fix before you fully understand what the issue is.
What would be more appropriate for Secunia is a 1-week policy to replace its 1-day policy. That gives the vendor (Microsoft or otherwise) plenty of time to receive, review, and release appropriate information.
Score: 0
|There are already exploits:
https://www.immunitysec..../2005-April/001719.html
http://www.milw0rm.com/id.php?id=938
http://www.securityfocus.com/bid/13132/exploit/
"Once you accept that 0day exists, you need to look into
secondary layers of defense that actually work. Whining about the amount
of exploit information available to the public is missing the point."
That is apt...
Score: 0
|None of your links are relevant to the vulnerability being discussed on this page. Your "0-day" exploits are zero days from the time Microsoft released patches and bulletins. That's not so bad.
We're talking about a vulnerability in msjet40.dll which was disclosed (along with exploit details) by HexView within 24 hours of first notice to Microsoft. HexView was apparently insulted that they received an "automated" response message within the first 24 hours (as opposed to maybe a personal phone call from Bill Gates?). In HexView's opinion, lack of a massive response from Microsoft within 24 hours was an indication that Microsoft intends to ignore this vulnerability for years; therefore, HexView felt there was no difference between waiting 24 hours and waiting several years.
I have personally contacted Microsoft about security issues, so I am familiar with their response practices. In every case, I felt that automated and/or form-letter style messages were only used minimally, as a way to keep me posted about status when there was nothing else substantial that Microsoft was ready to say or ask.
This has nothing to do with 0-day exploits or with helping users protect themselves. HexView is simply a publicity wh***.
Score: 0
|" In every case, I felt that automated and/or form-letter style messages were only used minimally,"
First of all that statement makes no sense.
And so what if they are a publicity wh***? Any company that advertises is a "publicity wh***." Security companies make money on their ability to detect and protect their customers. This is part of the business. I am tired of Microsoft whining about it changing because black hat hackers don't wait-- they act.
If Microsoft can't respond within 24 hours to a vulnerability then they have a serious procedural problem and therefore so do its customers. 0day exploits are a dime a dozen and MS needs to put more resources into that e-mail box, not whine about how they need more time. They make billions a month, I think they can hire lackeys to read through mailboxes, even script it so that every security company or individual out there gets their e-mail immediately shuffled to the top and investigated. I can easily see a one hour response using this method...
Score: 0
|24 hours might (just maybe) be adequate notice when a few versions of a standalone program are involved. In this case, the vulnerability was found in the Jet engine, which is commonly associated with Access but is also distributed with literally dozens of Microsoft products including operating systems, as well as thousands of 3rd party applications. If you count all the versions and localized editions, there are literally THOUSANDS of product SKUs which might be affected. EVEN IF Microsoft could create all the patches in 10 seconds, merely TESTING every possible product to identify the ones affected would take far, far more than 24 hours.
In HexView's advisory, they state "All tests were performed using ... (version 4.00.8618.0). We did not test earlier versions, but it should be assumed that all earlier releases of the library are also vulnerable."
Sure, it's fine for HexView to ASSUME without testing, but everyone is going to expect that Microsoft's response will include definitive identification of versions affected.
If you look at a recent Microsoft security update such as MS05-023 (for Microsoft Word), you see that Microsoft mentions special considerations needed for patching the Vietnamese, Indonesian, and Malay versions of Word 2003. These considerations don't apply to other localized editions, nor to Word 2000 or Word 2002. Folks, you can't cover all the bases like this, without spending serious time on research, testing, documentation, and review when preparing these security bulletins.
Open Source fans like to cheer when their products are patched "within hours" but are those products even available in localized editions? If so, are the patches for localized editions available at the same time (and any special considerations fully documented)? Ha! You're lucky if there was any current documentation for the product to begin with. And which Open Source products ever have patches released for 5-year-old versions? Red Hat has been known to drop all support for products sold less than a year ago! People will argue that with billion$ in the bank, Microsoft should rightfully be held to a far higher standard, but 24 hours to respond to a vulnerability which potentially affects thousands of SKUs is absurd. I believe strongly in disclosure, but HexView's timing is simply criminal in my opinion.
Score: 0
|They were not asking for a fix within 24 hours, they were just asking for a human response saying that they were working on the problem and would have a patch in the next two or three weeks, etc.
That is not too much to expect, and it is important for customers to know about a problem to protect themselves.
Not that this really affects me, as I am running Linux at the moment.
Score: 0
|2005-04-12: Multiple Vendor loopback (land.c) Denial of Service Vulnerability
2005-04-11: Linux Kernel Multiple Unspecified ISO9660 Filesystem Handling Vulnerabilities
2005-04-11: Linux Kernel Bluetooth Signed Buffer Index Vulnerability
2005-04-11: Linux Kernel Elf Binary Loading Local Denial of Service Vulnerability
2005-04-11: Linux Kernel SYS_EPoll_Wait Local Integer Overflow Vulnerability
2005-04-11: Linux Kernel Multiple Vulnerabilities
2005-04-11: Linux Kernel EXT2 File System Information Leak Vulnerability
2005-04-11: Linux Kernel Multiple Local Buffer Overflow And Memory Disclosure Vulnerabilities
2005-04-11: Linux Kernel PPP Driver Unspecified Remote Denial Of Service Vulnerability
2005-04-11: Linux Kernel Netfilter Memory Leak Local Denial of Service Vulnerability
2005-04-11: Linux Kernel SYSFS_Write_File Local Integer Overflow Vulnerability
2005-04-11: Linux Kernel Futex Local Deadlock Denial Of Service Vulnerability
right... nothing to worry about here... And that is just the past few days....
Score: 0
|And I keep hearing in these forums that Linux is better than MS. I don't see it. I would really like to see it, but don't.
Score: 0
|They are all made by humans. So no big difference. Do you really think the guys at MS are stupid? I don't think so.
James
http://www.du818.com
Score: 0
|You'd think there would be a better communication channel. MSDN has ladybug to communicate between developers and the different teams. The security team should setup an interface so that security customers like HexView and Secunia can contact them easier. The security team gets hundreds or thousands of emails a day that they have to wade through. That means companies like HexView and Secunia, who are known to MS to find generally valid sources of bugs/exploits, have to wait in line like everyone else. MS needs to setup a security site that customers can log into to report security flaws. Still monitor the email for possible bugs but if a trusted company reports something through the interface they could at least bump the priority on it.
Score: 0
|...this has been addressed. For a minute I thought I was alone in thinking the info was released prematurely. While I do agree that making the flaw public will speed up the resolution, what would you expect? Imagine someone finds a vulnerability in a specific bank's security system, and makes the flaw public. Heck I'd do everything in my power to fix it before the end of the day, but which risk is higher? Like the article mentions, Blaster and Sasser, two of the biggest viruses ever, were exploited due to a known vulnerability. Perhaps if the details of the exploit had remained unknown the attackers would not have known to utilize the vulnerability--yet the same could be argued to say we should never report problems so no one finds them. This obviously is not the right way to do things. I'm with MS on this one--fix the problem before announcing the specifics is the best compromise.
Score: 0
|And what if the company takes 2 years to fix that flaw, should you wait that long to announce the security issue? I agree that 24 hours is not enough time to wait for a response, maybe a week, and then if there is no response, go for it and make it public. If the company responds, and says "Hey, wait, we're working on it and we will keep you updated" then that's reasonable to wait even longer, but clearly that was not the case.
Score: 0
|OK, you 2 are finally an example of people that think before they type. I commend you on that. Also, it's refreshing that people are not blasting Microsoft for the problem first, then realizing they aren't perfect. I believe Microsoft to be the best in the business when it comes to software, but are they perfect? NO! But they are way better than everyone else.
I agree they release the security flaw long before the problem can be corrected. Car manufacturers get plagued with this, and I do realize lives are at stake if a car overheats or potentially blows up, but overall they issue critical fixes and mail them to customers and let them know they need to be fixed immediately, if you don't, well that's on you.
Security companies are not unlike other companies, they want a name for themselves, but there is a very fine line between being just a tattle tale or whistle blower, and reviewing problems and making them known to the manufacturer.
I am sorry, but I work in IT, 24 hours is *NOT* enough time to get anything done. It takes several hours just to receive information in some cases, everyone forgets, we are *NOT* all on the same time zone. MS is 3 hours behind the east coast, which is where most information is derived from. Sending a simple email to MS customer service isn't sufficient either..they need a hotline. 10 to 1 odds says these companies won't go to any extra effort to ensure the information is given to the proper people at MS.
Some of this security information is important, maybe there needs to be a panel that can investigate issues, verify they exist, and determine a risk factor (kinda like the MPAA does for motion pictures for ratings systems). Just because 1 company deems it important, doesn't mean the rest of us give a hoot. This is what causes panic in this country, needless hysteria.. Everything is not an emergency. We have anti-spyware programs, we have anti-virus, and we have backup. Chill out. If you aren't keeping up with ALL 3, you need to be hacked, maybe the next time you will find it more important to protect yourself.
Knowledge is a wonderful thing, but let's be real, preparation is the key. There are things you can do to prepare. They are so simple.
Don't open unsolicited email
update anti-virus daily
be proactive cleaning up the machine
and be vigilant.
And stay on main stream websites.
And if you are not sure, consult an expert...
If you have a program you don't recognize, delete it.
Score: 0
|I agree.
Score: 0
|LOL... what you suggest is wise, yet blasphemous.
Surely you don't expect END USERS to ... actually ... know how to use and protect their own computers, do you?!
I mean, that's what us admins and support people are for... the user breaks the computer through ignorance, and they come yelling or crying to us to fix it for them, so they don't have to learn something for themselves. It's the way the world works.
No, really I agree with your stance... the best way to stop security threats is have competent, trained users that know how to be preventative in their defense not reactive.
Score: 0
|HexView admits that they received a response from Microsoft. They called it an "automated 'thank you'" which they interpreted as "the vendor does not want to cooperate." These are exact quotes.
Yesterday, I personally emailed Microsoft to report a mistake in Security Bulletin MS05-023 (basically some text which the author obviously copied & pasted from another article but forgot to change certain important numbers). I received a response exactly 20 hours, 5 minutes, and 3 seconds later. Yes, the response was template-style and started with "Thank you for contacting..." but it was signed by a real person's name and it paraphrased/summarized my issue (proving that a real person had reviewed it, at least initially). It also gave me a tracking number.
I have contacted Microsoft about security issues several times before, and the response practices have always worked like this. Therefore, I am sure that this is exactly the type of "automated" response that HexView received. In my opinion, this is a reasonable first response. What else can Microsoft say, until after they have a chance to research the issue further and also to prioritize it among the many valid/bogus submissions they receive?
Score: 0
|So you think that "24 hours" is plenty of time for a company to research something and respond back to you in an educated way?
There is no way that a company can respond to you in 24 hours and know exactly what kind of problem this is. Perhaps they can't replicate the issue on their end.. maybe it takes them 26 hours of time to replicate the issue, but by then you've already issued your security bulletin.
How is this fair to the company? They have an auto-responder to tell you their server received the message.. to expect a human response within 24 hours from a place like Microsoft who is bombarded with millions of emails a day is absolutely asinine.
Score: 0