Posted on 08/09/2005 9:11:18 AM PDT by theBuckwheat
Microsoft's "monkeys" find first zero-day exploit Robert Lemos, SecurityFocus 2005-08-08
Microsoft's experimental Honeymonkey project has found almost 750 Web pages that attempt to load malicious code onto visitors' computers and detected an attack using a vulnerability that had not been publicly disclosed, the software giant said in a paper released this month.
Known more formerly as the Strider Honeymonkey Exploit Detection System, the project uses automated Windows XP clients to surf questionable parts of the Web looking for sites that compromise the systems without any user interaction. In the latest experiments, Microsoft has identified 752 specific addresses owned by 287 Web sites that contain programs able to install themselves on a completely unpatched Windows XP system.
Honeymonkeys, a name coined by Microsoft, modify the concept of honeypots--computers that are placed online and monitored to detect attacks.
"The honeymonkey client goes (to malicious Web sites) and gets exploited rather than waiting to get attacked," said Yi-Min Wang, manager of Microsoft's Cybersecurity and Systems Management Research Group. "This technique is useful for basically any company that wants to find out whether their software is being exploited this way by Web sites on the Internet."
...
The honeymonkey project, first discussed at the Institute of Electrical and Electronics Engineers' Symposium on Security and Privacy in Oakland, California in May, is the latest attempt by the software giant to detect threats to its customers before the threats become widespread. The honeymonkeys consist of virtual machines running different patch levels of Windows. The "monkey" programs browse a variety of Web sites looking for sites that attempt to exploit browser vulnerabilities.
(Excerpt) Read more at security-focus.com ...
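The excerpt describes clients that visit a page and then check whether the system was compromised without any user interaction, but not how that check is made. The added example below (not Microsoft's code, and not from the article) assumes one straightforward method: hash every file on the monkey's virtual machine before and after the visit, then flag any file created or modified outside the browser's cache. The directory names `browser_cache` and `system32` and the two visit functions are constructed for the demo.

```python
import hashlib
import tempfile
from pathlib import Path

# Top-level directories where a browser is expected to write during a visit
# (assumed layout for this example).
ALLOWED_DIRS = {"browser_cache"}


def snapshot(root: Path) -> dict:
    """Map each file under root (relative path) to the SHA-256 of its contents."""
    return {p.relative_to(root): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}


def suspicious_changes(before: dict, after: dict) -> list:
    """Files that are new or modified after the visit and live outside the cache."""
    flagged = [rel for rel, digest in after.items()
               if before.get(rel) != digest and rel.parts[0] not in ALLOWED_DIRS]
    return sorted(r.as_posix() for r in flagged)


def visit_and_check(root: Path, visit) -> list:
    """One monkey run: snapshot, let the page 'load', snapshot again, diff."""
    before = snapshot(root)
    visit(root)
    return suspicious_changes(before, snapshot(root))


def demo():
    """Run a benign page and a drive-by page against a constructed VM image."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "browser_cache").mkdir()
        (root / "system32").mkdir()

        def benign(r):  # only the cache changes: expected browser behaviour
            (r / "browser_cache" / "page.html").write_text("<html>hello</html>")

        def drive_by(r):  # drops a binary and a startup entry: no user interaction
            (r / "browser_cache" / "page.html").write_text("<html>hello</html>")
            (r / "system32" / "dropped.exe").write_bytes(b"MZ placeholder")
            (r / "startup.lnk").write_text("run dropped.exe")

        return visit_and_check(root, benign), visit_and_check(root, drive_by)
```

Running the two visits against VM images at different patch levels, as the article describes, would show which patch level stops the drop.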
'Known more FORMALLY'
Geez.
But Microsoft's expertise has long been in fixing mistakes and explaining obtuse problems, not preventing them. Stick with what you're best at!
Why not auto block these sites?
I might just interject that UNIX is the only OS whose vulnerabilities led to the complete shutdown of the internet.
Has it been patched? Yes.
So what is the problem with a company that offers free patches for a minimum of seven years after the last sale of an OS version?
Are you saying that every distributor of software is forever responsible for exploits, despite offering free fixes?
Microsoft would be more interested in plugging the vulnerability itself, since the sites could just relocate.
IE 7 will be released soon (rewrite), and Microsoft has been very responsive in issuing patches for (repairing) IE 6. All one needs to do is enable automatic updates, or visit the Windows Update web site once in a while.
I think it's more appropriate to place the blame where it really belongs - on the hacker, not the victim.
Also, she said some unscrupulous employees of large corporations sell their companies' surplus XP license keys to unsuspecting buyers on eBay. I suppose everyone's happy until MS discovers the key is part of a corporate license and it's not running on that corporation's PC.
Bump!
Sure, fix the exploit, but in the mean time, have something that mods the hosts file to send these sites to 127.0.0.1
Well... there are a few reasons they (M$) probably won't do it themselves... but you can do it yourself. Just read http://www.mvps.org/winhelp2002/hosts.htm - this method works great! I do it to every machine I build/touch.
Unless hatred of Microsoft happens to be a religious thing, as it is for some....
That was nearly 20 years ago, when the entire internet was UNIX machines. (BTW, the bug was in a program (sendmail), not the OS.) The failure of Microsoft to learn from the mistakes of UNIX, which had a 20-year head start, is an embarrassment.
Shhhh ... this is a fact which the Anti-Microsoft zealots don't want anyone to know.
They would blame mugging victims too if they applied the same logic.
Jealousy makes people act in strange ways.
BTW: I am NOT talking about anyone who dislikes Microsoft, that's their choice. I am talking about the ones who go to every thread where MS is mentioned and immediately begin the same old tired put downs. Examples: "Micro$oft", "Bill Gate is Satan", "MS is crapware". You know, the usual.
Unfortunately, this is just too easy a thing to do. A site can relocate easily and begin their attacks again.
If a bug in a program takes down the entire OS, which is what happened with the sendmail worm, then your OS has a problem. All the machines that crashed as a result of the worm crashed because they fell victim to what was effectively a fork bomb, and that's not a sendmail problem.
I agree, computing for the masses is a painful effort. MS hasn't really done a whole lot IMO to make it any easier or less painful in regards to vulnerability.
I'm not that computer literate, but know enough to use an anti-virus program and spyware killer. Even then though, I find that some sites are still able to get malicious crap through.
Informative article though. Thanks for posting.
Cheers!
It's impossible to create Maginot Lines of code. The malicious will always find a way to exploit code. A vulnerability isn't a vulnerability until it's exploited....
Thanks for this! I'll be trying it out this weekend at home.
Cheers!