Microsoft complains about 'irresponsible' security revelation (Redmond Whine Alert)
ZDNet UK | 11/10/2004 | Dan Ilett

Posted on 11/11/2004 2:30:02 PM PST by Prime Choice

Microsoft is admonishing those who found the IFRAME vulnerability - the flaw exploited by the bofra virus - for the way they made it public.

Microsoft has slammed the people responsible for publishing details of the vulnerability that has led to the creation of the bofra virus.

The software giant, which has yet to release a patch for the flaw, said that the vulnerability was not reported in a responsible fashion.

In a prepared email statement from a Microsoft spokesperson, the company said: "Microsoft is concerned that this new report of a vulnerability in Internet Explorer was not disclosed responsibly, potentially putting computer users at risk. We continue to encourage responsible disclosure of vulnerabilities."

"We believe the commonly accepted practice of reporting vulnerabilities directly to a vendor serves everyone's best interests, by helping to ensure that customers receive comprehensive, high-quality updates for security vulnerabilities with no exposure to malicious attackers while the patch is being developed."

The bofra virus, which antivirus companies initially believed to be a MyDoom variant, emerged on Monday after the vulnerability it was based on was published last week on a Web chat forum.

On Friday security firm Secunia issued an advisory on the vulnerability, saying that the flaw was 'extremely critical'. Chief technology officer for the company Thomas Kristensen said that 'Ned', the individual who initially found the bug, stumbled across it while testing browsers with a publicly available tool. The tool crashed IE, so he posted a question on an Internet forum asking others to look at why the program had failed. With some additional research from others in the community, it came to light that the IFRAME flaw was causing the crash.

"Microsoft is right that those who disclose this kind of thing are irresponsible," said Kristensen. "But in this case, it's slightly different because he [Ned] published the first part and they [the other researchers] published the second part. And he didn't do it -- it was done with a tool. If you find a crash in a browser, you might not know if it's serious or not. He might not have been able to test that."

The bofra virus sends out hundreds of emails from an infected machine. The reader on the target machine follows a link sent in the email, which leads to a Web site hosted on the original infected PC. The IE exploit on that Web site turns the computer into another infected machine, and the cycle starts again. All versions of the worm also open a back door to the infected computers.

Microsoft has yet to release a patch for the IE vulnerability, but advised users to upgrade to Windows XP SP2, which is apparently unaffected by the flaw.


TOPICS: News/Current Events
KEYWORDS: crapware; microsoft; trojans; viruses; worms
Microsoft pulled this same idiotic crap when the vulnerability behind Code Red was discovered in 2001. My suggestion to the shills in (and for) Redmond is that they shut up and fix their shoddy software.

And let's not forget Steve Ballmer's moronic statement on how security issues should be handled...


1 posted on 11/11/2004 2:30:02 PM PST by Prime Choice

To: Prime Choice

I tend to agree with MS on this. Others in the business that find flaws in someone's software shouldn't make it public for the very reasons stated. It is sad to hear a bunch of whiners that can't do the great things that MS has done.


2 posted on 11/11/2004 2:32:50 PM PST by stockpirate (Tagline is hung over from the election parties.)

To: Prime Choice

If Microsoft put a bounty on each security flaw found, and made it a substantial sum, Windoze would soon be hackproof.


3 posted on 11/11/2004 2:32:52 PM PST by Yo-Yo

To: Prime Choice

Sorry, but Microsoft has a point. Simply releasing info about a security breach before a fix has been found is irresponsible. There ought to be a "decent interval" between the discovery of the breach and its public revelation. I think a month is about right. The discoverer should first notify the software maker, then promise to hold off for at least a month before announcing the problem. This strikes me as a reasonable compromise that protects the public's right to know about the problem, but also minimizes the risk that the problem will be exploited by some scummy computer vandal.


4 posted on 11/11/2004 2:34:41 PM PST by ArcLight

To: stockpirate
So let me make sure I got this right:

1. Microsoft makes shoddy software, putting consumers at risk.
2. Independent group spanks Microsoft for doing things as enumerated in #1.
3. And the members of the independent group are the "bad guys."

Maybe that's the way it is in the old Soviet Union. Here in the U.S., it's called free market capitalism. If Microsoft can't manage its own malware, it should get out of the business.

5 posted on 11/11/2004 2:35:59 PM PST by Prime Choice (Hey-hey! Ho-ho! Arlen Specter's gotta go!)

To: ArcLight

http://www.freerepublic.com/focus/news/1277761/posts?page=5#5


6 posted on 11/11/2004 2:36:26 PM PST by Prime Choice (Hey-hey! Ho-ho! Arlen Specter's gotta go!)

To: ArcLight
I agree with you.

On the flipside though, a couple of years ago I think, did not some third party announce a flaw and state that they tried to tell MS about it but were being ignored?

Keep in mind that this is coming from a user that has spent at least 4 hours so far - holiday time - cleaning up my kids computer.

Oh, the irony!

LVM

7 posted on 11/11/2004 2:45:21 PM PST by LasVegasMac ("5 times ain't sh!t - My Daddy won here 10 times" DEjr)

To: ArcLight

"There ought to be a "decent interval" between the discovery of the breach and its public revelation."

Go back and read the story. You have your facts all wrong.
A tool found the crash and the guy asked for help in determining why. Someone else found the actual problem. It was a collaborative discovery. Neither person alone found or published the exploit. It was readily replicable every time you pointed this tool at a Microsoft browser.

Microsoft STILL has not published a fix.

Had this been Mozilla, or Opera, or Konqueror browser the fix would be in WIDE distribution already.


8 posted on 11/11/2004 2:49:48 PM PST by konaice

To: LasVegasMac

"On the flipside though, couple of years ago I think, did not some third party announce a flaw and state that they tried to tell MS about it but were being ignored?"


Billy G has promised that's not going to happen anymore.
They STILL take way too long to get a fix out.

The problem with MS software is, even if I find a problem, I can't fix it or even research its cause, because there is no access to the source code. It's like buying a car with the engine compartment welded shut. Might look like a fuel problem, but could be a gummed-up carburetor, but there is nothing I can do but call the factory and wait for them to fix it.



9 posted on 11/11/2004 2:54:11 PM PST by konaice

To: Prime Choice

I guess we should all switch to Linex?

MS code is very robust, and of course has some problems, (as all software does) but in the interests of us slubs that have to use it, others should not publish the flaws, (so AssH*les can abuse us) but instead let MS know so it can be corrected.


10 posted on 11/11/2004 2:57:57 PM PST by stockpirate (Tagline is hung over from the election parties.)

To: konaice
"There ought to be a "decent interval" between the discovery of the breach and its public revelation."

Yeah, that will give the people who actually know about it time do their exploits undisturbed.

11 posted on 11/11/2004 3:05:59 PM PST by glorgau

To: konaice

Good point. Still, the people working on the problem would have done better to carry on their discussion on a private e-mail list rather than in public. In all fairness, many private bug hunters would not think to do this. But it's the right way to investigate a security problem.


12 posted on 11/11/2004 3:07:29 PM PST by ArcLight

To: stockpirate

"I guess we should all switch to Linex? "

It's LunUx not linex, and you might try it some time; you will be astounded. Go buy Novell's SuSE 9.2 personal edition for $30. It will knock your socks off with how easy it installs, and how much ROCK SOLID software it includes for the price.


13 posted on 11/11/2004 3:10:21 PM PST by konaice

To: konaice

Sorry, but in my current business those other misspelled and unheard-of software packages (that I am sure also have bugs) will not handle my apps.


14 posted on 11/11/2004 3:13:12 PM PST by stockpirate (Tagline is hung over from the election parties.)

To: Prime Choice
"We believe the commonly accepted practice of reporting vulnerabilities directly to a vendor serves everyone's best interests, by helping to ensure that customers receive comprehensive, high-quality updates for security vulnerabilities with no exposure to malicious attackers while the patch is being developed."

...the vendor's best interests in COVERING UP the flaw so they can keep selling the crap.

15 posted on 11/11/2004 3:16:19 PM PST by ChefKeith (Life is GREAT with CoCo..........NASCAR...everything else is just a game!(Except War & Love))

To: Prime Choice
Microsoft's assumptions are:
  1. A vulnerability that is not announced is not being exploited.
  2. Their users are helpless until a patch is released.
Nonsense.
  1. Never assume that a vulnerability that is not announced is not being exploited.
  2. Users can render themselves protected by switching to another browser or by using IE with extra caution. These are reasonable options and I have a right to know that I need them without delay.

16 posted on 11/11/2004 3:34:33 PM PST by ScuzzyTerminator

To: Prime Choice

According to Microsoft, trying to figure out what makes their software crash is a crime.


17 posted on 11/11/2004 4:20:17 PM PST by E. Pluribus Unum (Drug prohibition laws help fund terrorism.)

To: stockpirate
Sorry, but in my current business those other misspelled and unheard-of software packages (that I am sure also have bugs) will not handle my apps.

Really?

What apps are those?

I can run Microsoft Word, Excel, PowerPoint, Visio, Outlook and Internet Explorer. I can run QuickBooks. I can run Photoshop for Windows. I can run VB-created apps.

And I only use Linux.

If you've had a transition expert come in and he's determined that your apps will not run under Linux, then fine.

Otherwise you are speaking of things of which you have no knowledge.

18 posted on 11/11/2004 4:26:31 PM PST by Knitebane

To: stockpirate
MS code is very robust, and of course has some problems

And with all the money they make, you'd think they could afford a decent security audit of their crapware.

19 posted on 11/11/2004 4:31:48 PM PST by Prime Choice (Hey-hey! Ho-ho! Arlen Specter's gotta go!)

To: konaice
stockpirate:  It is sad to hear a bunch of whiners that can't do the great things that MS has done.

konaice:  The problem with MS software, is even if I find a problem I can't fix it or even research it's cause, because there is no access to the source code.

----------------------

"great things" ...      Yeah, riiiight...

The only great thing about Microsoft is the arrogance of their marketing people -- and the gullibility of the sheeple who buy into their bu||$#!t...

20 posted on 11/11/2004 4:34:26 PM PST by TXnMA (Still glad to be back home in God's Country!!!)

