Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Re: Re: Security Bug in MSVC
From: Jason Coombs <jasonc () science org>
Date: Thu, 19 Jan 2006 09:38:52 +1300

Dave Korn wrote:
Nice thinking, Donnie. This must be the "new class of vulnerability"
that was hinted at by Microserfs a few months ago... The attacks are
launched by way of source code distributions rather than binary code.

Why is this a terrible insecure microsoftism, when GNU make does exactly the same?

Just after Donnie reported this issue to Microsoft (September) we started seeing Microserfs suggest that their security team was working on a never-before-encountered novel class of vulnerability, and the implication was that Microsoft's security competency had finally surpassed both the black hats and all other white hat groups -- since it would be politically valuable for Microsoft to be able to claim that sharing source code is an unsafe behavior, and since there have been no other vulnerabilities disclosed since that time which might have appeared to Microsoft to be entirely new and far-reaching, I suspect that this disclosure prompted those previous statements about work being done by Microsoft.

How many other attacks can you point to where Microsoft's development tools are exploited to specifically target the unwary programmer who still thinks it's perfectly safe to download arbitrary data from an untrusted source and then open it in a text editor? My guess is that Donnie got Microsoft thinking about this very risk, and they started talking internally about it being an entirely new class of vulnerability. Yes, if my supposition is correct it would be quite pathetic and give us another reason to laugh at Microsoft; but you can probably see how much benefit Microsoft is going to be able to milk out of this and related attacks that exploit bugs in programmers' tools that are launched by the simple act of opening or attempting to compile a source code distribution.

Source code is just as dangerous as binary code. Clearly, the only way to be safe is to rely on Microsoft's programmers to create and digitally-sign software for us. Go Microsoft. Yeah!


Jason Coombs
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]