Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Re: Re: Security Bug in MSVC
From: "Dave Korn" <davek_throwaway () hotmail com>
Date: Thu, 19 Jan 2006 14:54:03 -0000

Jason Coombs wrote in news:43CEA75C.5080009 () science org
Dave Korn wrote:
Nice thinking, Donnie. This must be the "new class of vulnerability"
that was hinted at by Microserfs a few months ago... The attacks are
launched by way of source code distributions rather than binary code.

  Why is this a terrible insecure microsoftism, when GNU make does
exactly the same?

Just after Donnie reported this issue to Microsoft (September) we
started seeing Microserfs suggest that their security team was working
on a never-before-encountered novel class of vulnerability,

  And for some reason you assume that this was the often-before-encountered 
and non-novel vulnerability that you had just reported, rather than any of 
the presumably million-and-one vulnerabilities of varying levels of 
seriousness or insignificance that they are routinely having reported and 
dealing with?

-- since it
would be politically valuable for Microsoft to be able to claim that
sharing source code is an unsafe behavior, and since there have been no
other vulnerabilities disclosed since that time which might have
appeared to Microsoft to be entirely new and far-reaching, I suspect
that this disclosure prompted those previous statements about work being
done by Microsoft.

  Well, that's a massive assumption.  For a start, there's nothing new about 
it - remember the trojaned configure scripts?  For a continuance, maybe 
they're just still working on this whatever-it-is?

and the
implication was that Microsoft's security competency had finally
surpassed both the black hats and all other white hat groups

  Heh.  Any possible reputation M$ might have been hoping to acquire for 
"security comptency" has been *utterly* blown out of the water by the WMF 
bug.  After all, they had this big refocusing, after slammer, and audited 
all their code and started putting security first and foremost, remember? 
Heh, yeh, sure they did.  It's a stunning indictment of the worth of M$'s 
code audit that they had this accept-a-pointer-to-code-from-a-file design 
flaw right out there in the open beneath their noses and they didn't even 
see what was in front of them.

  Presumably the rest of their audit can be assumed to have been equally 

How many other attacks can you point to where Microsoft's development
tools are exploited to specifically target the unwary programmer who
still thinks it's perfectly safe to download arbitrary data from an
untrusted source and then open it in a text editor?

  Umm, perhaps if you think that Dev Studio is a "text editor", that would 
explain your misunderstandings.

  My question to you is, what kind of programmer doesn't know that building 
code involves running all sorts of arbitrary executables with arbitrary 

  And in any case, opening the data in dev studio *is* entirely safe.  The 
batch commands aren't executed unless you choose the relevant menu commands 
or f-key to build the project.

  Of course, you know perfectly well that it's safe to simply _open_ the 
file, and you know perfectly well that DevStudio is FAR more than "a text 
editor", so I must assume the above paragraph to have been dishonest 
rhetoric/polemic rather than a serious line of argument.

My guess is that
Donnie got Microsoft thinking about this very risk, and they started
talking internally about it being an entirely new class of
vulnerability. Yes, if my supposition is correct it would be quite
pathetic and give us another reason to laugh at Microsoft; but you can
probably see how much benefit Microsoft is going to be able to milk out
of this and related attacks that exploit bugs in programmers' tools that
are launched by the simple act of opening or attempting to compile a
source code distribution.

  Well, you can't run *anything* with arbitrary data and expect to be safe.

  Except, of course, a plain, no-features-no-frills ASCII text editor.

Source code is just as dangerous as binary code.


Clearly, the only way
to be safe is to rely on Microsoft's programmers to create and
digitally-sign software for us. Go Microsoft. Yeah!

  Well, I suppose it's conceivable that M$ are attempting a massive FUD over 
nothing, but I think they'd want at least a *bit* more substance to back up 
the pure hype...

Can't think of a witty .sigline today.... 

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]