Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: Office 0day
From: Valdis.Kletnieks () vt edu
Date: Mon, 25 Jun 2007 17:59:41 -0400

On Mon, 25 Jun 2007 13:18:42 PDT, secure poon said:

*Proposition*

Microsoft is a 280+ billion dollar corporation. Why don't/can't they have a
standard ransom fee for security flaws?

0day Remote OS flaw: $1,000,000
0day  IE explorer flaws that give administrative shells: $200,000
0day (other flaws) that affect other products (ie office): $200,000
etc..(these fees could be much higher)

If other places are offering $20K for a 0day, why should Microsoft offer
10 times that, when they can probably make the sale offering only $25K?

Remember - Microsoft isn't there to make good software. It's there to
make a profit.

Provided the person who discovered the vulnerability gives a full working
patch, Then Microsoft could patch the hole right away and people could
update.

Yes. They could.  But if they've bought exclusive rights to the exploit, why
should they?  Remember why the concept of "full disclosure" started in the
first place - because if a vendor is the only one who knows about a hole, they
have little to no motivation to actually *fix* it.

        (yes i know lots of people don't update but at least it is a start,
and then legally they would be so liable). Maybe this concept isint new and
I am just in the dark about it.

There's companies in the security arena buying 0days, been happening for
years already.

Why does'nt Microsoft (or any company) do this? 

There's plenty of companies that make a living fixing the problems in the
Microsoft products (IDS and A/V and all the rest), and they've been doing it
for a while.  It would be a *bad* idea for Microsoft to get caught doing that,
as the instant they shell out some money for a 0day, they lose most of their
plausible deniability.  It's hard to argue "We didn't know about that bug until
the public posting on the XYZ-L list on Dec 3" if the other side's lawyers find
records of buying a 0day for the hole back in early April.

Something to keep in mind is that security is *always* about tradeoffs,
especially when you're a vendor.  You're probably *not* interested in shipping
a massively hardened secure system - only a few sites are truly paranoid
or require that sort of thing.  Windows XP will end up selling hundreds of
millions of copies - the amount of security in those will end up being the
amount of security that hundreds of millions of Joe Sixpack customers are
willing to actually *pay* for.

Since Microsoft is a for-profit corporation, their security team is charged with
reducing the *total* cost of the security - the expense of actually auditing
any existing code, and writing new code to stricter standards, *plus* the
costs of fixing bugs once they escape, *plus* the costs of keeping customers
happy when a security bugfix changes an API and production software breaks,
*plus* the PR costs of following your planned decision.

Which is a better bet for Microsoft - spending $15 million on a big PR and
advertising campaign that announces the 'New Secure Attitude', or spending
$50M on quietly fixing the broken software?

                                                  And also has Microsoft ever
been held criminaly liable for negligence in a criminal case for not
patching a flaw leading to a security breach?

Making a *criminal* negligence case stick would be *exceedingly* hard to do,
as you'd have to find a district attorney who wanted to try to press charges,
and it's hard to make it stick against a corporation - the legal standard
really *does* approach "the defendant knew or should have known that their
behavior was likely to result in somebody literally getting hurt or killed".
(One web site gave the hypothetical examples of a canoeing tour operator that
takes kids who are beginning canoers out on a lake, without life preservers,
when stormy weather is forecast, or a company releasing toxic chemicals that
they should have known would end up in a town's drinking water).

It would be a lot easier to make a case for civil liability for the negligence,
but then you'd have a *big* problem - by using a non-pirated copy of Windows,
you presumably agreed to the EULA, where you disclaimed most of the obligations
you would normally have.  And *at best*, you'd only be able to pin them with
"contributory negligence" - Microsoft could *easily* argue that the webmaster
or sysadmin or whatever *should* have known that "software is hackable" and
taken additional precautions of their own.

A number of pretty clever people have been looking at this, and it's pretty
generally agreed that the test case you'd want to see in court would be a
non-Microsoft shop (so they're not party to the EULA) who gets DDoS'ed or
otherwise attacked from compromised Windows boxes, such that the compromise
allows the attacker to remain anonymous/unfindable.  And even then it's not
a clearly winnable *practical* suit to battle - if the plaintiff company
only lost $250,000 due to the DDoS, and the attorney is doing it for the
semi-standard 30% of the award, and it will take more than $75K worth of
legal just to get the case rolling, it becomes difficult to get the lawsuit
moving.  So you'd need either a non-Microsoft shop that lost millions of
dollars due to the DDoS, or a law firm that wants to rack up *lots* of
pro bono hours..

Attachment: _bin
Description:

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]