[Full-disclosure] Microsoft's Real Test with Vista is Vulnerabilities
n3td3v at gmail.com
Tue Jun 27 16:13:51 BST 2006
On 6/27/06, Gadi Evron <ge at linuxbox.org> wrote:
> Vista, the solution to all our problems: Microsoft portrays Vista as
> anything from the end of software vulnerabilities to the end of spyware.
> In my opinion, that is irrelevant as both problems are not going to go
> away. They are part of how software systems and the Internet work, and
> that's that. The Bad Guys with their ROI won't give up that easily.
> What is going to happen though is that creating and exploiting these would
> become more difficult.
> *Vista is not the Holy Grail or some "silver bullet". It is a test for
> Microsoft. It will be a clear indication of how far Microsoft has advanced
> in the realm of developing secure software, if at all*.
> How so...?
> In the past I posted claims that stated Microsoft has advanced
> considerably in recent years, and today, it has become very difficult
> to find vulnerabilities in Microsoft products. Naturally this doesn't
> apply to Internet Explorer. :)
> Their code is very professional and heavily reviewed. Unless you spend
> significant resources and time on the task, you are not likely to find
> even Denial of Service vulnerabilities, not to mention Code Execution
> vulnerabilities in their code.
> When you do find one, the vulnerability will most likely be a logical
> flaw. Microsoft has no problem committing incredible resources to code
> However, we need to take into account the Excel case:
> Last December Noam wrote of eBay bids on an Excel 0day vulnerability,
> which later on were also announced on the Full-disclosure mailing list.
> The issue of bidding for exploits on eBay lead to a heated discussion and
> many blog entries.
> In the coming months after that, Microsoft announced in it's monthly
> security patches release (Patch Tuesday a.k.a. Black Tuesday) several
> Excel vulnerabilities.
> In this last month, it happened again.
> Then the first (but not last!) of the Excel 0days was disclosed. Here is
> what Juha had to say about it.
> What does this mean, and how does this work with what every decent reverse
> engineer will tell you: Microsoft's code is very professional.
> The answer is divided into two:
> 1. QA.
> 2. Untouched code-base.
> Microsoft is basically using legacy code that has been reviewed and
> attacked countless times by countless people since Windows NT if not, in
> some cases Windows 3.1 (gdi32.dll anyone?).
> Is it any wonder new vulnerabilities are so difficult to come by? Everyone
> in the industry has been trying for, at the very least, over a decade. We
> can't tell if their code is that good due to their ability.
> Excel on the other hand is code-base which didn't in the past receive that
> same kind of scrutiny very often. When the kiddie on Full-disclosure and
> eBay issued his challenge, what happened was that many people started
> aiming at Excel.
> Much like it often happens with vendor advisories with little to no details, new
> vulnerabilities were found other than the one the kiddie (whoever or
> whatever he really was) supposedly found.
> Several patch releases with official bullet-ins, several 0days... fun,
> ain't it? Not related you say? Maybe.
> So.. yes. Microsoft's code is very professional, but we can't really rank
> their ability on it due to the immense efforts by everyone outside of
> Microsoft to do their QA for them.
> When Vista comes out, regardless of all the cute security features it will
> have. some of which will raise the bar for security researchers, it
> *WILL* have vulnerabilities.. and not too long after the release.
> The amount of vulnerabilities and their complexity will tell us more of
> Microsoft's real ability with security today, than anything else.
> Microsoft can claim Vista is the Holy Grail all they like, and indeed,
> some of these security features are intriguing... in my opinion though,
> the real question is what Vista will show us:
> 1. It's a new untested code-base out for play.
> 2. Microsoft supposedly learned a thing or two since Windows 95.
> Your guess is as good as mine and the results of this test will be very
> Gadi Evron.
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
Gadi Evron isn't a home made hacker, so I can see where his above
comments are coming from, an academic background, with a social
background that amounts upto office staff professionals looking after
their own backs where profit comes before security.
It will always be as easy _or_ as difficult to find Microsoft product
vulnerabilities, depending on your outlook on the situation.
Nothing you say on Full-Disclosure (or on your web log) is going to
change the industry and the way underground hackers operate (the folks
that count are the home made hackers, not the manufactured hackers
from the universities.), or the trends and techniques underground
hackers are using.
Theres queues of vulnerabilities for Microsoft Vista right now in the
underground, where hackers are waiting for the public release of the
product, before releasing the code.
It would make little of no sense for the underground to release
Microsoft Vista advisories to Full-Disclosure right now when half the
planet isn't using it as their primary operating system ---yet.
Hackers good and bad want maximum impact and exposure, even if its a
whitehat disclosure. Thats why I know in my opinion, there isn't a
lack in vulnerability detection in Microsoft products (including
Vista) by home made hackers, it is just a holding back period we're in
right now, where the underground are keeping a low profile to insure
they (the hackers) have a good backlog of vulnerabilities to hurt
Microsoft with in the first 6 to 12 months of Vista going prime time.
If we made disclosures right now it would be a waste of time in the
eyes of the underground elite.
Call it calm before the storm, and I believe thats whats going on right now...
Give it time and Bugtraq, Full-Disclosure, n3td3v and milw0rm will be
a wash with Microsoft Vista vulnerability disclosures, where you Gadi
Evron (with your other manufactured hackers and security professionals
buddies) will be eating your words, and i'll personally make a post to
the security community to showcase all your comments about Microsoft
Vista being the most secure ever operating system when the
vulnerabilities start flowing.
Full-Disclosure is hosted and sponsored by Secunia.