
February 11, 2005 2:36 PM PST

Microsoft: Watch out for rogue code

Microsoft has urged customers to apply its latest security patches, after several companies published "proof of concept" attacks that exploit the flaws that the updates fix.

In a notice posted to its Web site late Thursday, the software giant highlighted proof-of-concept documentation, or sample software code to illustrate how a flaw might be used to attack a system, from two security software makers: Finjan Software and Core Security Technologies.

While Microsoft said it backs the disclosure of vulnerabilities and proof-of-concept code, a common practice in the IT security industry, it criticized the companies for publishing their test code mere hours after security patches had been released for the reported flaws.

"Microsoft will continue to support and advocate responsible disclosure, because we find it to be a vital tool to effectively identify and remedy security issues," the company said in its notice. "Microsoft is concerned that the publishing of proof-of-concept code within hours of the security updates being made available has put customers at increased risk."

Shortly after some of Core's proof-of-concept work was aired, an individual modified some of the code to create an actual threat, Microsoft said. The malicious code could expose computer users who have not yet installed its updates to attack, it said.

The software maker rapped Finjan, which reported a critical issue in Office XP, for posting its proof-of-concept code on the same day Microsoft issued a security bulletin to resolve the issue.

It said Core, which reported a critical issue in the PNG (portable network graphics) processing technology present in Microsoft Windows and MSN Messenger, also published proof-of-concept code on the Web the same day an advisory was released to address the problem.

The Redmond, Wash.-based software giant believes that the two security companies ignored an unspoken law among researchers to wait "a reasonable period of time" before publishing their work. Microsoft said those generally accepted industry practices give its customers more time to test, download and deploy the necessary security updates.

Neither Finjan nor Core immediately responded to calls seeking comment on the Microsoft announcement. However, in a previous interview with CNET News.com, Finjan CEO Shlomo Touboul defended his company's practices around reporting Microsoft's vulnerabilities.

"People need to know that they have to be careful--and without education, people won't be careful," Touboul said. "I wouldn't say we are scaring people. I don't believe in panic, but in very calculated behavior."

Comments (7)
hmm
by simcity1976 February 11, 2005 3:17 PM PST
Core Security Technologies and Finjan Software did this for publicity, which is rude and dangerous. They lack common sense by not waiting until the affected systems could be patched.
Yah Right....
by February 14, 2005 10:31 AM PST
Sure wait until Microsoft patches it. The problem is unless the information is released to the public Microsoft takes their sweet time, does nothing at all or tries to convince people that it isn't a bad threat.

Microsoft has brought this on themselves, first for not doing patches faster. Frankly, the company should come to a complete stop so they can fix any problems reported. And then, to make matters worse, as they said in this article, they rely on others to do their security testing for them.

Which also means that if these other companies waited Microsoft would fix the problem when they are ready and take credit for it. What are the other companies supposed to do wait until Microsoft gives the ok only to be made to look like fools for taking credit for finding a problem that Microsoft already fixed? You could bet that the ok would be months after the fix was in.

No, I think these companies are doing the right thing. If Microsoft doesn't want to get the blame for all of these problems and the problems that come from these security holes, then Microsoft needs to start doing a better job in the development department instead of trying to make other companies do all of the work for them and then taking the credit.

I for one think a lot less of Microsoft because they can't even find their own security holes. They have to have other companies with better testers and programmers do it for them. I don't think you can get much more lame than that. And that is what Microsoft wants to guard against: people thinking they are a bigger joke than they are. They don't give one hoot about the security of our systems. If you think otherwise, you're a fool.

Robert
riiight
by lameth February 11, 2005 4:23 PM PST
He believes in calculated behavior? Good, I think this is the second time this guy has done something like this. I hope Microsoft exercises a little calculated behavior in the form of deciding whether or not to withdraw whatever licensing agreement they have with this guy.
It's bad enough there are security holes in Windows. The general public really doesn't need bozos like this publishing proof-of-concept code before most IT guys get into work to patch their systems.
Unspoken Law
by February 14, 2005 5:57 AM PST
Microsoft shouldn't be pointing a finger at the two companies who published the code. Everyone knows Windows is a sieve anyways. Besides, if Microsoft was really concerned about the speed at which people apply updates, it should make Windows Update indicate that there is an update available when the update gets published, not three days later, which is the case for a lot of systems reporting "Updates Available". Microsoft seems to like to scatter new update notifications, likely to ease the load on their download servers...
Ignorance hurts
by aabcdefghij987654321 February 14, 2005 7:38 AM PST
Such a large percentage of the internet is composed of MS-based machines that if MS tried to send the updates to everyone all at once (as you suggested), then the internet connections to MS would be too jammed for anyone to get through, and the patch would take even longer for everyone to get.

The criticism for releasing POC code hours after the fix becomes available is valid, but then you get into yet another debate about how long to wait before it would be OK to publish such code.

It should also be understood that the description of the problem, plus examining the old code vs. the new code, is enough for many people to recreate the POC code on their own. Because of that, it's quite possible that a miscreant could create a working exploit and have it running before the "delayed" announcement containing POC code.

Regardless, the author of any virus/trojan (not the author of a POC unless they make it a complete virus) is still wholly and completely the person to blame for their actions.