<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0"><channel><title>Matasano Chargen - Latest Comments in Month of VersionTracker Bugs</title><link>http://matasanochargen.disqus.com/</link><description></description><language>en</language><lastBuildDate>Thu, 18 Jan 2007 08:43:57 -0000</lastBuildDate><item><title>Re: Month of VersionTracker Bugs</title><link>http://www.matasano.com/log/660/month-of-versiontracker-bugs/#comment-2321335</link><description>Ptacek (is it possible to even say that) you really need a hysterectomy.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Xune</dc:creator><pubDate>Thu, 18 Jan 2007 08:43:57 -0000</pubDate></item><item><title>Re: Month of VersionTracker Bugs</title><link>http://www.matasano.com/log/660/month-of-versiontracker-bugs/#comment-2321334</link><description>Pretty darn soon there will be a waiting list for the Maynard &amp;amp; Crabs Security Dude Ranch what with all the MOXB crowd just waiting to get in. Sign up now and get a room with a view of no cattle and a complimentary genuine Stetson 15 gallon hat at no additional cost.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Chris_B</dc:creator><pubDate>Mon, 15 Jan 2007 20:03:17 -0000</pubDate></item><item><title>Re: Month of VersionTracker Bugs</title><link>http://www.matasano.com/log/660/month-of-versiontracker-bugs/#comment-2321333</link><description>Ok I'm going to suggest that KF's Mom probably pays a little bit more attention to computer security than, say, my brother's mother-in-law, or 99.999% of other Mac users.&lt;br&gt;&lt;br&gt;I do like how aggressive Apple is about pushing fixes through software update.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Thomas Ptacek</dc:creator><pubDate>Fri, 05 Jan 2007 13:29:16 -0000</pubDate></item><item><title>Re: Month of VersionTracker Bugs</title><link>http://www.matasano.com/log/660/month-of-versiontracker-bugs/#comment-2321332</link><description>Does anyone's grandma or mom or friend for that 
matter refuse to install patches because they "change the way things look" or because they do not see the benefit of installing the patches when there is no such thing as Mac malware or exploits, viruses and the like? &lt;br&gt;&lt;br&gt;Just curious. &lt;br&gt;&lt;br&gt;My mom in fact recently sent me an email and said something along the lines of "So... I guess I should start getting used to installing updates instead of clicking cancel eh?" You know why she said that? Take a guess as to why ... &lt;br&gt;&lt;br&gt;-KF</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">KF</dc:creator><pubDate>Fri, 05 Jan 2007 12:45:54 -0000</pubDate></item><item><title>Re: Month of VersionTracker Bugs</title><link>http://www.matasano.com/log/660/month-of-versiontracker-bugs/#comment-2321331</link><description>One of my big arguments against MOAB is that shutting your friends up about Apple security is not a particularly important goal, especially weighed against the costs of muddying the waters more on disclosure.&lt;br&gt;&lt;br&gt;The "nobody's invulnerable, everybody has bugs" argument is one of the most toxic in security. If you believe everyone's qualitatively the same, you wind up where Lindstrom did; we might as well stop finding bugs altogether.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Thomas Ptacek</dc:creator><pubDate>Fri, 05 Jan 2007 10:57:18 -0000</pubDate></item><item><title>Re: Month of VersionTracker Bugs</title><link>http://www.matasano.com/log/660/month-of-versiontracker-bugs/#comment-2321330</link><description>In this day and age we still argue about what is good and bad. Regardless of the fact that these people found the issue and are reporting it, there are 100 other people who find it and exploit it. &lt;br&gt;&lt;br&gt;I say stop the MOXB and let the hackers show companies the holes. See how many people complain then. 
If the white hats and/or grey hats stopped reporting to companies, we would very quickly be a botnet-controlled internet. &lt;br&gt;&lt;br&gt;These people who report are doing a service. Apple and others have been very slow in the past at patching and have only recently begun to patch at a faster rate due to MOXB. &lt;br&gt;&lt;br&gt;What is nice about MOAB is that it has finally shut my friends up about Apple being safer than any other OS. They have always boasted that they will never be hacked. As of yesterday, my buddy found he was no longer in control of his machine. I laughed. &lt;br&gt;&lt;br&gt;No one vendor or OS is invulnerable. Everything has bugs. Not all can be fixed. But at least code check your software prior to release.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Mac</dc:creator><pubDate>Fri, 05 Jan 2007 09:41:05 -0000</pubDate></item><item><title>Re: Month of VersionTracker Bugs</title><link>http://www.matasano.com/log/660/month-of-versiontracker-bugs/#comment-2321329</link><description>I admit that there is a bit of spite in my opinion, likely in the same way bugfinders are sometimes finding bugs out of spite. In any case, there are smaller enterprises that are making O.S. choices based on security even though they *don't* understand the issues (perhaps IE vs. Firefox is slightly analogous here). To whatever extent there is an upswing in Mac adoption (not likely) it becomes a bit more important.&lt;br&gt;&lt;br&gt;I still think that root cause is important - i.e. is this fact due to inherent properties of the O.S. or is it simply based on the level of attention that bugfinders give to a particular O.S. 
Else, it is a fishtailing target out of the control of the enterprise.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Pete</dc:creator><pubDate>Thu, 04 Jan 2007 15:46:00 -0000</pubDate></item><item><title>Re: Month of VersionTracker Bugs</title><link>http://www.matasano.com/log/660/month-of-versiontracker-bugs/#comment-2321328</link><description>I'm not sure I see the value in bursting the bubbles of Mac end-users. Is anyone really laboring under the misperception that the average Mac OR Windows user really understands the issues involved in computer security?&lt;br&gt;&lt;br&gt;The fact of the matter is, moving from Windows to Mac WILL reduce the gross number of hours you spend every year dealing with security issues on your computer, probably by a lot. That the reduction doesn't occur for the reasons John Gruber says it does is hardly relevant, at least not to my Mom.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Thomas Ptacek</dc:creator><pubDate>Thu, 04 Jan 2007 15:21:50 -0000</pubDate></item><item><title>Re: Month of VersionTracker Bugs</title><link>http://www.matasano.com/log/660/month-of-versiontracker-bugs/#comment-2321327</link><description>That is scary. Guess you better update your punditcon graphic ;-) And actually, while I still harbor my standard beliefs (and will be on a panel debating responsible disclosure at RSA), in this case I at least see some "value" in bursting the bubble that Mac addicts have about the security of their solution. Of course, if the bugfinders fail, it will add greater fuel to the fire.&lt;br&gt;&lt;br&gt;I of course defer to you and others to keep me honest on the likelihood that these guys will succeed technically and what that means to the never-really-answered "what platform is more secure?" 
debate.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Pete</dc:creator><pubDate>Thu, 04 Jan 2007 15:01:51 -0000</pubDate></item><item><title>Re: Month of VersionTracker Bugs</title><link>http://www.matasano.com/log/660/month-of-versiontracker-bugs/#comment-2321326</link><description>Alastair, I had forgotten that LMH is a superstar. Oops. The worst part about this "debate" is that it puts me in a situation where I appear to agree with Pete Lindstrom.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Thomas Ptacek</dc:creator><pubDate>Thu, 04 Jan 2007 12:10:25 -0000</pubDate></item><item><title>Re: Month of VersionTracker Bugs</title><link>http://www.matasano.com/log/660/month-of-versiontracker-bugs/#comment-2321325</link><description>@Rosyna&lt;br&gt;How does your explanation in any way negate my point that malware authors are adept at turning these types of bugs into real malware? The Myspace worm example was given to show that 3rd party apps have been targeted by malware authors who make use of them. You must have jumped to the conclusion because I mentioned it I think they are the same type of bug, I don’t, but thank you for your very concise analysis of how it worked.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">David Maynor</dc:creator><pubDate>Thu, 04 Jan 2007 09:54:45 -0000</pubDate></item><item><title>Re: Month of VersionTracker Bugs</title><link>http://www.matasano.com/log/660/month-of-versiontracker-bugs/#comment-2321324</link><description>Have you seen&lt;br&gt;&lt;br&gt;  &lt;a href="http://news.com.com/2100-1002_3-6147026.html" rel="nofollow"&gt;http://news.com.com/2100-1002_3-6147026.html&lt;/a&gt;&lt;br&gt;&lt;br&gt;I particularly enjoyed the quote from Dave Marcus (McAfee's "Security Research and Communications Manager"), where he says&lt;br&gt;&lt;br&gt;"These guys were superstars in computer security before they were doing the months of bugs. 
I think they honestly do it in the thought of serving the community."&lt;br&gt;&lt;br&gt;Presumably by releasing working exploit code so that spammers can enlarge their bot-nets, thereby easing the distribution of viruses and spam, both of which are things that are clearly in great public demand these days?&lt;br&gt;&lt;br&gt;(And why is there now a Windows-specific exploit on a Month of *Apple* Bugs? Especially if MoAB is there to "discourage smugness" amongst Mac users?)</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">alastair</dc:creator><pubDate>Thu, 04 Jan 2007 09:46:07 -0000</pubDate></item><item><title>Re: Month of VersionTracker Bugs</title><link>http://www.matasano.com/log/660/month-of-versiontracker-bugs/#comment-2321323</link><description>I have to disagree with David on that point. The QT Javascript thing is a bug in the browser, not QuickTime. The QT plugin just passes the javascript to the browser. The plugin is loading javascript from a remote site, the browser should recognize this. So the MySpace thing was exploiting the fact IE didn't check to see if ActiveX controls loaded resources out of the current domain.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Rosyna</dc:creator><pubDate>Thu, 04 Jan 2007 05:32:06 -0000</pubDate></item><item><title>Re: Month of VersionTracker Bugs</title><link>http://www.matasano.com/log/660/month-of-versiontracker-bugs/#comment-2321322</link><description>I agree with Dave on that point, in case it seems from my post that I don't.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Thomas Ptacek</dc:creator><pubDate>Wed, 03 Jan 2007 17:36:05 -0000</pubDate></item><item><title>Re: Month of VersionTracker Bugs</title><link>http://www.matasano.com/log/660/month-of-versiontracker-bugs/#comment-2321321</link><description>@Steve:&lt;br&gt;I don't think it's FUD at all. 
I think it's one of the more dangerous bugs I have seen for Apple because it is one of the first bugs I have seen that could actually be exploited by REAL malware. As shown with the MySpace worm a few weeks ago, malware authors are adept at QuickTime vulnerabilities. It wouldn’t be too hard to build a script that determines your browser version and serves up an exploit for either Apple or Windows. To me that sounds like a little more than FUD…</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">David Maynor</dc:creator><pubDate>Wed, 03 Jan 2007 17:07:46 -0000</pubDate></item><item><title>Re: Month of VersionTracker Bugs</title><link>http://www.matasano.com/log/660/month-of-versiontracker-bugs/#comment-2321302</link><description>For some reason I wrote Brandon. Anyway, it's *Landon* Fuller, not Brandon. Apologies Landon.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">alastair</dc:creator><pubDate>Wed, 03 Jan 2007 16:40:41 -0000</pubDate></item><item><title>Re: Month of VersionTracker Bugs</title><link>http://www.matasano.com/log/660/month-of-versiontracker-bugs/#comment-2321320</link><description>Yes, I just read that too :-)&lt;br&gt;&lt;br&gt;Doesn't really surprise me. (Sorry Thomas, it's probably at least partly my fault that it's you that he's on about.)&lt;br&gt;&lt;br&gt;And like everyone else, I'm puzzled as to how a VLC bug gets classified as an "Apple" bug. Maybe it is only easily exploitable on OS X, but VLC doesn't come with OS X and it seems to me that people trying to play wmv files on OS X are much more likely to be running Flip4Mac.&lt;br&gt;&lt;br&gt;It does seem a shame that LMH and KF don't expend more effort on actually fixing the bugs rather than providing people with pre-written exploit code that could be used for nefarious purposes. 
Particularly as they aren't giving the vendor(s) any time to actually fix the problems before releasing their findings.&lt;br&gt;&lt;br&gt;Still, Brandon Fuller seems to be trying to provide fixes for things they find:&lt;br&gt;&lt;br&gt;  &lt;a href="http://landonf.bikemonkey.org/code/macosx/" rel="nofollow"&gt;http://landonf.bikemonkey.org/code/macosx/&lt;/a&gt;&lt;br&gt;&lt;br&gt;I contemplated doing that myself, but I'm not sure I have the necessary time. Maybe I'll have a go at one if I spot something I'm interested in, we'll see.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">alastair</dc:creator><pubDate>Wed, 03 Jan 2007 16:38:27 -0000</pubDate></item><item><title>Re: Month of VersionTracker Bugs</title><link>http://www.matasano.com/log/660/month-of-versiontracker-bugs/#comment-2321319</link><description>Gotta love the drama.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Thomas Ptacek</dc:creator><pubDate>Wed, 03 Jan 2007 15:16:34 -0000</pubDate></item><item><title>Re: Month of VersionTracker Bugs</title><link>http://www.matasano.com/log/660/month-of-versiontracker-bugs/#comment-2321318</link><description>Drama: &lt;a href="http://applefun.blogspot.com/2007/01/that-noisy-thomas-guy-aka-blackmail.html" rel="nofollow"&gt;http://applefun.blogspot.com/2007/01/that-noisy-thomas-guy-aka-blackmail.html&lt;/a&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">one.miguel</dc:creator><pubDate>Wed, 03 Jan 2007 14:49:21 -0000</pubDate></item><item><title>Re: Month of VersionTracker Bugs</title><link>http://www.matasano.com/log/660/month-of-versiontracker-bugs/#comment-2321317</link><description>Wow, Tom. You've really got your snark on today. I like it.&lt;br&gt;&lt;br&gt;The only thing I've concluded over this month's (abortive?) Bug cornucopia is that Kevin and LMH have figured out how to use a fuzzer. 
I am not sure what they are trying to prove, other than generate publicity for themselves.&lt;br&gt;&lt;br&gt;More to the point -- if the issue really is about fostering a "more concerned (security-wise) user-base" and "better practices from the management side of Apple" I'd like to know how this achieves those aims. LMH/KF say that "responsible disclosure" isn't an option because it would grant various parties, presumably Apple, "insane amounts of time" before things got fixed.&lt;br&gt;&lt;br&gt;A fair argument, but I don't buy it. I hate to be like Nick Naylor in "Thank You for Smoking," but where are the data? And what constitutes "insane" amounts of time? At least with eEye's "Upcoming Advisories" and "Zero-Day" tickers (which I like) you can see the elapsed time, and judge for yourself about whether the vendor is being reasonable or not.&lt;br&gt;&lt;br&gt;Honestly, when I hear an inflammatory statement like "insane amounts of time" you'd think that the party making the statement would substantiate it with facts. But they don't, probably because they can't. I am genuinely willing to have my mind changed, but until I see some data I regard this whole thing as 90% stunt, 10% altruism.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Andrew Jaquith</dc:creator><pubDate>Wed, 03 Jan 2007 14:44:22 -0000</pubDate></item><item><title>Re: Month of VersionTracker Bugs</title><link>http://www.matasano.com/log/660/month-of-versiontracker-bugs/#comment-2321316</link><description>I am still failing to understand what VLC has to do with Apple and what Apple developers are supposed to do about it. I don't use OSX, does VLC come bundled with it? If not then why is that advisory part of the MOAB? I thought MOAB was in response to slow Apple patch times? I understand the QuickTime bug, Apple can do something about it. But please someone explain the reasoning for the VLC bug. 
Also it appears to work in Linux as well, but I'm too lazy to go beyond segmentation fault on this one.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">ChrisR</dc:creator><pubDate>Wed, 03 Jan 2007 14:12:58 -0000</pubDate></item><item><title>Re: Month of VersionTracker Bugs</title><link>http://www.matasano.com/log/660/month-of-versiontracker-bugs/#comment-2321315</link><description>Great post. While the Apple bug is serious, it is not the most serious and there we have Maynor overblowing and creating FUD about an issue. Seems to be par for the course, is it not?&lt;br&gt;&lt;br&gt;I think the only real value in these MOXB campaigns is that it does give the vendor a kick in the ass to perhaps start dealing with security in a more realistic and responsive manner. Too bad there is yet to be any evidence that it actually does this.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Steve</dc:creator><pubDate>Wed, 03 Jan 2007 14:01:12 -0000</pubDate></item><item><title>Re: Month of VersionTracker Bugs</title><link>http://www.matasano.com/log/660/month-of-versiontracker-bugs/#comment-2321314</link><description>there is a big difference between MoBB and MoAB/MoKB. I doubt LMH is getting several rounds of beers and respect for this from Apple like hdm got from Microsoft.&lt;br&gt;&lt;br&gt;plus, I don't see this as full-disclosure at all. somebody please explain to me how this doesn't encourage the hoarding and delaying of vulnerabilities? 
if anything, this severely lengthens the vulnerability and exploit lifetimes, which is just as counter-productive as Apple's lack of response.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">dre</dc:creator><pubDate>Wed, 03 Jan 2007 13:58:37 -0000</pubDate></item><item><title>Re: Month of VersionTracker Bugs</title><link>http://www.matasano.com/log/660/month-of-versiontracker-bugs/#comment-2321313</link><description>"That’s one explanation, but there’s a reason Maynor’s announcement got so much press coverage and the Quicktime finding isn’t going to get any.&lt;br&gt;&lt;br&gt;That said: I’m being deliberately snarky because I’m irritated that Maynor is sticking up for MOAB."&lt;br&gt;&lt;br&gt;Sounds to me like someone is upset they haven't been in the press lately, and their thunder is being taken from them. :)</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">whocaresaboutpresscoverage</dc:creator><pubDate>Wed, 03 Jan 2007 13:56:50 -0000</pubDate></item><item><title>Re: Month of VersionTracker Bugs</title><link>http://www.matasano.com/log/660/month-of-versiontracker-bugs/#comment-2321312</link><description>"That said: I’m being deliberately snarky because I’m irritated that Maynor is sticking up for MOAB. "&lt;br&gt;&lt;br&gt;Really?  I can't tell.  LOL.  :-)</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">one.miguel</dc:creator><pubDate>Wed, 03 Jan 2007 13:34:41 -0000</pubDate></item></channel></rss>