Full Disclosure mailing list archives

Re: Re: Security Bug in MSVC

From: Jason Coombs <jasonc () science org>
Date: Thu, 19 Jan 2006 09:38:52 +1300

Dave Korn wrote:

Nice thinking, Donnie. This must be the "new class of vulnerability"
that was hinted at by Microserfs a few months ago... The attacks are
launched by way of source code distributions rather than binary code.

Why is this a terrible insecure microsoftism, when GNU make does exactlythe same?

Just after Donnie reported this issue to Microsoft (September) westarted seeing Microserfs suggest that their security team was workingon a never-before-encountered novel class of vulnerability, and theimplication was that Microsoft's security competency had finallysurpassed both the black hats and all other white hat groups -- since itwould be politically valuable for Microsoft to be able to claim thatsharing source code is an unsafe behavior, and since there have been noother vulnerabilities disclosed since that time which might haveappeared to Microsoft to be entirely new and far-reaching, I suspectthat this disclosure prompted those previous statements about work beingdone by Microsoft.

How many other attacks can you point to where Microsoft's developmenttools are exploited to specifically target the unwary programmer whostill thinks it's perfectly safe to download arbitrary data from anuntrusted source and then open it in a text editor? My guess is thatDonnie got Microsoft thinking about this very risk, and they startedtalking internally about it being an entirely new class ofvulnerability. Yes, if my supposition is correct it would be quitepathetic and give us another reason to laugh at Microsoft; but you canprobably see how much benefit Microsoft is going to be able to milk outof this and related attacks that exploit bugs in programmers' tools thatare launched by the simple act of opening or attempting to compile asource code distribution.

Source code is just as dangerous as binary code. Clearly, the only wayto be safe is to rely on Microsoft's programmers to create anddigitally-sign software for us. Go Microsoft. Yeah!


Regards,

Jason Coombs
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Current thread:

Security Bug in MSVC Morning Wood (Jan 17)
- Re: Security Bug in MSVC ad () heapoverflow com (Jan 17)
  - Re: Security Bug in MSVC Stan Bubrouski (Jan 17)
- Re: Security Bug in MSVC Jason Coombs (Jan 17)
  - Re: Security Bug in MSVC Dave Korn (Jan 18)
    - Re: Re: Security Bug in MSVC Jason Coombs (Jan 18)
    - Re: Re: Security Bug in MSVC bkfsec (Jan 18)
    - Re: Re: Security Bug in MSVC Dave Korn (Jan 19)
- Re: Security Bug in MSVC Joachim Schipper (Jan 18)
  - Re: Security Bug in MSVC Morning Wood (Jan 18)
- Re: Security Bug in MSVC Pavel Kankovsky (Jan 19)
  - Re: Security Bug in MSVC redsand (Jan 19)
    - Re: Security Bug in MSVC Stan Bubrouski (Jan 19)
    - Re: Security Bug in MSVC ad () heapoverflow com (Jan 19)
    - Re: Security Bug in MSVC redsand (Jan 19)
    - Re: Security Bug in MSVC ad () heapoverflow com (Jan 19)

(Thread continues...)