Microsoft Response to Exploit Riles Metasploit Developer

A recently released exploit that takes advantage of problems in RRAS has drawn the relative ire of Microsoft and the obligatory rebuttal of a well-known security researcher.

In June, as part of Microsoft's monthly patch release schedule, the company released security bulletin MS06-025, "Vulnerability in Routing and Remote Access Could Allow Remote Code Execution (911280)." Nine days after Microsoft published the bulletin, Metasploit Framework developer HD Moore published an exploit module that takes advantage of problems in RRAS. Metasploit automates the use of exploits for penetration testing, intrusion detection system signature development, and exploit research.

Microsoft subsequently issued a security advisory to explain that the company is aware of the exploit code, to clarify that a patch is available, and to offer workaround suggestions for those who cannot install the patch.

In the advisory the company also stated, "Microsoft is disappointed that certain security researchers have breached the commonly accepted industry practice of withholding vulnerability data so close to update release and have published exploit code, potentially harming computer users." In his blog, HD Moore took issue with Microsoft's comment and posted a lengthy rebuttal explaining why he chose to publish the exploit nine days after Microsoft issued its RRAS patch.

Moore's position is that perhaps there is no "commonly accepted industry practice of withholding vulnerability data so close to update release." To argue his position, he points to several companies that routinely buy unpublished exploit code and then resell the details to their customers. Such companies include VeriSign's iDefense, Digital Armaments, and Immunity Inc.; however, these companies do not publicly publish exploit code, which seems to be the sticking point for Microsoft.

Moore also pointed to numerous independent researchers who do routinely publish exploit code at, or very near, the time a vendor releases its related patch. He then goes on to state that the exceptions to this trend are typically "large proprietary software vendors." This may be the case, but some well-known security solutions providers have long since adopted more protective disclosure policies. One company in particular, Next Generation Security Software, doesn't publish vulnerability details until three months after the vendor whose software is affected releases its patch.

Moore went on to point out that his exploit code actually takes advantage of a flaw in RRAS not mentioned in Microsoft's MS06-025 security bulletin. However, Microsoft's advisory does indicate that systems with the patch applied are not affected by the exploit published by HD Moore, although Microsoft was careful not to mention Moore by name.

The issue once again comes down to the long-standing difference in opinions of what responsible disclosure is. Towards this end it should be pointed out that noticeably missing from HD Moore's rebuttal to Microsoft is an explanation of who benefits from the release of a semi-automated exploit only nine days after Microsoft released its patch.



