Kaminsky: MS security assessment tool is a 'game changer'

Microsoft on Friday released an open-source program designed to streamline the labor-intensive process of identifying security vulnerabilities in software while it's still under development. As its name suggests, !exploitable Crash Analyzer (pronounced "bang exploitable crash analyzer") combs through bugs that cause a program …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward
    Thumb Down

    Security ehh... that means it's been tested?

    If so, then why does the link do this....

    I would have thought that during 'testing' they might notice the 404 page - even though it's not a security issue, or is it one of those "not my job chum" events?

    http://www.codeplex.com/msecdbg

    "Server Error in '/' Application.

    The resource cannot be found.

    Description: HTTP 404. The resource you are looking for (or one of its dependencies) could have been removed, had its name changed, or is temporarily unavailable. Please review the following URL and make sure that it is spelled correctly.

    Requested URL: /error/error404.aspx"

    Kaminsky the chief-self-back-patter tosser and his chums at M$ are utter failures.

    But yet again nobody will notice and will think the sun shines out of his rear end again!!

  2. Jeremy
    Paris Hilton

    404 Fail

    Erm... The link on the MS page to get the tool raises a 404... It's not even a graceful 404 - just an unfriendly default .net error message.

    Did nobody check the download link before they released it then?

  3. Brett Brennan
    Gates Halo

    Finally something worthwhile from Redmond

    While not a big MS fanboi myself, this is (arguably) one of the first proactive things MS has done in a long time. Worthwhile or not (I don't know: I do no Windows work) it's a solid step in the right direction.

    Good Bill! Nice Bill! Don't bite the hand with the nummy in it Bill!

  4. Anonymous Coward
    Anonymous Coward

    ! = "bang"?

    Is this a case of English - embrace, extend, exterminate?

  5. James O'Shea
    Gates Horns

    re Jeremy

    Jer, me lad, which part of "It's expected to be available soon at this link as an open-source program on CodePlex" was unclear? I got that the item in question ain't there yet. May I suggest patience?

  6. Pierre
    Joke

    Hehehe I can do it too.

    Behold my mighty !Krash Xploitable Bingy Bang Tool. Here be the code:

    print "It seems that your application is running on Windows. You'd better have a look at this problem"

    See? Easy. Arguably the most size-efficient security audit tool ever. It's open source too. Feel free to redistribute. And no nasty 404...

  7. Frank

    The Microsoft Experience

    "Microsoft has taken years of difficulties with security vulnerabilities and really condensed that experience down to a repeatable tool that takes a look at a crash..."

    Translation:- Microsoft has taken years of experience of writing software with security vulnerabilities and have written some more software.

  8. Anonymous Coward
    Stop

    "Bang" exploitable? I rather think "not".

    Go look up yer logical operators. I think you missed the joke.

  9. Ida
    Stop

    Given their track record ...

    Given MS's track record would you really trust an application from them that checks for vulnerabilities ???

  10. EdwardP
    Happy

    Interesting.

    http://msecdbg.codeplex.com/ - Looks very interesting, am going to have a play with it now. Coming from a giant like Microsoft, this might be really good. Presumably, an extremely popular in-house tool.

    Now how can I automate the testing process...

    This place is getting more and more like a technical HYS everyday. I'll bet most of the sarcasm crew above are running some form of Windows. Only the mods know for sure...

  11. Anonymous Coward
    Anonymous Coward

    @Ida - absolutely right..

    If they have been working for "years" on "improving their product" it sure as hell isn't noticeable. UAC in Vista was a plain rip from Unix "su", but without understanding (and thus applying) the underlying fundamentals of account segregation, and although the weekly grouping of patches camouflages just how much is sent at systems globally, we're still up to our eyeballs in botnets.

    Note to MS: it's not about patching afterwards, it's about getting the bloody basics right.

    Grmbl.

  12. Steve

    @ida

    Microsoft's track record in the past few years or so can put many open source products to shame. Or are you one of the few Tux-heads that doesn't apply the hundreds of patches to your disty of choice as it's 100% secure out the box?

  13. Boris the Cockroach Silver badge
    Paris Hilton

    considering

    That many attacks are the infamous "buffer overrun" assaults...... does the tool know to report when it sees a lazy ass programmer not bothering to do bounds checking on his incoming data?

    Paris because she can check my buffer anytime

  14. Richard Porter
    Alert

    Re: !="Bang"?

    ! is "Shriek" (or sometimes "Plonk") but not "Bang".

  15. Anonymous Coward
    Anonymous Coward

    Not not?

    Firstly, it's obviously "Not exploitable". Secondly, let's wait and see if it makes any difference to MS's bug rate before we get too excited, shall we?

  16. Chris
    Coat

    I can see Windows Update now...

    Security Update: !exploitable Crash Analyzer Service Pack 1

    This update fixes a number of security vulnerabilities in !exploitable Crash Analyzer which could potentially allow an attacker to compromise the user's computer if the following set of conditions are true:

    1. The affected PC is running Windows

    To resolve this issue, obtain the latest service pack.

    ... Cynic, moi??!!

    Mine's the one with all the holes in the pockets...

  17. Anonymous Coward
    Unhappy

    Bah I was wrong.

    ...now the download site is back up I see that that IS the team's own name for it and not just something written by the PR spokesborg. Well, someone missed an opportunity for a joke, anyway. Probably me.

    Mea culpa.

  18. D. M
    Thumb Down

    Would you

    trust a drug dealer to clean up a street with drug problems?

    History tells us, MS and security don't go together.

  19. Toastan Buttar
    Alert

    Debugging the Barry Scott way

    Kill It Bang !

  20. Pierre
    Unhappy

    Author, please kick yourself in the nads

    "Delaying the release of a product to fix a crash bug that's most likely not exploitable needlessly drives up development costs."

    Says a lot really. "we have all these bugs we know about and could fix, see, they cause our application to crash every other second, see, but we believe some of them will not give your banking details to script kiddies, so our product is ready for sale. The app won't be usable until the second row of patches, but in the meantime we'll make gazillions from unsuspecting customers".

    I'd better leave now, this is not good for my blood pressure.

  21. Pierre
    Thumb Down

    @EdwardP

    "I'll bet most of the sarcasm crew above are running some form of Windows. Only the mods know for sure..."

    I wouldn't be so sure if I were you. Some of us like to have machines that work. And the "mods" "know for sure" what the browser bloody well wants to tell them.

    "Now how can I automate the testing process..." looks like someone who was producing shoddy code is about to produce pure crap.

  22. Anonymous Coward
    Anonymous Coward

    Oh dear, Rabid anti microsoft syndrome strikes again?

    Maybe those complaining about Microsoft's record on security could provide us with a comparison with Apple's history on security? Or maybe Oracle's or just about any other major software company? Maybe they could point me at where Apple provide similar tools to stop people hacking MacOs?

  23. Slartybardfast
    Unhappy

    Po' Man's Blues

    Oh! So tired. So very tired - of the same old shit.

    Ev'rybody's talking about

    Gatesism, Jobsism, Tuxism, Freeism, Macism, Pcism

    This-ism, that-ism

    Isn't it the most

    All we are saying is give peace a chance

    All we are saying is give peace a chance

    A company releases a tool that hopefully will make third party code a little safer to run on their operating system. What do we get, same shit different day.

    Give it a rest, for fucks sake.

    If there's any chance it will make computing safer for all of us then you should applaud it. But do you? No, far better just to have another meaningless pop as per usual. Well I hope you feel better for it.

    We are not all Microsoft fan boys, Apple fan boys or Tux wearers but if our friends, parents and colleagues are saved from having their PCs pawned by the use of this tool then it was worthwhile.

    Even if all this tool does is to get someone else to think "that's a good idea" and write a better one, then it's still been a good use of resources.

    And they're making it open source - So for fucks sake stop moaning and if you think you can do better, then write one yourself. Or write one for your own operating system of choice, because I bet it probably needs one....

  24. John Smith Gold badge

    @chris

    "It's a Windows debugger extension " according to the story.

    There is not (AFAIK) a user runtime version of this tool.

    However this is an interesting light on MS development and "Open source," MS style

    1) It's an add-on for an MS product. It's therefore useless unless Gnu (or other mfg) products are compatible at that level.

    2) It allows you to spot vulnerabilities at the last stage in the build process. Possibly caused by code originating outside MS. And once spotted, whether you want to do anything about it, even if it will crash users.

    That this tool exists leads to the question of how much of those MS libraries that MS is so keen for people to use are all their own work. Or any other software they supply for that matter.

    I think it will be very interesting to see the results when it's run on *any* developer's externally sourced libraries. My *guess* is some will prove to be much more dangerous (i.e. badly written to begin with and then not fixed in later releases)

  25. jake Silver badge

    Uh, people ...

    "!" has been pronounced "bang" for years. Look up "bang path". I was stanford!sail!jake in the late '70s and early '80s. (The bang path is correct, but I've changed my name to protect the guilty :-) If I recall correctly, it's been called a bang by printers for a couple centuries.

  26. Alan W. Rateliff, II
    Paris Hilton

    !=bang? And what's the problem with the new tool?

    I have to jump on-board with the !haters. (Or ~haters, depending upon your language of choice, I suppose.) Anyway, Microsoft puts a foot forward to assist in avoiding exploitable crashes, and makes it (arguably) open source. Is this not two of the biggest complaints *tards have against Microsoft? The lack of security consciousness and unwillingness to abide open source?

    As for the "bang" bit, I learned way way way way back when that the "!" was pronounced "bang." Naturally the "she-bang" thingie makes perfect sense. Yes, it also negates conditionals in some languages, and knowing that, the "not-exploitable" humor does not escape me. I had to chuckle a little.

    Paris, exploitable and DOES escape me.

  27. Robin Szemeti
    Gates Horns

    So .. this will help you how exactly?

    mmm .... and this helps you because you can concentrate on the few "dangerous" crashes, and the other bunch where it just crashes without a vulnerability you can safely ignore?

    Oh my ... well, there was me thinking that production code didn't crash .. oh well.

    And what about all the vulnerabilities where it doesn't crash the code? and just goes on to accept un-checked input etc?

    OK. it sounds like a partially useful tool, but only on horrendously crashy software, where you release it in a state where it's crashing like a banshee, and you only have time to nail the dangerous ones ..., and it will only find the buffer overflow style problems, which is probably about 10% of the vulns out there ...

  28. jake Silver badge

    @Alan W. Rateliff, II

    "Naturally the "she-bang" thingie makes perfect sense."

    Nope. The "she" part is properly called an "octothorpe", or hash, or pound, depending on context. Unfortunately, the "hashbang" idea didn't pan out during the 70s; sounded too much like hashbong & the various neckbearded hippies[1] who were (re)inventing UNIX/BSD were paranoid ... octothorpe-bang is clumsy, and pound-bang is just plain weird ... I believe that it came down to "sharp-bang"[2] which was modified to sh-bang (from /bin/sh), and pronounced & later written shebang.

    [1]They say that if you remember the SF Bay Area during the 60s & 70s, you didn't live here, but I'm here to tell you that some of us were smart enough to not get into pot ;-)

    [2] Musical notation with computers in the '70s? Oh-kay ... :-)

  29. Pierre
    Flame

    I think MS lovers need to understand...

    The aim of this tool is NOT to remove bugs from the code. Quite the contrary. The purpose of this tool is to INCREASE the number of crash-inducing bugs in released code. More precisely, it is here to allow developers to willingly leave crash-inducing bugs in the code. It analyses the crash, and tells you if you need to fix the bug, or not. Meaning that it expressly flags fricking crash-inducing bugs as release-acceptable. Before the crash-binggy-bang-tool: your code is buggy, it crashes, you try and fix it. With the new tool, your code is buggy, it crashes, but the crashes might not leak info to crackers so hey, no need to bother, just release the buggy code as-is.

    Also, my understanding (but I didn't really look at it closely) is that it does not examine the code itself, but the crash. Meaning that your code may still have gaping, easily exploitable security holes in it and still be considered secure by our banggy little friend. How wonderful.

    Clearly, only MS and their brainless minions could think this is a good idea.

    A "game-changer", really. I unfortunately have to agree. This tool will make stinky turds of what would otherwise have been only shoddy code. Yay! Where be the fireworks, we clearly need to celebrate.
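Several posts above (Boris's question about whether the tool notices missing bounds checks, Robin Szemeti's point about vulnerabilities that never crash, and Pierre's observation that it examines the crash rather than the code) are really describing the same thing: a crash-exploitability analyzer only ever sees the debugger's state at the moment of a fault. The following is an added example, not the !exploitable extension's source and not code from the article: a small Python triage that ranks constructed crash records from fault type, faulting address and register state alone, and buckets duplicates by a hash of the top stack frames. The rating rules, the 0x10000 null-page boundary and the sample records are all assumptions made for illustration.

```python
import hashlib
from dataclasses import dataclass
from enum import Enum


class Rating(Enum):
    # Definition order doubles as severity order for sorting.
    EXPLOITABLE = "EXPLOITABLE"
    PROBABLY_EXPLOITABLE = "PROBABLY_EXPLOITABLE"
    UNKNOWN = "UNKNOWN"
    PROBABLY_NOT_EXPLOITABLE = "PROBABLY_NOT_EXPLOITABLE"


@dataclass(frozen=True)
class Crash:
    """The state a debugger has at a fault: no source code, just the crash."""
    exception: str                      # "ACCESS_VIOLATION", "STACK_OVERFLOW", ...
    access: str = ""                    # for access violations: read/write/execute
    fault_addr: int = 0                 # address the faulting instruction touched
    pc: int = 0                         # instruction pointer at the fault
    stack: tuple = ()                   # symbolised frames, innermost first
    tainted: frozenset = frozenset()    # registers assumed to hold attacker input


NULL_PAGE_LIMIT = 0x10000  # assumption: faults below this are null-pointer derefs


def classify(c: Crash) -> Rating:
    """Rank one crash from fault type and register state alone.

    Simplified rules (an assumption, not the real tool's logic): control-flow
    hijack and wild writes rank highest, near-null reads lowest, reads through
    attacker-influenced pointers in between.  A bug that never faults (input
    accepted unchecked, logic errors) produces no Crash and is never seen here.
    """
    if c.exception == "ACCESS_VIOLATION":
        if c.access == "execute" or c.pc == c.fault_addr:
            return Rating.EXPLOITABLE               # pc already points somewhere bad
        if c.access == "write":
            return Rating.EXPLOITABLE               # arbitrary write primitive
        if c.fault_addr < NULL_PAGE_LIMIT:
            return Rating.PROBABLY_NOT_EXPLOITABLE  # plain null dereference
        if c.tainted:
            return Rating.PROBABLY_EXPLOITABLE      # read via attacker-shaped pointer
        return Rating.UNKNOWN
    if c.exception in ("ILLEGAL_INSTRUCTION", "PRIVILEGED_INSTRUCTION"):
        return Rating.PROBABLY_EXPLOITABLE          # usually pc was redirected
    if c.exception == "STACK_OVERFLOW":
        return Rating.PROBABLY_NOT_EXPLOITABLE      # runaway recursion, typically DoS
    return Rating.UNKNOWN


def stack_hash(stack: tuple, depth: int = 5) -> str:
    """Bucket key from the innermost frames so repeat crashes collapse."""
    return hashlib.sha256("|".join(stack[:depth]).encode()).hexdigest()[:16]


def triage(crashes):
    """Group crashes into (rating, stack hash) buckets with hit counts."""
    buckets = {}
    for c in crashes:
        key = (classify(c), stack_hash(c.stack))
        buckets[key] = buckets.get(key, 0) + 1
    return buckets


def worklist(crashes):
    """Buckets ordered worst first: what a developer would fix before shipping."""
    order = list(Rating)
    return sorted(triage(crashes).items(), key=lambda kv: order.index(kv[0][0]))


def summary(crashes):
    """Distinct buckets per rating name, e.g. {'EXPLOITABLE': 2, ...}."""
    out = {}
    for (rating, _h) in triage(crashes):
        out[rating.name] = out.get(rating.name, 0) + 1
    return out


# Constructed sample crash records (not real crashes from any product).
SAMPLES = (
    # Two hits of the same memcpy overrun: same stack, different fault offsets.
    Crash("ACCESS_VIOLATION", "write", 0x41414141, 0x00401000,
          ("memcpy", "parse_record", "main"), frozenset({"ecx"})),
    Crash("ACCESS_VIOLATION", "write", 0x41414145, 0x00401000,
          ("memcpy", "parse_record", "main"), frozenset({"ecx"})),
    # Return address smashed: the fault is an instruction fetch at 0x41414141.
    Crash("ACCESS_VIOLATION", "execute", 0x41414141, 0x41414141,
          ("???", "parse_record", "main")),
    # Null dereference in a lookup: annoying, probably not a vulnerability.
    Crash("ACCESS_VIOLATION", "read", 0x00000008, 0x00402000,
          ("lookup", "handle_request", "main")),
    # Unbounded recursion.
    Crash("STACK_OVERFLOW", stack=("recurse", "recurse", "recurse", "main")),
)


if __name__ == "__main__":
    for (rating, h), n in worklist(SAMPLES):
        print(f"{rating.name:26} {h}  x{n}")
```

Run as a script it prints the four buckets worst first, with the two memcpy hits collapsed into one. The point the example makes is the one the posters made: the classifier never reads the source, so a copy with no bounds check is only flagged if a test input happens to make it fault, and the rating says nothing about the holes that did not crash.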

  30. Anonymous Coward
    Joke

    Crash Analyzer

    Crash dump analysis? In Windows? No way! Who would have ever thought of such a thing?

    Windows was supposed to be the idiot-proof OS that did not require any of these old MainFrame notions.

  31. Anonymous Coward
    Anonymous Coward

    Whilst ! is just a representation of a number

    ! normally means logical not

    ~ normally means bitwise not

    In shell context:

    #! hash-bang specifies an interpreter for the program.

    $! expands to the process ID of the most recently executed background command

    ~ is a shorthand for user directory; cd ~bilbo_baggins

    It is all quite simple, but don't get your logical and bitwise nots in a knot.

    They have released an exploit tool, and called it an anti exploit tool, yeah these have been around for ages, and the idea is not new. The problem as always, whilst we have automatic checkers, people are pushed to deadlines, alterations happen after testing and errors get introduced.

    This tool will help a bit, for both sides, that's all, crackers will use it to analyse holes in software and so will developers. The problem for a lot of developers is upon finding the security hole, they have the dilemma of rewriting the software or not, that can hurt, push it right over budget and destroy cash flow.

  32. Anonymous Coward
    Anonymous Coward

    Production code not crash? Hardly-

    Whilst it would be very nice if shrink-wrapped code would not crash (since I just paid $whatever for it and want to use it to get my work done, or use it to relax after dealing with getting my work done; neither of these is served by the irritation induced by crashes), quite a lot of "production code," especially for Windows, is of the internally-developed corporate tool sort. So, sure, the users would like it to never crash, because that makes it harder to get their jobs done, the users also have this irritating habit of whining when it takes half as long to get something to them as they were told was needed to write it.

    A tool like this will be wonderful for corporate AD shops when they have to write something with exposure to the world and who already know they won't be allowed to fix everything, because at least you can see if you missed something big and buy a little time waving the big red banner of Security Flaw. I imagine it will also help with auditing, as well. So, from the perspective of someone who had to slam together "production" software for Windows, cheers to MS for not only letting people use this without an added cost, but letting people inspect it, as well.

    Remember- not everyone gets to choose what they're writing for that day. Sure, some days you're working on *nix on a project with a realistic schedule, other days it's tweaking something on a mainframe (now there's a group of programmers who have process down to an art form), but other days someone's spreadsheet finally couldn't hack it and they need an app *yesterday* and by the way they'll be using it in the call center. Generally that means hopelessly crunched Windows project you cross your fingers and pray is almost secure because the IT folks are constantly having to kill rogue wi-fi connections, "there was a sale at wal-mart" new kit, and "we wanted our own internet connection so we plugged a cable modem into the network."

  33. Anonymous Coward
    Pirate

    Open Source Crash Analyzer

    Is this just an excuse to get those words in the same sentence?

  34. Chika
    Happy

    != "Bang"?!?

    Actually, RISC OS has been using this to denote an application folder pretty much since the days of Arthur. It's often referred to as "Pling" though, since != is usually interpreted in a number of languages as "is not equal to", "!" would mean...

    Aw, you guys!!!

  35. Christian Berger

    Kaminsky lives in a strange world

    One day he mentioned, he's doing security research for Microsoft because people like his mother are not going to use Linux. What strange world is he in where you can give a Windows system to an elderly person? I mean I have tried that once, and it resulted in constant calls why something didn't work. After the switch to Linux everything worked fine. Windows is just not yet ready for the desktop.

    Much of the rest of his discoveries are actually quite obvious, like that DNS flaw where everybody thought "_That_ hasn't been fixed yet?"

    Occasionally he does something cool like streaming web radio over DNS, but most of his fame comes from his hilarious talks.

  36. Anonymous Coward
    Anonymous Coward

    Umm

    ‽ is an interrobang.

    ! is an exclamation mark.

  37. al
    Paris Hilton

    Re: "Bang" exploitable? I rather think "not".

    Agreed - I came here to post my share of enlightenment on the same geek pun.

    @Robert Long

    same.. looks like many people do code here.

    Paris, coz she might like a bang here and bang there!

  38. Anonymous Coward
    Anonymous Coward

    They should run it on Windows first to see if it works.

    Oh, they HAVE?! Well, that was a waste of time then.

  39. Peter Kay

    @John Smith

    I would hardly call it 'useless' just because it doesn't work with your tool of choice. In theory it should be possible to use the COFF format with gcc (pdb doesn't seem to be publicly documented, although there are unofficial guides) so that windbg can read the symbols, if you really want to go down that path.

    Still, Windbg is closed source and I would imagine is likely to stay that way, even if this debug extension is open source. Regardless of that, the debugger, various debugger extensions, compilers and development environments remain free (beer, not speech).

    At least Microsoft is making an effort - or is there a set of open source compilers which are just as good as MSVC (free, or commercial versions) and have tools even better than this new offering? Last time I looked gcc was less optimised and gdb can be a real arse to use.

  40. Neoc
    Boffin

    Testing only proves the presence of bugs, never their absence

    Re: "! = "bang"? @various

    Sorry folks, but this is standard "old-style-hacker" talk. See http://www.ccil.org/jargon/jargon_17.html#SEC24

    As for the product, I have horrible visions of "of course our product is safe, it passes MS's !-tests".

    Anybody else find it ironic that "!" is also boolean-not in C? That's how I first read it, anyway.

  41. John Smith Gold badge
    Happy

    @Peter Kay, @Neoc

    @Peter Kay

    "I would hardly call it 'useless' "

    I try to avoid unqualified statements about things I don't directly use. So this one was qualified by

    "*unless* Gnu (or other mfg) products are compatible at that level." Emphasis added.

    i.e. if people don't use MS WinDbg then what they do use has an interface that is compatible with this add-on. If no such interface exists for any competitor products then it is useless from other people's POV.

    How many people would find that a problem would depend on what proportion of developers do Windows development without all or part of the MS tool chain.

    I was not disputing how useful the tool itself is in development *provided* you're already using MS WinDbg. My apologies for being unclear.

    @Neoc

    The name is a bit odd. Exclamation mark is a bit of a mouthful but when I've had to speak it I use "Pling." The C connection does give an interesting name. You might read it as the "not exploitable" crash analyser. This would imply that it can only analyse crashes that don't result in the system leaving security holes. A bit specialised even for most developers I think.

  42. Peter Kay

    Reason for exclamation

    The reason an exclamation mark is used isn't because of some naff attempt to be 'cool' - it's how commands in windbg extensions are activated. First the extension is started by a .load and then the ! commands are used. See, for instance, the SOS.dll debugger extension to analyse .NET managed heap usage : http://msdn.microsoft.com/en-us/library/bb190764.aspx

    Windbg is quite a good tool, although it's not particularly friendly (hardly surprising from something that's basically developed from an enhanced kernel debugger)

  43. Adrian Midgley

    if it is actually Open Source (TM) then it may be reused...

    so if there is useful code in there, it could be repurposed for other tools and operating systems.

    Or has MS produced something which is not Open Source but which they describe as open source, leading toward an obfuscation of what is Open and what is not?

  44. John Smith Gold badge
    Thumb Up

    @Adrian Midgley

    Microsoft, distorting language to their own private meaning of a term in common usage?

    Surely not.

    However if the source is open it might say quite a lot about some classic interactions which contribute to a potential loophole.

    Incidentally is it just me or does anybody else keep seeing this as "windbag"
