
August 23, 2006

Live by the sword ....

A few articles ago I wrote about my interaction with Ross Brown, CEO of eEye. In that article I mentioned that I was quite pleased to meet Ross and that he seemed like a class act. However, on my blog, I call them as I see them. Ross has a post up about the recent news on the on-again, off-again patch by MS for MS06-042. I have to call BS on Ross. In my opinion his story just does not add up. First let me lay the foundation.

Ross claims that eEye has gone out of their way to hold up MS as the poster child for security-conscious software vendors for a long time now. However, today MS disappointed them because MS treated security like a marketing problem. It has been known for some time now that this patch caused IE to crash on some sites. Because of this, eEye, being the good citizens they are, decided to investigate these crashes, because crashes can be exploitable. eEye found that it is causing, in Ross's words, "a non-malicious buffer overflow to occur within Internet Explorer." Ross also states, "this information is already known in various research circles and also with exploit writers." "All last night and this morning, Marc, our CTO" (geez, I thought he was their Chief Hacking Officer; what the heck is a Chief Hacking Officer?), worked with MS "to make sure they have all the info, that they have a plan, etc. so that we can issue an alert to our customers about the danger." Next Ross tells us, "We briefed several reporters under embargo on it, specifically to ensure that corporate customers knew what to watch for with this patch and how to get the updated patch from Microsoft, or, barring that, how to mitigate exploitation simply. The goal here is to make sure the balance of information is in the hands of the customer..." MS then decides not to go with the patch today because of an issue with MS SMS, Microsoft's enterprise-class patch application, that would not let MS distribute it via SMS. Ross thinks this borders on criminal and violates all the rules of responsible vendor behavior. Ross wants us to believe that MS then issues a PR from their mighty machine expressing their dismay at one of the researchers (presumably eEye) for publicly disclosing the exploitability of the issue before the update is available, and publishes a security advisory. Ross says of course no self-respecting journalist would buy this and knows that eEye would never do such a thing.

OK, now let's get out the boots and air freshener and list what I see as the inconsistencies in Ross's post:

  1. Let's start with a little one: how well eEye talks and feels about MS over the past months. Bull, Ross! Is that why at Black Hat your research team walked around in black t-shirts saying "eEye research team" on the front and, on the back, a picture of a guy and the words "Hey Microsoft ... See you next Tuesday!"? That doesn't sound quite in line with your "we have been so nice to praise MS" story.
  2. Next you say that this exploit causes a non-malicious buffer overflow in IE. If this is the case, by your own words to me in my article, SO WHAT? A harmless vulnerability; what is the big deal? Are harmless vulnerabilities only a big deal when your company finds them in products by companies like MS or other security companies?
  3. Next you take MS to task because their advisory "... specifically (in the subhead no less) tells the bad guys exactly where the vulnerability is." Funny, Ross, didn't you already tell us it "is already known in various research circles and also with exploit writers"? So if it is already known by them, Ross, what is the big deal?
  4. Finally, the biggest lie of all, the BS about "We briefed several reporters under embargo on it, specifically to ensure that corporate customers knew what to watch for with this patch and how to get the updated patch from Microsoft, or, barring that, how to mitigate exploitation simply. The goal here is to make sure the balance of information is in the hands of the customer ..." Ross, if you are interested "specifically to ensure that corporate customers knew what to watch ...", what the hell are you doing telling the press? Why aren't you telling your customers directly? Are we to believe that eEye communicates with its own customers through the press? Here is a hint: invest in salesforce.com; you can now track your customers directly and not have to rely on the press to contact them.

So what is the real story here? I will tell you what I think. eEye had agreed with MS that MS was going to release the patch today for this. MS ran into a problem with SMS, and given that thousands of MS's biggest customers use SMS to distribute patches, MS put a delay on releasing the patch. However, it was too late for eEye. In their rush to grab the glory for finding another vulnerability, they had pre-briefed the press with the understanding that the story would not break until today. This is a practice many companies, including StillSecure, follow. When the patch was not going to be released, eEye was stuck between a rock and a hard place because they had already given the story to the press to be released today. When MS found out, they were pissed that eEye rushed the announcement before they were ready to do the patch, and they said so, blaming eEye. I saw at least 6 articles today with quotes from eEye announcing they had found this vulnerability. Were they all aimed at eEye's customers? What about the responsible disclosure we have heard so much about?

Why did this happen? Simple: eEye is a company that is trying to establish itself as a premier security company by having the premier research team. Better than ISS X-Force, better than Symantec, McAfee, etc. They never miss an opportunity to announce they have found another vulnerability, especially if it is against a competitor. I am not sure that this makes their products better, but they never miss a chance to trot out the CHO (Chief Hacking Officer) and announce another one they found. Hey, you live by the sword, sometimes you die by the sword. Just say so and don't get all righteous blaming the other guy.

Ross, feel free to comment and tell me I am full of beans, but your story just does not add up.

PS: The MS Security blog has a post up on this that you can read here.

This work is licensed under a Creative Commons Attribution-Share Alike 2.5 License.