[There's a reason that Yoda is the unofficial mascot of SBS.  Size indeed matters not.] Dear Mr. Aitel - THE OFFICIAL BLOG OF THE SBS "DIVA"
Wed, Apr 13 2005 23:08 bradley

Dear Mr. Aitel

I sent an email tonight...one that won't do any good other than to make me feel better......

Mr. Aitel is Dave Aitel of ImmunitySec, whose firm has already released exploit code (shipped in its CANVAS product, by his own account) for yesterday's security bulletin MS05-017 [Message Queuing], and in the email to his "Daily Dave" mailing list he taunts Mark Dowd and Ben Layer of ISS X-Force to release the exploit for Exchange [MS05-021].

For those of us in SBS 2000 land this one is a real concern: we have the mail port open to the Internet, so we're a bullseye for it. Remember, when you go to apply this patch you will need [if you don't have the prerequisites already]

Pardon me while I go off to email Kathryn Quigley, Public Relations Manager for ISS, to tell her to tell Mark and Ben "don't you dare" release a proof of concept for this. Not until we've had a chance to patch out here. It amazes me how little responsibility toward businesses this post from Mr. Aitel shows.

Remember that for SBS 2003 it is NOT the same concern, and thus not the same urgency. On the 2000 platform an anonymous connection can 'nail' the mail port (SMTP, TCP 25) with the crafted 'verb', but on 2003 it would only be exploitable from an authenticated connection [and folks, if some bad guy has already authenticated to your SBS 2003, you have way, way bigger problems... trust me... like sucky passwords, you know?]

Bottom line, folks: let's patch up those SBS 2000 boxes, shall we? Let's not give Mr. Aitel the last laugh.

 -------- Original Message --------
Subject:     Let's not egg them on...
Date:     Wed, 13 Apr 2005 22:26:11 -0700
From:     Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]

To:     dave@immunitysec.com


"[Dailydave] mqsvc fun:
https://www.immunitysec.com/pipermail/dailydave/2005-April/001719.html

So Immunity released our exploit for mqsvc in CANVAS. It's only rated "Important" but I think it's neat anyways. Next up, I guess Exchange (go Mark Dowd and Ben Layer) and TCPIP.SYS. (go Neel Mehta!) "

How about let's not.....

Excuse ME, dude... down here in SBS 2000 land, where we're still waiting for WSUS to come out, can you give us some damn time to muster our troops down here to patch... come on, dude.... these are folks that won't be migrating to Linux [not for a while anyway]... and you don't sell your services to us, and guess what, dude... our port 25 is hanging open on those suckers.....

This isn't a laughing matter or a race, dude... these are small businesses that your firm doesn't sell to, nor are you out in the newsgroups helping folks to patch.... you aren't hurting Microsoft... you are hurting customers of Microsoft... how about NOT egging these folks on and giving us community folks time to patch, huh?

As a security firm.... I cannot understand how you can not think of the impact on businesses and the economy here. If you think this gets you more credibility as a professional firm... it doesn't, in my book anyway.

Yeah, yeah... I'm putting my head in the sand that this stuff isn't out there already... but you know what... you don't have to put the gas can and matches out there for a worm to be built.

To all other vendors/researchers... whatever... that are building these POCs... just think about that business impact, will you? Consider that... please?

Sincerely,
Susan, community member for SBS newsgroups
and Patcher


# re: Dear Mr. Aitel

Tuesday, April 19, 2005 7:03 PM by bradley

For what it is worth, your efforts are appreciated. Even if it doesn't do any good, you have made me feel better too.

# re: Dear Mr. Aitel

Monday, May 09, 2005 1:03 PM by bradley

Could you use the word dude some more please... that would definitely help make your point.

# re: Dear Mr. Aitel

Wednesday, May 11, 2005 7:27 PM by bradley

Dude?

# re: Dear Mr. Aitel

Wednesday, May 11, 2005 7:28 PM by bradley

Hey... I'm from California... and he is a dude for egging on a POC like that.

# re: Dear Mr. Aitel

Wednesday, May 18, 2005 12:11 PM by bradley

I think it's sad that you feel the need to send a letter like this to Dave Aitel, or ISS, or anyone else for that matter. As a security professional, this type of code is usually already out in the hands of the individuals who are writing the "worm" code. POC, especially in the case of what I do, helps me verify my work. One instance would be verifying that the patch installed properly. Now, I also understand that as a small biz user you might not have the time, resources, etc. to patch right away. But as this argument always goes, WHEN is the right time to release? Next week? Next month? Next year?

My advice to you would be this: instead of sending e-mails like this to companies that have talented people who can find bugs and then submit them to MS for free, so MS can fix a broken product that they have made billions on, send one to MS and maybe advise them that it would be nice not to have such broken software. Or better yet, write your government for some legislation that would make vendors liable for corporate loss due to someone exploiting a vulnerability in the crappy product that they released. Come on, if you bought a car that had as many problems as MS software and you took a large loss because of an accident, don't you think you'd sue the car company / tire manufacturer, whatever?

Putting pressure on the messenger will not fix anything. Putting pressure on the vendor for more secure, more reliable software, by way of not upgrading or switching to a different product, would probably help make a difference.

And BTW, DUDE, I'm not a large Linux / UNIX zealot who thinks things are that much sunnier on the other side of the street; everything has its "root compromise" issues. But you also don't see all the Linux users out there saying DON'T RELEASE THE POC code because I haven't patched yet.

# re: Dear Mr. Aitel

Wednesday, May 18, 2005 12:15 PM by bradley

No, the Linux community tells the small biz owner that they can 'roll their own patches'.

Yeah...right....

Apples and Oranges.

The point is he did not have to be so arrogant to egg on the disclosure of a serious issue. That's irresponsibility.

# re: Dear Mr. Aitel

Monday, May 23, 2005 12:36 PM by bradley

The point that needs to be made is that no security company should release exploits in code. This defeats the purpose of security. If the company produces exploit code that can be used to attack a public entity, be it home or business users, then that company should be held liable. The exploit is only used by those who are criminals and cause damage with its use. You can liken it to building a tunnel and then publishing an article that states that if you place explosives at this location the tunnel will collapse. The tunnel is sound as long as the information is not published and the criminal does not have the information.

How many businesses actually have the expertise to test the fixes? I would state that the vast majority do not have that ability, so who exactly are these public code samples being made available for? Other security firms? No, because they are competitors. The software vendor? No, because if this is a legitimate firm they would have already provided the code to the software vendor for a fix. So then who are we making the code available for? The only answer is the hacking community, so that this firm can say: look, we informed the software vendor of this issue; the issue blew up because the software vendor failed to act upon it in our (the security firm's) time frame, so we released it, and look what happened.

Basically, if a security company makes the code available then they should be liable for ALL damages. If they think that the fix does not work, then they can test it after the software vendor releases the patch; if it still fails, then they can work with the company. If they choose not to work with a company, then I see no reason that they should not be pursued for damages due to the release of the exploit to the hacking community.

The reasoning is that if the code fix by the software company does not work.... what does the security firm accomplish by its release other than exposing the customers?

# re: Dear Mr. Aitel

Tuesday, May 31, 2005 2:24 PM by bradley

So, what you are saying is this: if the security vendor does not release a POC, then the vulnerability cannot be exploited? I guess you assume that no one outside of a "security" company can write an exploit? Assuming you are secure while sticking your head in the sand will never work.