Microsoft JPG Bug, Patch, Tool
Microsoft has released a critical advisory (or, less-technical version) regarding a problem with the way JPEG files are parsed. Microsoft has released patches for their applications, and also a tool to scan for vulnerable apps.
I’m not sure what to think about the tool. On the one hand, good for them! Helping customers secure their systems by finding problems is a good, even if some people don’t think so. On the other hand, Microsoft could have sent a note to all their MSDN (Developer Network) customers about the problem. So why the effort for a tool? A tool, I think, is in line with what John Pescatore was suggesting, which is customer pressure on vendors to release more secure code.
Microsoft has something of a head start on this, having trained their entire staff. Is this the start of an “Unbreakable” campaign from Microsoft, or perhaps something more subtle? Either way, nicely done.
[Update: Fixed OIS link. Thanks, Max!]
Interesting that you fault OIS for not thinking that releasing tools is a good thing when Microsoft is a founding member of that organization (which is typically, and incorrectly, criticized for being a tool of Microsoft). Had you read the OIS guidelines, you would know that there is no suggestion that releasing tools to improve security is a bad thing. Indeed, half the OIS members make their money by selling such tools. The OIS guidelines suggest (not mandate) being careful about what tools one releases. That is, they suggest that releasing tools that actively exploit a vulnerability in a way that someone with malicious intent could easily modify into an attack causes more harm than good. Is truth too much to ask for?
You new englanders just don’t get subtle sarcasm. Next time, I’ll include a smiley. 🙂
As to OIS, they’re ok with releasing explicit detail 30 days out, which makes it hard for free tool vendors to help protect their customers. I think that OIS’s position, while clearly thought out, does not generate the most good for the most users of a flawed product.