Vmyths.com
Truth About Computer Security Hysteria

Guninski's huge gamete glands, part 2

Rob Rosenberger, Vmyths co-founder
Thursday, 4 April 2002

[continued from part 1]

LEGENDARY BUG HUNTER Georgi Guninski assigned a "risk" value to at least 37 of his public security advisories. He labeled 26 of them as "high" risk, eight as "medium," two as "low," plus one as "unknown." An overwhelming majority of "high" risks went to Microsoft products (such as the ones I used to read & analyze his advisories).
One of us bug hunters consumes a little too much C8H10N4O2 and not enough anxiety medicine — and it ain't me. I couldn't find anything on Guninski's website to explain how he assigns a risk value to his discoveries. If I promoted myself as a bug hunter for hire, then — well, I'd want to declare most of my discoveries as "high" risk threats. I'd have a job reputation to uphold, you know.

Guninski's advisories up to #37 contain useful "workaround" advice ... but he took a bitter turn against Microsoft early last year. Starting with #38, he urged Microsoft users to write off major software investments with no regard to ROI. "I do not recommend using IIS on the Internet," he said. Then: "I do not recommend using IIS in [a] production environment." Then: "I do not recommend using IE for browsing the Internet because this is dangerous."

Guninski started to lunge for the throat in advisory #49. "MS Office XP — the more money I give to Microsoft, the more vulnerable my Windows computers are," he spat. In #52: "Better [yet], do not use IE in hostile environments such as the internet." He went for gusto in advisory #53: "The solution is to get a real mail client and office applications ... [or] deregister and delete the ms office spreadsheet component."
I don't know about you, but I can't take someone at face value if he tells me to uninstall every copy of Office & Outlook & Internet Explorer & IIS as a "workaround." Now, now! I don't chide Guninski for holding an opinion about Microsoft. Apathetic bug hunters can still voice their views. I just wish Guninski would voice himself in an opinion column rather than in his advisories. He even opines in the URL of his latest advisory by using "m$" in place of "ms." (Did I mention Rosenberger's apathy theorem?)

The latest idiotic recommendation in advisory #53 led me to contact Microsoft bigwig Scott Culp. I wanted to hear Redmond's side of the story. Did his folks stop taking Guninski's bug reports seriously? "Microsoft handles all security vulnerability reports, regardless of who the author is, with the absolute highest priority," he insisted. I knew Culp would make such a claim, and I can personally attest to it. I submit my own concerns to secure@microsoft.com. My name doesn't carry as much weight as Guninski's (not by a longshot), yet I can't recall any problems going through official channels. Just for example, an obscure security enhancement will appear in future versions of Outlook as a direct result of my efforts...
WHAT HAPPENED THIS time, then? Why didn't Microsoft issue a patch before Guninski released his sample exploit code? Culp explained:
In the case of [advisory #53], we received them from him on Sunday, 17 March, and started a dialogue with him within hours of his having sent them. We called personnel from both the Office and IE security teams into the office to start the investigations, and we advised him of our progress as the investigations proceeded. We're obviously disappointed that Mr. Guninski has chosen to handle these issues in a way that increases the risk to computer users. We have never failed to deliver a fix for any bona fide security vulnerability Mr. Guninski has reported, and we clearly demonstrated that we were taking his latest reports seriously. However, it is simply not possible to research a security vulnerability, determine the root cause, implement a fix, test it to a degree commensurate with deploying it to millions of customers' machines, localize it in 28 different languages, and deliver it through multiple services in only two weeks. The vast majority of security researchers we work with understand this, and work collaboratively with us to protect computer users; we wish Mr. Guninski would do likewise.
Memo to Scott Culp: send Guninski a copy of Microsoft Project 2000 for Dummies. Microsoft "started a dialogue with him within hours"? Hey, I feel blessed when Microsoft contacts me in under two days. But that's probably just because I practice security through apathy. Redmond doesn't tremble in fear when I write to them about a security concern. Like I said: only a guy with huge gamete glands can (1) set production deadlines for security patches and then (2) gripe about vendors who blow his aggressive timetable. Oh, which reminds me. Memo to antivirus vendors: I don't hate your guts and I don't even demand your respect, contrary to what some of your employees write on private mailing lists. I'm not anti-industry; I'm just anti-unethical. If I hated you, I'd pull a Guninski on you...