Controversy Surrounds Huge IE Hole

Posted by CmdrTaco
from the no-surprise-here dept.
Suchetha wrote in with a Wired News bit talking about a security hole in IE that allows malicious web pages to reformat a hard drive. The Wired talks more about bugtrack's handling of the whole thing, and how it essentially posted working code for the exploit. Was it irresponsible or not?

  • by Anonymous Coward on Tuesday November 19, 2002 @01:07PM (#4707431)
    If they cared about preserving security for users, or getting the defect fixed, they'd have given the working code exclusively to the defect owner. Posting working malicious code to the general population serves NO BENEFIT to anyone other than those with malicious intentions. You can properly describe 99.99% of bugs without giving people the tools to take advantage of it.
    • by sirket (60694) on Tuesday November 19, 2002 @01:13PM (#4707511)
      Until a large percentage of the public gets screwed royally by a security hole, people are not going to take notice and start auditing their code as they should.

      As a side note: I am rather sick and tired of reading about the latest MS IE/OE/Outlook exploit on Bugtraq. There needs to be separate versions of Bugtraq for: Cross Site Scripting Vulnerabilities (Enough already), and Non-OS related holes in MS software (We already have Bugtraq-NT).

      -sirket
      • by Myco (473173) on Tuesday November 19, 2002 @01:20PM (#4707593) Homepage
        That's a very good point. It encourages a somewhat radical interpretation: that the best way to get MS off their ass is to basically actively encourage all the script kiddies to use every exploit out there as much as possible until it's fixed. Sowing the seeds of dissent is a very worthwhile endeavor.
        • by AgentTim3 (447311) on Tuesday November 19, 2002 @01:47PM (#4707900) Journal
          You know, the script kiddie that's waiting around for exploits to be published on bugtraq is a pretty junior kiddie indeed. This thing's been out there for a couple weeks.

          What's a worse situation? A bug that goes completely unnoticed by the general population, but is quietly exploited for months by hackers that have done their homework....or...maybe a few more script kiddies find out about it but now Joe Public is WELL aware of it, due in no small part to the discussions that happen on boards like this.

          And riddle me this, how is Symantec possibly irresponsible in this matter? They have no responsibility whatsoever towards Microsoft or any of their products; they're both separate corporations. They both pursue their own separate agendas as they see fit. The good that comes of this is that maybe the public gets a little more aware of the situation.

          MS has its own side to this, Symantec has its own side, they both have valid points to their arguments, but what winds up happening is the general public gets caught in the middle. If just one more person wakes up and realizes that because of this, then there's the real benefit.

          • by Pyrometer (106089) on Tuesday November 19, 2002 @03:23PM (#4709077) Homepage
            What's a worse situation? A bug that goes completely unnoticed by the general population, but is quietly exploited for months by hackers that have done their homework....or...maybe a few more script kiddies find out about it but now Joe Public is WELL aware of it, due in no small part to the discussions that happen on boards like this.

            Riiighhhhtttttt ... so "Joe Public" is reading /. and Wired now is he(/she)? :)

            • by 0x0d0a (568518) on Tuesday November 19, 2002 @04:39PM (#4709787) Journal
              Actually, the mainstream media has gotten in the habit of snagging feelings about things off major tech forums like Slashdot.

              Code Red got *tons* of coverage, despite it not being all that interesting from a technical standpoint. Joe Public knew about it, even if he didn't know what it was (and didn't know that MS's products were the only ones at fault).
        • by Dephex Twin (416238) on Tuesday November 19, 2002 @02:51PM (#4708697) Homepage
          Does this not sound pretty absurd? That's like saying, "the police in my town are lazy and aren't cracking down on crime. That's why we need to start committing crimes left and right and encouraging others to do the same until the cops are motivated enough."

          Ummm, you do realize that in the meantime, you are committing crimes and screwing up innocent people's lives right? You do realize that it isn't the laziness of MS that *actually* does harm, but the fact that it allows malicious people to do bad things? Doing the malicious thing itself or helping people directly to do that is a heck of a lot worse than anything MS might be doing.
          • by ichimunki (194887) on Tuesday November 19, 2002 @03:03PM (#4708818)
            Your analogy is totally off. Publishing a how-to isn't "committing a crime", it's journalism. A few years ago I saw a TV news spot on car break-in/theft in which they showed a car thief disabling several anti-theft devices. Was the TV news breaking the law or simply alerting people to how false their sense of security really was?

            This is why, in these cases, I think the argument would be well-served if people avoided analogies altogether. It's difficult enough to attempt to clarify the assumptions and facts so that symbolic logic can be applied to reach sensible conclusions without muddying the waters with literary devices.

            MS is recklessly endangering your computer and your data with their shoddy attention to security prior to release. I think BugTraq is doing us all a favor by pointing it out.
            • by InnovATIONS (588225) on Tuesday November 19, 2002 @04:29PM (#4709697)
              Pointing out the existence of the bug is a service. Giving how-to lessons about using it to wreak havoc is irresponsible. Maybe you may call it journalism, but it is irresponsible journalism. The public's need to be alerted about auto theft was in no way enhanced by actually showing how to defeat the devices. Similarly the public's need to know about caring about security holes in software is in no way enhanced by showing them how to exploit the holes maliciously.
              • by Reziac (43301) on Tuesday November 19, 2002 @10:06PM (#4712167) Homepage Journal
                After some thought, I concluded I'd rather have the exploit published in all its glory.

                The script kiddies already have the info, and pass it around like wildfire, so it's not telling them anything they didn't already know. The newbies who join the fun because of a publicly-published howto won't amount to a drop in the bucket.

                But having the code public does let me the user know what to look for, so if I see Suspicious Web Whatever, I can think to myself, "Self, that looks like Exploit X, tread with caution." And having a real example lets me check out what it looks like in the wild, so I can warn my clients to keep an eye out for it.

          • by ivan_13013 (17447) <ivan DOT cooper AT gmail DOT com> on Tuesday November 19, 2002 @03:44PM (#4709289)
            That's like saying, "the police in my town are lazy and aren't cracking down on crime. That's why we need to start committing crimes left and right and encouraging others to do the same until the cops are motivated enough."


            No -- nobody is committing a crime yet. This is more like if Joe Whistleblower were to say, "My town's police are lazy and resistant to change their ways, so I am going to publicly talk about their problems. The public needs to be warned for their safety, and the PD needs to get their a** in gear."

            Well, after Joe says that, some residents may take extra precautions to protect themselves. Also, some potential criminals now have information that police response time is bad, and they may take advantage of this by breaking the law.

            Whose fault is that? The police, for failing to keep the town secure in the first place? JW, for letting potential criminals know about the flaw in the system? Or was it the criminal's fault because he was the one breaking the law?

            I believe that it's mostly the fault of the criminal when crimes are committed, and some blame should also go to the police if they have failed to protect. Joe was just doing his duty.

            But comparing MS to the police is too much of a frightening thought, time for the happy pill... ;-)

            -=Ivan
          • by pjrc (134994) <paul@pjrc.com> on Tuesday November 19, 2002 @05:48PM (#4710398) Homepage Journal
            That's like saying, "the police in my town are lazy and aren't cracking down on crime. That's why we need to start committing crimes left and right and encouraging others to do the same until the cops are motivated enough."

            It's much more like the local newspaper publishing the limited routes the cops actually patrol, thereby allowing crooks to rob the places that aren't adequately protected. Sure, criminals will read the paper and know where they can strike, but the idea is that everyone who lives or does business in such an area is vulnerable will learn that they are at risk and put pressure on the cops to clean up their act. One of the biggest factors in making a value judgement in a case like that is what level of effort was made with the cops before widely publishing their weaknesses.

            Remember that Andreas Sandblad contacted Microsoft about this problem on Oct 4 (Wired didn't even read the bugtraq posting they reported). That's six weeks ago... even longer than the 1 month period that Microsoft has suggested is necessary from discovery to disclosure. He published only after Microsoft said they didn't think it was a bug. Since Microsoft essentially claimed it wasn't a problem, the announcement needed to prove otherwise to have any chance of success.

            One more quote....

            You do realize that it isn't the laziness of MS that *actually* does harm, but the fact that it allows malicious people to do bad things?

            Are you suggesting that Microsoft's inaction and refusal to fix the problem when they first learned of it six weeks ago was not harmful?

            You probably also believe the infamous exploding gas tanks on the Ford Pinto wasn't harmful, and the deaths and injuries were purely the fault of drivers hitting Pintos. Ford's "laziness" (cheaper to settle out of court with victims than the recall and improve the cars) when they knew of the problem and did not fix it probably wouldn't be an issue for you, would it?

            Back to Microsoft... who didn't fix the problem when they learned of it 6 weeks ago... does their inaction ever become harmful in your world view? How about when systems are compromised on a small scale? What about when a virus/worm is released with the ability to exploit it? (and what if someone had made a big stink about it in the press and forced them to fix it before that virus/worm was written) It's all the faults of those hackers, and Microsoft's "laziness" (when they knew of the problem in advance) never receives any of the blame? Yet someone who attempts to force the issue with a high profile public announcement, only after first having made an attempt to get them to fix it, is somehow as guilty in your little world as the actual attackers and at the same time the vendor who refused to fix the problem with advanced notice is not to blame at all?

      • by Nermal (7573) on Tuesday November 19, 2002 @01:36PM (#4707775) Homepage
        Umm...

        But until a large percentage of the population gets screwed royally by a security hole... a large percentage of the population hasn't gotten screwed royally by a security hole!

        Don't get me wrong, MS should be faster to patch their security holes, but where are your priorities? If you were confronted by someone who had just lost a bunch of important data because of this exploit, do you really think they'd be impressed if you said "But I was trying to make a very important point to Microsoft!".
        • Wrongly Phrased (Score:5, Insightful)

          by Srin Tuar (147269) <zeroday26@yahoo.com> on Tuesday November 19, 2002 @02:02PM (#4708067)

          If you were confronted by someone who had just lost a bunch of important data because of this exploit, do you really think they'd be impressed if you said "But I was trying to make a very important point to Microsoft!".


          Instead of that, you should say "By not fixing the bug, Microsoft was trying to make a very important point to you!"


          Then they will at least be angry at the right entity.

    • by The Raven (30575) on Tuesday November 19, 2002 @01:19PM (#4707580) Homepage
      Microsoft, and many other companies, have shown a remarkable ability to IGNORE bugs given to them. They don't care. They don't fix it. UNTIL their customers find out that the bug exists... then they care. Then they fix it.

      Posting an exploit that is currently available to the script kiddies on BugTraq is a way of bringing exploits that so far are only posted in script kiddy boards into the public eye, so they find out about it, get offended, and get the damn hole patched.

      It works. It is PROVEN to work. So I don't know why people still bitch about it.

      Microsoft has known of the hole for over two weeks now. It's in the wild. It's not patched. Maybe NOW it will get patched.
      • by baryon351 (626717) on Tuesday November 19, 2002 @01:30PM (#4707711)
        A very similar disturbing hole was present in MacOSX which allowed a web page to link to a malicious false url that could contain any shell command - and execute it as the current user. It would take one link to lose your entire user directory.

        It was reported to Apple in mid August, then patched via software update within nine HOURS. Information was made widely public about just what the bug was and how it worked a day later. That's the way it should be done, and a company with a clue did something about it. The sections of the OS which were involved weren't open-source, so full responsibility for fixing that particular problem was up to Apple.

        Any company sitting on a more serious bug like this one for two weeks (whether or not it's widely known) is far more irresponsible. No excuses.
    • by jcostom (14735) on Tuesday November 19, 2002 @01:26PM (#4707652) Homepage
      If they cared about preserving security for users, or getting the defect fixed, they'd have given the working code exclusively to the defect owner.

      Irresponsible my foot. Mickeysoft WAS given a chance to fix this.

      This was a well-known problem in IE for quite some time. Mickeysoft simply chose to ignore it, pretending it wouldn't have any impact. This proof-of-concept exploit shows that they're wrong.

      Do you think Mickeysoft would have fixed the problem had no exploit been shown? Of course not, they proved that already. Now that there's an exploit will they fix the problem? I would certainly hope so.

    • by corvi42 (235814) on Tuesday November 19, 2002 @01:33PM (#4707744) Homepage Journal
      This is completely false.

      If a sysadmin is able to have access to specific code that causes such an exploit, he can develop filters on a web proxy to prevent his network from accessing such pages, and thereby prevent large scale disasters. Without access to the actual code in question, he would not be able to do this and would be at the mercy of M$ to provide a patch quickly.
    • by bpfinn (557273) on Tuesday November 19, 2002 @01:34PM (#4707750)
      I believe this is the usual course of actions:

      Security Researcher: "There's a security flaw in your product X."
      Big Software Company: "No there isn't."
      Security Researcher: "Yes, there is. If you don't fix it, I'm going to tell."

      (denial leads to public announcement of problem)

      Big Software Company: "OK, there could be a problem, but it's not possible to exploit it."
      Security Researcher: "Yes it is possible. If you don't fix it I'm going to tell everyone how."

      (denial leads to public announcement of exploit)

      Big Software Company: "Well, I guess we better fix it."
    • Irresponsible? (Score:5, Insightful)

      by jaaron (551839) on Tuesday November 19, 2002 @01:37PM (#4707785) Homepage
      You can properly describe 99.99% of bugs without giving people the tools to take advantage of it.

      Could you please explain how one could "properly" describe a bug without giving away how to exploit it? To describe a bug means you show what it is and how it's reproducible, which by definition is how to exploit it. The better you describe it, the better you pave the way for an exploit. So would you rather just no one mention the bug in the first place? Or perhaps just give a hint to the developers: "Psst! Hey, IE has another bug, and this one's a doozy!"

      That's part of the problem with security thru obscurity. If you either only "hint" at the bug or just don't mention it at all, you run the risk of an exploit being discovered and maliciously used while everyone else is still in the dark.

      That said, the first step for security related bugs is to inform the original developers (in this case Microsoft). However, if and when the developers do not respond, what responsibility to the general public do you then have? Moreover, in this case the exploit was already out in the public domain (but you have to actually read the article to know that):

      "The vulnerability is well-known within the security community and the information posted on Bugtraq was information that had been copied or linked from other public forums," Haldeman said. "This particular exploit has the potential to cause tremendous damage to systems, and security experts need to be aware that this vulnerability is being exploited in the wild to cause damage."

      Given that, it's important that those who are responsible for their own and others security (generally the types who actually read bugtraq) know about this bug and can be prepared for it.
  • by Millennium (2451) on Tuesday November 19, 2002 @01:08PM (#4707440) Homepage
    The Wired talks more about bugtrack's handling of the whole thing...

    Dude; since when did Lain start writing technical articles?
  • Yes!!! (Score:5, Insightful)

    by jschmerge (228731) on Tuesday November 19, 2002 @01:08PM (#4707445)

    It might be my sadistic side, but I prefer for working exploits to be posted by the security sites... It gives you a way of checking to see if you are vulnerable.

    In the case of M$ bugs, it also puts more pressure on the company to come up with a fix for the problem quickly.

    • Re:Yes!!! (Score:5, Funny)

      by AresTheImpaler (570208) on Tuesday November 19, 2002 @01:17PM (#4707562)
      It might be my sadistic side, but I prefer for working exploits to be posted by the security sites... It gives you a way of checking to see if you are vulnerable. In the case of M$ bugs, it also puts more pressure on the company to come up with a fix for the problem quickly.

      Right in the point man. Now, I'm running the code right now to see if im vulne

    • No!!! (Score:4, Insightful)

      by Rupert (28001) on Tuesday November 19, 2002 @01:30PM (#4707705) Homepage Journal
      There was already working code posted that exploited the vulnerability but did not format your drive. There was no need to add that payload to the exploit. It's like handing out a vaccine that you have modified to have worse side effects than the original disease.
      • by fizbin (2046) <(martin) (at) (snowplow.org)> on Tuesday November 19, 2002 @02:27PM (#4708425) Homepage
        I'm assuming that you have no issue with Bugtraq's posting of the initial advisory from Andreas Sandblad on the 6th. Now, the code that was posted on the 14th (over a week later) that is causing all this ruckus was cut-and-pasted from a discussion going on on ZDNet forums. In other words, those that would do harm already had the code.

        I'll grant you that posting it to Bugtraq probably doesn't add all that much information for the "good guys" (except that the javascript in the "format a:" version is simpler to read), but it has the added benefit of getting someone like Wired to make a big stink out of the whole affair. The publicity is important as a way of getting the bug fixed. Security bugs are viewed by Microsoft (and anyone in the consumer software industry) as PR problems - posting this to Bugtraq doesn't make the bug any worse for users of Microsoft's systems (since the kiddies already have it), but does make it much worse for Microsoft. It's much harder to spin away a bug when live, functioning exploit code is staring you in the face.
      • yes, of course. (Score:4, Insightful)

        by twitter (104583) on Tuesday November 19, 2002 @03:24PM (#4709086) Homepage Journal
        There was no need to add that payload to the exploit.

        If you don't prove it, they will deny it. The ability to erase everything is the threat that all root exploits pose. It's about time the popular press understood the implications. God knows, M$ spends enough money denying the ability and on Astro turfing where people who suggest such things belong to the tin foil hat camp.

        I hope this blows all the way up to and beyond CNN. I'm tired of people looking at me like I'm crosseyed when I tell them that IE is full of holes that allow others to look at your files and erase them. M$ can't buy the entire mass media forever.

  • Ahhh... but (Score:5, Funny)

    by ShieldW0lf (601553) on Tuesday November 19, 2002 @01:08PM (#4707446) Journal
    Can it install Linux on the hard drive after it has formatted it?
    • by Anonymous Coward on Tuesday November 19, 2002 @01:51PM (#4707947)
      Can it install Linux on the hard drive after it has formatted it?

      You might think you're joking, but there would be no better way to get microsoft to quickly fix this than to create a web page that downloads a debian install floppy and starts up a network install :-)

      User: Hmmm, my computer is acting subtly different, oh well...
      MS: Oh no, we've lost another one!

      :-)

  • by psyconaut (228947) on Tuesday November 19, 2002 @01:09PM (#4707454)
    No. Not in the slightest. Sometimes you have to go to great lengths to get vendors to fix crummy code -- and I have no doubt that simply "reporting the bug" to MS would have resulted in a wait until a maintenance release was issued.

    I'd even go as far to commend Bugtraq....it takes balls to do something like that and it *does* benefit the whole community eventually.

    -psy
  • Its not new anyway (Score:4, Interesting)

    by Anonymous Coward on Tuesday November 19, 2002 @01:09PM (#4707458)
    The article states that the code wasn't new, and was taken from public forums etc. So I don't really think that this is irresponsible..
  • Thanks (Score:4, Funny)

    by DigitalDragon (194314) on Tuesday November 19, 2002 @01:09PM (#4707459)
    Thanks for not posting a link to that page.
  • Active content... (Score:4, Informative)

    by wowbagger (69688) on Tuesday November 19, 2002 @01:10PM (#4707463) Homepage Journal
    I cannot help but notice that in almost all cases, the security problems in both IE and Mozilla have been in the realm of active content - Javascript, Flash, and ActiveX.

    Hence why I as a matter of course disable them.

    How about encouraging webmasters and web designers to avoid requiring them unless absolutely necessary?
    • by psocccer (105399) on Tuesday November 19, 2002 @01:22PM (#4707612) Homepage
      It's not that simple I think. True that active content is overused, but it can really be helpful when you don't want to roundtrip to the server just to calc some numbers, and twiddling settings is annoying for the user, if they choose to turn it off and on. It would be better if the thing was secure. The problem IE has in particular is they try to "zone" things, local zone, trusted zone, internet zone, secure zone, etc. They do this so that you can have stuff in the local zone execute programs or virtually do anything on the system. And that's the problem, by trying to make javascript into a generic scripting language, they've opened up the local zone to anyone that can break through the zone barrier.

      Most exploits involve one javascript generating a second window which comes into the local zone and posting content to that, though I think that's somewhat patched now, they can also use ActiveX controls to screw you. There is obviously something flawed with the model, and had they just made javascript a web only scripting language like it was designed, none of this would have happened.
      • by michaelggreer (612022) on Tuesday November 19, 2002 @01:36PM (#4707776)
        I agree. Javascript is very useful as a web scripting language, but a horrible idea as an OS scripting language. There is no reason to blame JS, just Microsoft's allowing it to roam outside the webpage. In fact, i would suggest that the problem is never Javascript, but ActiveX accessed from Javascript. ActiveX is the hole into the local system, Javascript is just the controlling language.
  • by f00zbll (526151) on Tuesday November 19, 2002 @01:11PM (#4707478)
    If people think script kiddies didn't already have the code or grabbed the exploit off some IRC server, they are sadly mistaken. People who bitch about full disclosure would like to live in a nice little world where there's no hackers, but get real. I grew up around hackers. Some were brilliant and were coding in assembly at 10, others were lamers wannabe hackers. Even before the Internet these types of things were widely distributed within the model Bulletin boards. Anyone who was active in the Bulletin Board era knows the most active category was always virii.

    Those who think, "We should give MS a couple months to find an appropriate patch" are sadly misguided. Do you think a script kiddie or hacker is going to wait? Do you think they're going to say "Oh, I shouldn't do this because microsoft is a big company." Wake up people, the only way a company is going to put their top programmers on the job to fix the bug is when the threat moves from "possible" to "real". As much as I wish companies took exploits more seriously, the reality is they don't until it is perceived as a "real immediate threat."

    • by Havokmon (89874) <rick&havokmon,com> on Tuesday November 19, 2002 @01:44PM (#4707863) Homepage Journal
      Those who think, "We should give MS a couple months to find an appropriate patch" are sadly misguided. Do you think a script kiddie or hacker is going to wait?

      While I agree with you in principle, and I'm sure we share the bond of 360k floppies with zipped copies of viruses, I have to disagree with the details.

      I remember a time when the source code for some vulnerabilities was disclosed, but with errors. If you didn't know how to fix the error, you couldn't use the vulnerability. This way, it was kept OUT of the hands of script kiddies, but put INTO the hands of those with a clue on how to fix the problem.

      I'd be willing to bet 95% of the break-ins on the internet are plain old script kiddies. IMHO, there isn't any more port scanning going on, there isn't any more social engineering of the average joe's desktop pc. That sort of work is left to the 'expert' black hats, trying to get into the 'treasure chest'. The rest are lamers just running what they found.

      IMHO, if BugTraq is going to post vulns, they need to be non-working, and the user has to have the knowledge to fix them. Especially on closed platforms, it does less good to release exploits for code you can't fix, because you're not fixing the problem, you're just working around it.

  • by Anonymous Coward on Tuesday November 19, 2002 @01:11PM (#4707489)
    Posting as Anon since I don't need the Karma:

    ----------

    Serious Internet Explorer Defect

    This is a developing issue and the information presented here is preliminary in nature and subject to frequent changes. Last significant update - 11/08/02-1830

    SUMMARY

    A simple way to exploit an unfixed defect in Internet Explorer has been discovered that allows malicious web sites, and possibly malicious email messages read with Outlook or Outlook Express, to take control of a computer. All you would need to do is click a web link and the owner of the web site could take almost any action they desired on your computer.

    Simple, working exploit software was recently published to a public mailing list.

    There is no patch to fix the problem. Anti-virus and personal firewall software will not prevent an exploit. It is hoped that Microsoft will provide a patch to fix this defect in the near future.

    It is impossible to predict how, when, or even if someone will take advantage of this but due to the ease with which bad things can be accomplished it was decided to post an announcement. Nothing at all may happen. Or someone could write a virus or put up a malicious web site to take advantage of the situation at any time. The last time a defect exploit with similar characteristics was published, it was quickly incorporated into many email viruses making it unnecessary to click an attachment to get infected.

    The following practices are recommended for users of Internet Explorer, Outlook, and Outlook Express until more information becomes available:

    1. Users of Outlook and Outlook Express should perform the following simple, unobtrusive procedure to disable scripts from executing in email messages:

    Click the Tools menu item and select Options

    Click the Security tab

    In Outlook Express, make sure the Virus Protection security zone is set to Restricted site zone as shown in the window below:

    In Outlook, make sure the Secure Content Zone is set to Restricted Sites as shown in the window below:

    These are the default settings for Outlook 2002 and Outlook Express 6. Users of earlier versions should change the setting to Restricted.

    2. Indiscriminate browsing of untrusted or questionable web sites should be avoided or scripting should be disabled as described in the additional security measures below. Note that hyper links sometimes appear in email or instant messages. If these messages are from malicious individuals, they could lead you to a malicious web site.

    3. Indiscriminate clicking of hyper links in unexpected or suspect email messages, instant messages, and peer sharing resources should be avoided or scripting should be disabled in Internet Explorer as described in the additional security measures below.

    ADDITIONAL SECURITY MEASURES AND INFORMATION

    There is only one technical defense against an exploit at the present time and that is to disable scripting in Internet Explorer, Outlook, and Outlook Express. Instructions for disabling scripting in the mail clients were included in the recommendations above and should have little or no effect on day to day use.

    Unfortunately, disabling scripting in Internet Explorer will adversely affect the operation of many web sites including E-campus and the Windows Update Site. There is, however, a way to specify trusted web sites that are allowed to use scripting and disable it for all others. Users desiring to decrease risk may follow the instructions at the following web site under the section titled "Optional Internet Explorer Security Measures":

    http://www.jmu.edu/computing/info-security/engineering/issues/ie.shtml#opt

    Risk associated with this exploit and most others can be somewhat reduced by using a non-Administrative Windows account when browsing the web, reading email, and other day to day computer use.

    The defect has been verified in Internet Explorer 5.5 and 6 SP1 running on Windows 98 and XP SP1 respectively. It is likely all varieties of 5.5 and 6 are vulnerable. A quick attempt on a Windows 95 computer running IE 5.0 was unsuccessful but not enough research was done to know why.

    A possible symptom of an exploit is a Window similar to the one below suddenly appearing on your screen after clicking a hyperlink or opening an email message. The exact appearance of the Window may vary depending upon the version of Internet Explorer and operating system. Note that this window will appear if you click Help and under that circumstance the window appearance is not an indication of an exploit. If you are affiliated with James Madison University and see this window unexpectedly appear after clicking a web hyperlink or reading an email message, please contact Gary Flynn at x82364 ASAP. People affiliated with James Madison University can find my home number in the local directory and are encouraged to call me at home if such an event takes place after normal working hours.
  • by Anonymous Custard (587661) on Tuesday November 19, 2002 @01:13PM (#4707502) Homepage Journal
    If I don't know what the malicious code is, how am I supposed to avoid it?

    Informed security is way better than uninformed security.

    Anyone who wants to use this exploit will find out how. The exploit-users already know how to use it and will tell their friends, so we may as well know also.
  • by pheph (234655) on Tuesday November 19, 2002 @01:13PM (#4707516) Homepage
    Wouldn't it be great to separate Microsoft Bugs from, well, the rest of them? I'm sure some people, especially those on slashdot would choose to see the "Microsoft Bugs" topic on the front page based on if they:

    a.) Run Microsoft exclusively (only want to see Microsoft bugs)
    b.) Run Microsoft exclusively (don't want to see Microsoft bugs)
    c.) Want to find any reason to bash Microsoft... (only want to see Microsoft bugs)
    d.) Don't run Microsoft at all (don't care about Microsoft bugs)

  • Easy (Score:4, Insightful)

    by 4of12 (97621) on Tuesday November 19, 2002 @01:15PM (#4707538) Homepage Journal

    • It's responsible to warn users immediately that a vulnerability exists and to sketch out broadly what kind of vulnerability it is and how to recognize it.
    • It's irresponsible to post a working exploit prior to notifying the code maintainer of the existence of the problem.
    • At some point it becomes necessary and convenient for vulnerable users to have a tool they can use to test for the vulnerability and to see if they can protect themselves from the exploit. They should have the tool in a relatively short time frame, comparable to the same timeframe that crackers make tools from the exploit.

    Too many companies (software vendors, security consultants) are financially vested in how bad the security blackeye looks in the marketplace and it colors their policies regarding security notification.

    As far as I'm concerned, the interests of the software users should be the primary concern.

  • by signine (92535) <slashdotNO@SPAMsignine.org> on Tuesday November 19, 2002 @01:15PM (#4707541) Homepage
    BugTraq is a mailing list dedicated to full disclosure. Before I get modded down for being redundant, let me explain how/why this is relevant. In a list dedicated to full disclosure, it becomes up to the person who drafts the advisory to be responsible for its content. Many companies believe that vendor notification before releases is standard procedure, and yet there are others (ISS) who seem to believe that having one non-vulnerable version (bind 9) means that they can release an advisory that affects other versions that currently have no patches (bind 8, 4).

    On the other hand, there are "independents" such as GOBBLES and other security goons who believe that posting the advisory with full exploit code the second they discover it is a good idea. I'm not going to disagree with that, because without such wake-up calls, many people would never update their systems, remaining vulnerable for days/months/years. It's pretty ridiculous how many people do.

    It's not really up to BugTraq to decide which is the better course of action, it's up to the analysts and the community. If the community chooses to ostracize a member for using such tactics, they can do so. I'm sure that a commercial security vendor would encounter exactly that for releasing an advisory with exploit code and no vendor notification.

    Though, in all fairness, most people have known about this IE exploit for months, and I can be reasonably sure that among "most people" "Microsoft" is included. Microsoft doesn't exactly have the world's best track record working with people to resolve security issues, or even releasing timely patches.

    In short, BugTraq good, security good, black hats bad.
  • by jvmatthe (116058) on Tuesday November 19, 2002 @01:19PM (#4707584) Homepage
    "Showing people how to automatically format hard disks from a Web page isn't 'full disclosure,'" Smith said. "It is malicious code writing."

    Now all we need is a way to embed an ISO image of a Linux system into the web page and use the same exploit to install an alternative operating system. Just think of the banner ads! "Click here to Install Linux!" and "Get That Windows Monkey Off Your Back! Hit the Monkey to Try!" and "Eliminate Windows Instabilities Forever. Click Now!". Then it won't be malicious. It'll be setting all those people FREE! ;^D
  • by toupsie (88295) on Tuesday November 19, 2002 @01:23PM (#4707629) Homepage
    I just tried using the exploit code on my Mac OS X box running Internet Explorer and it didn't work. My hard disk was not formatted. I am disappointed. Why is Microsoft treating Mac users different than Windows users? It's not often that Mac OS X users get to use those nice 'Recovery CDs' that get shipped with Macs. We pay top dollar for our computers, we might as well get to use everything that comes with them. Thanks a lot Microsoft! Just for leaving me out, I'm switching to Mozilla where all the security problems and bugs [slashdot.org] are cross platform!
  • by fhwang (90412) on Tuesday November 19, 2002 @01:27PM (#4707675) Homepage
    There's a point past which you have to stop feeling bad for people who make certain decisions. Microsoft has a well-established history of being terrible with security, of treating it as a P.R. problem that can be fixed with lies as opposed to an engineering problem that can be fixed with quality programming. This is not an obscure fact known only to Linux kernel hackers. This is the news we're getting now on CNN and other mainstream news sources.

    So if you're using a Windows box, I've got to assume one of three things is happening:

    1. You're ready to have a hair-trigger response to the constant stream of security patches and updates you'll need to use. You probably have up-to-date virus protection software, and you probably work in an office with really paranoid, on-the-ball IT staff.
    2. For whatever reason, you don't care that your files could get mangled, erased, and resent: Maybe nothing's that critical, maybe you're just playing around, maybe you make constant backups.
    3. You're completely irresponsible.

    And, yes, it would be different if this were Linux, or BSD, or even MacOS. All those operating systems come with companies or communities who take security seriously, and they respect their users enough to not foist insecure features on them. You can have the reasonable expectation that running any of those OSes lets you worry about security a lot less than running a Windoze variant.

    If you had a nice apartment in the middle of New York, and you constantly left the front door unlocked, and then one day somebody walked in stole your stereo, I'd feel bad for you. But, you know, not too bad.

    • by Tenebrious1 (530949) on Tuesday November 19, 2002 @01:53PM (#4707968) Homepage
      If you had a nice apartment in the middle of New York, and you constantly left the front door unlocked, and then one day somebody walked in stole your stereo, I'd feel bad for you. But, you know, not too bad.

      But it's not like that at all. It's more like I lock my front door. I ask my super "am I secure?" and the super replies "yes, absolutely."

      Then I learn there's a fire escape. I say "The fire escape was unlocked." and the super replies "oh, yes, it was unlocked." So I lock the fire escape.

      Then I find a closet door isn't a closet at all, but leads directly to the next apartment. I lock that. Suddenly, a section of wall turns out to have a door that's been wallpapered over. Under the rug there's a trapdoor leading to the apartment below me. Hidden behind the fridge is a dumbwaiter. The entire fireplace rotates à la Indy Jones. I cry in exasperation to my super, who just says "well, aside from all those holes, your apartment is secure."

  • by sdjunky (586961) on Tuesday November 19, 2002 @01:29PM (#4707690)
    Here's some more info... click this link [dotomycomputer] it's ok.. you can trust it... go on.. you know you want to.

    Nothing to fear. Just a link.
  • by corvi42 (235814) on Tuesday November 19, 2002 @01:31PM (#4707718) Homepage Journal
    I'm not sure about the details of the current case, but there is a very good reason for publishing full technical details about an exploit before patches come out. That is that it may be possible in many circumstances for aware and knowledgeable system administrators to prevent the exploit from affecting machines within their control either at a central point, like a firewall or proxy, or by disabling software features until a patch is available.

    For example a web proxy might be able to scan for the presence of the malicious code in question, but if that code is not available to the sysadmins, then how can they make appropriate filters? Also being aware of the ways in which these exploits work could allow sysadmins to make more general security policy decisions in terms of what users / processes are allowed to access what areas, etc. I'm not saying that it could be done in this case, but could in many others.

    This could save a company a lot of time and money, and is therefore a good thing. It is not true to say that only the party responsible for producing a patch needs to see the actual code for security reasons.
    • by fizbin (2046) <(martin) (at) (snowplow.org)> on Tuesday November 19, 2002 @02:47PM (#4708649) Homepage

      corvi42 wrote:

      I'm not sure about the details of the current case

      Then that's easy to fix: (all links to the neohapsis archive, since it's just nicer to look at than securityfocus)

      1. The original advisory about the IE bug [neohapsis.com] (note that it includes sample code to execute "winmine") [Nov. 6]
      2. The post pointing to zdnet forums [neohapsis.com]. Note that it is on the ZDNet forums that this format code first appeared - I find it most odd that Wired chose not to mention that. [Nov. 11]
      3. The post that got everyone's panties bunched up. [neohapsis.com] Someone took the code that was on that ZDNet forums thread and posted it to Bugtraq. [Nov. 14]

      One especially noteworthy point: Microsoft was informed of the bug on October 4th.

      So:

      • The original discoverer (that we know of), Sandblad, acted responsibly.
      • Bugtraq was being perfectly responsible in posting Sandblad's advisory
      • The format exploit code was free for the taking on public forums
      • Bugtraq published the format exploit, creating a PR issue for Microsoft, after said code had been public for three days

      My opinion? A wired writer needed a story.

  • What luck! (Score:4, Funny)

    by Alizarin Erythrosin (457981) on Tuesday November 19, 2002 @01:35PM (#4707773)
    Microsoft is sending some of their people here tonight to give a talk about how cool they are and how fun it would be to work for them (recruitment meeting). I think I'll mention this exploit to them and see what their response is.

    The joke they always make is "For those of you who want to work in software testing... Yes, we do test our products (wait for laugh)"
  • Microsoft(TM) Press Release 11-19-02

    Microsoft(TM) intrudes^w introduces an incredible new PR nightmare^w^w way to work(TM)!

    Trojaned@Home(TM) - work on any problem you want(TM)! Set millions of CPUs working at a moment's notice(TM)! Every copy of Windows(TM) has this glaring security hole(TM)^w^w^w feature(TM) built in!

    Trojaned@Home(TM) is super fast, due to Microsoft(TM)'s secret Code Hider^w Layering(TM) technology, which ensures that it's always on(TM), and ready to work for you(TM)!

    See the power of the internet(TM) multiplied by millions(TM) of smart Windows(TM) users today!

    Use Trojaned@Home(TM)!

    Ha! You already are(TM)!

  • by sonra (100135) on Tuesday November 19, 2002 @01:45PM (#4707870)
    Found the code, made a web page and verified the exploit with ie5 win200...
    Tried it on WINE using CrossOver Office.
    and was very disappointed to find that WINE once again did not live up to its goal of being bug for bug compatible with windows.

    All I got was HTML help and a script error. No files written to my "C:" and no exploit.

    *sigh* Guess WINE still needs some work.
  • by venomkid (624425) on Tuesday November 19, 2002 @01:47PM (#4707896)
    ...which a friend and I posted to bugtraq. It turned out to be a previously undiscovered variant of the semisoft virus, which we'd dubbed "net.666" for a few reasons (just so you can check my story).

    We made a web site that showed how to clean an infected system and had downloadable infected files for virus researchers. At the request of some of the researchers, we took off the files and gave an email address for researcher requests instead.

    Surprisingly, we got emails from script kiddies (some posing as researchers, some not) trying to get copies of the virus.

    But, by the end of that week, there were separate executables from a few companies implementing our cleaning methods, and the next round of signatures could detect it.

    I think it would have been a better idea for these guys to just post the solutions and keep the exploit code itself as secret as possible. MS will pretty much HAVE to deal with this one. It's the kind of exploit you hear about in hoax emails, but I don't think it's going to make their lives much easier knowing that this exploit is so widely available, not to mention the people who get hit by it.

    vk.
  • OT but relevant (Score:4, Interesting)

    by theolein (316044) on Tuesday November 19, 2002 @01:49PM (#4707921) Journal
    Under Mac OSX 10.1, Internet Explorer 5.1.2 runs as root or as some kind of su and has access to the entire system and basically doesn't care if you have directories that you would rather protect. Mozilla respects FS protections. Under MacOSX the Java JDK documentation is hidden away in the Frameworks/Java... directories where a non admin user has no access. To browse these I usually make a link in my browser to the index.html file and carry on from there. I discovered that IE lets you in everywhere it can go while Moz doesn't.

    Differing perspectives on security, I suppose.
  • by Charles Dodgeson (248492) <jeffrey@goldmark.org> on Tuesday November 19, 2002 @01:50PM (#4707940) Homepage Journal
    The most sensible thing I've ever read about this kind of question is a Crypto-Gram article [counterpane.com] last year by Bruce Schneier.
  • SuperVirus (Score:4, Interesting)

    by Deathlizard (115856) on Tuesday November 19, 2002 @01:52PM (#4707955) Homepage Journal
    The exploit doesn't scare me as much as it adds more fuel to the SuperVirus theory I've been worried about for a while.

    I believe that it's only a matter of time before someone creates a "SuperVirus", a virus with all previously successful exploits, and unleashes it on the world.

    With the recent outbreaks of klez, code red, nimda, kak, sircam, and other viruses that do minor damage and proliferate fast through multiple exploits, it's only a matter of time until a script kiddie gets it into his head to combine them all and make a virus that infects everything, spreads through multiple existing holes, and does a massive amount of damage via either DDOS, Format after a set time, or Both.
  • Yawn (Score:4, Insightful)

    by cyranoVR (518628) <cyranoVR AT gmail DOT com> on Tuesday November 19, 2002 @01:55PM (#4707992) Homepage Journal
    It seems like every couple weeks there is an article on /. to the effect of "BIG HOLE IN IE/XP/[MS APP HERE] DISCOVERED. THE END IS NEAR! REPENT, MS USERS" etc etc...ZZZZZZZzzzzzzzzZZZZZZZ -_-

    There are only so many times you can read a headline like that before the "cry wolf" factor starts to kick in. All these "bugtraq" alerts are academic...theoretical...What I want to see is a headline that reads Merrill Lynch crippled by XP flaw. Plans to sue MS for millions $$$ damages or somesuch. Or at least a story of an actual user whose life was ruined by an actual MS security hole. Something tangible...Now THAT would be interesting!
  • by talks_to_birds (2488) on Tuesday November 19, 2002 @01:58PM (#4708023) Homepage Journal
    ...a puff piece for alleged "security expert" Richard Smith, who has a long-standing agenda about full disclosure [computerbytesman.com].

    What new ground is broken here?

    None.

    The simple fact remains that Micro$oft produces products that are riddled with the most egregious of security lapses, and that Micro$oft has an unrivaled history of dragging its feet/passing the buck, even when billg is hit over the head repeatedly with the fact that his minions have unleashed yet another f*ckup on the unsuspecting public.

    So, it's possible to contrive html that, when viewed on a remote web site, reformats the local hard drive of the box IE is running on?

    Are you kidding me?

    billg and every single idiot who was anywhere close to being involved with this f*ckup should be sued for every last penny they have.

    As for full disclosure, let 'er rip.

    It's the only way Micro$oft will ever be held in the least bit accountable for their crap.

    t_t_b

  • Responsibility (Score:4, Insightful)

    by BrianWCarver (569070) on Tuesday November 19, 2002 @02:08PM (#4708144) Homepage

    It seems that what's really irresponsible is not what Bugtraq did, but running IE to begin with. Its history of security flaws and exploits along with Microsoft's foot-dragging responses make it utterly irresponsible to run such software.

    That said, no one is immune from security exploits. The argument for posting it to Bugtraq seems mainly to be that this motivates the vendor to move quickly now that their customers know about the exploit and now that nefarious types have easier access to it. (Don't fool yourself into thinking the most malicious types didn't usually already acquire it by other means.)

    But if what we really want to do is motivate vendors to patch things quickly, it should be the first rule of Bugtraq that no exploit is posted until the vendor is informed. Most linux security exploits are resolved within about 48 hours, while it is true that Microsoft often takes weeks or months. Given our competing interests in both informing the vendor privately and getting information to the public, we should balance these in a reasonable way. One such solution might be that Bugtraq adopt a rule that after a vendor is informed, they have 48-72 hours after which time it will be posted.

    For both the responsible vendors and the free software community this approach would balance our interests in minimizing exploits while a solution is actively pursued while also acknowledging the benefits of full public disclosure.

    In the case of smaller vendors than MS who might not have the resources for such a quick bug-fix, an appeal process could be instituted wherein the vendor may contact Bugtraq during the initial grace period and request an extension. Guidelines based on the resources of the vendor and the seriousness of the bug could be used to determine whether another 48-72 hours should be granted.

    BWCarver
  • He Gave Them a Month (Score:5, Informative)

    by serutan (259622) <.snoopdoug. .at. .geekazon.com.> on Tuesday November 19, 2002 @02:18PM (#4708280) Homepage
    If you read Sandblad's actual BugTraq posting [securityfocus.com] you will see that he had notified Microsoft more than a month before posting the details of the exploit. Quoting:

    Microsoft was initially contacted 2002-10-04. After several mail exchanges, their final response were that the technique used to run programs with parameters from the "Local computer zone" was no security vulnerability. A fix should instead be applied for all possibilities for content in the "Internet zone" to access the "Local computer zone".

    How much time does a company have to actually fix a problem this serious? When somebody takes the trouble to notify a company about a defect, they've already demonstrated helpfulness and responsibility. It would make sense for the company to take that helpful, responsible person into the loop, and at least update them periodically about what is being done about the problem. That would give a helpful person like Sandblad a basis for continuing to wait. In this case Microsoft gave no indication that they were doing anything about the problem or intended to do anything about it. Continuing to sit on the information certainly wouldn't give them any further incentive. Sandblad reported this problem, got a thanks-but-no-thanks, then after a month of no news went over their heads to the public. I would say he handled it very responsibly.
  • Worse than goatse (Score:4, Informative)

    by phorm (591458) on Tuesday November 19, 2002 @02:29PM (#4708443) Journal
    Not to troll, but perhaps slashdotters should be extra careful of the links they click (for those on IE) in the near future.
    Goatse is disturbing and easily detected, but I'd imagine that this script could be set up almost anywhere, making it easy to slip in a slashdot comment.

    And yes, I'm sure there are probably enough trolls on here that somebody would try it if they knew how.
  • by e1en0r (529063) on Tuesday November 19, 2002 @02:31PM (#4708474) Homepage
    I actually posted a similar question [elenor.net] to "Ask Slashdot" about a year ago. It didn't get accepted, but basically it said the following:

    [snip] This brings up the question of whether or not the benefits of disclosing the information outweigh the problems. While attackers can exploit the holes, it pushes companies to release a patch as soon as possible. Personally I'm all for disclosing the full information. But that got me thinking about another example of security disclosure. After September 11 it was impossible to escape "news reports" speculating on the next terrorist attack and their next weapon. They mentioned that smallpox would be a good weapon and went on to detail why. They said we have no cure and we're not prepared for it and basically said that if they used that against us we'd be powerless to stop it. I also saw reports on the least secure airports and how people sneak weapons through security and so on. I was angry when I saw this information being broadcast for anyone, including terrorists, to see. They could easily use this information to plan another attack. The reporters were doing the terrorist's research for them. In theory, these are the same debates. Should vulnerable information be disclosed in order to better prepare for or fix the security hole? I'd be curious what other people think. Can you support full disclosure of security holes in software, but not support full disclosure of certain national security threats without being a hypocrite?
  • by Anonymous Coward on Tuesday November 19, 2002 @02:36PM (#4708532)
    Looks like automated formats via "mined" web pages in Explorer have been around for a while now. This Bugtraq link is from back in 1999:

    http://online.securityfocus.com/archive/1/28213/2002-09-30/2002-10-06/0

    Bits of note include:

    "The key is the Format command's "/autotest" flag, which I believe was
    put into place early on in MS-DOS's history to assist in batch
    processing, and was probably dropped from the documentation some time
    back (it's not in my DOS 5.0 manual as far as I can tell -- although
    that's not too far in the past). It can be tested for by entering:
    "Format a: /autotest" at the MS-DOS C:\ prompt.

    The automated format via web page can be accomplished as follows (with
    the example shown demonstrating how to create a link on a web page which
    will automatically format Drive A):

    1) Either:

    Create a .pif file ("Format.pif") with the Command Line set to:

    "C:\WINDOWS\COMMAND\FORMAT.COM a: /autotest"

    And Working Line set to:

    "C:\WINDOWS\COMMAND"

    Or:

    Create a .bat file ("Format.bat") with a single command:

    "format a: /autotest"

    (Should the user wish to format another disk, the a: may be
    replaced with c:, d:, e:, etc.)

    2) Link to the file on a web page as follows:

    Click Me [slashdot.org]

    Or:

    Click Me [slashdot.org]

    According to the method chosen for implementation in step 1. These
    links may be placed beneath graphics or text, as would be found on a
    regular web page.

    3) Upload the html document and .pif or .bat file to the targeted web
    server directory and wait for an unwary user to click the link and
    'Open'.

    Spooky, eh?

    These steps don't create a Trojan Horse so much as an out-right "Cyber Mine" which will be activated on a user's machine the instant they click the link and accept the file into their system. As the download of the 1k file is almost instantaneous, damage will be made to the user's data in a matter of seconds. "
  • by Cylix (55374) on Tuesday November 19, 2002 @02:38PM (#4708547) Homepage Journal
    What would really worry me is if someone cracked into a high traffic site and added this code. The havoc it would cause would be interesting. ie. slashdot or cnn.com tainted with such code.

    Does anyone remember the time when Yahoo finally found that someone had edited the text on their frontpage. White on white text that could be highlighted. I don't know the details, but I knew about it long before yahoo discovered this.

    It *can* happen, but now companies are definitely more security cautious.

    Fortunately, I use mozilla, I made the full time switch and lived with the minor bugs the day Gator mysteriously installed itself on my system while browsing with ie. (there was a previous story on the incident with that exploit).

  • by Gyorg_Lavode (520114) on Tuesday November 19, 2002 @02:39PM (#4708562)
    If a vulnerability/exploit combination is already in the wild making it more common is not inappropriate if the maintainer of the source has been contacted. In many cases it expedites the fix which is important when there are no feasible workarounds.

    An example can be seen in the game everquest. There was an exploit that allowed characters to crash portions of the world with almost no effort. It was left in for months because it was mainly contained on one server. It had been /bugged and reported to the maintainers of the game multiple times w/o response.

    Finally, a player from the server became fed up and posted exactly how to exploit it on multiple message boards where it would be widely seen. Within days it was being used on ALL servers with regularity. It was patched in the next patch less than a week later.

    Companies deal with jobs related to their importance which is not only the severity but the population affected, (if anyone has watched fightclub when he's speaking about his job you get the idea). By spreading the knowledge the importance is increased. And the bugtraq is the best place to spread it as it will get out to as many people responsible for security as possible.

  • by litewoheat (179018) on Tuesday November 19, 2002 @02:54PM (#4708717)
    So I figured that I could avoid this by just deleting the key in my registry for IE help so that the OCX would never load and the exploit wouldn't work. I did that and it solved the problem! But wait... Windows is now trying to "help" me by putting that registry key back the way it was! Thank you so much Windows for saving me from myself and reopening the door to my hard drive. What would I do without you?
  • Malicious? (Score:4, Funny)

    by njdj (458173) on Tuesday November 19, 2002 @03:12PM (#4708936)
    security hole in IE that allows malicious web pages to reformat a hard drive

    Surely there's a typo here. If I discover that the computer I'm working on has Windows installed, you're saying that all I need to do to reformat the hard drive is click on one of these web sites?
    • Re:Malicious? (Score:4, Insightful)

      by Da VinMan (7669) on Tuesday November 19, 2002 @04:39PM (#4709788)
      I doubt you were trying to be funny about this. All I can tell you is this: Go find the exploit code and try it. When you're done filling your pants, go find a Mozilla based browser you like and stick with that.

      Yup, it's that bad. It's getting to the point where I only use IE for intranet applications. What's the point in being the best browser when it's not safe to use?!
  • Timelock puzzles (Score:5, Insightful)

    by karlm (158591) on Tuesday November 19, 2002 @03:20PM (#4709049) Homepage
    Look at "Timelock puzzles" or something to that effect by Professor Rivest. You can make the solution to a cryptographic puzzle the decryption key for an exploit. Publish the puzzle and the encrypted exploit along with your submission. Give the vendor the decryption key. The problem of repeatedly calculating quadratic residues modulo a Blum integer is essentially non-parallelizable, so it doesn't matter if you set up a beowulf cluster or a distributed.net project. You still only solve the problem as fast as your fastest node. Hence governments don't get the solution much faster than some slashdot reader with a 4 GHz overclocked system. If you have REALLY low latency interconnects, you may be able to spread the work out among several CPUs in the same box.

    This way the vendor knows the clock is ticking, and once you've published the puzzle and the encrypted exploit no amount of legal maneuvering can put the cat back in the bag, so to speak. Basically, it allows you to put pressure on the vendor while still being responsible and giving the vendor a month (for instance) head start. You can put decent bounds on how long it will take the fastest consumer machines to solve the puzzle. There's currently a puzzle running that's supposed to get completed shortly before the MIT Laboratory for Computer Science's 70th b-day, for instance.
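
The time-lock idea in the comment above, as an added Python example that is not part of the original post or of any published puzzle: the creator knows the factors of a Blum integer n and locks a key behind t sequential squarings, while everyone else has to perform the squarings one after another. The function names, the base 2, the published SHA-256 check value and the parameter sizes are assumptions made for this sketch; the locked key would then protect the embargoed advisory under a standard authenticated cipher, which is left out here.

```python
"""Time-lock puzzle sketch after Rivest, Shamir and Wagner (added example)."""
import hashlib
import secrets
import time

BASE = 2  # public value that is squared t times (assumed choice for this sketch)


def is_probable_prime(n, rounds=40):
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2          # witness in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_blum_prime(bits):
    """Random prime p with p % 4 == 3, so that p*q is a Blum integer."""
    while True:
        p = secrets.randbits(bits) | (1 << (bits - 1)) | 3
        if is_probable_prime(p):
            return p


def make_puzzle(key, t, p, q):
    """Creator side: cheap, because phi(n) lets us shortcut the t squarings."""
    n = p * q
    phi = (p - 1) * (q - 1)
    e = pow(2, t, phi)                 # 2^t reduced modulo phi(n)
    b = pow(BASE, e, n)                # equals BASE^(2^t) mod n by Euler's theorem
    k = int.from_bytes(key, "big")
    if k >= n:
        raise ValueError("key must be smaller than the modulus")
    return {
        "n": n,                        # published; p and q are discarded
        "t": t,
        "locked_key": (k + b) % n,
        "key_len": len(key),
        "key_sha256": hashlib.sha256(key).hexdigest(),  # lets a solver check the result
    }


def solve_puzzle(puzzle):
    """Solver side: t squarings, each needing the previous result."""
    n = puzzle["n"]
    b = BASE % n
    for _ in range(puzzle["t"]):
        b = b * b % n
    k = (puzzle["locked_key"] - b) % n
    if k.bit_length() > 8 * puzzle["key_len"]:
        raise ValueError("recovered value is too large to be the key")
    key = k.to_bytes(puzzle["key_len"], "big")
    if hashlib.sha256(key).hexdigest() != puzzle["key_sha256"]:
        raise ValueError("recovered key does not match the published digest")
    return key


def squarings_per_second(n, sample=20000):
    """Calibration: measure local speed to pick t for a target delay."""
    x = BASE
    start = time.perf_counter()
    for _ in range(sample):
        x = x * x % n
    return sample / (time.perf_counter() - start)


def demo(t=50000, bits=512):
    """Build a puzzle around a fresh 256-bit key and solve it the slow way."""
    p = random_blum_prime(bits)
    q = random_blum_prime(bits)
    while q == p:
        q = random_blum_prime(bits)
    key = secrets.token_bytes(32)
    puzzle = make_puzzle(key, t, p, q)
    return key, puzzle, solve_puzzle(puzzle)


if __name__ == "__main__":
    key, puzzle, recovered = demo()
    rate = squarings_per_second(puzzle["n"])
    print("recovered key matches:", recovered == key)
    print("t for a 30-day delay at this speed: %d" % int(rate * 30 * 86400))
```

The delay is only as good as the estimate of the fastest solver's squaring rate, so a real embargo would be calibrated against the quickest hardware expected rather than the creator's own machine.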

  • Was it responsible (Score:4, Interesting)

    by I_redwolf (51890) on Tuesday November 19, 2002 @03:38PM (#4709235) Homepage Journal
    The Wired talks more about bugtrack's handling of the whole thing, and how it essentially posted working code for the exploit. Was it irresponsible or not?

    What's irresponsible is living in a fantasy world and thinking that Bugtraq are the only ones capable of exploiting a bug like that. Just because you don't talk about it and shh shh it doesn't make the bug disappear and unexploitable. Shit man just like any exploit someone is gonna write code to exploit it if it's in their interest or for fun or just because they are pure evil. With something like this; shit as soon as the exploit was posted I'm sure there were people writing code to exploit the shit.
