Bug

Controversy Surrounds Huge IE Hole 907

Posted by CmdrTaco
from the no-surprise-here dept.
Suchetha wrote in with a Wired News bit talking about a security hole in IE that allows malicious web pages to reformat a hard drive. The Wired piece talks more about Bugtraq's handling of the whole thing, and how it essentially posted working code for the exploit. Was it irresponsible or not?
  • It's not new anyway (Score:4, Interesting)

    by Anonymous Coward on Tuesday November 19, 2002 @12:09PM (#4707458)
    The article states that the code wasn't new, and was taken from public forums etc. So I don't really think that this is irresponsible.
  • by davidmcn (606752) <[dmcnelis] [at] [gmail.com]> on Tuesday November 19, 2002 @12:11PM (#4707474) Homepage
    Had BugTraq not posted this code, then what proof would they have to take to Micro$oft? After all, the people that want to utilize that code are going to be able to find it anyway. In my opinion this merely makes Micro$oft responsible for their product and hopefully will lead to the quicker introduction of a patch. Or, God forbid, it could entice people to use a different web browser.
  • by sirket (60694) on Tuesday November 19, 2002 @12:13PM (#4707511)
    Until a large percentage of the public gets screwed royally by a security hole, people are not going to take notice and start auditing their code as they should.

    As a side note: I am rather sick and tired of reading about the latest MS IE/OE/Outlook exploit on Bugtraq. There need to be separate versions of Bugtraq for: Cross Site Scripting Vulnerabilities (Enough already), and Non-OS related holes in MS software (We already have Bugtraq-NT).

    -sirket
  • by pheph (234655) on Tuesday November 19, 2002 @12:13PM (#4707516) Homepage
    Wouldn't it be great to separate Microsoft Bugs from, well, the rest of them? I'm sure some people, especially those on slashdot, would choose to see the "Microsoft Bugs" topic on the front page based on if they:

    a.) Run Microsoft exclusively (only want to see Microsoft bugs)
    b.) Run Microsoft exclusively (don't want to see Microsoft bugs)
    c.) Want to find any reason to bash Microsoft... (only want to see Microsoft bugs)
    d.) Don't run Microsoft at all (don't care about Microsoft bugs)

  • Re:Irresponsible? (Score:2, Interesting)

    by FortKnox (169099) on Tuesday November 19, 2002 @12:14PM (#4707518) Homepage Journal
    However I'd also be quite upset at my vendor for letting this happen.

    That's getting down to a different point. Did the vendor know of the bug and ignore it, or was it something that wasn't considered? Even Linux has security bugs. It's naive to think that any program is 100% secure.
  • by signine (92535) <<gro.eningis> <ta> <todhsals>> on Tuesday November 19, 2002 @12:15PM (#4707541) Homepage
    BugTraq is a mailing list dedicated to full disclosure. Before I get modded down for being redundant, let me explain how/why this is relevant. In a list dedicated to full disclosure, it becomes up to the person who drafts the advisory to be responsible for its content. Many companies believe that vendor notification before releases is standard procedure, and yet there are others (ISS) who seem to believe that having one non-vulnerable version (bind 9) means that they can release an advisory that affects other versions that currently have no patches (bind 8, 4).

    On the other hand, there are "independents" such as GOBBLES and other security goons who believe that posting the advisory with full exploit code the second they discover it is a good idea. I'm not going to disagree with that, because without such wake-up calls, many people would never update their systems, remaining vulnerable for days/months/years. It's pretty ridiculous how many people do.

    It's not really up to BugTraq to decide which is the better course of action, it's up to the analysts and the community. If the community chooses to ostracize a member for using such tactics, they can do so. I'm sure that a commercial security vendor would encounter exactly that for releasing an advisory with exploit code and no vendor notification.

    Though, in all fairness, most people have known about this IE exploit for months, and I can be reasonably sure that among "most people" "Microsoft" is included. Microsoft doesn't exactly have the world's best track record working with people to resolve security issues, or even releasing timely patches.

    In short, BugTraq good, security good, black hats bad.
  • It's a thorny issue (Score:2, Interesting)

    by Dr Thrustgood (625498) <ThrustGood@spamoff.atari.co.uk> on Tuesday November 19, 2002 @12:15PM (#4707542)
    Certainly, making sure someone is aware of an issue with their software should be paramount before telling others. Alas, big corporations often just don't care, which is a disgrace.

    However, whilst there's something to be said for fighting such companies, I fail to see why it should be at the user's expense.

    Lots of people use windows. Some like it. Some hate it. Some, like me, have very little choice in the matter - finding a job elsewhere is simply not a realistic option. Now, why should I be punished over a vendetta?

    Take a look at the PHP exploits released a few months ago. You were talking total server compromise. Were there any exploits? Certainly, but you would have a damn hard time actually finding them.

    Right now, alas, there's a chance that my machine will be erased, losing work that hasn't been backed up because that's what I've done in the mere last few hours.

    Think of the users. Please.
  • Re:Irresponsible? (Score:3, Interesting)

    by Myco (473173) on Tuesday November 19, 2002 @12:17PM (#4707561) Homepage
    This argument that because 100% security isn't possible, we should just give up on the whole idea is specious. Companies are responsible for doing their best to provide a product that's not full of holes. Their moral liability is determined by what constitutes a good-faith effort to that end. Their legal liability depends on the legal fiction you clicked "I agree" for.
  • Either way... (Score:2, Interesting)

    by tyrelb (619467) <tb-slashdot.tyrel@ca> on Tuesday November 19, 2002 @12:18PM (#4707567)
    people who want to do malicious things to your computer will find a way, whether or not the exact code is posted to popular web sites. Software companies have the responsibility to publish fixes to bugs, especially in a timely fashion. Microsoft tends to delay patches to their programs.
  • NOT (Score:2, Interesting)

    by fygment (444210) on Tuesday November 19, 2002 @12:20PM (#4707588)
    Malicious code is out there for the taking from any number of sources. It's not a case of finding and identifying malicious code anymore. It's about letting the most people know about it. If they erred it was by not spreading the word broadly enough.
  • Question (Score:3, Interesting)

    by ChuckMaster (595275) on Tuesday November 19, 2002 @12:20PM (#4707591)
    Since outlook express formats html code that is sent automatically, and I assume uses the same engine explorer does, could it be possible to send a spam email that will re-format the hard drives on all IE windows systems? scary.
  • by Myco (473173) on Tuesday November 19, 2002 @12:20PM (#4707593) Homepage
    That's a very good point. It encourages a somewhat radical interpretation: that the best way to get MS off their ass is to basically actively encourage all the script kiddies to use every exploit out there as much as possible until it's fixed. Sowing the seeds of dissent is a very worthwhile endeavor.
  • by Conspiracy_Of_Doves (236787) on Tuesday November 19, 2002 @12:21PM (#4707599)
    is why on my computer, IE doesn't even have permission to get through ZoneAlarm [zonelabs.com]
  • Hypothetical (Score:2, Interesting)

    by dallask (320655) <codeninja@ g m a i l.com> on Tuesday November 19, 2002 @12:21PM (#4707602) Homepage
    Just imagine what would happen if someone combined this hack with the blackops IP techniques discussed in prev /. article... could someone effectively wipe ALL the drives and servers running windows on the net?... do you think people would come down on MS then???

    I think that if this is left unpatched, then those in the hacker community almost have a responsibility to fully exploit this... just to force a patch to be released... reformatting 2^32 computer systems would get their attention, even if congress can't.
  • Easy Solution (Score:1, Interesting)

    by Apreche (239272) on Tuesday November 19, 2002 @12:23PM (#4707623) Homepage Journal
    For a minute I was worried that google searching wouldn't be safe anymore because there was a real threat of something erasing my hard drive. Then I realized, hey, it's an IE security hole, I can still run Moz in Win and wait until a fix.
  • by fhwang (90412) on Tuesday November 19, 2002 @12:27PM (#4707675) Homepage
    There's a point past which you have to stop feeling bad for people who make certain decisions. Microsoft has a well-established history of being terrible with security, of treating it as a P.R. problem that can be fixed with lies as opposed to an engineering problem that can be fixed with quality programming. This is not an obscure fact known only to Linux kernel hackers. This is the news we're getting now on CNN and other mainstream news sources.

    So if you're using a Windows box, I've got to assume one of three things is happening:

    1. You're ready to have a hair-trigger response to the constant stream of security patches and updates you'll need to use. You probably have up-to-date virus protection software, and you probably work in an office with really paranoid, on-the-ball IT staff.
    2. For whatever reason, you don't care that your files could get mangled, erased, and resent: Maybe nothing's that critical, maybe you're just playing around, maybe you make constant backups.
    3. You're completely irresponsible.

    And, yes, it would be different if this were Linux, or BSD, or even MacOS. All those operating systems come with companies or communities who take security seriously, and they respect their users enough to not foist insecure features on them. You can have the reasonable expectation that running any of those OSes lets you worry about security a lot less than running a Windoze variant.

    If you had a nice apartment in the middle of New York, and you constantly left the front door unlocked, and then one day somebody walked in and stole your stereo, I'd feel bad for you. But, you know, not too bad.

  • by orb (9170) on Tuesday November 19, 2002 @12:30PM (#4707708) Homepage
    Someone said MS has known about this for weeks and still there is no fix. MS should have released a fix for this immediately.

    Perhaps by giving so much information, MS will get off its lazy rear. There is no excuse for MS not having a fix for this released by end of business today. Anything less is simply inexcusable.

    Yes, there is a LOT of work involved here. They need to identify the problem, find a solution, implement the fix, test the fix, and then release the fix (with several iterations of implement/test). However, they really should have had people working around the clock on this starting the very minute they found out about it.

  • by baryon351 (626717) on Tuesday November 19, 2002 @12:30PM (#4707711)
    A very similar disturbing hole was present in MacOSX which allowed a web page to link to a malicious false url that could contain any shell command - and execute it as the current user. It would take one link to lose your entire user directory.

    It was reported to Apple in mid August, then patched via software update within nine HOURS. Information was made widely public about just what the bug was and how it worked a day later. That's the way it should be done, and a company with a clue did something about it. The sections of the OS which were involved weren't open-source, so full responsibility for fixing that particular problem was up to Apple.

    Any company sitting on a more serious bug like this one for two weeks (whether or not it's widely known) is far more irresponsible. No excuses.
  • Re:Easy (Score:1, Interesting)

    by Anonymous Coward on Tuesday November 19, 2002 @12:31PM (#4707725)
    "It's irresponsible to post a working exploit prior to notifying the code maintainer"

    Bah! I wonder how many exploits are known out there which have been reported to Microsoft, and the average Joe doesn't know about. I bet these exploits are known among hacker groups, still, with relative ease. I bet you would be pissed off knowing that Microsoft doesn't fix many of their security problems. That's why everyone needs to know; that way, we can pressure Microsoft into doing SOMETHING.

    Security through obscurity is not.
  • by Anonymous Coward on Tuesday November 19, 2002 @12:47PM (#4707899)
    Better a loud mass of script kiddies than a quiet Bad Guy stockpiling credit card numbers and exploring the innards of various Defense Department systems, no?

  • OT but relevant (Score:4, Interesting)

    by theolein (316044) on Tuesday November 19, 2002 @12:49PM (#4707921) Journal
    Under Mac OSX 10.1, Internet Explorer 5.1.2 runs as root or as some kind of su and has access to the entire system and basically doesn't care if you have directories that you would rather protect. Mozilla respects FS protections. Under MacOSX the Java JDK documentation is hidden away in the Frameworks/Java... directories where a non admin user has no access. To browse these I usually make a link in my browser to the index.html file and carry on from there. I discovered that IE lets you in everywhere it can go while Moz doesn't.

    Differing perspectives on security, I suppose.
  • by krinsh (94283) on Tuesday November 19, 2002 @12:51PM (#4707942)
    Just because you can find the code "everywhere else on the web" does not mean you should share the code yourself. I find something like this akin to leaving porn magazines in your yard because the neighborhood kids will find them in the trash bin (or surfing the net - sic) anyway.

    It's like "I know how to hang a person - here, let me give you a demonstration." Does sharing the code that can cause the problem allow you to protect yourself against it? Probably not; unless you are out there building tools to protect us - that's right, US, including the very experienced tech people here - against such attacks.

    I don't like the idea of non-disclosure. I want to know if there is a potential that something bad could happen to me or my clients; and that I should start working on or be on the lookout for preventative measures. That's why we have vulnerability lists. In that same hand I believe that Too Much Information is not polite - to the users and the vendor. Here's how you make the gun; oh and here are some bullets. It is almost criminal in its intent - considering the mindset of many today it *is* criminal in its intent - regardless of target.
  • by Anonymous Coward on Tuesday November 19, 2002 @12:51PM (#4707949)
    In germany Heise.de even published an exploit:

    C't Browsercheck [heise.de]

    You can test your IE and report the results to your boss.

    See also:

    Sandblad at Securityfocus [securityfocus.com]
  • SuperVirus (Score:4, Interesting)

    by Deathlizard (115856) on Tuesday November 19, 2002 @12:52PM (#4707955) Homepage Journal
    The exploit doesn't scare me as much as it adds more fuel to the SuperVirus theory I've been worried about for a while.

    I believe that it's only a matter of time before someone creates a "SuperVirus", a virus with all previously successful exploits, and unleashes it on the world.

    With the recent outbreaks of klez, code red, nimda, kak, sircam, and other viruses that do minor damage and proliferate fast through multiple exploits, it's only a matter of time until a script kiddie gets it into his head to combine them all and make a virus that infects everything, spreads through multiple existing holes, and does a massive amount of damage via either DDOS, Format after a set time, or Both.
  • by timothy_m_smith (222047) on Tuesday November 19, 2002 @12:53PM (#4707965)
    What if we changed the scenario a little bit. Imagine that 50% of the world is using Mozilla on Linux (or even that there is a large body of non-technical users using Open Source Software). Say that a bug was revealed that allowed a website to maliciously delete data from a user's Linux/Mozilla installation. In the Open Source world, this bug would probably be patched very quickly, probably more quickly than MS would. However, keep in mind that your average non-technical user is not going to be checking for frequent patches. When someone (who should be more responsible) releases code to exploit that hole, you have potential average users who may be losing very valuable data. Are these users getting what they deserve? The point is that no one should be helping the script kiddies screw up other people's machines. If you believe in that then you're not a productive part of the technology community.
  • Re:Irresponsible? (Score:4, Interesting)

    by Sherloqq (577391) on Tuesday November 19, 2002 @12:53PM (#4707972)
    "Symantec's actions give the impression that they are encouraging people to create and release malicious code. Given that Symantec also sells security and antivirus software, I think there is a terrible conflict of interest here."

    I have to admit I wonder about this myself from time to time.


    On one hand, I agree. This can be viewed as an attempt by Symantec to increase market share / profits by exploiting someone else's mistakes, and can certainly be viewed as inappropriate, a conflict of interest etc.

    On the other hand, though... we have a software company with a not-so-stellar track record regarding security in their browsers and/or email clients, not to mention other avenues like operating systems. Moreover, a company that apparently refuses to learn from their mistakes, frequently brushes vulnerability reports aside as "unimportant", "insignificant", and essentially creates a market for companies like Symantec.

    Business practices / exploit-with-no-patch-disclosing aside, what's wrong with Symantec developing security / antivirus software while exploring the operating system their software was made for and finding / reporting bugs?

    If there was a certain home builder who notoriously installed windows (pun not intended) that could easily be opened from outside by anyone (e.g. a thief), and if I came up with a way to secure such windows (like, custom made-to-fit window bars that go perfectly with your house), why wouldn't you want me to 1) manufacture and advertise my security device, and 2) advertise the fact that the builder refuses to fix / replace the windows with a better model? Would you prefer that your home were insecure and you not know about it? Or would you rather know that there's an easy way into your home that anyone can access with a $5 tool? Wouldn't you rather be protected?

    As I said, aside from the way that Symantec approached this particular problem, I don't necessarily think there's a whole lot of a conflict of interest here.
  • by linuxwrangler (582055) on Tuesday November 19, 2002 @12:56PM (#4708000)
    No, if you care about the security of users you tell the user that s/he is using a defective product ASAP. The user is then empowered to:

    1) ignore the problem 'cause the risk is low and they don't have anything really important on their hard drive or perhaps they only go to one or two trusted sites

    2) use a different browser

    3) stop browsing altogether until they have made backups of the last two week's work on their magnum opus.

    The way people browse, the frequency of backups and the consequences of data loss are different for each user and it should be the user's choice to decide what to do. Failing to notify a customer of a serious product defect should be a criminal offense.

    Suppose you discovered that if the hubcap was left off the wheel of your Fuelguzzler-4000 then 20% of the time the wheel would fall off and your vehicle would roll over. What's more appropriate? Tell people to stop driving till the defect is fixed (but worry that some kid will start stealing hubcaps) or leave everyone in the dark about a potentially fatal defect? I side with full disclosure.

  • Fight Fire with Fire (Score:3, Interesting)

    by raehl (609729) <raehl311&yahoo,com> on Tuesday November 19, 2002 @01:02PM (#4708066) Homepage
    Ok, so Microsoft illegally uses their market power to drive competition out of the marketplace.

    Anti-microsoft zealots post the code to take advantage of an IE security hole, allowing malicious coders to erase Microsoft from the marketplace.

    Do both suck for the end user? Yes. But they're also both Microsoft's fault.

    Let's face it, this is a case where it is 100% ok to blame Microsoft for having a crappy product. If Ford screwed up and made a car that anyone could unlock and start by doing something special to it, allowing the car to be easily stolen by anyone, you wouldn't blame the guy who posted how to do it on the Internet, you'd blame the Ford engineers who screwed up the design in the first place and the people who let that mistake out of the factory.

    Microsoft screwed up, Microsoft customers get screwed over, Microsoft's fault.
  • Re:Yawn (Score:2, Interesting)

    by Tom (822) on Tuesday November 19, 2002 @01:11PM (#4708178) Homepage Journal
    No problem, just visit the IT department of any company near you that is using Windows for their corporate LAN.

    I'm a Unix admin, but I've often worked closely with the NT admins. I know that a considerable part of their day (which for the company means: salaries) is spent on all kinds of busywork that essentially compresses to damage control.
  • by JabberWokky (19442) <slashdot.com@timewarp.org> on Tuesday November 19, 2002 @01:24PM (#4708372) Homepage Journal
    keep in mind that your average non-technical user is not going to be checking for frequent patches.

    Since it's free and extraordinarily easy, why not? Most distros have single click or single commandline (often both) commands to update, with all security upgrades occurring, and offering new features.

    And it's that second part that makes me think people *will* be upgrading. Unlike many commercial software packages (and all of Microsoft's software), where you have to pay for the next version with the next features, it's free and automatic to upgrade and get more features. Your CD burning software suddenly supports VCDs, your KWord suddenly has mailmerge wizards, and... oh, that hole in SSH was fixed as well. People don't care about the latter, but they care about the features, and that pushes the bug fixes and security fixes along.

    --
    Evan

  • by daveaitel (598781) on Tuesday November 19, 2002 @01:26PM (#4708395) Homepage Journal
    Why exactly does the world feel entitled to control the results of research it did not pay for, and had nothing to do with? To wit, why would I, as a security researcher (see my web page for some examples), give away for free the results of my research to Microsoft, Sun, IBM, or any other company, when doing that research cost me significant time and money? The era of software vendors getting research for free is over. Now, they get it when everyone else gets it - whenever I have the spare time and energy to explain it in small words, or whenever they pay me money to do so, whichever comes first. I think you'll see more and more small consulting companies and independent researchers moving towards this policy. We don't need the "fame" from having a one line attribution in a vendor's advisory, and we have more lucrative things to do than explain every little aspect of our research to an ungrateful and frankly hostile vendor's "security response" staff.
  • by bergeron76 (176351) on Tuesday November 19, 2002 @01:28PM (#4708437)
    But this begs the question: Can MSFT be held responsible (in spite of the EULA) in a situation like this where a user "removed IE" (remember the US DOJ ruling, they have to provide the option) and didn't use Outlook or Outlook express, if they were to get infected? I only use Mozilla for email and browsing, but it occurred to me that IE is so "entrenched" in the core Windows code that even if it's removed, do they remove the dangerous parts or just the UI? Mozilla is my default browser, yet when I click on a link from Y! messenger, it spawns IE.

    Basically, my question is this: Can Microsoft be held accountable for negligence if I removed IE and still got wiped out by this thing because they didn't remove all of IE, as per the Court's ruling (on making it an optional component)?

    Wouldn't negligence in this regard supersede the EULA and make MSFT liable?

    Any legal beagles out there have any insight? (IANAL)

  • by e1en0r (529063) on Tuesday November 19, 2002 @01:31PM (#4708474) Homepage
    I actually posted a similar question [elenor.net] to "Ask Slashdot" about a year ago. It didn't get accepted, but basically it said the following:

    [snip] This brings up the question of whether or not the benefits of disclosing the information outweigh the problems. While attackers can exploit the holes, it pushes companies to release a patch as soon as possible. Personally I'm all for disclosing the full information. But that got me thinking about another example of security disclosure. After September 11 it was impossible to escape "news reports" speculating on the next terrorist attack and their next weapon. They mentioned that smallpox would be a good weapon and went on to detail why. They said we have no cure and we're not prepared for it and basically said that if they used that against us we'd be powerless to stop it. I also saw reports on the least secure airports and how people sneak weapons through security and so on. I was angry when I saw this information being broadcast for anyone, including terrorists, to see. They could easily use this information to plan another attack. The reporters were doing the terrorists' research for them. In theory, these are the same debates. Should vulnerability information be disclosed in order to better prepare for or fix the security hole? I'd be curious what other people think. Can you support full disclosure of security holes in software, but not support full disclosure of certain national security threats without being a hypocrite?
  • by Gyorg_Lavode (520114) on Tuesday November 19, 2002 @01:39PM (#4708562)
    If a vulnerability/exploit combination is already in the wild, making it more common is not inappropriate if the maintainer of the source has been contacted. In many cases it expedites the fix, which is important when there are no feasible workarounds.

    An example can be seen in the game everquest. There was an exploit that allowed characters to crash portions of the world with almost no effort. It was left in for months because it was mainly contained on one server. It had been /bugged and reported to the maintainers of the game multiple times w/o response.

    Finally, a player from the server became fed up and posted exactly how to exploit it on multiple message boards where it would be widely seen. Within days it was being used on ALL servers with regularity. It was patched in the next patch less than a week later.

    Companies deal with jobs related to their importance, which is not only the severity but the population affected (if anyone has watched Fight Club, when he's speaking about his job you get the idea). By spreading the knowledge the importance is increased. And Bugtraq is the best place to spread it as it will get out to as many people responsible for security as possible.

  • by Dephex Twin (416238) on Tuesday November 19, 2002 @01:51PM (#4708697) Homepage
    Does this not sound pretty absurd? That's like saying, "the police in my town are lazy and aren't cracking down on crime. That's why we need to start committing crimes left and right and encouraging others to do the same until the cops are motivated enough."

    Ummm, you do realize that in the meantime, you are committing crimes and screwing up innocent people's lives right? You do realize that it isn't the laziness of MS that *actually* does harm, but the fact that it allows malicious people to do bad things? Doing the malicious thing itself or helping people directly to do that is a heck of a lot worse than anything MS might be doing.
  • by SlashChick (544252) <ericaNO@SPAMerica.biz> on Tuesday November 19, 2002 @01:53PM (#4708710) Homepage Journal
    "Microsoft willfully decided not to fix this bug..."

    Actually, that's not exactly true. The article linked states:

    "[Microsoft's] final response were that the technique used to run programs with parameters from the 'Local computer zone' was no security vulnerability. A fix should instead be applied for all possibilities for content in the 'Internet zone' to access the 'Local computer zone'."

    This is entirely the right response from Microsoft. They don't want to fix the symptom; they want to fix the underlying problem. I think this should be applauded.

    However, fixing the underlying problem is much more advanced than simply fixing a single symptom. It involves finding all possible vulnerabilities for Internet zone sites to become Local zone sites and plugging those holes. It's an architecture change instead of a bug fix.

    I agree that Microsoft should release some sort of stopgap measure in the meantime, but every indicator I've seen says that they are taking the problem seriously and want to eliminate all possible vulnerabilities instead of one specific exploit. This is absolutely the right response to the problem.
  • Re:I disagree. (Score:3, Interesting)

    by ChaosDiscord (4913) on Tuesday November 19, 2002 @02:08PM (#4708878) Homepage Journal
    I agree that a reasonable waiting period is a good idea before disclosing an exploit. However, I disagree on why it is a good idea. It's a good idea because it's good for the many, many innocent users who have the regrettably exploitable system. By delaying disclosure of the exploit you make it harder for some (but not all) attackers to exploit the bug against these innocent users. However, you said, "Microsoft has a huge responsibility here" and "...it's a huge amount of trouble for Microsoft!" That this causes problems for Microsoft is irrelevant. I'll let the multi-billion dollar corporation worry about itself; its responsibilities are its own, not mine. (And I'd say the same about, say, Red Hat Linux. I'd delay an exploit release for the sake of Red Hat's users, not because I feel any responsibility to Red Hat or a desire to help Red Hat shoulder its responsibility.)
  • by baryon351 (626717) on Tuesday November 19, 2002 @02:34PM (#4709180)
    You're making things out to be too simple.

    No - it is that simple. If MS fixes a bug when they're told about it, there is no further problem (without including those who don't patch their systems, and that's irrelevant as I do so).

    What if you were one of the people affected by this exploit?

    Irrelevant. If MS had first fixed the bug quickly I could not be affected.

    what if you lost VERY important information because the bug was posted publicly?

    Irrelevant. If MS had first fixed the bug quickly I would not lose data because of this bug.

    what do you do when a script kiddie takes down an important server?

    I would realise Microsoft have proved themselves not worth my time, and consider changing platforms. As I have done.

    What if it happened to your precious macintosh?

    Irrelevant. This is an MS Windows bug. Similar Apple bugs have been fixed within hours.

    It could happen and it would because sites are TELLING PEOPLE HOW TO EXPLOIT

    Are you an apologist for the worst of Microsoft, or just not thinking? It would happen because Microsoft failed to fix a bug they knew about well beforehand, and because people continue to blindly run with vendors who just don't care beyond fresh sales $. You can apportion blame all you like further down the track, but once a vendor knows of a serious problem and makes a decision not to provide a remedy, all further consequences stem from that inaction.
  • Was it responsible (Score:4, Interesting)

    by I_redwolf (51890) on Tuesday November 19, 2002 @02:38PM (#4709235) Homepage Journal
    The Wired talks more about bugtrack's handling of the whole thing, and how it essentially posted working code for the exploit. Was it irresponsible or not?

    What's irresponsible is living in a fantasy world and thinking that Bugtraq are the only ones capable of exploiting a bug like that. Just because you don't talk about it and shh shh it doesn't make the bug disappear and unexploitable. Shit man just like any exploit someone is gonna write code to exploit it if it's in their interest or for fun or just because they are pure evil. With something like this; shit as soon as the exploit was posted I'm sure there were people writing code to exploit the shit.
  • Re:No!!! (Score:1, Interesting)

    by Anonymous Coward on Tuesday November 19, 2002 @02:38PM (#4709238)
    Yeah, Internet Exploiter is just so awful that it can justify deleting millions of people's hard drives causing thousands of hours of downtime. Nice. I love Slashdot with its, "ohh, it's M$, it's just so awful, oh noo!!" attitude. It's a solid browser that rarely gives me any problems. It's patched fairly regularly, so what's the problem?
  • Re:No!!! (Score:3, Interesting)

    by Beautyon (214567) on Tuesday November 19, 2002 @02:42PM (#4709279) Homepage
    Wake up you retard.

    Already awake; using Mozilla exclusively.

    MS-addicted office drones and the like don't take security seriously enough. Everyone (except maybe you) knows this. This is why those pathetic worms spread as quickly as shit through a goose, week after week.

    If one million people all got wiped out by one exploit, it would forever change the world's perspective about MS products. Certainly, all the people who have been warned for years would suddenly take the concept of switching from Outlook / IE much more seriously.

    Mass mailing worms are too easy to clean out with AV software. Everyone thinks that they are a minor issue at best.... Completely wiping a hard drive?

    That is something utterly different.

    It would be the ultimate wake up call. It would make a difference. Think about it; what if someone planted this on every link at the front page of CNN.com?

    Use your imagination.
  • by sean@thingsihate.org (121677) on Tuesday November 19, 2002 @03:00PM (#4709430) Homepage
    Many software vendors won't respond to a problem if they don't consider it a problem. They're not in it to make you happy or be your pal, they're in it to make money.
  • by Krellan (107440) <krellan@k[ ]lan.com ['rel' in gap]> on Tuesday November 19, 2002 @03:52PM (#4709883) Homepage Journal

    True. This URL was the first mentioned on Bugtraq when this exploit was announced.

    http://wwx.dino-soft.org/auto.html
    (scrambled for your protection, as always: change wwx to www)

    I tried it on two Windows 2000 machines.

    One is patched up to date, the other is somewhat out of date. Both have SP3, though.

    Results: The exploit failed on both machines.

    When clicking on the link, four things pop up, each popping up on top of the previous:

    1. The URL above, with text "Testing IE Execute Exploit"
    2. MSIE help window, standard help contents, exactly the same as hitting F1
    3. Empty "HTML Help" window, half size
    4. An error message box: "This operation can only function within HTML Help".

    So, I don't know the exact conditions that are needed to trigger this bug, but machines are not 100% vulnerable at this point.

  • by 95_gst_al (601102) on Tuesday November 19, 2002 @04:02PM (#4709961) Homepage
    I agree with you, but I also think they should link users to free programs to help them get started protecting their machines. Instead of just pointing out the flaw in their systems, tell them a handful of programs they could use and the cost of purchase for such programs. It would at least make the article seem helpful instead of just revealing the security flaw.
  • The Code Red Fix (Score:2, Interesting)

    by njhunter (613589) on Tuesday November 19, 2002 @04:48PM (#4710399)
    No more clogging of the Apache error logs looking for default.ida; default.ida will now exist with a JavaScript. Of course I'm not mean enough to delete their hard drive, but they might wonder why they left open a command window saying their computer is infected with Code Red.
  • by cranos (592602) on Tuesday November 19, 2002 @04:58PM (#4710473) Homepage Journal
    I fail to see how this is controversial in the least. It is just another bug found in a piece of software full of bugs. The guy reporting it gave Microsoft a full month before he went public, that should have been more than enough time to build a patch.

    As for the exploit itself, what's wrong with the code he wrote? If it scares the PHBs into actually demanding a more secure IE from MS then all the better.
  • by theendlessnow (516149) on Tuesday November 19, 2002 @05:07PM (#4710550)
    There has been a buffer overflow in the Unix login routine for quite some time. This problem affected Solaris 2.5.1 clear through Solaris 8. However, not many patched it UNTIL a VERY simple exploit was created that could be done by ANYONE with a Unix-like telnet client.

    In fact, there were a few machines for which we did not have root password and we used the exploit to patch the machine (closing the hole behind us).

    Having a very visible exploit definitely helps NOT only the vendor, but the reluctant administrator!

    Quality only comes through the finding (exploiting) of bugs. Covering up problems is not the answer. Ignoring problems for which there are no known exploits is also not the answer.

  • by TrevorB (57780) on Tuesday November 19, 2002 @08:40PM (#4712017) Homepage
    Well, here goes 2 mod points I spent on this thread...

    We've tested this on 4 boxes here. I actually took another variant of this script (the one that wrote a file to your C:\ folder and opened minesweeper) and modified it to run CHKDSK, and put it on my work webserver. The results:

    My desktop XP w/ IE6: blammo. It's exactly as they say it is. Brown trousers time.

    Co-workers Win2k w/ IE6: no effect. Much as you describe above

    WinNT box with IE5.5: blammo. More brown trousers time.

    Win98 box with IE5.5: no effect.

    While it doesn't seem to work on 100% of machines (Win##'s are immune?) it does seem to work on others.

    The script is just 30 lines long, and that's including spacing and comments. Even if MS came out with a quick patch, the amount of damage you could do to 50% of the PC/IE systems out there could be pretty staggering.

    Let's hope nobody hacks CNN and replaces their frontpage tonight.
  • by jefu (53450) on Tuesday November 19, 2002 @10:20PM (#4712684) Homepage Journal
    If I discover that there is a serious (i.e., reformat hard drive) hole in a product (i.e., IE), what are my options?
    • Say Nothing
      Not a good choice. Someone else will find it and potentially abuse it badly. This is the classic action of a stupid "Keep it secure through obscurity." fool. Often enough the original vendor.
    • Notify the Vendor/Manufacturer (V/M)
      An OK choice. In my experience V/Ms are all too likely to do their best to bury the hole and any knowledge of it till they've published a fix. That's OK, but big organizations tend to take a while to get the fix out, during which time the Bad Guys may be abusing it.
      I've also been seriously insulted by people representing V/Ms who have said things like "You shouldn't oughta do that.", or "It's not a bug, it's a feature.", or "Nobody would ever do anything like that." or worse. One of my favorites was good ole DEC who told me after I sent them a bug report (and potentially a security hole) - and a commented fix - that I really shouldn't be looking at the code (it was early DEC Ultrix and we had a source license as well as source and the license for the ATT/BSD code on which it was built). A V/M gets one such message these days and then I won't tell them. I've usually found these bugs/holes while doing perfectly legitimate things, so the "don't do that" response is just a mite annoying. (Or (sigh) in the process of making and fixing bugs.)
      In another case it took the threat of publication to get the system admins to fix a problem - one that involved the tax records for a major metropolitan (um) state.
    • Send it out to the Bad Guys
      Not a good choice. Certainly involves serious ethical issues and potentially legal problems as well.
    • Publish it for all to see
      Rather a good choice. The V/M sees the bug just as quickly as in sending it to them directly and gets an added incentive to fix it. But until the bug is fixed the people who don't get the news are vulnerable. "There you have it."
    • Send the info to a third party with an interest and reputation for being honest.
      Quite a good choice - especially if they pass it on to the original V/M.
    • None of the above
    • All of the above
    My personal current choice is (more or less) all of the above. I'll send the info to the original V/M (if they've not managed to peeve me too much previously) and to a second party (Symantec, CERT) as appropriate. I'll then wait some reasonable time (time enough, however minimally, for a fix to be found and circulated) and publish it more widely, then after a bit more time just announce it to everyone who will listen.

    Leaving it a secret, or limited in knowledge to only myself and a laggard V/M seems to me to be just as ethically remiss as sending it out to the Bad Guys. And sending it out to the world is so much more likely to result in something.
