Another Critical Microsoft Hole
gmuslera writes "As if the recent vulnerability in IE that can run any program on an unpatched Windows system was not enough, now there is another one, related to an ActiveX control, that can make IE and IIS run any code in the system. The Microsoft solution? Kill the related ActiveX control and replace it with a safe one. The Microsoft problem? As this control is Microsoft signed, any site can require it, upload it and replace the "good" one with the vulnerable one. The final recommendation from Microsoft? Don't trust/run ActiveX controls signed by Microsoft." Gimble points to the appropriate locations on Microsoft's website: "Another buffer overrun (that allows arbitrary code to be run) has been admitted to by MS, and it affects IIS and IE on clients (but not on XP), and they have a patch available here Security Hotfix for Q329414. The kicker is that a patched system can be rendered vulnerable again by a hostile web site or HTML email. The 'solution' from MS in Microsoft Security Bulletin MS02-065 recommends that you remove MS from the list of Trusted Publishers."
why? (Score:1, Interesting)
It's getting tiring to see all this sarcasm, like open source is so free of bugs or something...
what can one do? (Score:2, Interesting)
The joke is to say never. But with Microsoft controlling however many trillions of computers, it seems like something they should seriously be addressing. And more seriously than they are.
Re:Sound Advice (Score:3, Interesting)
Incredible... (Score:3, Interesting)
--
What steps could I follow to prevent the control from being silently re-introduced onto my system?
The simplest way is to make sure you have no trusted publishers, including Microsoft.
--
Re:why? (Score:5, Interesting)
who still use Windows...
I've got half a dozen software packages that
are currently only available for Windows or
Mac, and as I don't like Macs, I'm stuck
with Windows for the time being.
This kind of story is "News for Nerds", and
as such, is, IMO, much more valid a story than
most that get posted here.
And as far as the Open Source comment; yes,
Open Source systems have bugs. However, I
don't know of a single one that will have a
website pop-up ask you to download a major
security hole under the name of trusted
computing.
Do you?
I found it amusing... (Score:5, Interesting)
Re:why? (Score:3, Interesting)
Also, Windows is more popular, so this sort of thing affects more people, especially clueless ones, the ones we need to educate to switch to Opera (ohokay, Mozilla then)
Use separate certificates for each control? (Score:5, Interesting)
Wouldn't it make sense for them to just sign every control with a DIFFERENT certificate, so when one is found to be flawed they can revoke the cert and only the new version will install easily?
It's not like MS can't afford the cost of the individual certs, if they aren't a CA themselves already...
MS buffer overrun theory (Score:4, Interesting)
The lack of an snprintf method in the DevStudio standard C lib causes MS developers to use the unbounded sprintf instead, potentially resulting in buffer overruns.
What do you think?
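The bounded formatting the comment above contrasts with sprintf, as an added example that is not part of the thread or of any Microsoft code. The function names, the "user=%s" format and the 16-byte buffer are constructed for illustration, and a C99 snprintf is assumed.

```c
#include <stdio.h>
#include <string.h>

/* Assumes C99 snprintf semantics: output is always NUL-terminated when
   cap > 0, and the return value is the length the full result needs. */

/* Length of "user=<name>" without writing anything (hypothetical helper). */
int required_len(const char *name)
{
    return snprintf(NULL, 0, "user=%s", name);
}

/* Bounded replacement for sprintf(out, "user=%s", name).
   Returns 0 if the whole string fit, -1 if it was truncated or failed.
   On truncation, out still holds a NUL-terminated prefix. */
int format_bounded(char *out, size_t cap, const char *name)
{
    int n;
    if (out == NULL || cap == 0)
        return -1;
    n = snprintf(out, cap, "user=%s", name);
    if (n < 0) {            /* encoding error: leave an empty string */
        out[0] = '\0';
        return -1;
    }
    return ((size_t)n < cap) ? 0 : -1;
}

int main(void)
{
    char buf[16];           /* constructed fixed-size destination */
    const char *inputs[] = { "alice", "a-very-long-constructed-name" };
    size_t i;
    for (i = 0; i < 2; i++) {
        int rc = format_bounded(buf, sizeof buf, inputs[i]);
        printf("need=%d rc=%d buf=\"%s\"\n",
               required_len(inputs[i]), rc, buf);
    }
    return 0;
}
```

With sprintf the second input would write past the end of the 16-byte buffer; here the caller gets -1 and can reject the input or allocate `required_len(name) + 1` bytes.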
Migrate away (Score:2, Interesting)
I know we've seen a million security problems from MS before, but this one (for me at least) is the last straw.
Re:So what.. (Score:5, Interesting)
Hang on, let me catch up here. Did Linus digitally sign a control in a subsystem designed to download code from any old webserver you might happen upon and run it as root while I was looking the other way? And did he, after it was discovered that such a system is not perfectly, 100%, safe *astonished look* issue a warning on the Linux kernel developer mailing list stating, in effect, that he's a jackass and people should stop trusting him with anything more dangerous than a moist sponge in a bathtub?
I don't think so.
Re:More Bias (Score:2, Interesting)
I'd have to agree with you that it gets tiring seeing IE exploit of the week ( or day ) and the retreaded jokes and karma whores. But then maybe you can filter them in your preference?
The thing is MS is the system that is allegedly on 90%+ of the desktops in the USA and maybe the world. They didn't get there legally and they do not take security, law, or human rights seriously. They spend millions on advertising, FUD and outright lies. So in the end I guess I don't mind suffering the constant reminders as to why I don't use any of their products. What other news source reports this stuff?
Besides, nothing puts a smile on my face in the morning like a cup of coffee and a new MS exploit.
Kind Regards
I don't understand... (Score:4, Interesting)
Re:This is big (Score:2, Interesting)
If you want to run windowsupdate (to remove security risks
The only system that doesn't trust Microsoft is an out-of-the-box unpatched one - and then you are fried anyhow...
A clear Catch-22
Re:WTF ? (Score:3, Interesting)
From bulletin:
===
Why not revoke the certificate that was used to sign the control?
The certificate that was used to sign the control is still valid - the problem lies in the control, not the certificate. In addition, a number of controls have been signed using the same certificate, and revoking the certificate would cause all of them to become invalid.
===
Additionally, there is this tidbit, about killing the control w/o revoking the certificate:
===
Will Microsoft eventually set the Kill Bit on this control?
Yes. Microsoft is developing a new technology that will enable it to set the Kill Bit on the vulnerable version of the control without forcing users to re-author web pages containing references to these controls. When the new technology is available, we will ensure that this fix uses it.
===
Bottom line: they *could* revoke the certificate, but it would screw up other controls that use it.
Re:More Bias (Score:4, Interesting)
Until that day, I'll get my kicks from MS bashing. You've read and heard the things Baller & co have said about Linux (I particularly liked the "Linux is unamerican" comment, hehe)
So cease thy whining and either bash or don't. No need to pass judgement unless you're prepared to accept that the whole world is guilty of the behaviour you are so desperate to eschew.
Re:Microsoft knows best (Score:3, Interesting)
In Microsoft's Technet Security Bulletin MS02-065 [microsoft.com]. It's linked from the submission and still not Slashdotted. However, as a free service (maybe you're afraid of surfing to untrusted websites), I am hereby reproducing some of the juicy bits:
Please note that this will generate a warning message EVERY TIME you encounter an ActiveX control - whether it is signed or unsigned. So how would you tell the difference between a 'bad' Microsoft-signed control and a 'good' one (ignoring for a moment the inherent badness in ActiveX)? The short answer is: You can't. You're toast. Muahahahaha!
All I see is not to trust an ActiveX pop-up warning that might be coming from someone OTHER than Microsoft...
Not that easy, I'm afraid. First, if you have been a good astroturfer you have undoubtedly checked the "Always trust content from Microsoft Corporation" checkbox the first time you saw it (or your keeper checked it for you). Therefore, you will NOT be getting a pop-up warning. Second, the pop-up warning you may get if you haven't added Microsoft to your list of Trusted Publishers does indeed come from Microsoft. Bill Gates more or less personally guarantees the security and validity of Microsoft Corporation's digitally signed certificates (unless they've been hacked again, but that's so unlikely that it probably didn't even happen the first time).
Oh and if I see M$ or Micro$oft one more time I'm going to puke...
Most astroturfers do. It's a feature of your implants and nothing to be ashamed of.
I realize most /.ers use IE, but... (Score:5, Interesting)
Don't trust Linux either... (Score:4, Interesting)
Open Source and Linux: 2002 Poster Children for Security Problems
November 12, 2002
Open source software is now the major source of elevated security vulnerabilities for IT buyers. Security advisories from Cert for the first 10 months of 2002 show that open source and Linux software accounted for more than half of all advisories. The poster child for security glitches is no longer Microsoft; this label now belongs to open source and Linux software suppliers.
Read more here [aberdeen.com]
Re:why? (Score:2, Interesting)
Okay, let's face it. The average
And in that "common perception", Windows has one hell of a large chunk of market share. No amount of
Also, who doesn't like seeing the big dog getting taken down a peg? It's "American" nature to root for the underdog, and that means wishing all kinds of nasty things to happen to the big dog. It just so happens that Microsoft does so many things to shoot themselves in the foot, or at least wing themselves, according to the editors here.
And no, Open Source is not free of bugs. But you know what? It sure seems to have a damn sight less, and they seem to get fixed faster.
Kierthos
What if - it were not a security hole at all ... (Score:2, Interesting)
Re:WTF ? (Score:1, Interesting)
The result wasn't pretty. Readers believed that cryptography was a kind of magic security dust that they could sprinkle over their software and make it secure. That they could invoke magic spells like "128-bit key" and "public-key infrastructure." A colleague once told me that the world was full of bad security systems designed by people who read Applied Cryptography."
-Bruce Schneier
Re:why? (Score:3, Interesting)
Re:WTF ? (Score:3, Interesting)
> systems designed by people who read Applied Cryptography
Apparently the Microsoft code-signing system is one of them.
We can go back and forth all day long about the quality of that or any book; it happens to be one I get a great deal of use from. Fact of the matter is, there are open, standard public-key infrastructures that are designed such that this "problem" wouldn't be a problem at all, just a barely noticed update to the CRL that wouldn't disturb anything else in the system. Microsoft got infected with the Not Invented Here syndrome, and Windows admins are now suffering the results.
This thread is tiresome, so I'll leave it at that. Cheers. =)
Re:Don't trust Linux either... (Score:1, Interesting)
Isn't it better for an advisory to be made and the software patched fully (Note: I don't consider what they are doing in this case to constitute fully) than to have fewer advisories but the holes to remain?
Re:Don't trust Linux either... (Score:2, Interesting)
If you look at the DETAILS of many Linux advisories, you will find that many of them have no known exploits but rather a POTENTIAL that it MAY be possible to exploit the flaw. Also, 2002 is not over yet, and we have had several REALLY nasty MS flaws come to life. Aberdeen may have to restate the results.
If the study looked at the severity of advisories on some sort of scale, the results would be quite different.
Note the WORDING of this press release: Open source software is now the major source of elevated security vulnerabilities for IT buyers.
Excuse me? IT buyers? What, do I BUY vulnerabilities for Linux now? From who, Microsoft? Anyone with a little intelligence can see right through this crap. When you use the word "buyers" you are dealing with marketing. PR. Spin. By the way, who paid for this study?
Anyway, what's that old saying again? There are lies, damn lies, and statistics.
.NET has similar design flaw (Score:4, Interesting)
So this is news because it blows the doors off the signed executable philosophy and makes the sandbox philosophy of the Java VM look like the only viable approach. Notice that the Java approach would have avoided both problems. First, it would have avoided the buffer overrun problem in the first place since that would be caught by the VM when it examined the code, and second, there would be no signed app trustworthiness issue.
CNN (Score:4, Interesting)
I really like that the mainstream press is using "yet another" here. Think about your neighborhood: if somebody down the street gets burglarized, it's a terrible thing, but it's an isolated incident, and in a couple of days, you'll unload the shotgun and soundly again. But when two houses a week get broken into, well, you're gonna start acting like there's a pattern here.
What will happen when people start treating Microsoft's security lapses like the epidemic they are?
Windows Update (Score:3, Interesting)
Does Windows Update require signed ActiveX controls?
If so, I presume the default action would be to trust Microsoft controls? Will this mean that the majority of users will be exposed to this problem?
Re:He's right about the fonts (Score:4, Interesting)
While that would be better for Mozilla (more bugs would be found faster, and there would be more incentive to become as homogenous across platforms as possible), I'm not sure if it would help Windows users all that much because by default Windows users are at or near the equivalent of root users. Windows is a security-weak OS. Granted, integrating something like a web browser so tightly with the OS doesn't help, but the problem is still that regular Joe user is still allowed to do a lot of damage on his own with little or no checks and balances. Don't get me wrong. I don't like Windows, and I choose to run Linux on my desktop, but Microsoft-related security problems go a lot deeper than just IE.
Personally, I'm not sure there's a way around this problem. Attackers are smart and well-informed. Not being fooled into running bad stuff requires knowledge, a healthy dose of skepticism, and vigilance. The problem with Microsoft software in general is that it makes it trivial for the ignorant user to run bad stuff. If all the buffer overflow and security holes were fixed tomorrow, it still wouldn't stop companies from developing spyware, nor would it stop attackers from using social engineering to find ways into systems. This plagues even the non-MS world (look at the recent compromises in OpenSSL and sendmail).
Here's an analogy: Imagine that I was a "car cracker", and I devised a way to sneak into gas stations and replace their fuel with sugar water. NO ONE would notice until their cars stopped running and their engines seized. Why? Who smells or tastes or tests gasoline from the pump before it goes into their car? The only real thing stopping someone from actually doing something like this is the logistics of cracking a gas station's fuel supply. As a result, people have a reasonable (and yes, in this case it is reasonable) amount of trust in what's coming out of the pump (even if it is gas-ohol).
However, it's much easier in the world of easily-reproducible flying bits to do something very similar. There's a much smaller barrier there. Now users really should smell/taste/test their gasoline before they put it into their car. The only problem is, just like with the car analogy, there's little to no tools available to make that process available to the common consumer. What's worse is that even if they were, the common consumer is so lazy, they probably wouldn't take advantage of them unless they were forced to.
No, I am not an advocate of DRM. I hate the stuff. If anyone ever tells me I can't use my computer the way I want, I'll kill 'em (metaphorically...I don't wish actual physical harm to befall anyone...it's not my place to judge and dispense punishment). My point is that Windows has a very long way to go before these types of problems will become manageable again, with or without Internet Explorer.
In a lot of situations, installing software is less like putting gas in your car and more like buying 50 kilos of cocaine. In that scenario the buyer doesn't trust that the seller hasn't cut the dope. As a result he has the tools (guns and methods of determining drug purity) to help ensure the transaction goes smoothly.
Okay, maybe that analogy doesn't work either, but I think you get my point.
Re:Windows specific? (Score:3, Interesting)
It sounds like the same one that runs on every other Mozilla platform.
If that were true, then the behavior of the following would be the same across platforms:
document.forms.FORMNAME;
document.forms["FORMNAME"];
Note: the first statement works in all versions of IE that support JavaScript on both the Windows and Mac OS X platforms. The first statement doesn't work in any version of Mozilla except the Windows versions. Several conclusions might be drawn from this: