Catch up on stories from the past week (and beyond) at the Slashdot story archive

 


Forgot your password?
Close
typodupeerror
×
Security

Microsoft Bug May Attract Big Worm 261

Posted by timothy from the and-it's-a-big-'un dept.
daveq writes "Several sources report that a serious new Microsoft vulnerability has been found. Experts expect it to be exploited heavily."
This discussion has been archived. No new comments can be posted.

Microsoft Bug May Attract Big Worm More

Microsoft Bug May Attract Big Worm

Comments Filter:

  • For the lazy...... (Score:4, Informative)

    by dirkdidit ( 550955 ) on Wednesday March 19, 2003 @07:57PM (#5548546) Homepage
    WASHINGTON -- Microsoft Corp. on Wednesday warned about a serious flaw in almost every version of its popular Windows software that could allow hackers to seize control of a person's computer when victims read e-mails or visit Web sites.

    Microsoft assessed the problem's urgency as critical, its highest level, and urged customers to download a free repairing patch immediately from its Web site, www.microsoft.com/security.

    The company said it was unaware of any reports that hackers already had used the technique to break into computers, but the time between disclosure of a new flaw and such break-ins has become increasingly short.

    Russ Cooper, a security expert for TruSecure Corp., based in Herndon, Va., predicted that antivirus software will be updated to protect users who might receive infected e-mails and that Web sites with infected pages would be shut down quickly once they are detected.

    "I doubt we will see an attack based on this," Cooper said. "It's pretty unlikely any such exploit attempt will get legs."

    The problem involves tricking Windows into processing unsafe code built into a Web page or e-mail message. It was particularly unusual because it affected so many different versions of Windows, from Windows 98 to its latest Windows XP editions.

    There was some good news. Microsoft said customers using the newest versions of its e-mail software, Outlook Express 6 and Outlook 2002, were protected from hackers trying to exploit the problem using e-mails.

    Older versions of Outlook would also be safe if customers had manually applied another security patch, which Microsoft released in 2000 after the spread of the damaging "ILOVEYOU" virus.

    Microsoft said customers could manually adjust settings hidden deep within its Internet Explorer browsing software to prevent Windows from processing the dangerous code. Experts, however, said that was not easy to do for many users and that it would cripple convenient functions for many popular Web sites.

    • Re:For the lazy...... (Score:5, Funny)

      by gordyf ( 23004 ) on Wednesday March 19, 2003 @08:09PM (#5548675)
      "It's pretty unlikely any such exploit attempt will get legs."

      Worms don't have legs anyway, do they?
    • "increasingly short". Sort like getting more less.

    • Re:For the lazy...... (Score:3, Interesting)

      by nolife ( 233813 )
      Microsoft said customers using the newest versions of its e-mail software, Outlook Express 6 and Outlook 2002, were protected from hackers trying to exploit the problem using e-mails.

      They should have add the following, "or if you are using just about any other mail reader besides ours."

      I love how MS attempts to twist the story here and appears to make it look like you should only be using the most recent versions of THEIR software to be safe. They completely fail to mention that the only reason any of t

  • In order to keep it secret... (Score:5, Funny)

    by rasafras ( 637995 ) <tamas@@@pha...jhu...edu> on Wednesday March 19, 2003 @07:58PM (#5548550) Homepage
    Top officials have decided to post it on Slashdot.

  • Is this Monday? (Score:5, Funny)

    by spanky1 ( 635767 ) on Wednesday March 19, 2003 @07:58PM (#5548551)
    I thought Monday was the official MS patch day [slashdot.org]? As an MS admin I'm not expected to work two days a week, am I?

    • Re:Is this Monday? (Score:5, Funny)

      by Sloppy ( 14984 ) on Wednesday March 19, 2003 @08:03PM (#5548619) Homepage Journal
      You have to this week, because of Linux. After Microsoft's weekly publicity blitz on Monday with the IIS bug, Linux fired back with a local root exploit, thus stealing the limelight. Microsoft, which is feeling very threatened by Linux these days, could not let that stand.

      The big question is whether or not The Penguin will escalate with another salvo tomorrow. If so, you will have a busy Windows-patching session before the week ends.

      Ain't competition great?

      • Ain't competition great?

        Now that was funny!

        I have both ms and linux servers, and it has been patch city all week. At least I know why. You know what they say, bad press is better than no press...
  • Already patched, thanks in part to VNC.
  • This story is being given big licks because everybody with a desktop thinks MS rules the world.

    Of course, MS has been getting screwed in the server market for years and so this is not quite as big as they think...plus it's a week old story!

  • Heh. (Score:2, Funny)

    by Black Parrot ( 19622 )


    The Early Bird OS?

  • There seems to be some discrepency here... (Score:5, Interesting)

    by DataPath ( 1111 ) on Wednesday March 19, 2003 @07:58PM (#5548566)
    From an AP article:
    "I doubt we will see an attack based on this," Cooper said. "It's pretty unlikely any such exploit attempt will get legs."

    Russ Cooper is a security expert for TruSecure Corp., based in Herndon, Va.

    There seems to be some disagreement on the exploitability of this.

  • Not webdav (Score:5, Informative)

    by ryanr ( 30917 ) <ryan@thievco.com> on Wednesday March 19, 2003 @07:59PM (#5548580) Homepage Journal
    Half the stories linked to are for the wrong vuln. I think they're supposed to be warning us about this one:

    http://www.microsoft.com/security/security_bulleti ns/ms03-008.asp [microsoft.com]
    • Which stories are you reading? So far all the headlines have been:
      • Microsoft flaw leads to military hack
      • Military Web server hacked
      • Army dodged bullet on Win 2000 vulnerability; experts wait for wider attacks
      • Microsoft flaw leads to military hack A dupe link in a dupe story now how about that!

      Every one of these links refers to MS03-007 and not MS03-008.

  • what day is it again? (Score:5, Funny)

    by GweeDo ( 127172 ) on Wednesday March 19, 2003 @07:59PM (#5548581) Homepage
    It is monday...time to patch my Windows Boxes... It is tuesday...time to patch my Linux boxes... It is hump day...time to patch my Windows Boxes again... Crap...what is Thursday gonna bring! And what is this gonna do to my loverly uptime!
    • It is hump day...time to patch my Windows Boxes again... Crap...what is Thursday gonna bring!

      Thursday, time to patch the SunRPC holes in Solaris. I WAS about to implement a central NFS server for our workstations, but Sun has so many problems with their RPC implementation resulting in root exploits I think I'll have to look for something else.

  • They are not talking about the vulnerability discussed in this previous slashdot story [slashdot.org]?

    Considering how much exploited was this particular flaw, I don't think that a lot of servers will remain unpatched, but, anyway, I still receiving so much hits from CodeRed and Nimda that I will not be surprised if such worm have a big success.

    • I doubt that a lot of servers are going to be effected by this, especially considering that this comes from JScript from a server or HTML email.

  • Big Worm? (Score:5, Funny)

    by LesPaul75 ( 571752 ) on Wednesday March 19, 2003 @08:00PM (#5548589) Journal

    I heard he smoked a fool over 20 bucks!

  • Web security news and papers (Score:1, Informative)

    by Anonymous Coward
    www.cgisecurity.com [cgisecurity.com]
    www.cgisecurity.com/lib [cgisecurity.com]
  • Big worms are unusually fond of Apples.

    You might want to cover your Macintosh with a thin layer of paraffin, or place it in a plastic bag this week; that should deter any worms.

  • How to check if you are vulnerable (Score:5, Funny)

    by gmuslera ( 3436 ) on Wednesday March 19, 2003 @08:05PM (#5548634) Homepage Journal
    From the Microsoft security bulletin
    ---------------
    How to Check Which Version You Have

    If you are unsure whether a product you are running is affected by this issue, check the version.

    To determine which version of Microsoft Windows you are running:

    1. On the taskbar at the bottom of your screen, click Start, and then click Run.
    2. In the Run dialog box, type: winver
    3. Click OK.
    A dialog box displays the version that you are running.
    -------------

    If it say "Microsoft " and something else, you are vulnerable.
  • Can we just have a Microsoft hack/exploit/bug page that is always there. This will spare the rest of us the repeated bombardment of notices. Old7

  • Can bug affect hotmail or yahoo email? (Score:1, Interesting)

    by Anonymous Coward
    Or must you be using Outlook for email to be vulnerable to this bug? The Microsoft website is extremely vague on this matter.
    • The attacker would first have to send you an e-mail message or entice you into visiting a malicious Web site.

      Yes, since it seems that it is actually the Windows Script engine (shared by IE, OE and the OS) that is the problem.

      For more: click here. [microsoft.com]

    • This affects all users who view HTML webpages with Internet Explorer or view HTML email on their windows box with an old version of Outlook or Outlook Express. If you are using another browser or email program you are still vulnerable if scripting is enabled. This is a problem with processing JScript. This is a problem for most M$ boxes. If using one please upgrade to another OS or update using windows update.
    • The webmail sites usually do some javascript filtering, but there have been bypasses for those filters in the past, and probably will be in the future. If you're using IE to read mail on those sites, there's always a chance this bug might bite you.

  • lets play a game (Score:4, Funny)

    by xao gypsie ( 641755 ) on Wednesday March 19, 2003 @08:08PM (#5548667)
    lets guess at how many root name servers will go down this time.....weee!!!

    xao

  • MPL (Score:1, Flamebait)

    by houseofmore ( 313324 )
    "Several sources report that a serious new Microsoft vulnerability has been found."

    Maybe this is there version of "open source".
  • Yet another buffer overflow. In Windows. Yet another opportunity to send email viruses in Outlook. Yet another opportunity for Linux geeks to make fun of "M$."

    While this is important news for Windows users, I expect MS has already told them. Move along, nothing to see here.
  • /me retreats hurredly back to the security stronghold of his Linux system
  • Experts expect it to be exploited heavily.

    Celebration times come on!
    With slashdot now reporting speculations on future events, we can drop shit on Microsoft even before bad things have happened!
  • "I doubt we will see an attack based on this," Cooper said. "It's pretty unlikely any such exploit attempt will get legs."


    I like it how he doesn't go on to give any tecnical reasons why there won't be widespread exploit attempts.

  • Pbbbbttt (Score:1, Redundant)

    by the eric conspiracy ( 20178 )
    Slashdot quality control at it's finest.

    DUPE DUPE DUPE DUPE DUPE DUPE DUPE DUPE DUPE DUPE DUPE DUPE DUPE DUPE DUPE DUPE DUPE DUPE DUPE DUPE

    Hey guys.... how about writing a routine that chacks URLs in submitted storries vs. those already posted? Surely that would cut down on these repeats.

    • It's not a dupe. RTFA!

      Believe it or not, Microsoft has had more than one security flaw in it's operating systems (just like Linux!!). This isn't the same bug as the one mentionned yesterday. Duh!

      Had you read the article, or indeed, any of the previous comments, you'd have realised that you're as dumb as someone who wants to bomb Iraq for Oil.

      Nick...

  • Two separate vulnerabilities (Score:5, Informative)

    by nweaver ( 113078 ) on Wednesday March 19, 2003 @08:21PM (#5548781) Homepage
    #1 is the WebDAV vulnerability, affecting IIS 5 on Win2k. This is the one used to corrupt the military web server in question, and is a very worm friendly (arbitrary remote execution) vulnerability. This is the most likely target of a worm, as it can be purely automatic (a'la slammer and Code Red), and gives full system access.

    #2 is a script engine vulnerability, allowing an email message or web page to execute arbitrary code. Although good for mail worms, this is less autonomous-worm friendly: it's a good secondary way to cross a firewall, but users need to read the email to spread, making a slower worm, something in the ballpark of an auto-executing Klez: a pain but nothing catastrophic. It also runs as the user, not as sysem, making it a (somewhat) less valuable exploit when targeting Win2k/XP.

    Both are serious vulnerabilities which require patching, however.

  • In case you are curious... (Score:5, Informative)

    by Elwood P Dowd ( 16933 ) <judgmentalist@gmail.com> on Wednesday March 19, 2003 @08:22PM (#5548790) Journal
    No, you are not crazy. These articles are all refering to the other MS issue this week: IIS's WebDAV remote buffer overflow attack.

    There is, however, a new issue today. Use Windows Update. This new issue would allow operators of a malicious website to remote root your machine if you navigate to them. This applies to all (!) versions of Windows since Win98.

    The worm-friendly bug is the old bug. So, technically speaking, this post is 100% dupe. It just happened to (luckily?) coincide with another MS security issue.
    • This one is more worm friendly than the other. You know, Klez, Sircam, etc, ARE worms, and some of the most sucessful email worms are so because IE vulnerabilities (like the iframe bug). So this, that can be activated by a html mail, is the perfect opportunity for a big mail worm, and maybe easier to do than an obscure buffer overflow.

    • Quoteth the parent:

      This new issue would allow operators of a malicious website to remote root your machine if you navigate to them.
      According to Microsoft's advisory this exploit is only able to run with user priviledges. Although on Win9x this is always "root" it really shouldn't be the case on 2000 and XP. Because you really don't use your Administrator-account to browse the web, do you?
    • It just happened to (luckily?) coincide with another MS security issue


      Considering how often such issues come up, it's almost inevitable that such "coincidences" should happen semi-regularly.

  • Big worm (Score:5, Funny)

    by RenHoek ( 101570 ) on Wednesday March 19, 2003 @08:23PM (#5548795) Homepage
    I usually use a thumper to call Shai-Hulud.

    Truth suffers from too much analysis.
    Ancient Fremen Saying

  • Microsoft's lesson from Herbert (Score:5, Funny)

    by whm ( 67844 ) on Wednesday March 19, 2003 @08:24PM (#5548806)
    Walk without rhythm, and you won't attract the worm.

    Shai-Hulud's a-coming!
  • Surf without I.E.
    it won't attrack the worm

    Surf without I.E.
    and it won't attrack the worm

    Surf without I.E.
    and it won't attrack the worm

    Surf without I.E.
    ah, you'll never burn


  • From the "Mitigating Factors" section of Microsoft's bulletin:

    - For an attack to be successful, the user would need to visit a website under the attacker's control or receive an HTML e-mail from the attacker.

    They forgot some other mitigating factors, like:

    - the user's machine would have to be connected to a source of AC power

    etc.
  • look for a lot of default.htm's to be rewritten this weekend with an image of saddam hussein and the text "all your base belong to us... i mean, iraq"

    the press will call it the "mother of all worms" ;-P

  • Oh yeah, baby... (Score:5, Funny)

    by grub ( 11606 ) <slashdot@grub.net> on Wednesday March 19, 2003 @08:41PM (#5548914) Homepage Journal

    Microsoft Bug May Attract Big Worm

    So there I was at a Halloween party. This woman dressed up as a giant insect walks up. I realise she has a Microsoft logo on the chest of her costume.

    I was hooked.

    "So," she asked "does me being a Microsoft Bug make your Big Worm want to come out and play?" I was flabbergasted.. There I was being asked this by the woman of my dreams and I was wearing a Tequila Bottle costume...

  • Let's not give anyone any ideas now... It wouldn't surprise me if there are a dozen different worms running around the internet tomorrow.

    /. is almost as bad as how CNN was during the Rodney King Riots...

  • The problem involves tricking Windows into processing unsafe code built into a Web page or e-mail message ...

    Microsoft said customers could manually adjust settings hidden deep within its Internet Explorer browsing software to prevent Windows from processing the dangerous code. Experts, however, said that was not easy to do for many users and that it would cripple convenient functions for many popular Web sites.

    IOW, it's Yet Another Java 'Sploit; turn off ActiveX and Javascript [or just not use IE] and yo

  • I sometimes wonder (Score:5, Interesting)

    by sielwolf ( 246764 ) on Wednesday March 19, 2003 @08:50PM (#5548977) Homepage Journal
    If any of this does any good (outside of warning Windows admins). People who have used computers for twenty years still have no idea how these exploits and bugs work. They think that Kevin Mitnick can hack a computer with a telephone (ala Scanners) but don't think twice about double-clicking an email from "1337user@aol.com".

    I sometimes think that education has been a problem, as all of these reports usually come with a verbose "what this does, what it doesn't, what you should do." So then I go on to think that it must be some sort of lethargy on the part of Joe End User. So then I think that a serious entrance learning curve would do the trick (i.e. stick every one on some old terminals).

    But I think a threshold has been crossed. People now need to use computers. Colleges and businesses are going paperless, demanding a higher level of computer savvy... but all the while ignoring basic user compotence. Computer use is either "so simple a monkey could do it" or "impossible for anyone but geeks to understand". It's as if most users are satisfied to never understand how their "magic box" works.

    This wouldn't bother me too much if it didn't seem that this same disease has seemingly infected a significant minority of admins out there (considering how ridiculously some of these viruses spread). Of course many of these seem to be (in my experience) non-CS academic types who "need" Unix workstations but are uninterested in protecting them.

  • Contradictions from the experts (Score:5, Interesting)

    by dstone ( 191334 ) on Wednesday March 19, 2003 @08:59PM (#5549044) Homepage
    Russ Cooper, moderator of the NTBugTraq security list and a security expert for TruSecure Corp., seems to be contradicting himself in two stories on the same day (or is being misquoted). Make of this what you will...

    This story [gcn.com] quotes Cooper: "I do expect that in the next seven to 10 days we're going to see a worldwide wave" of attacks, probably via an Internet worm, Cooper said Wednesday. "And it will be effective."

    And this story [nwsource.com] quotes Cooper: ""I doubt we will see an attack based on this," Cooper said. "It's pretty unlikely any such exploit attempt will get legs.""

    • Re:Contradictions from the experts (Score:4, Informative)

      by ryanr ( 30917 ) <ryan@thievco.com> on Wednesday March 19, 2003 @09:49PM (#5549369) Homepage Journal
      Probably because they are about two different vulns. Since the webdav hole is known to have an exploit already being used in the wild, it's pretty safe for Russ to say that it will be used. :)

      He's probably also not too far off with the jscript integer overflow either. It's usually difficult to write an exploit that will work for all the different OS and jscript.dll versions, without simply crashing on a mismatched version. That makes an effective worm a lot less likely.

  • The Details (Score:5, Informative)

    by Anonymous Coward on Wednesday March 19, 2003 @09:01PM (#5549054)
    Technical details

    Technical description:

    The Windows Script Engine provides Windows operating systems with the ability to execute script code. Script code can be used to add functionality to web pages, or to automate tasks within the operating system or within a program. Script code can be written in several different scripting languages, such as Visual Basic Script, or JScript.

    A flaw exists in the way by which the Windows Script Engine for JScript processes information. An attacker could exploit the vulnerability by constructing a web page that, when visited by the user, would execute code of the attacker's choice with the user's privileges. The web page could be hosted on a web site, or sent directly to the user in email.

    Although Microsoft has supplied a patch for this vulnerability and recommends all affected customers install the patch immediately, additional preventive measures have been provided that customers can use to help block the exploitation of this vulnerability while they are assessing the impact and compatibility of the patch. These temporary workarounds are discussed in the "Workarounds" section in the FAQ below.

    Frequently asked questions:

    What's the scope of the vulnerability?

    This is a buffer overrun vulnerability. An attacker who successfully exploited this vulnerability could cause code of his or her choice to be executed as though it originated on the local machine.

    What causes the vulnerability?

    The vulnerability is caused by a heap overflow in the Windows Script Engine for the JScript scripting language, JScript.dll.

    What is a scripting language?

    Scripting languages can be used to add additional functionality to HTML web pages or operating systems. They can enable a web author to set and store variables, and work with data in the HTML code. For instance, a script can be used to check the version of the web browser a user is running, validate input, work with applets or controls, and communicate to the user.

    In addition, scripts can be used in Windows to automate operating system tasks such as changing settings or mapping a network drive.

    What is a scripting engine?

    The Windows Scripting Engine serves as the component within Windows that interprets and executes script code written in scripting languages such as JScript or VBscript.

    What is JScript?

    JScript is the Microsoft implementation of the ECMA 262 language specification (ECMAScript Edition 3).

    It is an interpreted, object-based scripting language. In general, JScript has fewer capabilities than full-fledged object-oriented languages like C++. Stand-alone applications cannot be written in JScript, for example. JScript scripts can run only in the presence of an interpreter or "host", such as Active Server Pages (ASP), Internet Explorer, or Windows Script Host.

    What's wrong with the Windows Script Engine for JScript?

    There is a flaw in the way the JScript scripting engine processes the script. It does not correctly size a buffer during a memory operation.

    What could this vulnerability enable an attacker to do?

    This vulnerability could enable an attacker to cause code of the attacker's choice to run with user privileges on the system.

    If I am not using Internet Explorer do I need the patch?

    Yes. The vulnerability exists in the Windows Script Engine. Microsoft recommends all customers install the patch immediately.

    How could an attacker exploit this vulnerability?

    The attacker would need to construct a web page that contained specially formed script code. The attack could then proceed via either of two vectors. In the first, the attacker could host the web page on a web site; when a user visited the site, the web page could launch the script and exploit the vulnerability. In the second, the attacker could send the web page as an HTML mail. Upon being opened by the recipient, the web page could attempt to invoke the function and exploit the vulnerab

  • Windows Update not working? (Score:5, Interesting)

    by mtcrowe ( 86952 ) on Wednesday March 19, 2003 @09:08PM (#5549102)
    Has anyone tried to use Windows Update to grab this patch? I'm running WinXP at work and just tried to hit Windows Update to let it auto-magically determine which update(s) to send to me. However - it came back and said everything was already hunky dory, no patches available.

    I checked www.microsoft.com/security and looked up the MS03-008 patch for XP. It had a Qfix number starting with 8. I then compared against the Qfixed installed in my add/remove programs listing and it wasn't there...

    I'm wondering whether they forgot to include that patch on the WU site for WinXP users. Seems to me like that would be one of the most critical places to put it for all of the normal user-folk.

    So, I manually downloaded and installed the "Js56en" patch on WinXP and it took.

    As an aside - I was very concerned when MS announced the Windows Scripting Host functionality. My thinking at the time (and again now) is that they allow so many file types to be executed that there's just no way they can keep all of the bugs out of all of those interpreters. Figured it would just be a matter of time..

  • another dupe? (Score:5, Funny)

    by theraccoon ( 592935 ) on Wednesday March 19, 2003 @09:08PM (#5549105) Journal
    Wasn't this story posted last month... And the month before? And the week before that? And the month before...
  • From the advisory, which is now in my mailbox, (though it wasn't a few hours ago when I left work) Microsoft was initially notified last July, iDefense's (paying) clients were notified in January and we, the great unwashed, are just hearing about this now.

    Actually the receptionist(!) at work forwarded me a news story about this from the local tabloid newspaper this afternoon, but the article was so non-technical that it was impossible to tell what exploit they were talking about (and there were no links
  • Maybe this is a stupid question, but what is the point of enabling such feature as running executable code received in an e-mail? I know what everybody on Slashdot think (except for those 1337 H4X0RZ who find this useful). I just want to know the answer from inventor of this "feature".

    s/feature/bug/g if $OS=="Windows"

  • Hey everyone,

    Has anyone found a place to download this patch without Windows Update? After recent discoveries [slashdot.org] I'm kinda reluctant...

    Thanks!

  • Hearing about this bug, I thought I should run another Windows Update on my game box... just to be safe. Well, it ran as normal, but when I rebooted (as you ALWAYS have to do after an update), I noticed something strange. I didn't get the usual login prompt.

    Aparrently, the update apparently broke my Windows Networking! I tried it on a couple other computers, and they all did the same thing. Network was still working fine for TCP/IP, but I couldn't see any other computers in the "Neighborhood".

    Only w

  • There was one worm going around about a year and a half ago, that would get launched from the preview screen without the email being specifically opened. Well, we had finally gotten it mostly cleaned from our systems and one guy was checking his hard drive. He clicked on a file he didn't recognize, it tried to show the web-formatted document in a preview, and launched the script again.

    i guess my point is that many people will launch the script without opening the email, simply because as soon as the he
  • Microsoft: 2
    Linux: 1

    Bets for the end of the week, anyone?
  • Yep. I expect angry kids or intelligence agencies to start doing damage to the internet at some point if this war lasts.
  • Microsoft bug may attract big women ?

    I'm sitting there thinking -- why would fatties have a thing for Microsoft? Bloated code?

    Oh, never mind. Just wanted to blow some karma chunks.

Slashdot Top Deals

"Just think, with VLSI we can have 100 ENIACS on a chip!" -- Alan Perlis

Close