Exploit Based On Leaked Windows Code Released

mischief writes "A post to Bugtraq from SecurityTracker.com reports an Internet Explorer 5 exploit that has been released based on the Win2K code leak: 'It is reported that a remote user can create a specially crafted bitmap file that, when loaded by IE, will trigger an integer overflow and execute arbitrary code.' Only affects IE 5 apparently, but still - it didn't take long!"

See!

[Anonymous Coward]

More proof that code who's source is open is less secure!

(trigger-fingered mods : thats a joke)

so THATS why it was leaked

[SlashDread]

to fix it...

"/Dread"

Re:Open Source More Secure... maybe not

[The Unabageler]

OTOH M$ should thank the code thiefs for expediting their QA process :-)

The bitmap in question...

[lacrymology.com]

Of course the bitmap is of a penguin! More ammunition for the M$ FUD campaign.
-m

What the fuck?

[tomstdenis]

What the fuck in a bitmap renderer could overflow and cause such problems?

Fuck MSFT it's called bounds checking. e.g.

1. load int from char array
2. check int against sizeof(yourbuffer)
3. reject if greater

Not exactly a challenging task. I guess they're too busy adding in all that crapware to actually code at least one thing right.

Tom

No Problem

[Jedi1USA]

Microsoft just needs to get a copy of the leaked code and look it over for potential exploits.

Oh wait. :^)

Smells

[first.last]

Smells like bullshit....like the jpeg virus hoax a few years back. IMAGE FILES CANNOT RUN COMMANDS!!!!

Well I got IE6

[superpulpsicle]

So I should be all set for the next 2 days until the next major security flaw is found.

Anyone surprised?

[LearnToSpell]

Anyone? Come on, there's a million /. readers. Somebody must have thought this wasn't going to happen.

Maybe the once-a-month patching schedule's going to have to be revised though.

Re:You thought Microsoft were tardy with

[lacrymology.com]

"It's called IE6"

Weird... I would have sworn that it was called Windows XP.
-m

Re:Funny comment by the bugtraq submitter

[Anonymous Coward]

This means that the exploit is so obvious that even a 14 year old can figure it out.

Boogle...

[mark_space2001]

I guess I should have expected that someone would start posting bug fixes to Windows when I heard that the code was got released, but I'm still surprised that they are finding actual exploits in the code.

I guess all those advertising^W software engineering dollars that MS spent on their security inititive were not^W well spent.

Re:You thought Microsoft were tardy with

[cgranade]

And here I was thinking it was called Mozilla [mozilla.org].

Re:You thought Microsoft were tardy with

[Lifewish]

Mine's called "Linux". Seems to fix a whole host of problems.

Re:Open Source More Secure... maybe not

[1010011010]

Finally, Microsoft's "Trustworthy Computing" exercise begins in earnest.

Hehe

Re:See!

[Lumpy]

Nahh...

The virus writer used the links to the SECURITY_HOLE refrences in holes.bas module from the VB.NET code that IE is written in.

Re:What the fuck?

[vontrotsky]

I think it went more like

1. load int from char array
2. check int against sizeof(yourbuffer)
3. user=root if greater

Gone.. But Never Forgotten

[halo8]

a specially crafted bitmap file

Good thing all thoes Goatse pictures where in .jpeg .gif and .tiff

Business plan

[loconet]

<conspiracy theory>
1. Fake a source code leak of some of the shittiest code in your projects
2. Act surprised
3. Wait for people to look at code and publish found holes, getting free QA resulting in major savings
4. Create Patch before major damages
5. Sue person who found hole
6. ...??
7. Double PROFIT!
</conspiracy theory>

Re:The bitmap in question...

[p4ul13]

This [millan.net] seems to be what the BMP would look like.

Re:What the fuck?

[SlashDread]

In the old days, when I was young system admin, it was called "Monkey Testing".

It went something like this:
You position yourself behind a functional input screen, and start hammering viciously and blindly. The latter is important, the more blind the better, it invokes he Holy Random God. Repeat for 5 minutes. You repeat this for each input screen.
If the screen showed anything similar to "ERROR: OTHER INPUT EXPECTED" it passed.
If it showed anything similar to "OK, 98zxc3v4^DD^C^Z NEW CUSTOMERS ADDED" or failed to read at all due to overly blinkeyness or so, it failed.

I understand MS needs more monkeys.

"/Dread"

Re:What the fuck?

[tomstdenis]

char whatoverflow[3];

scanf("%s", whatoverflow);

;-)

occurances of " Don't Care " in MS code

[Anonymous Coward]

i wanted to post this in the first MS leak story, but oh well, here it is now.

$ grep -ir " don't care " /win2k/* | wc -l
332

check it yourself

This is not BAD news

[IamGarageGuy 2]

I see this is good news in that there is going to be an ongoing stream of exploits in Windows. This is good news. Think of all of the boxes that will be broken in the next few months. I should mention that I make a living fixing Windows boxes. I also fix Mac and Linux - but there isn't really much money in fixing them.

Re:I'll be first to say it

[lacrymology.com]

"We have an interesting 6 months ahead of us, folks."

I can see the headlines now;

"New exploit found in IE5"
"Yet another exploit found in IE5"
"Exploit found in Minesweeper"
"Expolit found in Notepad"
"Yet another exploit found in Minesweeper"
"Yet another exploit found in Notepad"
"New exploit found in IE5"
"God damn! Another exploit found in Minesweeper"
.
.
.
"Exploit found in taskbar"
"Exploit found in Times New Roman"
"Exploit found in bootstrap"
"Exploit found in Wingdings"
"Exploit found in ...."

Sounds pretty redundant and boring to me. ;)

-m

Re:And awaaayyy we go!

[bshroyer]

Can the same thing happen to linux?

Yeah, let's hope that the source code for Konqueror or Mozilla never gets leaked... No telling what kinds of exploits might pop up then.

Re:What the fuck?

[tomstdenis]

MS optimized it [their innovative]

1. Look at bitmap, get scared.
2. user == root

They also merged in a backdoor so the attacker wouldn't have to embed it in the bitmap

3. open port 1234 as a rsh automatically logged in.

Tom

Re:Text of advisory

[myowntrueself]

So now the /. servers are going to be raided by DMCA police? Time to move offshore, guys! ;)

I cant wait

[Edmund Blackadder]

I cant wait to read a whole thread of slashdot people saying "i told you so".

However, i feel bad for the "slashdot team" of the microsoft PR department. I doubt those guys will have presidents day off. They might even have to pay extra for an additional delivery of "bulk mod points".

Time to MS proof what it says

[famazza]

That's all I was hoping to see. MS says that it reponse time for bugs is lower then OpenSource reponse time.

Now we have a released bug, and I want to see how long will it take until MS fixes this bug.

Somebody, please, monitor this bug (or teach me how to monitor it)

Re:Get the source code from Freenet

[Anonymous Coward]

You bastard! That's my IP address!!!

This reminds me of "The Ring"

[MetaMarty]

Did you hear about the image that kills your computer whenever you view it?

Re:But the question is...

[Apiakun]

And the other question: How long would Microsoft have lasted?

Contaminated!

[esnible]

You have 'contaminated' me.

I will no longer be able to code a buffer reading algorithm with an overflow bug without violating Microsoft's IP.

Re:Text of advisory

[grub]

I doubt anyone would consider showing 10 lines or so of source code out of millions a copyright violation

SCO does. :)

I wrote that code

[AragornSonOfArathorn]

I guess I shouldn't have lied about my certifcations during the interview...

Re:What the fuck?

[corbettw]

By any chance, did the program come up with the entire works of Shakespear?

Re:What the fuck?

[AstroDrabb]

I understand MS needs more monkeys.

It appears they have their fair share already [ntk.net]

I'm disappointed

[Greedo]

No one has yet posted a modified version of the goatscx photo that takes advantage of this security "hole".

Re:Ha Ha Only Serious

[CodeRx]

"Linux? Good god no, man! Didn't you see what happened when just a bit of the Microsoft source code got leaked? I thought you were up on these things!"

Ha, that reminds me of a recent article on devx [devx.com]. This guy demonstrates how being a little stupid and misinformed can lead you down all kinds of wrong paths.

His argument is that some crazed open source hacker is going to put a back door in an open source program. Further he presents this as a disadvantage of open source when compared to closed software. Because, of course, it is so much easier to hide backdoors in programs that EVERYONE HAS THE SOURCE CODE TO. No one could even hide a backdoor in a program that nobody except the developers have seen the code for. That is unpossible. Right.

Re:What the fuck?

[Walterk]

I bet some MS exec misinterpreted it and used the monkeys for the coding, and not testing.

IE code

[Anonymous Coward]

So there was some IE 5 code in there? Too bad it wasn't the IE 4 code, I hear you can summon demons by reading that out loud.

Re:off topic, but orthogonal kind of prompted this

[orthogonal]

By the way, does anyone know why the bitmap formap [sic] is writte [soc] upside down?

It's an obscurity that provides extra security against exploits like buffer overflows. ;)

Re:huh

[tverbeek]

a well-seasoned older programmer who has the social skills of a 13 year old?

You say that as if it were unusual. ;)

Re:Text of advisory

[prockcore]

Oh my god! I read the source! Now I'm tainted! All future code written by me will inadvertantly contain MS's copyrighted and patented signed int overflow techniques!

Re:Text of advisory

[Anonymous Coward]

Thanks to Microsoft AutoParody Wizard!

Re:Source Code

[Maserati]

I don't do spelling flames often, but I will for a Farscape quote in a .sig.

"guarantee"

Patch is already released!!!

[iamwahoo2]

It is called Firefox and can be downloaded at Mozilla.org!

Re:Open Source More Secure... maybe not

[OsCarJ]

It's like seeing your sister naked. Ack!

I don't know. I always thought your sister was pretty hot.

Re:off topic, but orthogonal kind of prompted this

[Anonymous Coward]

writte [soc] [sic]

Find a serious unpatched bug and...

[Anonymous Coward]

..instead of making your own worm, go and hack the evil corp and steal all their code. That would be really ironic and fun :)

Re: of been

[Anonymous Coward]

I wish that I would of thought have that.

It could of been me that was modded insightful for of-ing no grammatical skills.

Well, you know the old saying... birds have a feather, etc.

Of a nice day! :)

Re:Open Source More Secure... maybe not

[fetus]

The patch is called "IE 6"

why BMP?

[Anonymous Coward]

bitmaps are not a particluarly clever choice to use on the Ineternet. there are JPEGs, PNGs etc. that are much better suited for the web. But as a side smirk - it is highly amusing to see microsoft products die trying to read microsoft formats

Re:huh

[poot_rootbeer]

Who browses as root? Oh, yes, thats right Windows users.

I'm a safety-conscious Windows user! I never login as "root"! I just use the "Administrator" account instead!

Re:Open Source More Secure... maybe not

[ostrich2]

I think you misunderstand: he's talking about your sister.

'Specially Crafted Image'

[bokmann]

That is a little funny... Isn't a 'specially crafted image' the same 'exploit' that Geordie LaForge came up with for introducing a virus into the borg collective? Remember the first episode with 'Hugh'?

-db

Re:And counting

[Viadd]

Sure, sooner or later hotmail will stop showing bmps in messages and issue a warning like "if you get a message, do not open it, but delete immediatly"

According to the comp.basilisk faq [nature.com] about Basilisks (images that cause system crashes in wetware):
10. Is it true that Microsoft uses basilisk booby-traps to protect Windows 2005 from disassembly and pirating?
We could not possibly comment.

use it for change!

[tau_]

So, where's the .bmp I can link to my web site that makes IE5 remotely execute Mozilla Firefox installer?

Hmm..

[Anonymous Coward]

I can see the ultimate virus now: you click an innocent-looking link, it takes you to a goatse bmp, and the exploit will lock your keyboard and mouse...leaving you utterly defenseless! Oh the horror!

Who Runs IE 5 anyway?

[vwjeff]

I mean really, who runs IE 5 anyway. I'm sure that most corporate network admins keep up with updating IE. Let me check on a random company machine...

Help-About Internet Explorer-.....Never mind my previous comment.

Re:Text of advisory

[Anonymous Coward]

worse than that, it contains a "goto" statement... *shudder*

Re:stop knocking Microsoft

[BCW2]

That kind of thinking explains the collapse of the British Empire completly.

Re:well, the source is out there

[gnu-generation-one]

"Wouldn't it be interesting to see the patch come out later today, from an anonymous source!"

Line 3: replace "int" with "unsigned int"

Do I need to be anonymous for this to work?

Re:Open Source More Secure... maybe not

[1010011010]

60% Funny
20% Troll
10% Insightful

Welcome, Microsofties!

Re:Open Source More Secure... maybe not

[bach37]

Where can I download the patch for IE5?

The Patch [mozilla.org].

Scott
(Come on, you knew this answer was coming!)

Take That Back!

[Anonymous Coward]

We, the members of MSDA (Monkey Software Developers of America), are deeply offended by what you imply. We are much better developers than MS and smell better too.

Re:Exposing Your Identity

[gooman]

You tell 'em. Someone called the cops the last time I exposed myself.

Re: of been

[Anonymous Coward]

You of a keen wit.

You're the sort have guy I admire.

You could of noted the grammatical humor, but instead you chose to be have a cleverer sort.

Shame about the lead paint in your nursery.

Re:Open Source More Secure... maybe not

[Rysc]

Yes, but you didn't post the uptimes.

I like it

[scribblej]

You said:
There are also no exposed pointers in Java, thus no way to clobber the stack by writing to a negative array offset, as in this exploit. Reading or writing to a negative array offset in Java will result in a RuntimeException of some sort. Buffer overflows are also impossible in Java, since writing off the end of an array will result in a similar exception.

I say:
Yes, I agree completely. The next version of Windows should be written in Java.

FUCKING TROLLS!

[jotaeleemeese]

Of course you realize that it is absolutely pointless.

If MS is doing its work they will check the exploit's code and fix it in a timely fashion.