Exploit Based On Leaked Windows Code Released
mischief writes "A post to Bugtraq from SecurityTracker.com reports an Internet Explorer 5 exploit that has been released based on the Win2K code leak: 'It is reported that a remote user can create a specially crafted bitmap file that, when loaded by IE, will trigger an integer overflow and execute arbitrary code.' Only affects IE 5 apparently, but still - it didn't take long!"
See! (Score:4, Funny)
(trigger-fingered mods: that's a joke)
so THATS why it was leaked (Score:5, Funny)
"/Dread"
Re:Open Source More Secure... maybe not (Score:5, Funny)
The bitmap in question... (Score:4, Funny)
-m
What the fuck? (Score:4, Funny)
Fuck MSFT, it's called bounds checking, e.g.
1. load int from char array
2. check int against sizeof(yourbuffer)
3. reject if greater
Not exactly a challenging task. I guess they're too busy adding in all that crapware to actually code at least one thing right.
Tom
No Problem (Score:5, Funny)
Oh wait.
Smells (Score:0, Funny)
Well I got IE6 (Score:5, Funny)
Anyone surprised? (Score:3, Funny)
Maybe the once-a-month patching schedule's going to have to be revised though.
Re:You thought Microsoft were tardy with (Score:4, Funny)
Weird... I would have sworn that it was called Windows XP.
-m
Re:Funny comment by the bugtraq submitter (Score:5, Funny)
Boogle... (Score:3, Funny)
I guess all those advertising^W software engineering dollars that MS spent on their security initiative were not^W well spent.
Re:You thought Microsoft were tardy with (Score:5, Funny)
Re:You thought Microsoft were tardy with (Score:5, Funny)
Re:Open Source More Secure... maybe not (Score:5, Funny)
Hehe
Re:See! (Score:4, Funny)
The virus writer used the links to the SECURITY_HOLE references in holes.bas module from the VB.NET code that IE is written in.
Re:What the fuck? (Score:5, Funny)
1. load int from char array
2. check int against sizeof(yourbuffer)
3. user=root if greater
Gone.. But Never Forgotten (Score:5, Funny)
Good thing all those Goatse pictures were in
Business plan (Score:3, Funny)
1. Fake a source code leak of some of the shittiest code in your projects
2. Act surprised
3. Wait for people to look at code and publish found holes, getting free QA resulting in major savings
4. Create Patch before major damages
5. Sue person who found hole
6.
7. Double PROFIT!
</conspiracy theory>
Re:The bitmap in question... (Score:5, Funny)
Re:What the fuck? (Score:5, Funny)
It went something like this:
You position yourself behind a functional input screen, and start hammering viciously and blindly. The latter is important, the more blind the better, it invokes the Holy Random God. Repeat for 5 minutes. You repeat this for each input screen.
If the screen showed anything similar to "ERROR: OTHER INPUT EXPECTED" it passed.
If it showed anything similar to "OK, 98zxc3v4^DD^C^Z NEW CUSTOMERS ADDED" or failed to read at all due to overly blinkeyness or so, it failed.
I understand MS needs more monkeys.
"/Dread"
Re:What the fuck? (Score:3, Funny)
scanf("%s", whatoverflow);
;-)
occurrences of " Don't Care " in MS code (Score:5, Funny)
$ grep -ir " don't care "
332
check it yourself
This is not BAD news (Score:5, Funny)
Re:I'll be first to say it (Score:5, Funny)
I can see the headlines now;
"New exploit found in IE5"
"Yet another exploit found in IE5"
"Exploit found in Minesweeper"
"Exploit found in Notepad"
"Yet another exploit found in Minesweeper"
"Yet another exploit found in Notepad"
"New exploit found in IE5"
"God damn! Another exploit found in Minesweeper"
.
.
.
"Exploit found in taskbar"
"Exploit found in Times New Roman"
"Exploit found in bootstrap"
"Exploit found in Wingdings"
"Exploit found in
Sounds pretty redundant and boring to me.
-m
Re:And awaaayyy we go! (Score:3, Funny)
Yeah, let's hope that the source code for Konqueror or Mozilla never gets leaked... No telling what kinds of exploits might pop up then.
Re:What the fuck? (Score:3, Funny)
1. Look at bitmap, get scared.
2. user == root
They also merged in a backdoor so the attacker wouldn't have to embed it in the bitmap
3. open port 1234 as a rsh automatically logged in.
Tom
Re:Text of advisory (Score:2, Funny)
I cant wait (Score:5, Funny)
However, I feel bad for the "slashdot team" of the Microsoft PR department. I doubt those guys will have Presidents' Day off. They might even have to pay extra for an additional delivery of "bulk mod points".
Time to MS proof what it says (Score:4, Funny)
That's all I was hoping to see. MS says that its response time for bugs is lower than Open Source response time.
Now we have a released bug, and I want to see how long it will take until MS fixes this bug.
Somebody, please, monitor this bug (or teach me how to monitor it)
Re:Get the source code from Freenet (Score:5, Funny)
This reminds me of "The Ring" (Score:5, Funny)
Re:But the question is... (Score:3, Funny)
Contaminated! (Score:5, Funny)
I will no longer be able to code a buffer reading algorithm with an overflow bug without violating Microsoft's IP.
Re:Text of advisory (Score:5, Funny)
I doubt anyone would consider showing 10 lines or so of source code out of millions a copyright violation
SCO does.
I wrote that code (Score:4, Funny)
Re:What the fuck? (Score:5, Funny)
Re:What the fuck? (Score:5, Funny)
I'm disappointed (Score:5, Funny)
Re:Ha Ha Only Serious (Score:2, Funny)
Ha, that reminds me of a recent article on devx [devx.com]. This guy demonstrates how being a little stupid and misinformed can lead you down all kinds of wrong paths.
His argument is that some crazed open source hacker is going to put a back door in an open source program. Further he presents this as a disadvantage of open source when compared to closed software. Because, of course, it is so much easier to hide backdoors in programs that EVERYONE HAS THE SOURCE CODE TO. No one could even hide a backdoor in a program that nobody except the developers have seen the code for. That is unpossible. Right.
Re:What the fuck? (Score:5, Funny)
IE code (Score:3, Funny)
Re:off topic, but orthogonal kind of prompted this (Score:5, Funny)
It's an obscurity that provides extra security against exploits like buffer overflows.
Re:huh (Score:5, Funny)
You say that as if it were unusual. ;)
Re:Text of advisory (Score:3, Funny)
Re:Text of advisory (Score:1, Funny)
Re:Source Code (Score:2, Funny)
"guarantee"
Patch is already released!!! (Score:2, Funny)
Re:Open Source More Secure... maybe not (Score:5, Funny)
It's like seeing your sister naked. Ack!
I don't know. I always thought your sister was pretty hot.
Re:off topic, but orthogonal kind of prompted this (Score:0, Funny)
Find a serious unpatched bug and... (Score:1, Funny)
Re: of been (Score:5, Funny)
It could of been me that was modded insightful for of-ing no grammatical skills.
Well, you know the old saying... birds have a feather, etc.
Of a nice day!
Re:Open Source More Secure... maybe not (Score:3, Funny)
why BMP? (Score:1, Funny)
Re:huh (Score:5, Funny)
I'm a safety-conscious Windows user! I never login as "root"! I just use the "Administrator" account instead!
Re:Open Source More Secure... maybe not (Score:1, Funny)
'Specially Crafted Image' (Score:4, Funny)
-db
Re:And counting (Score:3, Funny)
According to the comp.basilisk faq [nature.com] about Basilisks (images that cause system crashes in wetware):
10. Is it true that Microsoft uses basilisk booby-traps to protect Windows 2005 from disassembly and pirating?
We could not possibly comment.
use it for change! (Score:5, Funny)
Hmm.. (Score:4, Funny)
Who Runs IE 5 anyway? (Score:5, Funny)
Help-About Internet Explorer-.....Never mind my previous comment.
Re:Text of advisory (Score:2, Funny)
Re:stop knocking Microsoft (Score:2, Funny)
Re:well, the source is out there (Score:2, Funny)
Line 3: replace "int" with "unsigned int"
Do I need to be anonymous for this to work?
Re:Open Source More Secure... maybe not (Score:5, Funny)
20% Troll
10% Insightful
Welcome, Microsofties!
Re:Open Source More Secure... maybe not (Score:4, Funny)
The Patch [mozilla.org].
Scott
(Come on, you knew this answer was coming!)
Take That Back! (Score:1, Funny)
Re:Exposing Your Identity (Score:2, Funny)
Re: of been (Score:2, Funny)
You're the sort have guy I admire.
You could of noted the grammatical humor, but instead you chose to be have a cleverer sort.
Shame about the lead paint in your nursery.
Re:Open Source More Secure... maybe not (Score:3, Funny)
I like it (Score:2, Funny)
There are also no exposed pointers in Java, thus no way to clobber the stack by writing to a negative array offset, as in this exploit. Reading or writing to a negative array offset in Java will result in a RuntimeException of some sort. Buffer overflows are also impossible in Java, since writing off the end of an array will result in a similar exception.
I say:
Yes, I agree completely. The next version of Windows should be written in Java.
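The bounds-checking recipe from the "it's called bounds checking" comment earlier in the thread (load the int from the file, compare it against the buffer size, reject if greater) and the point just above about negative array offsets, applied to the file format the advisory is about. This is an added example written for this page; it is not code from the leaked tree, from the exploit, or from the advisory. The field offsets are the public BITMAPFILEHEADER/BITMAPINFOHEADER layout; the names bmp_validate, bmp_build_header, bmp_check_case and the BMP_MAX_PIXEL_BYTES policy limit are choices made here, and the inputs are constructed test data.

```c
/* Added example: checked parsing of a BMP header. Every size the file supplies
 * is sign- and range-checked before it is used as a length or an offset. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

enum { BMP_OK = 0, BMP_ERR_SHORT, BMP_ERR_MAGIC, BMP_ERR_DIMS,
       BMP_ERR_OVERFLOW, BMP_ERR_OFFSET, BMP_ERR_TRUNCATED };

/* Largest pixel array this decoder will accept (an assumed policy limit). */
#define BMP_MAX_PIXEL_BYTES ((uint64_t)256 * 1024 * 1024)

static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Validate a BMP file image of 'len' bytes. On success *pixel_bytes receives the
 * pixel array size, which is then guaranteed to lie inside the buffer. */
int bmp_validate(const uint8_t *buf, size_t len, size_t *pixel_bytes)
{
    if (len < 54) return BMP_ERR_SHORT;               /* 14-byte file header + 40-byte info header */
    if (buf[0] != 'B' || buf[1] != 'M') return BMP_ERR_MAGIC;

    uint32_t data_offset = rd32(buf + 10);
    uint32_t hdr_size    = rd32(buf + 14);
    int32_t  width       = (int32_t)rd32(buf + 18);   /* signed in the format */
    int32_t  height      = (int32_t)rd32(buf + 22);   /* negative means top-down rows */
    uint16_t bpp         = rd16(buf + 28);

    if (hdr_size < 40 || (uint64_t)14 + hdr_size > len) return BMP_ERR_SHORT;

    /* Steps 1-2 of the recipe: these ints came from an untrusted file, so check
     * sign and range before any arithmetic. A negative width, or INT32_MIN as a
     * height, would otherwise become a huge count or a negative offset. */
    if (width <= 0 || height == 0 || height == INT32_MIN) return BMP_ERR_DIMS;
    if (bpp != 1 && bpp != 4 && bpp != 8 && bpp != 24 && bpp != 32) return BMP_ERR_DIMS;
    uint32_t rows = height < 0 ? (uint32_t)(-height) : (uint32_t)height;

    /* Row stride = width*bpp bits rounded up to a 4-byte boundary. Done in 64 bits
     * so a large width cannot wrap, then checked against the policy limit before
     * multiplying by the row count (that product can wrap even 64 bits). */
    uint64_t stride = (((uint64_t)width * bpp + 31) / 32) * 4;
    if (stride > BMP_MAX_PIXEL_BYTES / rows) return BMP_ERR_OVERFLOW;
    uint64_t total = stride * rows;

    /* Step 3: the pixel array must start after the headers and fit in the file. */
    if (data_offset < (uint64_t)14 + hdr_size || data_offset > len) return BMP_ERR_OFFSET;
    if (total > len - data_offset) return BMP_ERR_TRUNCATED;

    if (pixel_bytes) *pixel_bytes = (size_t)total;
    return BMP_OK;
}

static void wr32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Build a 54-byte little-endian header with the given fields (constructed test data). */
void bmp_build_header(uint8_t out[54], int32_t width, int32_t height, uint16_t bpp, uint32_t data_offset)
{
    memset(out, 0, 54);
    out[0] = 'B'; out[1] = 'M';
    wr32(out + 10, data_offset);
    wr32(out + 14, 40);                  /* BITMAPINFOHEADER size */
    wr32(out + 18, (uint32_t)width);
    wr32(out + 22, (uint32_t)height);
    out[26] = 1;                         /* colour planes */
    out[28] = (uint8_t)bpp; out[29] = (uint8_t)(bpp >> 8);
}

/* Validate a constructed file of 'file_len' zero-padded bytes carrying the given
 * header fields; returns the bmp_validate() status (-1 if file_len is unusable). */
int bmp_check_case(int32_t width, int32_t height, uint16_t bpp, uint32_t data_offset, size_t file_len)
{
    static uint8_t file[4096];
    if (file_len < 54 || file_len > sizeof file) return -1;
    memset(file, 0, sizeof file);
    bmp_build_header(file, width, height, bpp, data_offset);
    return bmp_validate(file, file_len, NULL);
}

int main(void)
{
    /* 2x2 at 24 bpp: stride 8, pixel array 16 bytes, file of 54 + 16 = 70 bytes. */
    printf("sane 2x2 image: %d\n", bmp_check_case(2, 2, 24, 54, 70));
    /* Width and height of 2^30 at 32 bpp: stride * rows would be 2^62 bytes. */
    printf("huge dims:      %d\n", bmp_check_case(1 << 30, 1 << 30, 32, 54, 70));
    /* Negative width read from the file as a signed int. */
    printf("negative width: %d\n", bmp_check_case(-16, 16, 24, 54, 70));
    /* Pixel offset pointing past the end of the file. */
    printf("bad offset:     %d\n", bmp_check_case(2, 2, 24, 4000, 70));
    /* Header claims more pixel data than the file actually carries. */
    printf("truncated:      %d\n", bmp_check_case(64, 64, 24, 54, 70));
    return 0;
}
```

The overflow check deliberately compares the stride against the limit divided by the row count instead of checking the product afterwards: once the multiplication has wrapped, the result looks small and sane, which is exactly the condition the advisory describes.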
FUCKING TROLLS! (Score:3, Funny)
If MS is doing its work they will check the exploit's code and fix it in a timely fashion.