Exploit Based On Leaked Windows Code Released
mischief writes "A post to Bugtraq from SecurityTracker.com reports an Internet Explorer 5 exploit that has been released based on the Win2K code leak: 'It is reported that a remote user can create a specially crafted bitmap file that, when loaded by IE, will trigger an integer overflow and execute arbitrary code.' Only affects IE 5 apparently, but still - it didn't take long!"
Open Source More Secure... maybe not (Score:5, Insightful)
huh (Score:2, Insightful)
When you break the law and possibly expose thousands of users to a root exploit, at least you could be politically correct about it.
"GAYER THAN AIDS", what the hell?
I hope they sue him..
You thought Microsoft were tardy with (Score:2, Insightful)
Re:Open Source More Secure... maybe not (Score:5, Insightful)
> like this secret as well.
Yeah, but if Windows were truly open source then there's no chance it'll just be sat on for six months...
It may not have been a secret to everyone (Score:5, Insightful)
Re:Open Source More Secure... maybe not (Score:5, Insightful)
In other words, had the source code for IE been OSS from day one, then the bug might very well have been found and fixed before the application was widely distributed.
But the question is... (Score:4, Insightful)
Re:Open Source More Secure... maybe not (Score:2, Insightful)
Microsoft wants us to upgrade to XP (Score:3, Insightful)
Or maybe it is a ploy by Microsoft to force users to upgrade to XP
Bugs (Score:5, Insightful)
I for one am truly alarmed and cannot wait for Microsoft to start the repairs; but then again this is good news for MS programmers looking for OT.
Re:Is it good or bad (Score:1, Insightful)
Tom
Leak a good thing for MS (Score:5, Insightful)
Re:And counting (Score:3, Insightful)
Re:I'll be first to say it (Score:5, Insightful)
Actually I think that, if Microsoft doesn't lose its customer base to all the exploits found, it's going to make Microsoft stronger. Think about it, right now Microsoft is receiving the same kind of security review that makes OpenSource products so strong in the first place. Granted, it's coming at a very high cost, but their source code will have much fewer bugs when this is over.
Re:Smells (Score:5, Insightful)
Re:What the fuck? (Score:5, Insightful)
2. check int against sizeof(yourbuffer)
3. reject if greater
Not exactly a challenging task
It all goes to the quality of the coder. This is just plain bad code. I learned how to write something to check these kinds of things in middle school.
Outbreak and email renderer (Score:5, Insightful)
Re:Is it good or bad (Score:4, Insightful)
Of course, from the point of view of converting everyone to Linux, this can only be a good thing
Re:I'll be first to say it (Score:5, Insightful)
Please...you might as well say that BSD is dead. Nobody is happy about all the ruckus that the whole affair is going to raise, but it's a little early to pronounce Microsoft dead.
-h-
Outlook (Score:5, Insightful)
The lessons learned (Score:5, Insightful)
When people have access to the source they can more readily find exploitable mechanisms in your code. This is a GOOD thing because you want to know that your system is exploitable, how it is exploitable, and (which is the case in many open projects) how to prevent that exploit.
Any form of content (not just scripts and ActiveX controls) can be used to exploit a weakness in a system. A security strategy that involves simply filtering content is a weak one.
The open source community can be a powerful friend to any organization willing to take the chance on their code being available to others.
Ignore it! (Score:4, Insightful)
Whether it's finding exploits, bugs or whatever; anything that anyone does with it will eventually make Microsoft stronger. If it's a security problem they 'll fix it. Maybe Microsoft is trying to capture open source developers and their free services; I don't know.
What I don't want to see is Microsoft making improvements on their product based on this experience. I don't want to see as much as two adjacent assembler instructions from it end up in Linux.
If you want to do something constructive, run the 2.6 kernel and start making the supporting software more secure. Don't waste your time supporting losers like Microsoft who demand your money up front and then deliver whatever crap they feel like.
Just ignore it!
Re:huh (Score:5, Insightful)
There are certainly other ways to go about reporting bugs (not that Microsoft will listen to any of them), but blaming the messenger for pointing out that the castle wall is full of holes is a bit misdirected if you ask me.
Cheers
Ha Ha Only Serious (Score:5, Insightful)
You laugh, but I won't be the least bit surprised when this very logic finds its way to the receptive ears of less-than-tech-savvy corporate officers...
"Linux? Good god no, man! Didn't you see what happened when just a bit of the Microsoft source code got leaked? I thought you were up on these things!"
Re:Open Source More Secure... maybe not (Score:4, Insightful)
Who says it was secret? For all you know, it could have been the cause of that "mysterious intrusion" a few years ago...
Code review (Score:3, Insightful)
It would be a bit hard to admit:
"uhh, yes we do embrace open-source, but our business model is to protect our intellectual property", "recently our business model has been adapted to incorporate also the intellectual property of 3rd parties, also known as hackers", "the only way to do this legally is to put the FBI out on those folks what ensures that the code review can be reworded as 'theft' and will face the highest criminal punishment", "you know it's all terrorism and that kind of stuff", "It's terrorism on the American Capitalistic Marketing Model", "And we're going to nuke those hackers",
Probably without the approval of the United Nations
nail in the coffin? (Score:4, Insightful)
From Yahoo Financial: "For the six months ended 12/31/03, revenues rose 13% to $18.37 billion. Net income rose 7% to $4.16 billion. Results reflect increased demand for both desktop and server products, partially offset by a $1.48 billion stock option transfer charge."
Here's [yahoo.com] their financial statement.
You may dislike them. Pretending they're not successful is just ignorant. The source leak is a problem for them, but I doubt it'll have any serious repercussions much beyond this quarter.
Re:Open Source More Secure... maybe not (Score:5, Insightful)
This shows that open source is more secure (Score:1, Insightful)
Of course it is a totally different story if you are a hated monopoly and the main proponent of security by obscurity.
Re:Open Source More Secure... maybe not (Score:5, Insightful)
Open-source security doesn't come from having the source available. It comes from lots of people actively working on the source. Tell me, how many random hackers do you think will work on the Windows codebase?
This is one of the reasons why "open source" is more than "source available"
Re:huh (Score:5, Insightful)
It begs the question (Score:2, Insightful)
Answer: Mozilla's code is higher-quality because of open-source peer-review.
Do you think that the hackers that have been trying to embarrass Microsoft into fixing their old vulnerabilities finally said
"screw it then, THIS will teach Microsoft" ?
Well sucks but (Score:5, Insightful)
When Microsoft declared security as their main goal IE5 was the current browser. IE6 has it fixed so they obviously went through their stuff to fix it.
It's very true that bounds checking errors are very easy to prevent but if you say it's sloppy programming to have errors like this in your code you either work in java or
Re:And counting (Score:5, Insightful)
Sure, sooner or later hotmail will stop showing bmps in messages and issue a warning like "if you get a message, do not open it, but delete immediately", but hey, I bet the amount of worm emails in my Junk mailbox will increase drastically in the next couple of weeks.
Re:A quick look at the source code (Score:3, Insightful)
Now is a good time to Burn CDs (Score:5, Insightful)
family, co-workers. Introduce them to Linux and warn them of the dangers of LOOKING AT IMAGES using Internet Explorer 5.0.
There are many good ones*. Personally I fell in love with the Knoppix 3.4 c't edition with the 2.6 kernel -- using it gave me my first experience of non-stuttering KDE with heavy loads, looping MP3s and lots of usable features (except detecting the Dell Inspiron 5150's on board WiFi -- not Centrino).
Pick several, spend a few bucks on good CD-R discs, make a nice label with "do exactly these steps" instructions on the label.
It's not about world domination, it's about stopping the thieving cracker spammers from gaining more zombie Windows boxes to do their bidding and ruin the Internet for the rest of us.
* start here:
http://www.google.com/search?q=live+cds+li
Re:I'll be first to say it (Score:5, Insightful)
but i am happy that this leak happened. it just shows that the code should be out for peer review from day one. security-by-obscurity is second only to security-by-telling-people-what-not-to-do. (e.g.: "don't open that door, there's valuable stuff in that room")
Now that the code is leaked (Score:3, Insightful)
Re:Open Source More Secure... maybe not (Score:5, Insightful)
It just turns out this one was extra easy to find because the code could be read. It would have been equally easy to fix as to exploit (had non-assholes been reading the source, but fear of contamination is keeping most credible OSS engineers from touching that stuff with a 10-ft debugger), bringing us right back around to the superior security of open-source position.
Re:Leak a good thing for MS (Score:5, Insightful)
I'm staying away from the code, and if I were ever tempted to look at it and did discover a vulnerability, I certainly wouldn't release a patch with my name attached.
Re:But the question is... (Score:5, Insightful)
Re:huh (Score:2, Insightful)
(Hate having to post anonymously, but you have to be careful whose toes you step on.)
Re:Open Source More Secure... maybe not (Score:4, Insightful)
No exploits = Our software is the best, no one has been able to find anything.
Exploit made = Access to source code is dangerous.
Re:Well sucks but (Score:3, Insightful)
Re:Open Source More Secure... maybe not (Score:4, Insightful)
Only affects IE 5 apparently
shows.
Re:Open Source More Secure... maybe not (Score:5, Insightful)
Linux source code has been around for how long? And how many exploits have been released for it?
Re:I'll be first to say it (Score:3, Insightful)
Instead, they will write and release exploits... leaving MS to find the particular code that is messed up.
Re:huh (Score:5, Insightful)
Maybe there's something that I'm misunderstanding here. You're suggesting that he's just a messenger -- nothing more? I completely disagree. This person posted an exploit. I'm not sure how it is where you're from, but from where I sit, posting an exploit is on an entirely different level from simply telling someone that their software is full of holes (including how and where).
To use your analogy, rather than being a messenger telling the king that his castle walls are full of holes, this is a little more like designing a weapon to destroy your castle walls, and posting the plans in every neighboring town (which somehow manage to automatically build the weapon, provided you have the right tools). All the recipients have to do is tell the device to build itself, point, and fire.
The point is that this guy was downright irresponsible and should be treated as such. Any sane king would have beheaded this person in a royal heartbeat.
Two Interesting Notes (Score:4, Insightful)
2000 source codes, why are we seeing an issue with IE 5.0? Just goes to prove how closely the browser was tied to the operating system.
On a cynical note, this only bolsters security through obscurity.
had fewer bugs than open source competition?
With some 10% code or more leaked, there is quite a bit more worry about their own peer-review process or should I say lack of.
Re:Ignore it! (Score:5, Insightful)
Why don't you want to see MS software improve? My guess is that you think of your OS choice as a religion or a political statement, which makes you just as bad as pro-MS zealots.
If MS code gets stronger and less buggy, everyone benefits. Remember how many worms have caused major Internet congestion problems? How many spammers now use trojans/worms to create relays for themselves? I don't think I'm the only advocate of Open Source who thinks that it would be a good thing to see more quality come from Microsoft.
I'm not a fan of MS, but I am a fan of quality software. If MS can improve the stability and security of their products then it's a Good Thing(tm) for everyone, even those who don't use said products.
The real reason to ignore the code is so that MS can't try to pull a SCO and claim that OSS projects are stealing their code.
Monthly updates (Score:3, Insightful)
Re:Leak a good thing for MS (Score:3, Insightful)
(I'm pretty sure the OP means "open source coders" by "them" not "Microsoft's coders". So...)
Fu^H^HScratch that dude.
I code for pay, or I code because I get to use the code as I wish. I'm not coding anything for free for Microsoft to keep as proprietary.
Even worse, anyone who does look at the stolen Microsoft source can't work on any code to which they attach their own copyright -- whether GPL'd or their own proprietary license -- that has similar functionality to Microsoft's stolen source, for fear of tainting their project and opening it to claims it uses stolen Microsoft "Intellectual Property".
Open source doesn't operate on stolen code, and open source isn't some great big altruistic charity project designed to rescue any arbitrary buggy proprietary code.
Open source is about working on our own code, and owning our own code. That we license it so that you can use it too doesn't -- Darl McBride's "unconstitutional" claims to the contrary -- make it any less our property; it just means that we have different goals (like attracting talent to work with us, and getting bragging rights, and perhaps tentative tries at ushering in a world much less controlled by scarcity), and are leveraging our ownership to reach those goals.
Microsoft can fix their own code, and godspeed to them.
Re:Well sucks but (Score:5, Insightful)
If they knew it was a security risk, they'd have fixed it in both IE5 and IE6.
Since they didn't, you may safely conclude that MS doesn't "do their job."
Except... (Score:4, Insightful)
Re:I'll be first to say it (Score:5, Insightful)
There is only one problem: the source code is illegal.
Most people who find and report bugs will probably never see this code, and if they do see it, they'll deny it. This means that most people looking at the source code for bugs are doing so for their own benefit.
It'd be very naive to believe that these black hats will release information about the bugs they found. In the case of this IE5 bug we can say that the guy who found it is probably a young fellow looking for m4d pr0pz.
IMO, this source leak is very bad for MS, for it will get the worst part of both, closed source and open source, worlds. On one hand, every bad guy out there can, and will, see the code; on the other hand every white hat is legally and ethically forbidden to look at the source.
Unless MS is trying to pull an SCO, I can't imagine a worse scenario.
Re:A quick look at the source code (Score:5, Insightful)
Wrong. He was right. This particular IE exploit has been fixed; it only affects an old version of IE. And IE is free, so there's no real excuse for not upgrading it. If I found a bug in an older version of an open-source app, and filed a bug report on it despite the fact that it had been fixed AGES ago in a newer version, I think I would be told to shut the fuck up and upgrade with little or no delay.
Re:huh (Score:3, Insightful)
Oh, yes, that's right Windows users.
Ok carry on...
Re:Outbreak and email renderer (Score:5, Insightful)
I've seen everyone say that IE 6 isn't vulnerable... and all I keep thinking is: Not to this particular instance of the exploit. That doesn't mean it is free of problems from this class of exploits.
But, you can bet that the person that wrote this one little bit of code wrote a lot of other code. So, what you have in front of you is a class of problem that can be tried over the entire binary code base. You now know that one image handling routine is susceptible to this flaw... and now you can start targeting them all. Without needing access to the source code for that part of the software.
Know how many times Windows (a graphical user interface) handles bitmapped files? Every one of those is a possible point of failure that you don't need the source code to find... simply start feeding something like this bmp to each of them.
Automated testing at its finest.
Re: most effective SPAM subject line? (Score:2, Insightful)
Re:huh (Score:3, Insightful)
Re:Open Source More Secure... maybe not (Score:5, Insightful)
Re:Why? (Score:1, Insightful)
Re:Tad Sad. (Score:5, Insightful)
Well let me ask you this... look at this brick wall. Now tell me which one of the bricks is actually a rusty piece of metal that just looks like a brick.
It's pretty simple to see this bug now that we're looking right at it. And it obviously was not too hard to find when specifically looking for index-checking bugs. But it's even easier to let something like this slip when you're a tired microserf adding code at 4am trying to meet a deadline. And with the limited resources at Microsoft (huge as it is), that have to be divided into all the different parts of all the different software projects, it's really a hard sell to convince someone to look through all the gazillions of lines of code that have "Just Worked" in the past.
It's easy to judge, but since we really don't know the environment in which this particular bug was introduced, I think we should cut the original programmer a little slack. (not completely, though. Some culpability is appropriate seeing as Microsoft took our money and should be somewhat responsible for the damages caused by the vulnerability of their faulty products)
Re:Open Source More Secure... maybe not (Score:4, Insightful)
Just because it doesn't occur in future releases, doesn't mean it's been fixed. Unless you're arguing that staying current is the only way to avoid exploits, then you're making a strong argument that the TCO of Open Source should be sung from the mountain top.
I posted that vulnerability on August 13, 2000 (Score:5, Insightful)
You didn't need the source code to find that problem. I found it because I was creating compressed .BMP files and accidentally created one that crashed Win2K every time.
If Microsoft doesn't read Slashdot, that's their problem.
Re:Open Source More Secure... maybe not (Score:2, Insightful)
Re:Well sucks but (Score:3, Insightful)
On the other hand, I do think that this is also part of the price you pay for choosing a closed-source system. My preference, despite the fact that my summer job with a closed-source company is helping to pay for my uni lifestyle, is for open source.
For example, I'm pretty sure that I made at least a couple of errors when programming for said company that could allow attacks by a smart non-admin insider. Unfortunately it's too late to fix them so I'll just have to learn all I can and not do the same the next time I take up programming as a career.
Personally I think blacksun.box.sk should be required reading for all programmers. If I'd read its content before last summer I'd have stood a chance of not being stupid in obvious ways.
Re:huh (Score:1, Insightful)
You know that there is a weakness in the walls, an exploit that could destroy the castle and inhabitants. You have been trying to convince people of this, but the king insists that there is nothing to worry about.
To prove your point, you create plans for how to take advantage of this exploit and place it in public places for all to read.
A king who would have beheaded this individual would be a tyrant, doing nothing but obscuring his own incompetence as a leader.
This is a more appropriate analogy.
Comment removed (Score:3, Insightful)
Another funny thing (Score:2, Insightful)
Re:What the fuck? (Score:5, Insightful)
Fuck MSFT it's called bounds checking. e.g.
1. load int from char array
2. check int against sizeof(yourbuffer)
3. reject if greater
AHahahaha, you know you just made the exact mistake MS did. You're using ints, not unsigned ints. Reject if greater does nothing if it's less than 0, which would still cause an overflow.
Re:huh (Score:2, Insightful)
Re:huh (Score:2, Insightful)
Re:Leak a good thing for MS (Score:3, Insightful)
You could have just said: our judicial system is broken. This is akin to musicians not looking at each others' sheet music because we're afraid BMG would sic their lawyers on us for using that F# in our original song. So much for the innovation, competition, and peer review that has led to North America being one of the more technologically advanced societies. It's like we're throwing the baby out with the bathwater, nevermind that the baby got us here in the first place.
Re:Open Source More Secure... maybe not (Score:5, Insightful)
The editors should add an update warning that some source code is in the article. It's like seeing your sister naked. Ack!
Obligatory Monty Python reference:
GOD:
ARTHUR: I'm averting my eyes, oh Lord.
GOD: Well, don't. It's like those miserable Psalms -- they're so depressing. Now knock it off!
Re:huh (Score:5, Insightful)
Just search for all stack arrays in the source...
$ egrep -rn "\[[[:digit:]]+\]" .
Combine a search as above with one for calls to strcpy(), strcmp(), sprintf(), [or any other C runtime/misc. function that fails to check input], and you have an even smaller lump of code to inspect.
So, the 13 year old wouldn't need extensive knowledge, just what you could glean from reading an article or two on buffer overflows. Still, I'd bet it's a seasoned socially backward individual.
Anyway, good question to ponder.
Re:Open Source More Secure... maybe not (Score:1, Insightful)
OK, how about Bind?
Conclusion: It has a lot more to do with the code quality and the function of the software than it does with "Open Source".
Re:Open Source More Secure... maybe not (Score:1, Insightful)
Just one little thing... (Score:5, Insightful)
Re:Open Source More Secure... maybe not (Score:4, Insightful)
That's exactly the point -- it's impossible to keep source code secret, as this proves.
Ummm. You need to go back to logic class. This doesn't prove that it's impossible to keep source code secret at all. That would be like saying that the fact that I got a ticket on my way to work this morning proves that it's impossible to speed without getting a ticket. It doesn't follow.
Re:they use GOTO? (Score:5, Insightful)
You're seeing an example of one of the very few instances where goto is considered "acceptable" to use. Sometimes you code a function which winds up a lot of complicated state, and a failure halfway through requires that you "unwind" the partially constructed state. This is most easily accomplished by having a "bailout ladder" which can be jumped into (via goto) from various points in the code above.
The only other solution involves lots of code duplication, or very bizarre function calls such as CleanupMyState(&context, 6) which just ends up using a Duff's Device in a switch() statement to simulate the use of goto in precisely such a manner, anyway.
When you find that the cleanest way to do something is goto, then the solution is goto. What is the point in contorting your code just to follow a piece of dogma that was only meant as a guideline anyway? Remember, the point is clarity, not adherence to dogma.
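The "bailout ladder" this comment describes, written out as an added example in C (not code from the leaked source or from the poster): each rung releases exactly the state acquired before the step that failed, then falls through to the rung below. The fail_step parameter is an assumed test hook that simulates an allocation failure at a given step so every rung can be exercised.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Partially constructed state that must be unwound if a later step fails. */
typedef struct {
    char *inbuf;
    char *outbuf;
    int  *table;
} context;

/* Builds the context in three steps. fail_step (assumed test hook, 0 = none)
   simulates an allocation failure at that step. On failure returns -1 with
   every field NULL and *released set to how many already-acquired resources
   the ladder freed; on success returns 0 and the caller owns the context. */
int build_context(context *c, int fail_step, int *released) {
    *released = 0;
    c->inbuf = NULL; c->outbuf = NULL; c->table = NULL;

    c->inbuf = (fail_step == 1) ? NULL : malloc(4096);
    if (c->inbuf == NULL) goto fail_inbuf;

    c->outbuf = (fail_step == 2) ? NULL : malloc(4096);
    if (c->outbuf == NULL) goto fail_outbuf;

    c->table = (fail_step == 3) ? NULL : malloc(256 * sizeof *c->table);
    if (c->table == NULL) goto fail_table;

    return 0;   /* fully constructed */

    /* Bailout ladder: entered at the rung matching the step that failed,
       then falls through, undoing the earlier steps in reverse order. */
fail_table:
    free(c->outbuf); c->outbuf = NULL; (*released)++;
fail_outbuf:
    free(c->inbuf); c->inbuf = NULL; (*released)++;
fail_inbuf:
    return -1;
}

/* Normal teardown of a fully built context. */
void destroy_context(context *c) {
    free(c->table);
    free(c->outbuf);
    free(c->inbuf);
    memset(c, 0, sizeof *c);
}

/* Runs one scenario and reports how many resources the ladder released,
   or -1 if construction succeeded (in which case the context is torn down). */
int unwind_count(int fail_step) {
    context c;
    int released;
    if (build_context(&c, fail_step, &released) == 0) {
        destroy_context(&c);
        return -1;
    }
    return released;
}

int main(void) {
    for (int step = 0; step <= 3; step++)
        printf("fail_step=%d -> released %d\n", step, unwind_count(step));
    return 0;
}
```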
Re:Open Source More Secure... maybe not (Score:5, Insightful)
You're right, but open source software doesn't all conveniently provide security updates for old versions, either. It is definitely better, because if nobody else (package maintainer) does it for you, you can do it yourself. However, let's not sing from the mountaintops, because the TCO for insisting on running Red Hat 5.0 today is probably considerable.
Both forms of development obey the same equation: cost versus benefit. The difference is that the cost in commercial software is entirely calculated based on the perspective of the source code owner. While open source is better, it can still be "too expensive" to fix relative to just upgrading.
Re:Get the source code from Freenet, ALSO (Score:4, Insightful)
- patents (despite them being protected by patent law)
- sheet music from other musicians (despite them being protected by copyright)
- trademarks (despite them being protected by trademark law)
- software code (despite them being protected by copyright)
Remember kids, even tho ALL of this information is protected by decades-old, and even centuries-old legal frameworks, if you look at it you will be stealing money! It's as simple as that!
Yes, I'm being sarcastic. The parent poster is a 'Yes Man' moron beyond my wildest dreams. Maybe one day he will sit down and actually learn about copyright/patent/trademark laws and realize that knowing how exactly your peers do things is what has led us to such an incredibly robust technologically and scientifically rich society.
Sharing your methods does not cost you shit, even to the point that patent law is designed to promote sharing of information in return for legal protection. Same with copyright law. MS doesn't want you to see their code not for security reasons, but because it helps you build interoperable products and thus become a competitor. And we all know how anti-capitalist competition is!
Re:Open Source More Secure... maybe not (Score:4, Insightful)
Hmm, Windows 2000 comes with IE 5.0. My Windows 2000 with slipstreamed SP3 still has IE 5.0. Not to mention, I still have IE 5.0 installed, because I don't use IE.
How many places do you know still have Windows 2000 compared to places with Red Hat 5.0?
Exactly.
Maybe you should compare it to a relatively new Red Hat version, like 7.3 or say 8.0.
Many eyes and colored hats (Score:2, Insightful)
In this case, the white hats working inside the Microsoft Compound had to turn a blind eye to these bugs in order to focus on their impossibly rushed deadlines. (Of course, now those same eyes are in panic mode since the leak.)
Meanwhile, the white hats outside the compound walls are powerless to fix the bugs, through fear of legal repercussions: The very existence of any fix suggested proves that they saw the source without paying the license tax and signing away their firstborns to an NDA.
The black hats, OTOH, shielded by anonymity and freed from the bonds of legal accountability and responsibility, are free to see all the chaos, hate, and mayhem they can cause (and then go do it), secure in the knowledge that nobody can stop them.
Sure, some of them will be slowed, as patches trickle out after the fact. Sure, some of them will be caught, as their own idiocy gives them away. But nobody can stop them, because more of the eyes looking at the sources, with the power to change them, are wearing black hats than white.
This Windows disaster cannot afford to be called similar to the situation with Open Source Software. With the sources open, and the maintainers equally open, more of the eyes looking at the sources are wearing white hats than black. And thanks to the openness, the white hats are just as powerful, if not more so, than the black hats.
Re:And awaaayyy we go! (Score:3, Insightful)
IMnsHO, exploit authors prefer Microsoft Windows products because they are buggy (note that the posted exploit actually affects a discontinued product, it lasted that long), because they are based on a buggy security model (oh, you are code? I'll run you automatically and save asking the user if he/she wants to run something from "MLM will make you millions!"), and because they are commonly used by people who don't know what they are doing. Any twit can install IIS--it's just a matter of following prompts. With Apache, you need a certain level of knowledge; particularly if you are not happy with the default settings and want to change them (especially the compiled in settings, which can obviously only be changed by recompiling the software; Microsoft writes that stuff out and makes it configurable, since they don't allow you to compile things).
eh... its not really an IE problem... (Score:5, Insightful)
it's really more of an education problem than a software problem. most computer users (not the
at least that's my 2 cents.
Re:Open Source More Secure... maybe not (Score:5, Insightful)
How is this practical? Look at Linux, and more specifically Red Hat. There was a period of a year or two where Red Hat was finding a TON of bugs and fixing them. Why? Because they paid an external auditing firm to find them.
This seems like business as usual until you think about the SuSE user... he gets a security update to openssh and sendmail even though HIS vendor didn't do the audit. This idea that everyone benefits whenever ANYONE in the community does the right thing means that the right thing gets done far more often. It's not that Linux vendors are more security conscious, it's that there are more of them.
When Microsoft gets around to doing a security audit that's great, but they don't benefit when Red Hat does one or when FreeBSD does, etc., and that's hurting them and their reputation.
Re:Open Source More Secure... maybe not (Score:4, Insightful)
Re:Open Source More Secure... maybe not (Score:3, Insightful)
Besides, if Sendmail lets someone into the system, or bind, UNIX permissions and Access Control Lists help keep the infection from spreading. The developers aren't under an insane amount of pressure to get it right every time. They can get lazy. Or something.
Heh. The kernel doesn't have anything to fall back on, so kernel developers aware of their responsibility are under stupendous pressure to get it right every time, despite the peer-review process. Hehe. That kind of pressure makes you crazy. Makes you fanatical. heh. Makes you work harder. Makes a good crazy, you know?
(disclaimer: I'm not a kernel developer (yet)... but I don't mind being crazy. Heh.)
Re:But the question is... (Score:4, Insightful)
Re:I'll be first to say it (Score:1, Insightful)
"Open source isn't 'communistic' -- it's capitalistic. Why? It increases competition.",
it feels right to mention that in releasing this, the win9x hold-outs are going to be scrambling to purchase the latest-and-greatest Microsoft offerings (Operating systems and the hardware to support them), unless they have access to a Linux-geek/young computer tech who will tell them to relax and migrate their "data" to a cd-rom/dvd-rom and install Linux instead.
Microsoft has wanted to see the win9x/win2k crowd go for a while now, this looks like a really rough way to do it (one stone, many birds).
Re:Open Source More Secure... maybe not (Score:5, Insightful)
it's a pretty moot point
The impact of a bug is probably inversely proportional to the amount of people auditing the code in an open source project...
Sure, there are a lot of small projects that nobody really uses, so there aren't that many eyes for auditing the code... but so what?
The projects are unpopular, so if somebody found a security bug it wouldn't affect that many people (and is it really worthwhile spending the time making an exploit that will affect 1000 users worldwide?)
As long as the popular projects are safe then I don't really care.
Re:Open Source More Secure... maybe not (Score:5, Insightful)
Just because someone claims something is a bug doesn't mean that it _is_ and must be fixed.
A lot of our bug reports are just user preference/pickiness.
Re:Open Source More Secure... maybe not (Score:5, Insightful)
Re:huh (Score:5, Insightful)
I think you might have your terminology backwards. Posting the vulnerability is a favor to people. Posting an exploit is a different story altogether. Since you have a hard time differentiating, let me try to help you out:
Vulnerability: "Hey, look -- I've found this hole in IE. Here it is, fix it. Everyone else -- this software sucks. Use something else."
Exploit: "Hey, everyone (script kiddies included) -- here's some code that I put together that exploits vulnerable boxes. You don't have to know a damn thing to root a vulnerable box. You can use this for anything, spamming, DDoS attacks, mining for credit card numbers -- it doesn't matter -- crack away, oh 31337 ones."
Now can you tell me which is more constructive? The exploit or the vulnerability? Now remember that nobody finds an exploit -- they're all written. Vulnerabilities are found. I completely agree that vulnerabilities should be made public -- but as far as exploits -- you're dead wrong.
Now, if you didn't have your terminology backwards, your logic is just irresponsible. How is an exploit any more helpful than a vulnerability report to bugtraq? How could it possibly benefit anyone other than the script kiddies who will eventually get their hands on this code? People need another exploit in the wild like they need another hole in the head. You will still have an opportunity to tell your friends and family about your discovery -- only you'll have time to tell them to update their browser...not that they've probably been rooted.
PS -- next time, if you're less confrontational in your replies -- you will likely receive more friendly responses...ass.
Re:What the fuck? (Score:5, Insightful)
1. load int from char array
2. check int against sizeof(yourbuffer)
3. reject if greater
Not exactly a challenging task. I guess they're too busy adding in all that crapware to actually code at least one thing right.
I guess you missed the original article, brainiac, but your code is flawed.
"Reject if greater" will fail if int is negative.
But hey, thanks for proving that you're as dumb as a box of rocks.
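The exchange above is about a single comparison: the posted three-step check ("load int, compare to sizeof(buffer), reject if greater") and the reply that it fails when the int is negative. The following C program is an added example, not code from the leaked source or from either poster, showing the naive check beside a hardened one on a constructed, simplified header (a single 4-byte little-endian signed length in front of the pixel data; real BMP headers are larger and that layout is an assumption for illustration only). The naive check never performs the copy; it only reports the length memcpy() would have been handed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PIXBUF_SIZE 64   /* destination buffer the decoder copies into */

struct check_result {
    bool accepted;    /* did the length check let the header through */
    size_t copy_len;  /* the length memcpy() would be handed */
};

/* Little-endian 32-bit read, returned as the signed type the naive check
   uses. The 4-byte-length-then-pixels layout is an assumption of this
   example, not the real BMP header format. */
static int32_t read_le32(const unsigned char *p)
{
    uint32_t v = (uint32_t)p[0] | ((uint32_t)p[1] << 8)
               | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
    return (int32_t)v;
}

/* The three-step check as posted: load int, compare to sizeof(buffer),
   reject if greater. A negative length passes the comparison; once it is
   converted to size_t for memcpy() it becomes SIZE_MAX. The copy is not
   performed here; the function only reports what would happen. */
struct check_result naive_check(const unsigned char *hdr)
{
    struct check_result r = { false, 0 };
    int len = read_le32(hdr);
    if (len > PIXBUF_SIZE)
        return r;               /* only rejects a positive oversize */
    r.accepted = true;
    r.copy_len = (size_t)len;   /* -1 becomes SIZE_MAX on conversion */
    return r;
}

/* Hardened check: reject negatives explicitly, compare as unsigned, and
   also bound the copy by the bytes actually present after the header. */
struct check_result hardened_check(const unsigned char *hdr, size_t avail)
{
    struct check_result r = { false, 0 };
    int32_t len = read_le32(hdr);
    if (len < 0)
        return r;
    if ((uint32_t)len > PIXBUF_SIZE)
        return r;
    if ((size_t)len > avail)
        return r;
    r.accepted = true;
    r.copy_len = (size_t)len;
    return r;
}

/* Decode a blob (header + pixels) into a fixed buffer using the hardened
   check. Returns bytes copied, or -1 if the header is rejected. */
int decode_image(const unsigned char *blob, size_t blob_len,
                 unsigned char pixbuf[PIXBUF_SIZE])
{
    if (blob_len < 4)
        return -1;
    struct check_result r = hardened_check(blob, blob_len - 4);
    if (!r.accepted)
        return -1;
    memcpy(pixbuf, blob + 4, r.copy_len);
    return (int)r.copy_len;
}

/* Constructed sample headers and blob (not taken from any real file). */
static const unsigned char HDR_OK[]  = { 0x10, 0x00, 0x00, 0x00 }; /* 16   */
static const unsigned char HDR_BIG[] = { 0xE8, 0x03, 0x00, 0x00 }; /* 1000 */
static const unsigned char HDR_NEG[] = { 0xFF, 0xFF, 0xFF, 0xFF }; /* -1   */
static const unsigned char BLOB_OK[20] = {
    0x10, 0x00, 0x00, 0x00,                          /* length = 16 */
    'A', 'A', 'A', 'A', 'A', 'A', 'A', 'A',
    'A', 'A', 'A', 'A', 'A', 'A', 'A', 'A'
};

int main(void)
{
    const unsigned char *hdrs[] = { HDR_OK, HDR_BIG, HDR_NEG };
    const char *names[] = { "16", "1000", "-1" };
    for (int i = 0; i < 3; i++) {
        struct check_result n = naive_check(hdrs[i]);
        struct check_result h = hardened_check(hdrs[i], PIXBUF_SIZE);
        printf("len=%-5s naive: %s (would copy %zu bytes)  hardened: %s\n",
               names[i], n.accepted ? "ACCEPT" : "reject", n.copy_len,
               h.accepted ? "ACCEPT" : "reject");
    }
    return 0;
}
```

The negative case is the one the reply is about: the naive check accepts -1 and would hand memcpy() a length of SIZE_MAX, which is exactly the stack overwrite a crafted file can trigger. The hardened version rejects it on the sign test alone, and the extra bound on available bytes also catches a truncated file whose header claims more pixel data than follows it.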
Re:Open Source More Secure... maybe not (Score:4, Insightful)
That's the entire point I was making, which you apparently missed. Just because Red Hat 5.0 was open source doesn't mean you can viably continue to use it indefinitely. If nobody will apply patches for you for free, you'll either have to do it yourself (time) or pay somebody to do it (money). Remember, the cost in this case is not compared to Windows, but to upgrading.
But just for the sake of argument, where would you get free patches for Red Hat 7.3?
Re:they use GOTO? (Score:3, Insightful)
Getting a program working is the first goal of any real programmer. Getting it working well, or having maintainable code are both very important, but they are secondary to getting the program functioning in the first place. Especially with commercial products, sometimes spaghetti code that works NOW is preferable to textbook examples that work sometime next year. Perl wouldn't be nearly so popular if not for that fact of development.
There are also some interesting, and rather elegant, looping structures you can do with goto that are actually more elegant than the more purely structured counterparts- that isn't what seems to be going on here, just thought I'd mention it.
I would have to dig through the code to find the context of that goto, but they aren't always bad.
Code Complete by Steve McConnell has a good section on goto.
Re:Outlook (Score:2, Insightful)
I think most people seem to have missed the point of the original posting. The words "for example" should tell you something. The BMP exploit is just one bug that was easy to find, and presumably one that he felt would be simple to explain. The implication of the message is that such problems are abundant in the code.
So while everybody is thinking about "this" bug, they miss the point that they need to be concerned about using the entire microsoft system, because it is generally a defective product.
Open Source Coders (Score:1, Insightful)
All that manpower, yet the most prominent face on this issue so far is an exploit.
Is this how the OSS community at large operates? Instead of releasing patches, they release exploits?
The issue as I see it now is: the OSS advocates with the big mouths tend to be the ones saying that ALL code should be open for public inspection, and that closed-source is bad for everyone. This new event however, seems to prove to the public at large that these "rogue" coders don't have the Public Good at heart at all.
OSS coders should stick to OSS - let the closed-source companies and coders be. Mixing OSS coders with closed-source is kinda like mixing Communism with Money.
Re:Open Source More Secure... maybe not (Score:4, Insightful)
I'm not saying that MS might not throw a lot of remote root vulnerabilities in that category too, I don't have access to their bug db!
MP
Re:Open Source More Secure... maybe not (Score:5, Insightful)
Re:A quick look at the source code (Score:3, Insightful)
So you say the fix would be to upgrade to XP? That's far from free, and most machines running NT 4.0 now are too old to run XP. Besides, why upgrade when the OS you have does everything you need it to do?
Your analogy with open-source apps isn't right either. The 2.0 linux kernel, for example, is many years old now, but it's still being maintained and patched when needed.
How on earth could this little gem make it past QA? You'll have to admit it's pretty easy to spot when you're looking for vulnerabilities.
Re:Business plan (Score:1, Insightful)
1. Release the source code to your projects
2. Read the GNU Manifesto [gnu.org] and revel in your contribution to society
3. Wait for people to look at code and publish found holes, getting free QA resulting in major savings
4. Create Patch before major damages
5. Thank person who found hole
6.
7. No PROFIT!
Re:Open Source More Secure... maybe not (Score:5, Insightful)
Open source scales well. A small project that few people take an interest in has few users and lots of bugs. It's not a big problem if the bug is exploited because only a handful of people are even using it.
As more people use it and more people get involved more people see the code. As more people see the code, more bugs are eliminated and the code becomes better. Thus the risk of serious bugs declines as more people use the software.
In the case of a closed source product though, the scrutiny does not scale at all. The scrutiny is a fixed value based on the company's internal policies. Given that most companies are far more concerned about time to market and profit margins, extensive security audits are seen as unneeded costs. As the product becomes larger and more complex, the likelihood of bugs developing increases, but the likelihood of a thorough review remains constant or even declines.
Re:Open Source Coders (Score:5, Insightful)
Re:Open Source More Secure... maybe not (Score:5, Insightful)
When an exploit is found for, say, the Red Hat 7.3 kernel, it may not work on Red Hat 8.0 let alone Debian for just this reason. That's not to say the bug isn't present in all three.
Re:occurances of " Don't Care " in MS code (Score:2, Insightful)
if we take into account 332 'don't care's per 15% of MS code, all of windows must have... 2213 'don't care's in all of windows. 13 times more than linux.
No longer a thought experiment (Score:3, Insightful)
As a thought experiment, imagine the following contest:
a) 1000 Linux developers are given (full) WinXP source code and locked in a room to find potential exploits.
b) In another room, 1000 WinXP developers are locked in a room with (insert distro here) source code to find potential exploits.
Which group finds more holes in a week? Which group finds more serious holes? Up until last week, this was purely a thought experiment, with OSS claiming the virtual victory. Last week, it became real.
(And don't you think that it's possible that Microsoft has been conducting contest (b) FOR YEARS trying to find holes to prove OSS insecurity?)
Free as in beer helps as well (Score:4, Insightful)
where would you get free patches for Red Hat 7.3?
I think the point is that you can patch Red Hat 5.x for free by upgrading to a more recent version of Red^H^H^HFedora [fedora.org] for no charge. IE 5 is the last version IE to run on Microsoft Windows 95, and Microsoft charges for newer versions of Windows.
Re: most effective SPAM subject line? (Score:3, Insightful)
I don't know about the original poster's ideology, but I certainly expect to get the "source code" to a book when I buy one, or even when I browse in the bookshop or library. I expect to get the "source code" to a newspaper when I buy one, or when I flick through it in the newsagents deciding whether it looks interesting enough to buy. I generally expect to be able to read recipes when people give them to me, and I *definitely* expect pre-processed foods to contain a list of ingredients when I buy them.
As for PIN numbers, I have never tried to sell my PIN to anyone, so I don't see what right anyone has to know what it is - but then you were just being flippant with that comment, weren't you?
Re:Open Source More Secure... maybe not (Score:1, Insightful)
Re:Open Source Coders (Score:4, Insightful)
There comes a point where releasing a patch would be ludicrous, because the problem and its solution are so obvious.
It would be like calling up Boeing to report that the wing has fallen off your airplane, explaining why that is a problem, and giving them detailed instructions how to fix it. They know what's wrong and how to fix it. The problem is motivating them to do it.
Time and again, MS has proven that the only motivation to fix problems is concrete exploits in the wild (and even then, they sometimes don't fix it).
Re:huh (Score:4, Insightful)
What are you talking about? He posted a vulnerability and a proof of concept BMP that shows that the stack is overwritten. It doesn't do anything except crash IE5.0.
If he had made a BMP that contained functional shell-code or similar nastiness ready to be used by script-kiddies, I'd agree with you.
PS -- next time, if you're less confrontational in your replies -- you will likely receive more friendly responses...ass.
It also helps to know what you're talking about before going ballistic.
Re:Open Source More Secure... maybe not (Score:5, Insightful)
You can download RedHat 9 (10?) and upgrade some or all of your ailing RedHat 5.0 box. Either upgrade the whole thing (RH9 would do slim installs suitable for old machines) or just upgrade the old service.
Call Microsoft and ask them if they allow free upgrades to WinXP from older OSes to fix security problems. Ask if they mind if you grab some WinXP DLLs from a friend and use them on your WinNT machine. That is, if they would work. Services in RedHat would probably work on an older machine, though they may require a parallel install of some libraries.
Then there's the issue that even for outdated versions of software that aren't patched directly, a moderately skilled coder (perl - barely any C - like many junior unix admins) can usually adapt the fix for an older version, or use the information provided to script some firewall rules to avoid it.
Then there's simply the fact that it's available. Even if you can't do it internally, you can pay a coder for a day of work ($250 tops - about the cost of a trouble call with big software companies) who can go grab all the source code (no NDAs required) and do the fix for you.
If this IE5.0 fix was critical for you to have, how could you go about getting it before Microsoft got around to fixing it? Turn off images?
Re:huh (Score:1, Insightful)
Some vendors (like Microsoft) don't acknowledge a vulnerability until there is an exploit released for it.... This has been proven over and over again.
Conclusion: Proof of concept exploits aren't always a bad idea.
Re:A BITMAP file can cause trouble?? (Score:1, Insightful)
Re: Not running as Admin or Root != safe (Score:5, Insightful)
Separate user accounts, securing the system itself, etc, that is _ONLY_ security-related when you are the administrator of a server and require your box be up 24/7 (or at least somewhat often)
Think about it for two seconds: You're a normal user, you're using your personal computer. Hell, you're using it to surf the web, this isn't any system which other people are dependent on having a high uptime or anything. You go to a webpage, and some arbitrary code gets executed.
What files could be affected? Well, you're running as a normal user, so luckily for you only the files which you give a shit about will be harmed, while the easily replaceable part of the system remains intact.
This whole "multiple accounts == security" line is pure bullshit extract. The files which a USER, not a System Administrator, cares about, are files which that USER created, downloaded, edited, etc. Files which the User has access to.
If some malicious code executes as root/Admin, so what? Your important files are trashed and you need to spend an extra hour reconfiguring your system? That extra hour or two doesn't mean squat compared to the years it may take to restore the files which you created personally.
"You Should Keep Backups anyway" is Irrelevant. As that can just as easily be applied to root-accessible files, the point is that non-admin privs are just as bad as admin privs on a personal system.
And this exploit _is_ talking about a personal system, unless you're in the habit of running IE5 on a high-priority server instead of the laptop sitting next to it.
Blackhats is what worries me. (Score:3, Insightful)
MS is in for a ride and it should be hammered around that most of these exploits would NOT be stopped by Palladium. Palladium is just a buzzword and does not stop errors in protocols or implementations of them. That's not going to stop MS from marketing palladium as a tool to stop errors in their code.
Re:they use GOTO? (Score:2, Insightful)
Software is always about compromises. It is stupid to go for "correctness" in a performance-critical part of the code.
Would you like your images to render faster or the underlying code to be goto-free?
vulnerability = exploit (Score:3, Insightful)
Please change your browser because otherwise you will get rooted (i cannot explain why, please, please believe me).
Would you take this seriously? And what amount of time would it take to find an exploit for an explanation like this:
Found a serious buffer overflow in IE when loading a bitmap image...
This would result in exploits in a couple of hours and would give only the false impression that there are no exploits up to now...
The source code has been leaked since Friday and you don't gain anything by telling only Microsoft that this and that vulnerability exists. Till they fix it it's too late. And without a proof of concept everyone could claim he found a serious bug.
Re:Well sucks but (Score:2, Insightful)
Whatever excuses you might have, that is sloppy programming - based on sloppy thought, and reflecting sloppy practice.
If there is one example in the code, there will be more - and I for one don't want to be exposed to an exploit because of lazy thinking in Redmond.
And yes - I do program in C/C++, and my code is buggy as hell, at least until I fix it, but I always consider it good practice to type my variables appropriately, and most of the bugs come from ill-documented APIs that leak memory if you forget the undocumented trick (SQL Server connections, anyone?).
Even in Java, I always try to avoid overflow conditions - it's just good practice and sound technique.
Re:huh (Score:2, Insightful)
- somebody has told us how the code works
- somebody else has posted a link to a site that explains how to make a buffer overflow exploit
- yet another person has told us how bitmaps are organized
The most important part is still missing: write the code that has to be executed.
If you want to exploit the bug, all you need to do is to figure out the bitmap and read this article, no matter if the exploit has been posted or not.
Re:Open Source More Secure... maybe not (Score:3, Insightful)
Isn't that a bit of a tinfoil view of the world?
IE6 is a free download (Score:3, Insightful)
If this were an OSS program, everyone on Slashdot would be falling over themselves posting to "upgrade to the latest version, it's fixed." But when it's Microsoft, suddenly there's some sort of unnamed hassle when it comes to just downloading a setup program and running it.
Re:Open Source More Secure... maybe not (Score:4, Insightful)
Because regardless of what Microsoft pretend or what others accuse or don't accuse, the fact is that IE has been MADE an integral part of the OS.
I don't use IE anymore, (Firebirdyfoxchicken has served me well for months now with no hitches) but I STILL keep it up to date. Unfortunately it's essential for sensible operation of Windows.
IMHO.
Re:occurances of " Don't Care " in MS code (Score:2, Insightful)