Exploit Based On Leaked Windows Code Released
mischief writes "A post to Bugtraq from SecurityTracker.com reports an Internet Explorer 5 exploit that has been released based on the Win2K code leak: 'It is reported that a remote user can create a specially crafted bitmap file that, when loaded by IE, will trigger an integer overflow and execute arbitrary code.' Only affects IE 5 apparently, but still - it didn't take long!"
Is it good or bad (Score:1, Interesting)
well, the source is out there (Score:5, Interesting)
And counting (Score:5, Interesting)
I'll be first to say it (Score:5, Interesting)
An exploit this quick? There's going to be some serious happenings going on at Microsoft. Also look for another Longhorn delay sometime due to everything that is found out.
I'm not sure what to think. I'm not happy that when I get back to work this summer, I'm going to spend way too much time fighting these problems/viruses and patching things up. I'm not happy businesses are losing money. I am, however, happy that Microsoft is forced to clean up their act even more, or they are going to lose market share.
Open source isn't 'communistic' -- it's capitalistic. Why? It increases competition.
We have an interesting 6 months ahead of us, folks.
A quick look at the source code (Score:5, Interesting)
"In short, there is nothing really surprising in this leak. Microsoft does not steal open-source code. Their older code is flaky, their modern code excellent. Their programmers are skilled and enthusiastic. Problems are generally due to a trade-off of current quality against vast hardware, software and backward compatibility."
But this IE exploit shows that the author was wrong on at least one account:
"The security risks from this code appear to be low. Microsoft do appear to be checking for buffer overruns in the obvious places. The amount of networking code here is small enough for Microsoft to easily check for any vulnerabilities that might be revealed: it's the big applications that pose more of a risk. This code is also nearly four years old: any obvious problems should be patched by now".
Re:so THATS why it was leaked (Score:2, Interesting)
or, one of the offshore programmers was stuck trying to fix a bug and posted a question to a board somewhere and put the code up so people could help fix it.
nyeh.
Get the source code from Freenet (Score:2, Interesting)
Re:You thought Microsoft were tardy with (Score:5, Interesting)
I know, UAs get faked all the time...
* Depends on which site you look at.
Tad Sad. (Score:5, Interesting)
I mean, I've been doing C for almost 20 years. One of the first lessons I learned -- and not for 'security' so much as crash-free programs -- was not to do such things.
I mean, holy crap, it's too damn simple to see the bug. What kind of idiots do they have working at MS?
"The Very Best Kind"
Re:Open Source More Secure... maybe not (Score:4, Interesting)
Re:well, the source is out there (Score:3, Interesting)
Re:Open Source More Secure... maybe not (Score:3, Interesting)
And you guys moderated this post of mine [slashdot.org] funny.
Bwah-hahah-ha!
Yeah, Ok, I was trying to be funny, but I guess I underestimated the truly innovative quality of Microsoft's incompetence.
all who have looked are tainted? (Score:0, Interesting)
You haven't looked, have you?
Funny thing. I can easily envision people stamping out T-shirts with pieces of the MS Windows source on them. Would I be tainted if I incidentally stumbled across one in the street? Would that person be potentially held liable by all programmers or future programmers he/she meets?
Re:Text of advisory (Score:4, Interesting)
Microsoft learns a lesson today (Score:4, Interesting)
Pop Quiz: IE5 or IE5.5 too? (Score:2, Interesting)
Sticking with Win2K for a moment, IE5.5 is part of SP4. Office 2K SR-1 or later needs IE5.5. Who is still running IE5(not
Re:And awaaayyy we go! (Score:3, Interesting)
IMHO exploit authors prefer Windows simply because they want to maximize their impact. Why spend all those hours writing a virus when it will only cause problems for a few percent of the computers out there? I would think they get much more satisfaction when they see "500 million" machines infected on CNN.
Re:And awaaayyy we go! (Score:3, Interesting)
With high quality crackers going after Linux boxes, I think either A) somehow nobody outside of the cracker community hears about exploits and companies are keeping quiet when they get hit, or B) OSS really does have an edge.
I'm more inclined to believe the latter.
Cheers
Re:well, the source is out there (Score:3, Interesting)
Re:Ha Ha Only Serious (Score:5, Interesting)
- Since the Linux kernel got started it was open, and it had a lot FEWER flaws than Windows during the same time period.
- With code open to everybody, the credibility of the writers depends on the quality they were assessed at, and so they must write good code.
- Windows, being closed in nature, can hide its flaws to an extent, until it is opened like so. Still, when it was closed it didn't stop hackers from finding holes.
2 attacks for 2004... (Score:2, Interesting)
Source Code (Score:2, Interesting)
I wonder who will be the first to incorporate this leaked source. Judging by the exploit found, it's no wonder they want to keep the code secret.
"Bill Gates can't guarantee Windows to work. How can you guarantee me that?" John Crichton
Re:What the fuck? (Score:5, Interesting)
This is moderated as funny... but it's true. You can even get software to automate the process. It just sends random keypresses and mouseclicks to the application under test, very very fast. You leave it running overnight. If your application is still stable the next day, it passed.
It's scary how many bugs a simple test like this can throw up...
Re:Smells (Score:2, Interesting)
Images are just data and everyone agrees with that, but you can display source code [C, Perl, whatever] as a bitmap file if you really want to, in numerous ways. Won't look like much, but you can't deny that the code is now a picture. Why can't a picture be formatted in such a way as to be interpreted as code?
The problem here is the renderer [have I mentioned that already], not the picture.
Re:well, the source is out there (Score:3, Interesting)
And then, if this sort of thing happens again in the future, we would want to find out if MS used the rogue patch and claimed to write their own independently. By then, the company will be the equivalent of today's SCO - not really releasing anything of value, but suing people for using some phantom bit of source code that they bought the rights to a few years before.
better security review (Score:3, Interesting)
You also post it to the LKML. That has a lot of eyeballs, but most of them aren't familiar with kernel internals and don't do more than glance at patches. If you're lucky (although perhaps lucky isn't the word) you'll get twenty skilled eyeballs looking at and criticizing your code. Most times the number is only two or three, and it can be even fewer.
If you take an average of ten knowledgeable people examining your code, then I think you can agree that it is plausible that Microsoft has just as thorough a review as critical OSS projects like Linux. Four or five people looking at code before a commit would put it within a factor of two of Linux. The skill of the people doing the audit would be much more important at this stage.
Once you get a release of Windows code, no one examining it in the general community is knowledgeable about Windows specifics, but it may get a lot of attention from a lot of skilled people, just because of the novelty. I would think that parts of it will be subject to much more scrutiny than Windows or Linux source code usually ever is.
Why? (Score:1, Interesting)
Re:so THATS why it was leaked (Score:5, Interesting)
Re:But the question is... (Score:4, Interesting)
Re:Text of advisory (Score:5, Interesting)
Guess you haven't worked at MS before. :) (Score:3, Interesting)
Also, those who code reviewed the offending code and let it through are likely to lose their jobs.
All in all, heads are going to be chopped on the main campus. Cutler will have to reshuffle his team, and there's a few FTEs sweating right now.
Re:What the fuck? (Score:3, Interesting)
For example, from my LibTomCrypt, the logic of a macro to load a variable-length mp_int [mycrypt_pk.h INPUT_BIGNUM] works as follows:
1. inlen == sizeof input
2. y = 0, current offset
for all bignums
1. if y + 4 > inlen return error
2. load 32-bit unsigned into x, advance by 4
3. if x+y > inlen return error
4. load x byte mpint
5. check if mpint loads correctly.
[I'm in the middle of doing massive updates to my PK code though...;-)]
But that's the gist of it. Really simple, and since I use macros I only have to work out/code the logic once.
Tom
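The loader logic from the post above, written out in C as an added example (this is not code from the post or from LibTomCrypt). It keeps the five steps but rewrites the step-3 check `x + y > inlen` as a comparison against the remaining space, because in 32-bit arithmetic that sum wraps for a large attacker-chosen `x`, the same class of integer overflow the advisory at the top of the page attributes to IE's bitmap loader. The record layout (4-byte big-endian length, then payload) and the sample buffers are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>

/* A parsed record: a view into the caller's buffer, nothing is copied. */
typedef struct {
    const unsigned char *data;
    uint32_t len;
} bignum_view;

/* Step 3 as the post phrases it, in 32-bit arithmetic as on the targets of
 * the day: "x + y" wraps for a large attacker-chosen x, so an absurd length
 * is accepted.  Returns 1 when the check passes. */
int check_naive(uint32_t x, uint32_t y, uint32_t inlen) {
    return x + y <= inlen;
}

/* Same intent, written so no intermediate can overflow: compare x with the
 * space that remains instead of adding it to the offset. */
int check_safe(uint32_t x, uint32_t y, uint32_t inlen) {
    return y <= inlen && x <= inlen - y;
}

static uint32_t load32be(const unsigned char *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Walk a buffer of [len:4 bytes][payload:len bytes] records following the
 * post's steps, with the overflow-safe form of step 3.  Returns the record
 * count, or -1 on any bounds violation. */
int parse_bignums(const unsigned char *in, uint32_t inlen,
                  bignum_view *out, int max_out) {
    uint32_t y = 0;                       /* current offset (step 2) */
    int n = 0;
    while (y < inlen) {
        if (n >= max_out) return -1;
        if (inlen - y < 4) return -1;     /* step 1, subtraction form */
        uint32_t x = load32be(in + y);    /* load the 32-bit length */
        y += 4;
        if (!check_safe(x, y, inlen)) return -1;   /* step 3 */
        out[n].data = in + y;             /* step 4: the x-byte payload */
        out[n].len = x;
        n++;
        y += x;                           /* cannot wrap: x <= inlen - y */
    }
    return n;
}

int main(void) {
    /* Constructed sample: a 3-byte bignum followed by a 2-byte one. */
    static const unsigned char good[] = {0,0,0,3, 1,2,3, 0,0,0,2, 0xAA,0xBB};
    /* Constructed sample: length word claims 5 bytes, only 2 follow. */
    static const unsigned char trunc[] = {0,0,0,5, 1,2};
    bignum_view v[8];
    printf("good: %d records\n", parse_bignums(good, sizeof good, v, 8));
    printf("trunc: %d\n", parse_bignums(trunc, sizeof trunc, v, 8));
    printf("naive accepts 0xFFFFFFFC? %d  safe? %d\n",
           check_naive(0xFFFFFFFCu, 4, 64), check_safe(0xFFFFFFFCu, 4, 64));
    return 0;
}
```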
Re:Text of advisory (Score:3, Interesting)
Given Windows XP's ability to display thumbnail views of JPGs, TIFs and MPGs (even though it can display the first frame of MPEG-2, but not actually play the movie), there could be some serious fun to be had there...
they use GOTO? (Score:2, Interesting)
goto Cleanup;
My god... I thought this was one thing they taught us not to do in school. But here it is in Windows! My god, don't they screen for these things at the interview?
"A quick look at the source code" is all MSFT took (Score:3, Interesting)
I'm bracing for the coming flood of exploits. The OSS community may prove themselves honorable and pitch in to help, but it's the script kiddies, and those whose moral compass is broken, that I'm worried about.
Re:Open Source More Secure... maybe not (Score:3, Interesting)
Re:Text of advisory (Score:4, Interesting)
Also, is it slashdot, the comment poster, or both, who is screwed?
[0] Note: I don't have a copy.
Re:Open Source More Secure... maybe not (Score:4, Interesting)
References, please. I know of some companies that will NOT move to IE 6.0 because of increased vulnerabilities that do not exist in 5.0 or 5.5. I myself have had bad experiences with IE 6.0. Where did you get your facts?
Re:Open Source More Secure... maybe not (Score:5, Interesting)
These "easy to find" bugs were probably fixed in the huge code audit that MS did as part of their security initiative that happened AFTER the date of the leaked code.
Not to say your point isn't valid, just that the real question is how do you get more intelligent eyes reading the code looking for this stuff. OSS isn't necessarily better, it's just that highly popular projects have lots of eyes. I know plenty of projects that get far fewer eyes and have TONS of bugs. Now that MS is being forced to be secure they are having lots of eyes, so we will see in Longhorn if this improved anything.
I will say this, it's easier to trust something that you can look through yourself; it may not be safer but you like it better because if you wanted you could see what was wrong. It's like driving a car vs riding with someone. You are often more at ease when you are behind the wheel because you can see/make/correct the mistakes, whereas with another person driving you just have to trust. It has nothing to do with which driver is better.
I will say that Linux and Apache are just great projects with hordes of great developers. It's a testament to the possibilities of the open source model, but it's not proof that the model is better. There are plenty of OSS projects that just suck, and those don't show me that the model is broken.
Finally I will say there isn't the same incentive to make perfect code in a corporation that there is in the OSS community. The corporation is only going to do enough to get the money rolling in because the money is the reward. The OSS programmer is going to write to the very best of his ability because the code itself is the reward. Still doesn't make one model necessarily better than the other. The way we will make Microsoft improve its products is to quit upgrading until they can prove they have a superior product. It seems from the press releases that the pressure of Linux may actually be forcing MS to improve.
good info on 2d graphics (Score:2, Interesting)
Re:Open Source More Secure... maybe not (Score:3, Interesting)
Re:Open Source More Secure... maybe not (Score:5, Interesting)
My guess is they would say "We don't support IE5 anymore. Upgrade to IE6 SP1". Followed by legal action against you for disclosing M$ trade secrets.
anybody consider that the leak was intentional? (Score:2, Interesting)
1. proper QA is done right, as only open source can allow (they get the benefit of QA that only the dynamics of open source allows, all without acknowledging open source has a superior model in this aspect)
2. they can push XP as a superior OS, and get more users to upgrade to XP and drop 2000/NT
Does anybody else see this?
Re:Leak a good thing for MS (Score:2, Interesting)
Re:A quick look at the source code (Score:2, Interesting)
Re:What the fuck? (Score:4, Interesting)
Re:huh (Score:1, Interesting)
Both parties are irresponsible. Microsoft is notorious for doing nothing about security holes which are pointed out to them. Their inaction leads to people bypassing Microsoft altogether and just posting exploits in an attempt to force the matter. DOJ is supposed to go after Microsoft when they sit on their ass instead of fixing security holes, but we've all seen how well that has worked out.
The "good citizen" thing to do would be to contact Microsoft, inform them of the security hole, the sample exploit and a patch. But, since this is taken from illegally obtained source code I doubt the author wants to risk it. In the end, this is just the result of Microsoft treating security problems as PR problems.
My bet is that if they do anything at all about this, Microsoft will simply bitch. As is typical with Microsoft, a security hole is just another PR issue -- in this case an opportunity to spread Open Source FUD. It will still take Microsoft forever to patch this, despite having exploit code, identification of the hole and an obvious means to correct the problem.
Re:A quick look at the source code (Score:2, Interesting)
Although an exploit was found, the security risk is low. That's probably true, because most people have upgraded from IE 5.x to 6.x or some other browser.
Still, I just checked the stats on a webpage about a moderately advanced security topic that I recently made. It turns out that almost 5% of the visitors use IE 5.x. Yikes...
Palm does too (Score:3, Interesting)
Re:Open Source More Secure... maybe not (Score:5, Interesting)
I worked at MS once (hated it, quit) and the bug tracking system had a category of "won't fix" bugs - bugs they knew about but had no intention of fixing.
Re:off topic, but orthogonal kind of prompted this (Score:5, Interesting)
This is really easy. Back in the good old days, when developers measured memory in kilobytes rather than megabytes, and CPU speeds were expressed in single-digit MHz rather than single-digit GHz, performance was a BIG issue. The layout of the data inside a bitmap was set up to mimic the memory layout of a video card, so that you could literally just copy the data with no transforms.
Over time, video memory layouts changed, computers got faster, and now have more on-CPU cache than they used to have memory. The rage in software development has come full circle. Instead of trying to optimize things to see how efficiently they can be written, it seems to be a goal to see how much overhead one can put into a given application before it actually starts to do something useful. Some things though seem to be trapped in their legacy heritage, and the format of a bitmap is one of them.
Re:Open Source More Secure... maybe not (Score:5, Interesting)
Folklore.org link from Apple early days (Score:3, Interesting)
Re:Open Source More Secure... maybe not (Score:3, Interesting)
[cramer:ttyp1]dominion:~/[1:38pm]:uname -a
Linux dominion 2.3.42-SMP #11 SMP Sun Feb 6 20:06:02 EST 2000 i686
[cramer:ttyp1]dominion:~/[1:38pm]:cat
release 4.1 (Vanderbilt)
[ttyp0]foobar:~/[2:46pm]:uname -a
Linux foobar 2.3.18-SMP #10 SMP Mon Sep 20 17:27:00 EDT 1999 i686 unknown
[ttyp0]foobar:~/[2:46pm]:cat
release 5.1 (Manhattan)
[jfbeam:pts/0]chickenboo:~/[2:11pm]:uname -a
Linux chickenboo 2.4.2-SMP #1 SMP Tue Feb 27 17:04:47 EST 2001 i686 unknown
[jfbeam:pts/0]chickenboo:~/[2:11pm]:cat
Red Hat Linux release 6.2 (Zoot)
(And no, they are not publically accessible machines.)
IE5.0 still accounts for the majority of browsers (Score:1, Interesting)
What's your point? (Score:3, Interesting)
Microsoft, with a couple hundred million users they really wouldn't mind being compelled to buy their next O/S
Or some surly hacker who doesn't care if he loses his job?
Fear is a powerful motivator against the latter... and Microsoft's greed, which has compelled them to illegal market-manipulating tactics in the past, seems the greater force. We haven't seen much response [microsoft.com] from Microsoft about the source leak, yet it may prove to be the 9/11 for the computer business, if virus writers get busy with it.
Back doors... (Score:1, Interesting)
Re:A quick look at the source code (Score:3, Interesting)
Upgrading isn't always an option. For example, at work we have a system that relies heavily on specific versions of Apache and Perl. But, the Apache and Perl teams still patch bugs in my "old" versions of the software.
I don't have this option with MS.
Outlook using IE engine to render HTML email (Score:4, Interesting)
Re:Open Source More Secure... maybe not (Score:3, Interesting)
This is just speculation; besides, if they found a security hole in IE5 it would be their responsibility to publish the fact rather than leave IE5 users out there vulnerable.
Re:they use GOTO? (Score:4, Interesting)
Re:What the fuck? (Score:2, Interesting)
Code Audits (Score:4, Interesting)
Now open source has in reality been proven the best way.
And security by obscurity fails again.
Representative (Score:3, Interesting)
No one thought they were stellar; some already knew how bad things are; some figured, naturally, that if you could poke holes in their stuff like we've seen, something must be very, very wrong.
But now people are going to see with their own eyes - and that, I insist, is what is interesting here. So keep your eyes peeled (sorry, PJ).
Re:Was this leak accidental? (Score:4, Interesting)
The nature of open source software makes actually verifying the existence or non-existence of code very easy. Microsoft wouldn't even need to contact anyone to tell them they thought they were including Microsoft code in their product. They could just download it and check. As could everyone else.
The main problem, and this is why I think MS has not actually gone to court against major OSS projects yet, is that doing so would force them to show the offending lines of code in order for them to be compared to the OSS source. If this incident has shown anything it is that revealing source is not something Microsoft wants to ever do -- even for products that are near or at/past EOL.
That said, I think that project managers REALLY are going to need to be vigilant in monitoring contributions to their projects, especially when programmers claim to be introducing Microsoft compatibility with the code. Chances will be good that some unethical programmers will try to slip some Microsoft-owned code into a project. I can actually see some pro-MS people joining OSS projects just to try to do this, then notify MS so they can take legal action. But, if a project manager is doing their job, this should be an easy problem to fix.
Re:off topic, but orthogonal kind of prompted this (Score:3, Interesting)
Which is actually not as good an idea as it sounds. When you refresh the screen (or a large window) upside down, CRT refreshes, which always go from top to bottom, become much more obtrusive. The system looks and feels slower due to more screen-tearing, even though it's technically 1% or so faster.
This is why display systems that put (0,0) at the lower-left corner are a pet peeve of mine. Upside-down rendering = a slightly more elegant mathematical model that yields significantly worse-looking results in real life.
There is... (Score:3, Interesting)
Re:Who Runs IE 5 anyway? (Score:1, Interesting)
It would be unethical to disclose who that major manufacturing company is. Hehe.
MS crypto subsystem? (Score:3, Interesting)