
Exploit Based On Leaked Windows Code Released

Posted by simoniker
from the nda-never-signed dept.
mischief writes "A post to Bugtraq from SecurityTracker.com reports an Internet Explorer 5 exploit that has been released based on the Win2K code leak: 'It is reported that a remote user can create a specially crafted bitmap file that, when loaded by IE, will trigger an integer overflow and execute arbitrary code.' Only affects IE 5 apparently, but still - it didn't take long!"
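The summary describes the classic bitmap integer overflow: image dimensions multiplied in 32-bit arithmetic wrap to a small allocation that the decoder then overruns. The following is an added defensive example, not code from the page, from SecurityTracker or from Microsoft; it parses the standard 14-byte BMP file header and the leading fields of the 40-byte BITMAPINFOHEADER, shows the naive size computation wrapping, and a checked version beside it. The 256 MiB cap and the sample headers are assumptions constructed here.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* BITMAPINFOHEADER fields that drive the pixel-buffer allocation (little-endian on disk). */
typedef struct {
    int32_t  width;      /* biWidth */
    int32_t  height;     /* biHeight, negative means a top-down image */
    uint16_t bit_count;  /* biBitCount */
} bmp_info;

static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = v & 0xff; p[1] = (v >> 8) & 0xff; p[2] = (v >> 16) & 0xff; p[3] = v >> 24;
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = v & 0xff; p[1] = v >> 8; }

/* Parse the 14-byte BITMAPFILEHEADER and the leading fields of a 40-byte BITMAPINFOHEADER. */
int bmp_parse_header(const uint8_t *buf, size_t len, bmp_info *out) {
    if (len < 54 || buf[0] != 'B' || buf[1] != 'M') return -1;
    if (rd32(buf + 14) < 40) return -1;       /* biSize must cover the fields read below */
    out->width     = (int32_t)rd32(buf + 18);
    out->height    = (int32_t)rd32(buf + 22);
    out->bit_count = rd16(buf + 28);
    return 0;
}

/* The unsafe pattern: width * bpp * height in 32-bit arithmetic wraps silently, so a huge
 * image can yield a tiny (even zero) allocation that the pixel copy loop then overruns. */
uint32_t bmp_pixel_bytes_naive(const bmp_info *h) {
    uint32_t row = (uint32_t)h->width * h->bit_count / 8;
    return row * (uint32_t)h->height;
}

/* Hardened version: validate every field, compute in 64 bits, and apply a size policy. */
int bmp_pixel_bytes_checked(const bmp_info *h, size_t *out) {
    const uint64_t cap = 256u * 1024 * 1024;  /* per-image limit; a policy choice assumed here */
    if (h->width <= 0 || h->height == 0 || h->height == INT32_MIN) return -1;
    uint64_t height = h->height < 0 ? (uint64_t)(-(int64_t)h->height) : (uint64_t)h->height;
    switch (h->bit_count) {
        case 1: case 4: case 8: case 16: case 24: case 32: break;
        default: return -1;
    }
    /* Rows are padded to 4-byte boundaries; int32 * 32 cannot wrap in 64-bit arithmetic. */
    uint64_t stride = (((uint64_t)h->width * h->bit_count + 31) / 32) * 4;
    if (stride > cap) return -1;               /* also keeps stride * height below 2^64 */
    uint64_t total = stride * height;
    if (total > cap) return -1;
    *out = (size_t)total;
    return 0;
}

/* Build a constructed 54-byte header for the demo (sample input, not a real file). */
void make_header(uint8_t *buf, int32_t w, int32_t hgt, uint16_t bpp) {
    memset(buf, 0, 54);
    buf[0] = 'B'; buf[1] = 'M';
    wr32(buf + 14, 40);                        /* biSize */
    wr32(buf + 18, (uint32_t)w);
    wr32(buf + 22, (uint32_t)hgt);
    wr16(buf + 26, 1);                         /* biPlanes */
    wr16(buf + 28, bpp);
}

int main(void) {
    uint8_t buf[54];
    bmp_info h;
    size_t n;
    /* A 65536 x 65536 32-bit image needs 2^34 bytes, which wraps to 0 in 32-bit math. */
    make_header(buf, 65536, 65536, 32);
    if (bmp_parse_header(buf, sizeof buf, &h) == 0) {
        printf("naive size: %u bytes\n", bmp_pixel_bytes_naive(&h));
        printf("checked: %s\n", bmp_pixel_bytes_checked(&h, &n) == 0 ? "accepted" : "rejected");
    }
    return 0;
}
```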
  • by LostCluster (625375) * on Monday February 16, 2004 @01:43PM (#8295365)
    Oops... we just gave MS a chance to say keeping the source secret keeps flaws like this secret as well. :)
    • by Anonymous Coward on Monday February 16, 2004 @01:44PM (#8295377)
      > Oops... we just gave MS a chance to say keeping the source secret keeps flaws
      > like this secret as well. :)

      Yeah, but if Windows were truly open source then there's no chance it'll just be sat on for six months...
    • by The Unabageler (669502) <joshNO@SPAM3io.com> on Monday February 16, 2004 @01:45PM (#8295386) Homepage
      OTOH M$ should thank the code thieves for expediting their QA process :-)
    • by Anonymous Coward on Monday February 16, 2004 @01:45PM (#8295398)
      Just to those that couldn't get access to the source code. Some people with access before may have known about this for a while. Not that we'll ever know.
      • Re: of been (Score:5, Funny)

        by Anonymous Coward on Monday February 16, 2004 @02:54PM (#8296262)
        I wish that I would of thought have that.

        It could of been me that was modded insightful for of-ing no grammatical skills.

        Well, you know the old saying... birds have a feather, etc.

        Of a nice day! :)

    • by aborchers (471342) on Monday February 16, 2004 @01:46PM (#8295411) Homepage Journal
      Funny, yes, but in the interest of full disclosure it's worth noting for the credulous that this code was perhaps only vulnerable because it had not been open for audit before.

      In other words, had the source code for IE been OSS from day one, then the bug might very well have been found and fixed before the application was widely distributed.

      • by LostCluster (625375) * on Monday February 16, 2004 @01:56PM (#8295579)
        On the other hand, this bug existed in IE5 all along, but was not discovered until the code was leaked. Now, IE6, which is not at risk, has far surpassed the at-risk version in usage.
        • by aborchers (471342) on Monday February 16, 2004 @02:03PM (#8295674) Homepage Journal
          A valid observation, but how many exploits were found without access to the source? If that number were low, the security-through-source-obscurity would be valid, but unfortunately for MS's credibility, it isn't low.

          It just turns out this one was extra easy to find because the code could be read. It would have been equally easy to fix as to exploit (had non-assholes been reading the source, but fear of contamination is keeping most credible OSS engineers from touching that stuff with a 10-ft debugger), bringing us right back around to the superior security of open-source position.

          • by malfunct (120790) on Monday February 16, 2004 @02:32PM (#8296005) Homepage

            These "easy to find" bugs were probably fixed in the huge code audit that MS did as part of their security initiative that happened AFTER the date of the leaked code.

            Not to say your point isn't valid, just that the real question is how do you get more intelligent eyes reading the code looking for this stuff. OSS isn't necessarily better, it's just that highly popular projects have lots of eyes. I know plenty of projects that get far fewer eyes and have TONS of bugs. Now that MS is being forced to be secure they are having lots of eyes so we will see in Longhorn if this improved anything.

            I will say this, it's easier to trust something that you can look through yourself, it may not be safer but you like it better because if you wanted you could see what was wrong. It's like driving a car vs riding with someone. You are often more at ease when you are behind the wheel because you can see/make/correct the mistakes whereas with another person driving you just have to trust. It has nothing to do with which driver is better.

            I will say that Linux and Apache are just great projects with hordes of great developers. It's a testament to the possibilities of the open source model, but it's not proof that the model is better. There are plenty of OSS projects that just suck, and those don't show me that the model is broken.

            Finally I will say there isn't the same incentive to make perfect code in a corporation that there is in the OSS community. The corporation is only going to do enough to get the money rolling in because the money is the reward. The OSS programmer is going to write to the very best of his ability because the code itself is the reward. Still doesn't make one model necessarily better than the other. The way we will make Microsoft improve its products is quit upgrading until they can prove they have a superior product. It seems from the press releases that the pressure of Linux may actually be forcing MS to improve.

            • by ajs (35943) <ajs@ a j s . c om> on Monday February 16, 2004 @03:01PM (#8296305) Homepage Journal
              Let's make this clear: the value of open source to security is not that there is this passive pool of eyes waiting to look at all code, but rather that when you have the eyes, they already have the code.

              How is this practical? Look at Linux, and more specifically Red Hat. There was a period of a year or two where Red Hat was finding a TON of bugs and fixing them. Why? Because they paid an external auditing firm to find them.

              This seems like business as usual until you think about the SuSE user... he gets a security update to openssh and sendmail even though HIS vendor didn't do the audit. This idea that everyone benefits whenever ANYONE in the community does the right thing means that the right thing gets done far more often. It's not that Linux vendors are more security conscious, it's that there are more of them.

              When Microsoft gets around to doing a security audit that's great, but they don't benefit when Red Hat does one or when FreeBSD does, etc., and that's hurting them and their reputation.
            • by G. W. Bush Junior (606245) on Monday February 16, 2004 @03:15PM (#8296447) Journal
              I know plenty of projects that get far fewer eyes and have TONS of bugs.

              It's a pretty moot point.

              The impact of a bug is probably inversely proportional to the amount of people auditing the code in an open source project...
              Sure, there are a lot of small projects that nobody really uses, so there aren't that many eyes for auditing the code... but so what?

              The projects are unpopular, so if somebody found a security bug it wouldn't affect that many people (and is it really worthwhile spending the time making an exploit that will affect 1000 users worldwide?)

              As long as the popular projects are safe then I don't really care.

          • by tedgyz (515156) on Monday February 16, 2004 @02:43PM (#8296147) Homepage
            Your last point is particularly poignant. I followed the link, started reading, and then saw there was source code in it. I quickly x'ed the tab to avoid even glancing at the code.

            The editors should add an update warning that some source code is in the article. It's like seeing your sister naked. Ack!

            Obligatory Monty Python reference:
            GOD: ...What are you doing now!?
            ARTHUR: I'm averting my eyes, oh Lord.
            GOD: Well, don't. It's like those miserable Psalms -- they're so depressing. Now knock it off!
        • by yamla (136560) <chris@@@hypocrite...org> on Monday February 16, 2004 @02:25PM (#8295926)
          What evidence do you have that this bug was not found until the code was leaked? It is entirely possible that some people did indeed know about this bug and had used it to exploit Windows systems for quite some time. Of course, I have no evidence of this either but as I'm not a black-hat (or indeed a hacker at all), I wouldn't expect to hear about it.
        • by KReilly (660988) on Monday February 16, 2004 @03:09PM (#8296393)
          But I think the point is that it was leaked. That nobody can keep an eye on their code if it is used this widely. If the code had been under public scrutiny since day one, more flaws would be found, but the overall code would be stronger, not weaker. This is why everyone can complain about tons of holes in Linux, but miss the fact that just as many (if not more) exist in Windows, and it's just a matter of time before they get found out. With Linux, you have to take the attitude, the sooner, the better.
    • by Anonymous Coward on Monday February 16, 2004 @01:58PM (#8295602)

      Open-source security doesn't come from having the source available. It comes from lots of people actively working on the source. Tell me, how many random hackers do you think will work on the Windows codebase?

      This is one of the reasons why "open source" is more than "source available"

  • by SlashDread (38969) on Monday February 16, 2004 @01:44PM (#8295376)
    to fix it...

    "/Dread"
    • by santos_douglas (633335) on Monday February 16, 2004 @02:10PM (#8295775) Journal
      Think about it, the conspiracy theorists are right - the leak was on purpose. Call it Phantom Open Sourcing: pretend to leak your buggy source code, lots of programmers look it over and find all sorts of problems for free! All their developers continue working on new products and a few are assigned to make the new updates compliments of the leak. This will be hailed as the most brilliant management cost cutting strategy in history.
  • by WebMasterJoe (253077) <joeNO@SPAMjoestoner.com> on Monday February 16, 2004 @01:45PM (#8295394) Homepage Journal
    Wouldn't it be interesting to see the patch come out later today, from an anonymous source!
  • And counting (Score:5, Interesting)

    by millahtime (710421) on Monday February 16, 2004 @01:45PM (#8295397) Homepage Journal
    So, what is this... like the 10,000 IE security hole reported in the last couple years. Why write another IE virus? Is there really any challenge left?
    • Re:And counting (Score:5, Insightful)

      by RomikQ (575227) <romikq@mail.ru> on Monday February 16, 2004 @02:00PM (#8295630) Homepage
      Even for an IE hole, this is pretty severe - now worms just have to send HTML emails with an img tag that points to a specific bitmap and voila: anyone who uses an mshtml-based email client (including webmail) and hasn't updated for a while gets infected just by opening the message.

      Sure, sooner or later Hotmail will stop showing bmps in messages and issue a warning like "if you get a message, do not open it, but delete immediately", but hey, I bet the amount of worm emails in my Junk mailbox will increase drastically in the next couple of weeks.
  • No Problem (Score:5, Funny)

    by Jedi1USA (145452) on Monday February 16, 2004 @01:46PM (#8295407)
    Microsoft just needs to get a copy of the leaked code and look it over for potential exploits.

    Oh wait. :^)

  • by MicroBerto (91055) on Monday February 16, 2004 @01:46PM (#8295413)
    IF this is true, the release of the source is the nail in the coffin for Microsoft.

    An exploit this quick? There's going to be some serious happenings going on at Microsoft. Also look for another Longhorn delay sometime due to everything that is found out.

    I'm not sure what to think. I'm not happy that when I get back to work this summer, I'm going to spend way too much time fighting these problems/viruses and patching things up. I'm not happy businesses are losing money. I am, however, happy that Microsoft is forced to clean up their act even more, or they are going to lose market share.

    Open source isn't 'communistic' -- it's capitalistic. Why? It increases competition.

    We have an interesting 6 months ahead of us, folks.

    • by KingOfBLASH (620432) on Monday February 16, 2004 @01:49PM (#8295478) Journal

      IF this is true, the release of the source is the nail in the coffin for Microsoft.

      Actually I think that, if Microsoft doesn't lose its customer base to all the exploits found, it's going to make Microsoft stronger. Think about it, right now Microsoft is receiving the same kind of security review that makes OpenSource products so strong in the first place. Granted, it's coming at a very high cost, but their source code will have much fewer bugs when this is over.

      • by bmwm3nut (556681) on Monday February 16, 2004 @02:01PM (#8295652)
        yes, but that's assuming that everyone who finds a simple exploit like this one actually reports it. i can imagine that there'd be a number of black hats that will find and use these kind of exploits and not tell anyone how they did it.

        but i am happy that this leak happened. it just shows that the code should be out for peer review from day one. security-by-obscurity is second only to security-by-telling-people-what-not-to-do. (e.g.: "don't open that door, there's valuable stuff in that room")
      • by Anonymous Coward on Monday February 16, 2004 @02:19PM (#8295867)
        Granted, it's coming at a very high cost, but their source code will have much fewer bugs when this is over.

        There is only one problem: the source code is illegal.

        Most people who find and report bugs will probably never see this code, and if they do see it, they'll deny it. This means that most people looking at the source code for bugs are doing so for their own benefit.

        It'd be very naive to believe that these black hats will release information about the bugs they found. In the case of this IE5 bug we can say that the guy who found it is probably a young fellow looking for m4d pr0pz.

        IMO, this source leak is very bad for MS, for it will get the worst part of both, closed source and open source, worlds. On one hand, every bad guy out there can, and will, see the code; on the other hand every white hat is legally and ethically forbidden to look at the source.

        Unless MS is trying to pull an SCO, I can't imagine a worse scenario.
    • by HardCase (14757) on Monday February 16, 2004 @01:51PM (#8295510)
      IF this is true, the release of the source is the nail in the coffin for Microsoft.

      Please...you might as well say that BSD is dead. Nobody is happy about all the ruckus that the whole affair is going to raise, but it's a little early to pronounce Microsoft dead.

      -h-

    • "We have an interesting 6 months ahead of us, folks."

      I can see the headlines now;

      "New exploit found in IE5"
      "Yet another exploit found in IE5"
      "Exploit found in Minesweeper"
      "Exploit found in Notepad"
      "Yet another exploit found in Minesweeper"
      "Yet another exploit found in Notepad"
      "New exploit found in IE5"
      "God damn! Another exploit found in Minesweeper"
      .
      .
      .
      "Exploit found in taskbar"
      "Exploit found in Times New Roman"
      "Exploit found in bootstrap"
      "Exploit found in Wingdings"
      "Exploit found in ...."

      Sounds pretty redundant and boring to me. ;)

      -m
  • by superpulpsicle (533373) on Monday February 16, 2004 @01:47PM (#8295420)
    So I should be all set for the next 2 days until the next major security flaw is found.
  • Bugs (Score:5, Insightful)

    by Agent_Number_4 (697721) on Monday February 16, 2004 @01:48PM (#8295445)
    This is just the tip of the iceberg, just imagine what could be done if the whole code was released, and included source for XP.

    I for one am truly alarmed and cannot wait for Microsoft to start the repairs; but then again this is good news for MS programmers looking for OT.

  • by kyndig (579355) on Monday February 16, 2004 @01:48PM (#8295459) Homepage
    It was only 15% of the source code which leaked out, yet it will show MS in the weeks to come just how the Open Source community operates. I foresee them working overtime to provide updates to the numerous vulnerabilities which will arise due to the leaked code. This here is just one example. There were some, what, 3 million lines of code in the leaked source. It is just a matter of time. Hopefully folks will report the vulnerabilities which they find, as opposed to exploiting them.

    • by Savant (85811) on Monday February 16, 2004 @02:03PM (#8295676)
      And yet those who contact Microsoft with patches for the leaked code are marking themselves as individuals who've read that code. As such, they are now fair game for Microsoft should they ever work on a piece of open source or commercial software that duplicates in some way functionality present in Windows.

      I'm staying away from the code, and if I were ever tempted to look at it and did discover a vulnerability, I certainly wouldn't release a patch with my name attached.
  • by secondsun (195377) <secondsun@gmail.com> on Monday February 16, 2004 @01:50PM (#8295489) Journal
    If you were to embed MyDoom after the overflow area in the bitmap then when Outlook opened the file using IE's renderer could one have MyDoom that didn't even need to have the end user open the file? It would just execute, replicate, then piss people all to hell? For that matter could I include the Windows equivalent of rm -rf / ?
    • by Phillup (317168) on Monday February 16, 2004 @02:24PM (#8295918)
      Congrats... you are the first post I've seen that gets one of the very important points.

      I've seen everyone say that IE 6 isn't vulnerable... and all I keep thinking is: Not to this particular instance of the exploit. That doesn't mean it is free of problems from this class of exploits.

      But, you can bet that the person that wrote this one little bit of code wrote a lot of other code. So, what you have in front of you is a class of problem that can be tried over the entire binary code base. You now know that one image handling routine is susceptible to this flaw... and now you can start targeting them all. Without needing access to the source code for that part of the software.

      Know how many times Windows (a graphical user interface) handles bitmapped files? Every one of those is a possible point of failure that you don't need the source code to find... simply start feeding something like this bmp to each of them.

      Automated testing at its finest.
  • by Jacco de Leeuw (4646) on Monday February 16, 2004 @01:50PM (#8295493) Homepage
    Kuro5hin [kuro5hin.org] has an article about the source code:

    "In short, there is nothing really surprising in this leak. Microsoft does not steal open-source code. Their older code is flaky, their modern code excellent. Their programmers are skilled and enthusiastic. Problems are generally due to a trade-off of current quality against vast hardware, software and backward compatibility."

    But this IE exploit shows that the author was wrong on at least one account:

    "The security risks from this code appear to be low. Microsoft do appear to be checking for buffer overruns in the obvious places. The amount of networking code here is small enough for Microsoft to easily check for any vulnerabilities that might be revealed: it's the big applications that pose more of a risk. This code is also nearly four years old: any obvious problems should be patched by now".

  • Outlook (Score:5, Insightful)

    by eth00 (612841) on Monday February 16, 2004 @01:51PM (#8295511) Homepage
    So does that mean that all the users that use Outlook could also fall prey to this? Send out spam with an image and if the Outlook user has auto preview on, which they probably do, they now can be exploited by whatever code. That would be an interesting concept that would lead to a lot of trouble. Sure IE5 is old...but lots of people still use it.
  • by halo8 (445515) on Monday February 16, 2004 @01:52PM (#8295518)
    a specially crafted bitmap file

    Good thing all those Goatse pictures were in .jpeg .gif and .tiff

  • by PierceLabs (549351) on Monday February 16, 2004 @01:52PM (#8295519)
    No system is 100% secure be it Windows or Linux.

    When people have access to the source they can more readily find exploitable mechanisms in your code. This is a GOOD thing because you want to know that your system is exploitable, how it is exploitable, and (which is the case in many open projects) how to prevent that exploit.

    Any form of content (not just scripts and ActiveX controls) can be used to exploit a weakness in a system. A security strategy that involves simply filtering content is a weak one.

    The open source community can be a powerful friend to any organization willing to take the chance on their code being available to others.
  • Tad Sad. (Score:5, Interesting)

    by His name cannot be s (16831) on Monday February 16, 2004 @01:52PM (#8295525) Journal
    I'm a bit confused.

    I mean, I've been doing C for almost 20 years. One of the first lessons I learned --And not for 'security' so much as crash free programs-- was not to do such things.

    I mean, holy crap, it's too damn simple to see the bug. What kind of idiots do they have working at MS?

    "The Very Best Kind" :p
    • Re:Tad Sad. (Score:5, Insightful)

      by Boing (111813) on Monday February 16, 2004 @02:26PM (#8295943)
      I mean, holy crap, it's too damn simple to see the bug. What kind of idiots do they have working at MS?

      Well let me ask you this... look at this brick wall. Now tell me which one of the bricks is actually a rusty piece of metal that just looks like a brick.

      It's pretty simple to see this bug now that we're looking right at it. And it obviously was not too hard to find when specifically looking for index-checking bugs. But it's even easier to let something like this slip when you're a tired microserf adding code at 4am trying to meet a deadline. And with the limited resources at Microsoft (huge as it is), that have to be divided into all the different parts of all the different software projects, it's really a hard sell to convince someone to look through all the gazillions of lines of code that have "Just Worked" in the past.

      It's easy to judge, but since we really don't know the environment in which this particular bug was introduced, I think we should cut the original programmer a little slack. (not completely, though. Some culpability is appropriate seeing as Microsoft took our money and should be somewhat responsible for the damages caused by the vulnerability of their faulty products)

  • by Anonymous Coward on Monday February 16, 2004 @01:57PM (#8295595)
    i wanted to post this in the first MS leak story, but oh well, here it is now.

    $ grep -ir " don't care " /win2k/* | wc -l
    332

    check it yourself
  • Well sucks but (Score:5, Insightful)

    by Tobias Luetke (707936) on Monday February 16, 2004 @01:59PM (#8295621)
    It also shows that MS does their job.

    When Microsoft declared security as their main goal IE5 was the current browser. IE6 has it fixed so they obviously went through their stuff to fix it.

    It's very true that bounds checking errors are very easy to prevent but if you say it's sloppy programming to have errors like this in your code you either work in Java or .NET or you don't program at all. It's the price you pay for native compiled code and the main reason people are turning their backs on it.
    • Re:Well sucks but (Score:5, Insightful)

      by Nynaeve (163450) on Monday February 16, 2004 @02:15PM (#8295839)
      It doesn't mean MS found and fixed it. That particular piece of code may not be present in IE6 for a completely different reason.
      If they knew it was a security risk, they'd have fixed it in both IE5 and IE6.
      Since they didn't, you may safely conclude that MS doesn't "do their job."
  • by rjamestaylor (117847) <rjamestaylor@gmail.com> on Monday February 16, 2004 @02:01PM (#8295639) Homepage Journal
    Burn some Live CDs to hand out to friends, family, co-workers. Introduce them to Linux and warn them of the dangers of LOOKING AT IMAGES using Internet Explorer 5.0.

    There are many good ones*. Personally I fell in love with the Knoppix 3.4 c't edition with the 2.6 kernel -- using it gave me my first experience of non-stuttering KDE with heavy loads, looping MP3s and lots of usable features (except detecting the Dell Inspiron 5150's on-board WiFi -- not Centrino).

    Pick several, spend a few bucks on good CD-R discs, make a nice label with "do exactly these steps" instructions on the label.

    It's not about world domination, it's about stopping the thieving cracker spammers from gaining more zombie Windows boxes to do their bidding and ruin the Internet for the rest of us.

    * start here:
    http://www.google.com/search?q=live+cds+linux
  • by IamGarageGuy 2 (687655) on Monday February 16, 2004 @02:02PM (#8295657) Journal
    I see this is good news in that there is going to be an ongoing stream of exploits in Windows. This is good news. Think of all of the boxes that will be broken in the next few months. I should mention that I make a living fixing Windows boxes. I also fix Mac and Linux - but there isn't really much money in fixing them.
  • I cant wait (Score:5, Funny)

    by Edmund Blackadder (559735) on Monday February 16, 2004 @02:04PM (#8295690)
    I can't wait to read a whole thread of Slashdot people saying "i told you so".

    However, I feel bad for the "slashdot team" of the Microsoft PR department. I doubt those guys will have Presidents' Day off. They might even have to pay extra for an additional delivery of "bulk mod points".

  • by MetaMarty (38276) on Monday February 16, 2004 @02:06PM (#8295722)
    Did you hear about the image that kills your computer whenever you view it?

  • by Animats (122034) on Monday February 16, 2004 @02:32PM (#8296014) Homepage
    In this Slashdot article [slashdot.org] back in 2000, I reported that vulnerability: So this has been publicly known for years.
    • The ... decompressor for RLE-compressed .BMP files is in the kernel, and contains a buffer overflow.

    You didn't need the source code to find that problem. I found it because I was creating compressed .BMP files and accidentally created one that crashed Win2K every time.

    If Microsoft doesn't read Slashdot, that's their problem.

  • by gexen (123248) on Monday February 16, 2004 @02:48PM (#8296203)
    Nobody knows how old the sourcecode actually is! Several people have used IE 5 and the exploit code does not work. The things in the code could have, and in this case, has, been fixed long ago!
  • by MattyCobb (695086) on Monday February 16, 2004 @03:00PM (#8296302)
    I don't see why everyone is going crazy over this exploit. I mean really... Microsoft actually has already done something about this... it's called get the NEW version of IE. Don't get me wrong, I am a big open source supporter, but seriously... OSS would have made no difference here. Basically people just have to keep up to date with IE and patches to get around this. Same as if someone, however unlikely, found such an exploit in a Mozilla product... or some other open source browser. The fact that it is open source and someone could find the bug faster means nothing if you don't keep your software up-to-date. And no, most casual Windows users don't. And no, getting them to switch to a 'nix OS wouldn't change that.

    It's really more of an education problem than a software problem. Most computer users (not the /. crowd) have no idea what they are doing....

    At least that's my 2 cents.
  • by tau_ (154048) on Monday February 16, 2004 @03:23PM (#8296555)
    So, where's the .bmp I can link to my web site that makes IE5 remotely execute Mozilla Firefox installer?