Microsoft Security

Microsoft's Urgent Patch Precedes Black Hat Session

Julie188 writes "Mystery solved! Microsoft's latest emergency out-of-band patch was weird beyond belief. A notice was sent to journalists and researchers late Friday evening that the patch was coming Tuesday, but Microsoft refused to explain the flaw and even put a cone of silence around researchers who would have otherwise talked about it. But finally, one researcher broke ranks and explained that the patch was caused by a flaw introduced in Microsoft's own development tools. This flaw was also the source of the emergency ActiveX patch, which took about 18 months to complete and which supposedly fixed the problem by turning off ActiveX (setting a 'killbit' on the control). Researchers at Black Hat on Wednesday will be demonstrating how to override the killbit controls and get access to vulnerabilities supposedly stopped with a killbit. What's really scary is that Microsoft has issued 175 killbits fixes so far."
  • by timmarhy ( 659436 ) on Wednesday July 29, 2009 @08:58AM (#28864945)
    yes activex sucks, anyone who doesn't know this already has rocks in their head, but calling a patch "weird beyond belief"? MS gets wind of security hole that might be really bad, patches it urgently.

    damned if they do damned if they don't?

  • by Drakkenmensch ( 1255800 ) on Wednesday July 29, 2009 @09:07AM (#28865037)

    1. Be told of critical flaw by multiple, repeatable accounts and deny everything as a "paranoid fantasy"

    2. Secretly prepare emergency patch and bury it in driver update patches

    3. ???

    4. PROFIT!!!

  • Re:Kill ActiveX (Score:5, Insightful)

    by click2005 ( 921437 ) on Wednesday July 29, 2009 @09:19AM (#28865143)

    Doesn't Windows Update (via the webpage) use ActiveX?

  • by jo42 ( 227475 ) on Wednesday July 29, 2009 @09:28AM (#28865269) Homepage

    I'd suspect the vulnerability and solution was such a cluster frak, that it took that long to work it out without royally fraking everything else up.

  • by intheshelter ( 906917 ) on Wednesday July 29, 2009 @09:32AM (#28865341)
    Eeaasssy big fella. The post had a point. 18 months is still ridiculous. It's almost as if MS wasn't taking security seriously and was instead wasting time on search engines, game consoles, media players, picking retail store locations and repackaging Vista as Win 7. . . . But no company could be THAT dumb and incompetent, could they?
  • by pfleming ( 683342 ) on Wednesday July 29, 2009 @09:37AM (#28865395) Homepage Journal

    Patching a security hole ASAP is a good thing. But it's still unusual behavior from Microsoft. One would expect them to wait 2 weeks for the normal Patch Tuesday.

    You mean you would expect them to wait 18 months and two weeks? That's absolutely ridiculous! The only reason to release now is that it's being exploited in the wild. Do you really think they would have fixed it on patch Tuesday if they hadn't done so in 18 months?

  • by mcgrew ( 92797 ) on Wednesday July 29, 2009 @09:53AM (#28865607) Homepage Journal

    "Sad" isn't the word for it. Evil comes close, though. The fact that the flaw was introduced by their own development tools is what's sad. The people who get exploited by this flaw will be sad.

  • by RenHoek ( 101570 ) on Wednesday July 29, 2009 @09:54AM (#28865621) Homepage

    I believe step 3 here is

    3. Maintain that Windows is more secure than other operating systems because bugs are fixed really quick.

  • Re:Imagine. (Score:5, Insightful)

    by bstreiff ( 457409 ) on Wednesday July 29, 2009 @09:58AM (#28865683)

    So you're contrasting OS upgrade fees for OS X... versus not upgrading Windows.

    Guess what? There are upgrade fees to go from XP to Vista to 7, too.

  • by rolfc ( 842110 ) on Wednesday July 29, 2009 @10:01AM (#28865741) Homepage
    I know, a lot of people believe that when there are more users, there is more incentive to exploit and that is the only difference between Windows and Linux. It's just that it doesn't work that way. They are implemented in a different way, and since my confidence in the security of Microsoft isn't that great, I don't believe you are right.
  • Re:Imagine. (Score:2, Insightful)

    by koolfy ( 1213316 ) <koolfyNO@SPAMgmail.com> on Wednesday July 29, 2009 @10:21AM (#28866007) Homepage Journal

    I would upgrade to a Macintosh and abandon the Microsoft/ActiveX/Exploder trojanware completely

    Yeah, like if mac was better at security fixes [tuaw.com]...

  • Re:Imagine. (Score:3, Insightful)

    by commodore64_love ( 1445365 ) on Wednesday July 29, 2009 @10:24AM (#28866057) Journal

    >>>Except Windows apps from today still run on a 10-year old Windows 2000 machine, for the most part.

    Precisely. With Windows you don't have to upgrade because it has a relatively long support cycle, and as you pointed out you can continue using Win2000 (or even Win98) without problem. In contrast my Mac 10.4 which is not that old, refuses to run anything because virtually all the software requires 10.5 or higher.

    And thus we're back to my point - "A $100 fee every year to upgrade from 10.4, to 10.5, to 10.6, and so on. i.e. Macs are expensive to maintain."

  • Re:Imagine. (Score:3, Insightful)

    by daem0n1x ( 748565 ) on Wednesday July 29, 2009 @10:27AM (#28866091)

    Somehow people think it's normal to embed in webpages stuff that is executable code for a particular operating system and processor architecture. WTF?!?

    This is soooo fucking stupid I almost can't believe it. I've tried for years to convince people of that but they look at me as if I'm an alien.

    It was a tremendous lock-in strategy for Micro$oft, though. They're still cashing in on it. Fortunately, the tide is changing, but it will take a long, long time until this ActiveX shit is gone.

  • by rzei ( 622725 ) on Wednesday July 29, 2009 @10:49AM (#28866413)

    I do not think that the problem lies in use of C/C++, but in the horrible way of using it. From what I've gathered around the Internet "why win32 is great" is that they lacked any kind of stable way of creating their (old?) APIs; everyone just created a new standard for return values and parameter handling. And on top of that some crazy macros that make Symbian code look readable in comparison.

    I mean, I've only learned how to program in C/C++ (at university) but been working as a Java dev for quite some time now. Still I can almost make sense of mplayer [mplayerhq.hu]'s or ffmpeg's source code but every time I see some "Windows" C++ it's just plain awful because of all the macros and #define constants. If you ever read KDE's or Qt's sources and compare those to something done with win32... There is a massive difference.

    Every tool can be miserably misused.

  • by DavidTC ( 10147 ) <slas45dxsvadiv.v ... m ['box' in gap]> on Wednesday July 29, 2009 @11:08AM (#28866701) Homepage

    Strictly speaking, the GP is right. The reason that ActiveX is more vulnerable than Firefox is there are a lot more ActiveX controls than Firefox plugins. (Not to be confused with Firefox Addons, which seem to be fairly secure, and are pieces of javascript. Firefox plugins are things like the PDF viewer that Acrobat installs, etc.)

    However, the reason there are a lot more ActiveX controls is a, tada, bad design. It's because ActiveX fundamentally lets you embed all sorts of stuff that came with the operating system and random applications and were not designed to be controlled by a web page. Stuff around from before web browsers!

    So Microsoft has to kill each of these, one at a time. That's what the '175 killbits' is talking about....something like 125 of those were on things that it should not have been possible to load in a web browser anyway, but Microsoft decided it would be great fun if you could load all those fancy new signed-DLLs-under-another-name in a web browser. And companies that had been putting out ActiveX controls and had never had to worry about security before, because they were selling a PDF rendering control to software developers to embed in their app, suddenly found out how insecure they were.

    Aka, is your car secure, right now? Yes? Alright, let's transport these dangerous criminals in it. What do you mean, it's not secure from that direction?

    And this isn't helped by the fact that ActiveX controls are so easy to install. I'm not talking about malicious ones, those are easy also, but legitimate good ActiveX controls, which are signed by a legit company and everything.

    And they work for two years, and web design moves on...and eventually a hole is discovered in them...and crackers download that version, put it up on their web site, and wait for people to click Yes to install this clearly legit control, signed by Macromedia or whatever, so they can buffer overflow it.

    Oh, look. Have to issue a killbit for that also.

    The large proliferation of ActiveX controls vs. the small proliferation of Netscapian plugins is why ActiveX is so vulnerable, but the first is entirely due to a rather stupid design decision at the start of IE that let web page designers use random ActiveX controls (Which everyone forgets were not invented for web browsers, but existed before as DLLs with well defined embedding mechanisms.) in a web browser.
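
The killbit discussed in the summary and in the comment above is a per-control registry flag: bit 0x400 of the `Compatibility Flags` DWORD under `Internet Explorer\ActiveX Compatibility\{CLSID}`. The following is an added example, not part of the thread or any poster's code: it parses the decoded text of a `reg export` of that key and reports the registry views (native and `Wow6432Node`, which 32-bit IE reads on 64-bit Windows) where a control's killbit is not set. The CLSIDs and the non-killbit flag values are constructed placeholders.

```python
import re

KILL_BIT = 0x00000400  # kill bit in the "Compatibility Flags" DWORD
KEY_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\SOFTWARE\\(Wow6432Node\\)?Microsoft\\"
    r"Internet Explorer\\ActiveX Compatibility\\(\{[0-9A-F-]{36}\})\]$", re.I)
FLAGS_RE = re.compile(r'^"Compatibility Flags"=dword:([0-9a-f]{8})$', re.I)

def parse_killbits(reg_text):
    """Map (view, CLSID) -> flags for each control key in a decoded .reg export."""
    flags, current = {}, None
    for line in map(str.strip, reg_text.splitlines()):
        key = KEY_RE.match(line)
        if key:
            view = "wow64" if key.group(1) else "native"
            current = (view, key.group(2).upper())
            flags.setdefault(current, 0)  # key without the value counts as 0
        elif line.startswith("["):
            current = None                # some other key: ignore its values
        elif current and (m := FLAGS_RE.match(line)):
            flags[current] = int(m.group(1), 16)
    return flags

def views_missing_killbit(flags, clsid, views=("native", "wow64")):
    """Registry views in which the kill bit is not set for `clsid`."""
    return [v for v in views if not flags.get((v, clsid.upper()), 0) & KILL_BIT]

# Constructed sample export (CLSIDs are placeholders, not real controls).
BASE = r"HKEY_LOCAL_MACHINE\SOFTWARE\{}Microsoft\Internet Explorer\ActiveX Compatibility"
NATIVE, WOW64 = BASE.format(""), BASE.format("Wow6432Node\\")
A1 = "{00000000-0000-0000-0000-0000000000A1}"
A2 = "{00000000-0000-0000-0000-0000000000A2}"
A3 = "{00000000-0000-0000-0000-0000000000A3}"
SAMPLE = "\n".join([
    "Windows Registry Editor Version 5.00", "",
    f"[{NATIVE}\\{A1}]", '"Compatibility Flags"=dword:00000400', "",
    f"[{WOW64}\\{A1}]", '"Compatibility Flags"=dword:00000420', "",
    f"[{NATIVE}\\{A2}]", '"Compatibility Flags"=dword:00000400', "",
    f"[{NATIVE}\\{A3}]", '"Compatibility Flags"=dword:00000020', "",
    f"[{WOW64}\\{A3}]", '"Compatibility Flags"=dword:00000020',
])

if __name__ == "__main__":
    parsed = parse_killbits(SAMPLE)
    for clsid in (A1, A2, A3):
        print(clsid, "missing in:", views_missing_killbit(parsed, clsid) or "none")
```

The flag is tested as a bit rather than compared for equality, so a control whose flags carry other bits alongside 0x400 still counts as killed, and a control killed in only one view is reported for the other.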

  • Re:Imagine. (Score:4, Insightful)

    by Anonymous Coward on Wednesday July 29, 2009 @11:20AM (#28866897)

    If you bought both of these upgrades, you will have spent $35.11 per year on upgrades.

    Which is close to the cost of an anti-virus subscription.

  • by sexconker ( 1179573 ) on Wednesday July 29, 2009 @12:10PM (#28867891)

    And we still don't have anything better.

  • Re:Imagine. (Score:1, Insightful)

    by Anonymous Coward on Wednesday July 29, 2009 @01:01PM (#28868971)

    And for that equal cost, you get increasing operating system performance rather than a gradual slowdown from constantly scanning everything you access. How nice!
