Controversy Surrounds Huge IE Hole 907
Suchetha wrote in with a Wired News bit talking about
security hole
in IE that allows malicious web pages to reformat a hard drive. The Wired
talks
more about bugtrack's handling of the whole thing, and how it essentially posted working
code for the exploit. Was it irresponsible or not?
Of course it was irresponsible (Score:4, Insightful)
Irresponsible? (Score:2, Insightful)
Easy question to answer.
If Linux had an exploit that allowed someone to ssh into your box, su to root, then fsck your harddrive, and a patch wasn't released yet, would you be pissed off that bugtraq posted the code to exploit the bug?
Don't say "it'll never happen," cause anything is possible.
Yes!!! (Score:5, Insightful)
It might be my sadistic side, but I prefer for working exploits to be posted by the security sites... It gives you a way of checking to see if you are vulnerable.
In the case of M$ bugs, it also puts more pressure on the company to come up with a fix for the problem quickly.
Were Bugtraq irresponsible? (Score:4, Insightful)
I'd even go as far to commend Bugtraq....it takes balls to do something like that and it *does* benefit the whole community eventually.
-psy
Shooting the messenger .. (Score:3, Insightful)
The article is just stupid
Re:Irresponsible? (Score:4, Insightful)
However I'd also be quite upset at my vendor for letting this happen.
what is the stink about it.... (Score:5, Insightful)
Those who think, "We should give MS a couple months to find an appropriate patch" are sadly misguided. Do you think a script kiddie or hacker is going to wait? Do you think they're going to say "Oh, I shouldn't do this because microsoft is a big company." Wake up people, the only way a company is going to put their top programmers on the job to fix the bug is when the threat moves from "possible" to "real". As much as I wish companies too exploits more seriously, the reality is they don't until it is percieved as a "real immediate threat."
Moot point (Score:2, Insightful)
After all, if some script-kiddie wanted to exploit this, they'd just find the working code somewhere else.
Comment removed (Score:2, Insightful)
Any kind of bugtraq mailing list (Score:2, Insightful)
Only people who need that information should be allowed to it. That's why only something like bugzilla really works well with a product that is likely to be subject to exploits - only the people who are developers of the relevant piece of code are admitted into the security exploits section.
If that kind of info is posted openly on the web, I fail to see the difference between that and stupid pages that always post activex exploits thinking they're cool hax0rs. Cool hax0rs don't post exploits, they fix them.
Know the code, avoid the code? (Score:4, Insightful)
Informed security is way better than uninformed security.
Anyone who wants to use this exploit will find out how. The exploit-users already know how to use it and will tell their friends, so we may as well know also.
Re:Were Bugtraq irresponsible? (Score:2, Insightful)
Was it irresponsible? (Score:1, Insightful)
Easy (Score:4, Insightful)
Too many companies (software vendors, security consultants) are financially vested in how bad the security blackeye looks in the marketplace and it colors their policies regarding security notification.
As far as I'm concerned, the interests of the software users should be the primary concern.
If you still use IE... (Score:2, Insightful)
Re:Of course it was irresponsible (Score:3, Insightful)
How long would a software company just sit on a bug without releasing a fix as long as it wasn't public knowledge?
How long would it take for a software company to release a fix when users are getting fucked up from it on a daily basis?
Accussing bug reporters ?! (Score:1, Insightful)
That leaves us with each other as our ONLY protection. Personally, I WANT to know if users in my network are able to accidentally destory their computers, and I NEED to know how the problem occurs so I can help avoid it. As I already stated, if we can not help each other get past the problems, then malicious programmers will have already won, thats just the MS world. Trusted computing is between users, not with the vendor in these dark times.
Re:Of course it was irresponsible (Score:5, Insightful)
Posting an exploit that is currently available to the script kiddies on BugTraq is a way of bringing exploits that so far are only posted in script kiddy boards into the public eye, so they find out about it, get offended, and get the damn hole patched.
It works. It is PROVEN to work. So I don't know why people still bitch about it.
Microsoft has known of the hole for over two weeks now. It's in the wild. It's not patched. Maybe NOW it will get patched.
Re:Irresponsible? (Score:5, Insightful)
Secondly, I'd rather *know* what an exploit looks like, and thus be able to create a filter to prevent exploit packets incoming rather than just hoping that an exploit doesn't exist (because if it does, the black hats will have it, and the script kiddies will get hold of it).
Thirdly, I have enough knowledge to help join in the effort to fix the bug; I'm not the only person with that sort of knowledge. In the situation you describe, I can attempt to tackle bugs that affect me; I'm not dependant on someone else doing it for me. Even if I was dependant on other people, I'd still prefer them to have the extra visibility into the problem that an exploit provides. I've had to debug similar errors before, and while the debugging is the hardest part, the second hardest is creating a useful test case; in your situation, I have a test case already.
Re:Active content... (Score:5, Insightful)
Most exploits involve one javascript generating a second window which comes into the local zone and posting content to that, though I think that's somewhat patched now, they can also use ActiveX controls to screw you. There is obviusly something flawed with the model, and had they just made javascript a web only scripting language like it was designed, none of this would have happened.
Re:Any kind of bugtraq mailing list (Score:2, Insightful)
How do you determine need?
If I use the software, I need the information, so I can protect myself. With that in mind, everybody potentially needs the information.
Read the article. The information in question was already available in black-hat circles, and was actively being used in the wild. Do you believe that the white hats shouldn't be on level footing?
Re:Of course it was irresponsible (Score:5, Insightful)
Irresponsible my foot. Mickeysoft WAS given a chance to fix this.
This was a well-known problem in IE for quite some time. Mickeysoft simply chose to ignore it, pretending it wouldn't have any impact. This proof-of-concept exploit shows that they're wrong.
Do you think Mickeysoft would have fixed the problem had no exploit been shown? Of course not, they proved that already. Now that there's an exploit will they fix the problem? I would certainly hope so.
Nothing to see here... (Score:3, Insightful)
It's really gotten quite tiresome. Neither side of the "full-disclosure" flame war will ever convince the other, so I imagine it will continue forever.
Keep in mind that bugtraq was specifically created to be a full-disclosure list. It's a central element of their charter. The moderator is therefore highly motivated not to block something on the grounds that it reveals too much information.
If you think that's irresponsible, there's no need to vent about it here. You can read hundreds of megabytes of archived debate on the subject. I'm quite sure whatever argument you want to present will be in there somewhere.
This isn't even a particularly good example to use, since the exploit was already public.
Re:irresponsible? (Score:2, Insightful)
No!!! (Score:4, Insightful)
Prevention BEFORE patching! (Score:5, Insightful)
For example a web proxy might be able to scan for the presence of the malicious code in question, but if that code is not available to the sysadmins, then how can they make appropriate filters? Also being aware of the ways in which these exploits work could allow sysadmins to make more general security policy decisions in terms of what users / processes are allowed to access what areas, etc. I'm not saying that it could be done in this case, but could in many others.
This could save a company a lot of time and money, and is therefore a good thing. It is not true to say that only the party responsible for producing a patch needs to see the actual code for security reasons.
Re:Of course it was irresponsible (Score:4, Insightful)
Security Researcher: "There's a security flaw in your product X."
Big Software Company: "No there isn't."
Security Researcher: "Yes, there is. If you don't fix it, I'm going to tell."
(denial leads to public annoucement of problem)
Big Software Company: "OK, there could be a problem, but it's not possible to exploit it."
Security Reseacher: "Yes it is possible. It you don't fix it I'm goint to tell everyone how."
(denial leads to public announcement of exploit)
Big Software Company: "Well, I guess we better fix it."
And wrong. (Score:5, Insightful)
The sploit paper says that MS was contacted about the combined exploit October 4, which is not in November, and that they have closed the issue with a "will not be patched because XYZ" statement, which is not to be investigating the issue.
Two critical wrongs in fact out of two possible. I just felt a sudden urge to trust the rest of the article so much more...
Re:Of course it was irresponsible (Score:5, Insightful)
But until a large percentage of the population gets screwed royally by a security hole... a large percentage of the population hasn't gotten screwed royally by a security hole!
Don't get me wrong, MS should be faster to patch their security holes, but where are your priorities? If you were confronted by someone who had just lost a bunch of important data because of this exploit, do you really think they'd be impressed if you said "But I was trying to make a very important point to Microsoft!".
Re:Active content... (Score:4, Insightful)
Irresponsible? (Score:5, Insightful)
Could you please explain how one could "properly" describe a bug without giving away how to exploit it? To describe a bug means you show what it is and how it's reproducable, which by definition is how to exploit it. The better you describe it, the better you pave the way for an exploit. So would you rather just no one mention the bug in the first place? Or perhaps just give a hint to the developers: "Psst! Hey, IE has another bug, and this one's a doozy!"
That's part of the problem with security thru obsecurity. If you either only "hint" at the bug or just don't mention it at all, you run the risk of an exploit being discovered and maliciously used while everyone else is still in the dark.
That said, the first step for security related bugs is to inform the original developers (in this case Microsoft). However, if and when the developers do not respond, what responsibility to the general public do you then have? Moreover, in this case the exploit was already out in the public domain (but you have to actually read the article to know that):
"The vulnerability is well-known within the security community and the information posted on Bugtraq was information that had been copied or linked from other public forums," Haldeman said. "This particular exploit has the potential to cause tremendous damage to systems, and security experts need to be aware that this vulnerability is being exploited in the wild to cause damage."
Given that, it's important that those who are responsible for their own and others security (generally the types who actually read bugtraq) know about this bug and can be prepared for it.
I disagree. (Score:1, Insightful)
Yes. Which is exactly what any vendor needs before working exploit code is placed on a high-traffic mailing list.
It's not like this bug has been around for 6 months. The article says the bug was discovered "earlier in November", which has so far given Microsoft (as of today) twelve working days to fix the bug (and that's assuming it was discovered on November 1!)
Considering Internet Explorer 5.5 and 6 run on over 73% of the computers on the 'Net [onestat.com], Microsoft has a huge responsibility here. BugTraq needs to give Microsoft a reasonable time in which to fix this bug before posting exploit code. I don't feel that ~2 weeks is reasonable for something that large. After all, if the patch crashes a single system and renders it unbootable, or even one out of every 1000 systems, it's a huge amount of trouble for Microsoft!
Now, if Microsoft hasn't posted a fix for 6 months, then I think it's reasonable to take additional steps. However, posting working exploit code probably isn't going to push Microsoft to fix the bug faster. It's just going to irritate the community, put additional pressure on Microsoft to release an untested fix, and allow script kiddies to copy and paste working exploit code into their web pages. It's a lose-lose situation.
Re:what is the stink about it.... (Score:5, Insightful)
While I agree with you in principal, and I'm sure we share the bond of 360k floppies with zipped copies of viruses, I have to disagree with the details.
I remember a time when the source code for some vulnerabilities was disclosed, but with errors. If you didn't know how to fix the error, you couldn't use the vulnerability. This way, it was kept OUT of the hands of script kiddies, but put INTO the hands of those with a clue on how to fix the problem.
I'd be willing to bet 95% of the break-ins on the internet are plain old script kiddies. IMHO, there isn't any more port scanning going on, there isn't any more social engineering of the average joe's desktop pc. That sort of work is left to the 'expert' black hats, trying to get into the 'treasure chest'. The rest are lamers just running what they found.
IMHO, if BugTraq is going to post vulns, they need to be non-working, and the user has to have the knowledge to fix them. Especially on closed platforms, it does less good release exploits for code you can't fix, because you're not fixing the problem, you're just working around it.
Re:Any kind of bugtraq mailing list (Score:4, Insightful)
Of course. That is why from now on we have instituted a simple procedure that must be followed any time you want to buy a book or read one in a library.
Just submit to the nearest government office the Request For Information Access form (RFIA-1984) together with all the necessary documentation proving that you need the information. In due time the form will be returned to you, stamped "approved" or "rejected". If it has been approved, take this form to your book dealer or library and you will be granted access.
Please be aware that having multiple requests rejected can adversly affect your future.
Have a pleasant day.
I once "discovered" a virus... (Score:4, Insightful)
We made a web site that showed how to clean an infected system and had downloadable infected files for virus researchers. At the request of some of the researchers, we took off the files and gave an email address for researcher requests instead.
Surprisingly, we got emails from script kiddies (some posing as researchers, some not) trying to get copies of the virus.
But, by the end of that week, there were separate executables from a few companies implementing our cleaning methods, and the next round of signatures could detect it.
I think it would have been a better idea for these guys to just post the solutions and keep the exploit code itself as secret as possible. MS will prettymuch HAVE to deal with this one. It's the kind of exploit you hear about in hoax emails, but I don't think it's going to make their lives much easier knowing that this exploit is so widely available, not to mention the people who get hit by it.
vk.
Re:Of course it was irresponsible (Score:5, Insightful)
What's a worse situation? A bug that goes completely unnoticed by the general population, but is quietly exploited for months by hackers that have done their homework....or...maybe a few more script kiddies find out about it but now Joe Public is WELL aware of it, due in no small part to the discussions that happen on boards like this.
And riddle me this, how is Symantec possibly irresponsible in this matter? They have no responsiblity whatsoever towards Microsoft or any of their products; they're both separate corporations. They both pursue their own separate agendas as they see fit. The good that comes of this is that maybe the public gets a little more aware of the situation.
MS has its own side to this, Symantec has its own side, they both have valid points to their arguments, but what winds up happening is the general public gets caught in the middle. If just one more person wakes up and realizes that because of this, then there's the real benefit.
Re:Irresponsible? (Score:2, Insightful)
Re:Know the code, avoid the code? (Score:2, Insightful)
The point is that even full disclosure only requires 'proof of concept' malicious code. There is no benefit on going the last step and widely circulating examples of code that actually f***s your hard disk.
OTOH, you don't gain that much either because it's generally fairly trivial to make damaging code from a 'proof of concept' exploit.
It's not a big deal either way really. Most vulnerable systems don't get trashed when the next exploit shows because crackers prefer backdooring to trashing. Not because they can't.
Re:Of course it was irresponsible (Score:3, Insightful)
Wonder how you'd feel when the People's Movement For Some Obscure Cause vaporize your town based on those plans...
Re:You can't force people to be free. (Score:2, Insightful)
I append this digital photo to the end of all messages in which I'm using humour for effect. One look at Bob's face and you'll understand why. If you now reread my comment all the way to the end, the meaning should become clear.
Hope that helps.
Re:I can't feel bad for Windows users. (Score:5, Insightful)
But it's not like that at all. It's more like I lock my front door. I ask my super "am I secure?" and the super replies "yes, absolutely."
Then I learn there's a fire escape. I say "The fire escape was unlocked." and the super replies "oh, yes, it was unlocked." So I lock the fire escape.
Then I find a closet door isn't a closet at all, but leads directly to the next apartment. I lock that. Suddenly, a section of all turns out to have a door that's been wallpapered over. Under the rug there's a trapdoor leading to the apartment below me. Hidden behind the fridge is a dumbwaiter. The entire fireplace rotates ala Indy Jones. I cry in exasperation to my super, who just says "well, aside from all those holes, your apartment is secure."
Yawn (Score:4, Insightful)
There are only so many times you can read a headline like that before the "cry wolf" factor starts to kick in. All these "bugtraq" alerts are academic...theoretical...What I want to see is a headline that reads Merrill Lynch crippled by XP flaw. Plans to sue MS for millions $$$ damages or somesuch. Or at least a story of an actual user whose life was ruined by an actual MS security hole. Something tangible...Now THAT would be interesting!
Re:Irresponsible? (Score:5, Insightful)
No, and here's why; if I have working code that roots my box, I can start looking for ways to prevent it from running. Know yourself. Know your enemy. The easiest way to beat something is to study it.
Now, that isn't an option in the case of IE, but I don't run it anyway. Still, there is at least some value in being shown how to exploit a vulnerability; it proves that it is real. I could send out an email tomorrow saying "Mozilla has a huge security bug that allows arbitrary execution of malicious VBScript," but unless I show you how, most (technical) people will assume I am blowing smoke. If I put up some code that demonstrates it, though, most (technical) people will say "crap, better 1. stop using Mozilla, or 2. get to hacking out a fix."
Wired's "article" is basically... (Score:4, Insightful)
What new ground is broken here?
None.
The simple fact remains that Micro$oft produces products that are riddled with the most egregious of security lapses, and that Micro$oft has an unrivaled history of dragging it's feet/passing the buck, even when billg is hit over the head repeatedly with the fact that his minions have unleashed yet another f*ckup on the unsuspecting public.
So, it's possible to contrive html that, when viewed on a remote web site, reformats the local hard drive of the box IE is running on?
Are you kidding me?
billg and every single idiot who was anywhere close to being involved with this f*ckup should be sued for every last penny they have.
As for full disclosure, let 'er rip.
It's the only way Micro$oft will ever be held in the least bit accountable for their crap.
t_t_b
Re:Irresponsible? (Score:3, Insightful)
That's about a month/month-and-a-half. Don't you think they deserve a good solid two months before posting the exploit?
Wrongly Phrased (Score:5, Insightful)
If you were confronted by someone who had just lost a bunch of important data because of this exploit, do you really think they'd be impressed if you said "But I was trying to make a very important point to Microsoft!".
Instead of that, you should say "By not fixing the bug, Microsoft was trying to make a very important point to you!"
Then they will at least be angry at the right entity.
Responsibility (Score:4, Insightful)
It seems that what's really irresponsible is not what Bugtraq did, but running IE to begin with. It's history of security flaws and exploits along with Microsoft's foot-dragging responses make it utterly irresponsible to run such software.
That said, no one is immune from security exploits. The argument for posting it to Bugtraq seems mainly to be that this motivates the vendor to move quickly now that their customers know about the exploit and now that nefarious types have easier access to it. (Don't fool yourself into thinking the most malicious types didn't usually already acquire it by other means.)
But if what we really want to do is motivate vendors to patch things quickly, it should be the first rule of Bugtraq that no exploit is posted until the vendor is informed. Most linux security exploits are resolved within about 48 hours, while it is true that Microsoft often takes weeks or months. Given our competing interests in both informing the vendor privately and getting information to the public, we should balance these in a reasonable way. One such solution might be that Bugtraq adopt a rule that after a vendor is informed, they have 48-72 hours after which time it will be posted.
For both the responsible vendors and the free software community this approach would balance our interests in minimizing exploits while a solution is actively pursued while also acknowledging the benefits of full public disclosure.
In the case of smaller vendors than MS who might not have the resources for such a quick bug-fix, an appeal process could be instituted wherein the vendor may contact Bugtraq during the initial grace period and request an extension. Guidelines based on the resources of the vendor and the seriousness of the bug could be used to determine whether another 48-72 hours should be granted.
BWCarver
Re:Of course it was irresponsible (Score:3, Insightful)
The problem with your analogy is that the atomic bomb has already been created and deployed and it is sitting in your kitchen disguised as a toaster. What's worse is that most of the bad guys already know how to detonate this bomb. This information had already been posted to the web. Here's the quote from the article:
At this point the only logical conclusion is that a working exploit should be shared so that systems administrators can test and make sure that their installations are safe. To go back to the bomb analogy, it's time to tell folks that they need to unplug their toaster and get it the heck out of their house. If that takes having an article on the front page of The New York Times so be it.
Re:Irresponsible? (Score:2, Insightful)
There is a slight difference between windows and linux on this issue...
Usually the responsetime for a security hole that big would be patched within a few hours of the issue becoming known. (for linux) Besides, the patches are usually out before the exploits are.
On windows, I wouldn't expect the security-hole to be plugged for the first two months.
This is an issue Microsoft has known about for more than a month. Why haven't they fixed it?
Releasing the exploit forces Microsoft to release a patch for a hole that should have been patched several weeks ago.
hack update.microsoft.com (Score:3, Insightful)
(The windos update program uses IE. Good design decision to use your most insecure piece of code for security updates, isn't it?)
Re:I disagree. (Score:4, Insightful)
Re:Of course it was irresponsible (Score:5, Insightful)
The auto is a great example. If you didn't maintain your car (change the tires, fix the brakes, etc.) when it needed to be done, YOU are a danger to yourself and others around you.
People who don't maintain their machines are a big problem on the net. They are responsible for being DDOS agents, virus distributers, etc. MS (and other software vendors including open source) being slow at releasing patches is ALSO an enabler for distructive issues on the net.
Back to the article, it IS irresponsible to release exploits when the vendor hasn't had a reasonable amount of time to fix the bug and distribute the patch. There is an indjustry accepted time frame for this. If the vunerability is already well known in the wild however, keeping it a secret from the public does NO GOOD WHATSOEVER. The script kiddies keep in touch via IRC, and other mechanisms so they will know about the vunerability anyway. Not releasing the info only harms the public as they will have no chance to be prepared. Admins can add filters to their proxies for example, but they need to know details about how the exploit works in order to do so.
Keeping secrets about vunerabilities that are already known to the black-hats only harms the rest of us.
Controversy? What controversy (Score:3, Insightful)
<humor> Now, if someone were to say that there weren't any holes in IE, that would be controversial. this is just "business as usual - where have your files gone today?". </humor>
It's just unfortunate that this is the sad reality.
But is the fault really bugtraq's? (Score:4, Insightful)
I'll grant you that posting it to Bugtraq probably doesn't add all that much information for the "good guys" (except that the javascript in the "format a:" version is simpler to read), but it has the added benefit of getting someone like Wired to make a big stink out of the whole affair. The publicity is important as a way of getting the bug fixed. Security bugs are viewed by Microsoft (and anyone in the consumer software industry) as PR problems - posting this to Bugtraq doesn't make the bug any worse for users of Microsoft's systems (since the kiddies already have it), but does make it much worse for Microsoft. It's much harder to spin away a bug when live, functioning exploit code is staring you in the face.
Re:Of course it was irresponsible (Score:2, Insightful)
Probably not. Neither would you be, once you'd get an answer to "Where was your backup?"
I'm sorry, but things like backups cannot be stressed enough. People should learn that the cost of backup is far smaller than the cost of having to recreate a bazillion documents from scratch. Better they learn now than later. I'm sorry, but I have very little sympathy for people who refuse to make backups.
Re:Any kind of bugtraq mailing list (Score:3, Insightful)
RomikQ asks:
Do you find information on how to build a nuclear device in your library?
I do! Its in a section called 'physics'. Another section called 'history' details the Manhatten project. Still another section called 'chemistry' gives me more knowledge on how to refine it. (The chemistry section is helpful for building explosives as well.) Yet another section called 'metalurgy and metalworking' helps me with the manufacturing skills.
Since you say 'nuclear device', I believe a nuclear pile or dirty bomb would fit in that definition, and the knowledge to build one of those is found in any local library. A true fission bomb needs some information that is not available at the library, but the library gives me one heck of a headstart on a project. For a vehicle bomb with conventional explosives, the library gives more then enough knowledge.
Ignore the anarchist cookbook, its full of half truths and downright lies. Go to the local university and grab copies of all their science textboks, its a lot more dangerous.
Just my $.02
Re:I can't feel bad for Windows users. (Score:3, Insightful)
I am a GNU hippy, I avoid using Windows on the desktop except when necessary, but I have to disagree.
Insecure features like:
It would be interesting... (Score:4, Insightful)
Does anyone remember the time when Yahoo finally found that someone had edited the text on their frontpage. White on white text that could be highlighted. I don't know the details, but I knew about it long before yahoo discovered this.
It *can* happen, but now companies are definately more security cautious.
Fortunately, I use mozilla, I made the full time switch and lived with the minor bugs the day Gator mysteriously installed itself on my system while browsing with ie. (there was a previous story on the incident with that exploit).
Re:Of course it was irresponsible (Score:3, Insightful)
i can't agree though. if this situation was in fact under an open source O.S. (e.g., Linux) how would the tons of potential problem fixers get the details unless the exploit was explicitly expressed on the Internet?
Re:Of course it was irresponsible (Score:2, Insightful)
another point to press upon him would be microsoft's lackluster performance when it comes to fixing said hole.
If more microsoft users out there were negatively impacted by each security hole discovered, I guarantee you there would be much fewer microsoft users in the near future - either that, or microsoft would get off their ass and produce stronger products.
Simple Solution (Score:3, Insightful)
Download and install Mozilla. [mozilla.org]
Yes, Mozilla has had its share of security flaws [slashdot.org], but they generally get fixed faster [archive.org], too.
Re:Of course it was irresponsible (Score:3, Insightful)
Well, not it's not a good idea, since most NYT readers would rather have news coverage on the front page. But that's avoiding the real question, which I believe is "If the New York Times printed detailed instructions on how to build and use a nuclear weapon in their newspaper, would the world be less safe?" The answer, naturally, is that the world would be just fine. Anyone with access to the nuclear materials and technical skills necessary to build an atomic bomb can easily get the information on how to build the bomb.
The information is already out there. By not publishing it in the NYT, you're only making it a little tiny bit harder to get. I guess the terrorists will have to spend a little money to buy some books on the subject. The only way to significantly increase the difficulty of getting the information is to declare the information and anything related absolutely and fundamentally illegal. Of course, if any physics student interested in nuclear power needs security clearance, and any medical student needs a background check before they can learn about anthrax, the cost might prove to be too high. Furthermore, even if you declare it illegal, do you think that someone who has decided to try and kill people with a nuclear weapon is going to be seriously dissauded because the information is illegal? "Gee, I'd like to blow up the infidels, but the infidels has declared bomb making instructions illegal." I think not. The information is already out there, if it becomes illegal you'll just create a black market. End result: people who are genuinely curious about nuclear weapons (say a reporter doing an indepth study to determine the feasibility of terrorists acquiring the materials and skills necessary to build a bomb) won't have access to the information. The bad guys will still have access to the information. Plenty of loss for society, nothing gained.
The carries over (somewhat) to exploit code. The really skilled bad guys can and will create their own exploit code. Once the information is created, the script kiddies can reuse it.
That said, my complaint is with your inappriate comparison, not your point. In reality, most script kiddies are leeches of other people's work. There isn't much of a black market and there is incentive to keep ones work to oneself ("I have an exploit you don't!"), so the information won't travel as quickly. If an exploit is harder to get (because they need to get it off a more skill bad guy instead of off Bugtraq), fewer script kiddies will have the exploit, reducing your risk. Delayed publication of the exploit can reduce the threat in the short term.
Re:Irresponsible? (Score:3, Insightful)
Not that it affects me. I'm MS free.
Re:Prevention BEFORE patching! (Score:5, Insightful)
corvi42 wrote:
Then that's easy to fix: (all links to the neohapsis archive, since it's just nicer to look at than securityfocus)
One especially noteworthy point: Microsoft was informed of the bug on October 4th.
So:
My opinion? A wired writer needed a story.
Re:I can't feel bad for Windows users. (Score:2, Insightful)
That's really unfair. What you say makes sense when applied to the slashdot population, but what about my mom? What about your dentist? Most people who use computers aren't IT professionals who can dedicate an hour every day to reading several security-related websites and downloading and installing software patches, and they shouldn't have to be.
Re:Of course it was irresponsible (Score:3, Insightful)
Nope. Microsoft has exploited their monopoly to accumulate a massive amount of cash at the expense of their users. I would hold Microsoft to a higher standard based on the fact that we (the public) have already paid them sufficient cash for us to have a reasonable expectation of secure code or at least responsive support.
Somehow, the hyper-capitalistic viewpoint of a lot of people actually admires Microsoft for their criminal behaviour and uses their success (excess) as an excuse to let them literally get away with whatever they want.
They have your money and they have not delivered the goods. And you admire them for that and wish you could be more like them. Talk about the American Dream on mushrooms.
Re:Of course it was irresponsible (Score:5, Insightful)
This is why, in these cases, I think the argument would be well-served if people avoided analogies altogether. It's difficult enough to attempt to clarify the assumptions and facts so that symbolic logic can be applied to reach sensible conclusions without muddying the waters with literary devices.
MS is recklessly endangering your computer and your data with their shoddy attention to security prior to release. I think BugTraq is doing us all a favor by pointing it out.
Re:Slashdotted Already - Article Text (Score:5, Insightful)
Crap. The simplest and most appropriate technical defense is to switch to another browser. Even Windows users have a choice of browser.
The news does it... (Score:1, Insightful)
Timlock puzzles (Score:5, Insightful)
This way the vendor knows the clock is ticking, and ance you've published the puzzle and the encrypted exploit no ammount of legal manuvering can put the cat back in the bag, so to speak. Basically, it allows you to put pressure on the vendor while still being responsible and giving the vendor a month (for instance) head start. You can put decent bounds on how long it will take the fastest consumer machines to solve the puzzle. There's currently a puzzle running that's supposed to get completed shortly before the MIT Laboratory for Computer Science's 70th b-day, for instance.
Re:Of course it was irresponsible (Score:3, Insightful)
I think you mean:
Big Software Company: "Well, I guess we'd better sue."
No; they decided to define the problem away (Score:2, Insightful)
The flaw, of course, is that it's a lot easier to remove a capability of dubious value from a zone than it is to find and patch the many zone privilege exploits. So, they've made their design that much more fragile. We've all complained about MS's fragile security models; it's nice to have a concrete example.
Linux had a similar problem. Superuser access is too powerful, and there was no way to grant just certain rights to users. Sudo was written as a stopgap, but its model suffers from the same problems as MS's: fragility (although, to be fair, sudo has always been much more robust than IE). Now, however, the capabilities system has been designed, and is slowly gaining acceptance.
The difference between Linux and Microsoft is obvious. The Linux people could recognize a problem and work towards a usable solution; Microsoft simply denies the problem, and no one can convince them otherwise.
yes, of course. (Score:4, Insightful)
If you don't prove it, they will deny it. The ability to erase everything is the threat that all root exploits pose. It's about time the popular press understood the implications. God knows, M$ spends enough money denying the ability and on Astro turfing where people who suggest such things belong to the tin foil hat camp.
I hope this blows all the way up to and beyond CNN. I'm tired of people looking at me like I'm crosseyed when I tell them that IE is full of holes that alow others to look at your files and erase them. M$ can'nt buy the entire mass media forever.
Ahh, more FUD... (Score:3, Insightful)
Really?
Show me the security bulletin on Redhat's website for the issues found in KDE last August.
The sad fact is the Linux support community is even worse than Microsoft. They don't even acknowledge problems even after they've been patched by the development team. Maybe it's just a lack of communication mechanisms, but whatever it is it is bizarre.
Re:Of course it was irresponsible (Score:5, Insightful)
No -- nobody is committing a crime yet. This is more like if Joe Whistleblower were to say, "My town's police are lazy and resistant to change their ways, so I am going to publically talk about their problems. The public needs to be warned for their safety, and the PD needs to get their a** in gear."
Well, after Joe says that, some residents may take extra precautions to protect themselves. Also, some potential criminals now know have information that police response time is bad, and they may take advantage of this by breaking the law.
Whose fault is that? The police, for failing to keep the town secure in the first place? JW, for letting potential criminals know about the flaw in the system? Or was it the criminal's fault because he was the one breaking the law?
I believe that it's mostly the fault of the criminal when crimes are committed, and some blame should also go to the police if they have failed to protect. Joe was just doing his duty.
But comparing MS to the police is too much of a frightening thought, time for the happy pill...
-=Ivan
Re:Of course it was irresponsible (Score:3, Insightful)
Say most homes doors and locks from the same company. Some person discovers that you can open the door by lifting the handle and turning even if the door was locked. If this information wasn't release to the public, then many people would never know. Granted, some people would figure that out, but many would not. One of those that figure it out get his face on the news and let's everyone know how to do that. How fast do you think the company that made the doors would be having a recall then if only a lot fewer people knew and there wasn't as many problems?
The diffrence between Microsoft and this imaginary door company comes however, is that once a few people discover this problem with the doors, the company would issue a recall. Microsoft (though many other companies do this also, Microsoft isn't the only one) in most cases would hide the fact, and even when it was brought public sometimes waits months before fixing the hole.
Granted your front door to your home is usually much more important then your computer, but you can see what I mean...
Re:He Gave Them a Month (Score:3, Insightful)
If it only works if run from computers in the 'local computer' zone, then no, it's not a security hole, it's operation by design.
That's like saying 'there's a huge security hole in the UNIX 'rm' command, which allows the root user to delete entire filesystems!'
Re:Irresponsible? (Score:3, Insightful)
Re:Of course it was irresponsible (Score:3, Insightful)
A more appropriate analogy would be whether it's a good idea for Bulletin of the Atomic Scientists [thebulletin.org] to publish it. And then, yes, it would be responsible reporting.
Re:Of course it was irresponsible (Score:5, Insightful)
Re:Microsoft did decide to fix it. (Score:3, Insightful)
Re:SuperVirus (Score:3, Insightful)
I don't think that any of them are going to write a super virus because that would take a lot of work. They may get a kick out of reformatting someone's box but the aren't going to code for months to be able to do so.
What I would worry about is someone writing a hacking application. It would have a database of most know root exploits for the last 20 years. You could pick your target IP address and it would use programs like nmap to try and figure out as much as possible about the target(s) and then it would start trying all know exploits for that system.
A program like this would actually be worth a serious black-hat hacker's time. Especially if it was written in a way the made it easy to update the database when new exploits were found. It could have a nice GUI and everything.
Luckily, someone white-hat would take the same program and extend it so that the database includes way to fix all the vulnerabilities. Sysadmins could run it on their own networks.
Re:Of course it was irresponsible (Score:4, Insightful)
Code Red got *tons* of coverage, despite it not being all that interesting from a technical standpoint. Joe Public knew about it, even if he didn't know what it was (and didn't know that MS's products were the only ones at fault).
Re:Malicious? (Score:4, Insightful)
Yup, it's that bad. It's getting to the point where I only use IE for intranet applications. What's the point in being the best browser when it's not safe to use?!
Re:what is the stink about it.... (Score:3, Insightful)
Then it doesn't matter at all what Bugtraq does. However, you think this means they shouldn't publish exploits. Your logic is all backwards.
If it doesn't matter what BugTraq publishes, then BugTraq should publish exploits ported to as many programming languages and platforms as pssible, for educational enlightenment.
Hummmm (Score:3, Insightful)
Yeah, and reading Mein Kampf will make me a nazi.
Reading about guns will make an assassin.
Reading Kama Sutra will make me a Don Juan.
Reading Juan Manuel Fangio's biography will make me a F1 racer.
But not reading any of these will make me dumb.
Difficult choice, isn't?
Re:Of course it was irresponsible (Score:5, Insightful)
Every fricking time someone posts an exploit somebody else has to drag Al-Qaeda into it.
Your analgy is retarded.
It's not even close to simlar. What would be similar is if the NYT posted a story about crappy security procedures at a military base that housed bombs.
What solution do you suggest? Should we just pretend tat the US is going to be the only country ever to have acces to nuclear devices? Is describing how a terroist state could build a nuclear device making it easier for the terrorists, or is it trying to get people like you to pull their heads out of their asses and realize something: That a security vulnerability exists and we should do something about it.
If someone is insecure we shouldn't be pretending that it is. That's what we'd been doing with airplanes. That's part of how 9/11 happend. If someone thinks that security of something has been breached, the have to let others know about it, so that it can actually get fixed. It's really idiotic to pretend that only one person could ever find a certain vulnerability. If one person knows about something,.chances are someone else has figured it out too. If I'm running that program on my machine I want to know about any security issues ASAP. I don't care if there is a fix yet, I want to know. If there's no patch, the decision should be mine, as to whether is want to leave an insecure system attached to the internet or unplug it until a patch is availible.
If a security problem exists, it exists. Keeping it quiet doesn't make it not exist. If there's a bug, your system is vulnerable whether you know it or not.
Think about it this way:
If you keep all security flaws secret (except from the vendor), you a relying on:
I trust myself more than I trust any private company. I can make my own assessments about the likelihood of someone trying to exploit a given vulnerability, and decide what to do about it.
Re:Irresponsible? (Score:2, Insightful)
If Linux had an exploit that allowed someone to ssh into your box, su to root, then fsck your harddrive, and a patch wasn't released yet, would you be pissed off that bugtraq posted the code to exploit the bug?
No, I would imediately disable sshd (or if necessary disable networking entirely) and wait the short time necessary for a fix to become available. I would rather know that there is a exploitable bug in my system so I could immediately plug the hole (even if that ment losing some functionality) than not know and risk my system being cracked in the interim. This isn't about keeping infomation from the "crackers" (who if they really care will know already), it is about keeping information from the users, which is wrong. This is mainly motivated by proprietary software vendors who want maintain as much secrecy about their fuck-ups as possible, for obvious reasons.
Re:Of course it was irresponsible (Score:4, Insightful)
I disagree. The script kiddy is the one who is a criminal, but the users who fail to maintain their machines are most definitely acting irresponsibly as well. No, it doesn't give a script kiddy the RIGHT to crack you if you don't patch your machine, but you're still stupid not to. People should use some common sense and try to protect themselves, if only so that they aren't a danger to others.
Your argument is like saying it's totally not my fault if I park my unlocked car with the keys in the ignition in a bad part of LA and someone steals it. Sure, that person was doing something wrong, but I'm still a moron to not take any precautions to avoid its theft. It's exactly the same thing here - yes, the script kiddies shoulder the majority of the blame, but if I'm not stupid I will try to protect myself since there is zero chance the script kiddies are going to go away.
In fact, people not maintaining their machines is even worse than this analogy because a cracked machine becomes a weapon against others. That's more akin to an airline failing to take any security precautions and then saying it's completely not their fault when someone hijacks their plane and flys it into a building.
Re:Of course it was irresponsible (Score:5, Insightful)
It's much more like the local newspaper publishing the limited routes the cops actually patrol, thereby allowing crooks to rob the places that aren't adaquetely protected. Sure, criminals will read the paper and know where they can strike, but the idea is that everyone who lives or does business in such an area is venuerable will learn that they are at risk and put pressure one the cops to clean up their act. One of the biggest factors in making a value judgement in a case like that is what level of effort was made with the cops before widely publishing their weaknesses.
Remeber that Andreas Sandblad contacted Microsoft about this problem on Oct 4 (Wired didn't even read the bugtraq posting they reported). That's six weeks ago... even longer than the 1 month period that Microsoft has suggested is necessary from discovery to disclosure. He published only after Microsoft said they didn't think it was a bug. Since Microsoft essentially claimed it wasn't a problem, the announcement needed to prove otherwise to have any chance of success.
One more quote....
You do realize that it isn't the laziness of MS that *actually* does harm, but the fact that it allows malicious people to do bad things?
Are you suggesting that Microsoft's inaction and refusal to fix the problem when they first learned of it six weeks ago was not harmful?
You probably also believe the infamous exploding gas tanks on the Ford Pinto wasn't harmful, and the deaths and injuries were purely the fault of drivers hitting Pintos. Ford's "laziness" (cheaper to settle out of court with victims than the recall and improve the cars) when they knew of the problem and did not fix it probably wouldn't be an issue for you, would it?
Back to Microsoft... who didn't fix the problem when they learned of it 6 weeks ago... does their inaction ever become harmful in your world view? How about when systems are compromised on a small scale? What about when a virus/worm is released with the ability to exploit it? (and what if someone had made a big stink about it in the press and forced them to fix it before that virus/worm was written) It's all the faults of those hackers, and Microsoft's "laziness" (when they knew of the problem in advance) never receives any of the blame? Yet someone who attempts to force the issue with a high profile public announcement, only after first having made an attempt to get them to fix it, is somehow as guilty in your little world as the actual attachers and at the same time the vendor who refused to fix the problem with advanced notice is not to blame at all?
Re:Fight Fire with Fire (Score:3, Insightful)
With computers, it's a little different. You can't get insurance and the equivalent of "robbing a million cars in a day" is easy as writing a good worm. So Microsoft has to be more carefull, we are trusting our data and business to them, and they should show more caring for the customers.
We demand security, LESS features, ADDED security. At some point, people asked features, now they ask security. The ones asking for more features should know of that trade-off. They do not often link features with code harder to secure.
Re:Of course it was irresponsible (Score:4, Insightful)
The people responsible for keeping PCs secure want to get their hands on the exploit ASAP, so that they can try to put up barriers to stop this problem. If you keep the exploit secret so that they cannot TEST their work, they are just working blind!
I don't really think there is a "plan" like you describe. I think that BugTraq is just doing their duty by disseminating this information. Microsoft should have known at least two weeks ago, that they needed to patch this flaw which could affect millions of users of their products. Yet they still have not done so. By the time BugTraq posted it, most of the electronic intrusion experts throughout the world already knew about it.
-=Ivan
Re:He Gave Them a Month (Score:3, Insightful)
I agree that the fundamental problem isn't that a "local" computer can do things like execute any arbitray command with arguments. (Well, to a point-- why a web browser needs to do this is another question.) However, these cross-zone exploits are so old and offer such a massive potential for misuse there's no excuse for waiting this long for a fix.
In short, yes, the right solution is exactly what Microsoft said. So do it!
Re:Of course it was irresponsible (Score:2, Insightful)
Furthermore, there may be a good way to enhance the Club's effectiveness, but I wouldn't be able to figure that out if I didn't know what was wrong with it in the first place. BTW, turns out that many steering wheels are not that sturdy and a good saw will turn your Club into a useless piece of pipe in about 10 seconds. Knowing that the Club is useless saves me the cost of buying one and the time wasted putting it on the wheel and taking it off. Also, typically a good expose of this nature (and this is where the rubber meets the road) will at least provide tips for dealing with the situation now that we've debunked the false sense of security provided by various gadgets and doodads.
In this case, if there is no fix forthcoming, it's very good that I know about the vulnerability and have some evidence that it's real-- that gives me a solid reason to investigate an alternate browser (and maybe by looking at the exploit I can figure out what to have a proxy filter out, so that I can make my users safer without having to replace their browsers).
This is why Symantec acquired SecurityFocus (Score:2, Insightful)
This exploit is so severe it will no doubt cause the clueless masses to clamor in fear and demonize the full disclosure movement. It would not surprise me in the least if lobbyists for the likes of Microsoft leverage this news event to spin the next pro-Microsoft bill through the legislature.
By this time, the "top dogs" from the old SecurityFocus have no doubt been kerneled and firewalled by Symantec Jr. Exec's filtering their communication traffic both in and out, and managing their task lists. As soon as these guys realize their upcoming irrelevance in the brave new world that is now SecurityFocus, they will be presented with a choice: to a) burn through all the cash Symantec just handed them in litigation to regain control of the firm or b) pursue other interests, as long as none of those interests compete with Symantec, well at least for the next five years.
What a terrible brain drain for the security community.
I do not wish to minimize the efforts and contributions made by the founders of bugtraq...They were an essential catalyst to the full disclosure movement. Still, it is the community that brings life to the movement. IMO, it is time for the community to respond to this situation by establishing a new forum for full disclosure that is outside the influence of corporate interests.
I regret I have only my insight to contribute.
Not everywhere has decent net access (Score:2, Insightful)
A lot of people still pay per minute to be connected to the Internet and using the auto update tool over a 56K modem can take quite a few minutes. Plus, if you have to reload for any reason, you have to go through the whole process again. The autoupdate solution doesn't give you the files with instructions, so you have to run up the phone bill twice.
Re:Of course it was irresponsible (Score:3, Insightful)
If you look at the issue from the other side, you will see that the crackers would use the exploit and happily remain unseen. What you don't know *CAN* hurt you!
Re:Of course it was irresponsible (Score:4, Insightful)
The script kiddies already have the info, and pass it around like wildfire, so it's not telling them anything they didn't already know. The newbies who join the fun because of a publicly-published howto won't amount to a drop in the bucket.
But having the code public does let me the user know what to look for, so if I see Suspicious Web Whatever, I can think to myself, "Self, that looks like Exploit X, tread with caution." And having a real example lets me check out what it looks like in the wild, so I can warn my clients to keep an eye out for it.
Re:Timlock puzzles (Score:2, Insightful)
I don't grok why you'd want to do that. How is it better than sending the exploit to the maintainer and just announcing that you will make it public in a month or so? Isn't that the traditional procedure?
Are you afraid the publisher doesn't believe you'll make the exploit public?
Re:Of course it was irresponsible (Score:4, Insightful)
If I told people that I could disable their electronic car alarms, get around their club, hotwire their ignition switches and drive off with their car in under 2 minutes, they'd scoff. If I did it, they'd take note, and their false sense of security will quickly dissapear.
Likewise with computers; if you tell a person that the product they're using (web browser, web server, operating system, etc.) is insecure, they won't believe you. You could quote statistics, point to empirical evidence, and give them all the hard facts you could muster; but they'll scoff at you and retort "It's never happened to me, so I don't know what you're talking about." But if you go home and proceed to shuffle the files around on their hard drive and leave 'love letters' on their desktop they just might sit up and start paying attention.
I'm all for giving people practical lessons in their own ignorance. The more ignorant, and the more wilful and obtuse that ignorance, the more torture they should be put through.
In an ideal world people would take standard precautions with these extraordinarily powerful batches of silicon they're connecting to a T1-or-greater speed link with the potential to cause severe damage to any number of multi-billion dollar, multi-national computer systems (along with your average run of the mill corporation and home user machines) and/or trust in trained professionals to implement atleast rudimentary precautions for their computers (and home LANs), and perhaps (just perhaps!) take their advise with a little more than just a grain of salt. I've completely given up telling people that Outlook (Express) is an insecure P.O.S. because they just don't listen. Besides that, I've decided that I prefer a business where they keep coming in and occupying one of our benches at $35/hour while we eradicate their latest viral infection or backup any data we can recover before we format their drives and re-install Windows.
(For the record; for many of them, just one instance of being 'schooled' by malicious types doesn't always teach them. We have a lot of repeat customers in the virus / system recovery market)
Long story short; until you kick them in the pants, they just won't believe that it'll hurt.
Re:Of course it was irresponsible (Score:3, Insightful)
Had I owned a Pinto, I would have been grateful to someone who told me under what circumstances my gas tank would explode. That would have been a more constructive announcement than a simple "Pintos blow up a lot."
To pull from other analogies here, "ACME rent-a-cops tend to sleep on the job" or "the police don't patrol the north end of town much" are similarly informative, accurate and constructive. The code was posted in the context of security, okay?
Spafford: general purpose machines are the problem (Score:2, Insightful)
CERIAS' Gene Spafford [purdue.edu] says overpowered, complex, general purpose machines that can do way more than people need are a big part of the problem.
Read the rest of this interview [geartest.com] in which he discusses how increased, unnecesssary complexity combined with a lack of users' understanding of security vulnerabilities and issues, and manufacturers' lack of interest in building in security can make systems more vulnerable to attacks.
Re:Timlock puzzles (Score:2, Insightful)
He's afraid the vendor will seek a court injunction to prohibit him from making the exploit public.