Controversy Surrounds Huge IE Hole
Suchetha wrote in with a Wired News bit talking about a security hole in IE that allows malicious web pages to reformat a hard drive. The Wired article talks more about bugtrack's handling of the whole thing, and how it essentially posted working code for the exploit. Was it irresponsible or not?
Its not new anyway (Score:4, Interesting)
Extremely Responsible (Score:2, Interesting)
Re:Of course it was irresponsible (Score:4, Interesting)
As a side note: I am rather sick and tired of reading about the latest MS IE/OE/Outlook exploit on Bugtraq. There need to be separate versions of Bugtraq for: Cross Site Scripting Vulnerabilities (Enough already), and Non-OS related holes in MS software (We already have Bugtraq-NT).
-sirket
Proposition, new topic: Windows Bugs (Score:5, Interesting)
a.) Run Microsoft exclusively (only want to see Microsoft bugs)
b.) Run Microsoft exclusively (don't want to see Microsoft bugs)
c.) Want to find any reason to bash Microsoft... (only want to see Microsoft bugs)
d.) Don't run Microsoft at all (don't care about Microsoft bugs)
Re:Irresponsible? (Score:2, Interesting)
That's getting down to a different point. Did the vendor know of the bug and ignore it, or was it something that wasn't considered? Even Linux has security bugs. It's naive to think that any program is 100% secure.
Bugtraq, not bugtrack, and other quibbling. (Score:5, Interesting)
On the other hand, there are "independents" such as GOBBLES and other security goons who believe that posting the advisory with full exploit code the second they discover it is a good idea. I'm not going to disagree with that, because without such wake-up calls, many people would never update their systems, remaining vulnerable for days/months/years. It's pretty ridiculous how many people do.
It's not really up to BugTraq to decide which is the better course of action, it's up to the analysts and the community. If the community chooses to ostracize a member for using such tactics, they can do so. I'm sure that a commercial security vendor would encounter exactly that for releasing an advisory with exploit code and no vendor notification.
Though, in all fairness, most people have known about this IE exploit for months, and I can be reasonably sure that among "most people" "Microsoft" is included. Microsoft doesn't exactly have the world's best track record working with people to resolve security issues, or even releasing timely patches.
In short, BugTraq good, security good, black hats bad.
It's a thorny issue (Score:2, Interesting)
However, whilst there's something to be said for fighting such companies, I fail to see why it should be at the user's expense.
Lots of people use windows. Some like it. Some hate it. Some, like me, have very little choice in the matter - finding a job elsewhere is simply not a realistic option. Now, why should I be punished over a vendetta?
Take a look at the PHP exploits released a few months ago. You were talking total server compromise. Were there any exploits? Certainly, but you would have a damn hard time actually finding them.
Right now, alas, there's a chance that my machine will be erased, losing work that hasn't been backed up because that's what I've done in the mere last few hours.
Think of the users. Please.
Re:Irresponsible? (Score:3, Interesting)
Either way... (Score:2, Interesting)
NOT (Score:2, Interesting)
Question (Score:3, Interesting)
Re:Of course it was irresponsible (Score:4, Interesting)
This EXACT sort of thing.... (Score:3, Interesting)
Hypothetical (Score:2, Interesting)
I think that if this is left unpatched, then those in the hacker community almost have a responsibility to fully exploit this... just to force a patch to be released... reformatting 2^32 computer systems would get their attention, even if congress can't.
Easy Solution (Score:1, Interesting)
I can't feel bad for Windows users. (Score:4, Interesting)
So if you're using a Windows box, I've got to assume one of three things is happening:
And, yes, it would be different if this were Linux, or BSD, or even MacOS. All those operating systems come with companies or communities who take security seriously, and they respect their users enough to not foist insecure features on them. You can have the reasonable expectation that running any of those OSes let you worry about security a lot less than running a Windoze variant.
If you had a nice apartment in the middle of New York, and you constantly left the front door unlocked, and then one day somebody walked in stole your stereo, I'd feel bad for you. But, you know, not too bad.
MS should fix by end of business today (Score:2, Interesting)
Perhaps by giving so much information, MS will get off its lazy rear. There is no excuse for MS not having a fix for this released by end of business today. Anything less is simply inexcusable.
Yes, there is a LOT of work involved here. They need to identify the problem, find a solution, implement the fix, test the fix, and then release the fix (with several iterations of implement/test). However, they really should have had people working around the clock on this starting the very minute they found out about it.
Re:Of course it was irresponsible (Score:5, Interesting)
It was reported to Apple in mid August, then patched via software update within nine HOURS. Information was made widely public about just what the bug was and how it worked a day later. That's the way it should be done, and a company with a clue did something about it. The sections of the OS which were involved weren't open-source, so full responsibility for fixing that particular problem was up to Apple.
Any company sitting on a more serious bug like this one for two weeks (whether or not it's widely known) is far more irresponsible. No excuses.
Re:Easy (Score:1, Interesting)
Bah! I wonder how many exploits are known out there which have been reported to Microsoft, and the average Joe doesn't know about. I bet these exploits are known among hacker groups, still, with relative ease. I betcha you would be pissed off knowing that Microsoft doesn't fix many of their security problems. That's why everyone needs to know; that way, we can pressure Microsoft into doing SOMETHING.
Security through obscurity is not.
Re:Of course it was irresponsible (Score:1, Interesting)
OT but relevant (Score:4, Interesting)
Differing perspectives on security, I suppose.
Not alright even if "everyone else is doing it" (Score:3, Interesting)
It's like "I know how to hang a person - here, let me give you a demonstration." Does sharing the code that can cause the problem allow you to protect yourself against it? Probably not; unless you are out there building tools to protect us - that's right, US, including the very experienced tech people here - against such attacks.
I don't like the idea of non-disclosure. I want to know if there is a potential that something bad could happen to me or my clients; and that I should start working on or be on the lookout for preventative measures. That's why we have vulnerability lists. In that same hand I believe that Too Much Information is not polite - to the users and the vendor. Here's how you make the gun; oh and here are some bullets. It is almost criminal in its intent - considering the mindset of many today it *is* criminal in its intent - regardless of target.
the security hole is known for two weeks 6-11 (Score:2, Interesting)
C't Browsercheck [heise.de]
You can test your IE and report the results to your boss.
See also:
Sandblad at Securityfocus [securityfocus.com]
SuperVirus (Score:4, Interesting)
I believe that it's only a matter of time before someone creates a "SuperVirus", a virus with all previously successful exploits, and unleashes it on the world.
With the recent outbreaks of Klez, Code Red, Nimda, Kak, SirCam, and other viruses that do minor damage and proliferate fast through multiple exploits, it's only a matter of time until a script kiddie gets it into his head to combine them all and make a virus that infects everything, spreads through multiple existing holes, and does a massive amount of damage via either DDOS, format after a set time, or both.
Re:Of course it was irresponsible (Score:5, Interesting)
Re:Irresponsible? (Score:4, Interesting)
I have to admit I wonder about this myself from time to time.
On one hand, I agree. This can be viewed as an attempt by Symantec to increase market share / profits by exploiting someone else's mistakes, and can certainly be viewed as inappropriate, a conflict of interest etc.
On the other hand, though... we have a software company with a not-so-stellar track record regarding security in their browsers and/or email clients, not to mention other avenues like operating systems. Moreover, a company that apparently refuses to learn from their mistakes, frequently brushes vulnerability reports aside as "unimportant", "insignificant", and essentially creates a market for companies like Symantec.
Business practices / exploit-with-no-patch-disclosing aside, what's wrong with Symantec developing security / antivirus software while exploring the operating system their software was made for and finding / reporting bugs?
If there was a certain home builder who notoriously installed windows (pun not intended) that could easily be opened from outside by anyone (e.g. a thief), and if I came up with a way to secure such windows (like, custom made-to-fit window bars that go perfectly with your house), why wouldn't you want me to 1) manufacture and advertise my security device, and 2) advertise the fact that the builder refuses to fix / replace the windows with a better model? Would you prefer that your home were insecure and you not know about it? Or would you rather know that there's an easy way into your home that anyone can access with a $5 tool? Wouldn't you rather be protected?
As I said, aside from the way that Symantec approached this particular problem, I don't necessarily think there's a whole lot of a conflict of interest here.
Re:Of course it was irresponsible (Score:3, Interesting)
1) ignore the problem 'cause the risk is low and they don't have anything really important on their hard drive or perhaps they only go to one or two trusted sites
2) use a different browser
3) stop browsing altogether until they have made backups of the last two week's work on their magnum opus.
The way people browse, the frequency of backups and the consequences of data loss are different for each user and it should be the user's choice to decide what to do. Failing to notify a customer of a serious product defect should be a criminal offense.
Suppose you discovered that if the hubcap was left off the wheel of your Fuelguzzler-4000 then 20% of the time the wheel would fall off and your vehicle would roll over. What's more appropriate? Tell people to stop driving till the defect is fixed (but worry that some kid will start stealing hubcaps) or leave everyone in the dark about a potentially fatal defect? I side with full disclosure.
Fight Fire with Fire (Score:3, Interesting)
Anti-microsoft zealots post the code to take advantage of an IE security hole, allowing malicious coders to erase Microsoft from the marketplace.
Do both suck for the end user? Yes. But they're also both Microsoft's fault.
Let's face it, this is a case where it is 100% ok to blame Microsoft for having a crappy product. If Ford screwed up and made a car that anyone could unlock and start by doing something special to it, allowing the car to be easily stolen by anyone, you wouldn't blame the guy who posted how to do it on the Internet, you'd blame the Ford engineers who screwed up the design in the first place and the people who let that mistake out of the factory.
Microsoft screwed up, Microsoft customers get screwed over, Microsoft's fault.
Re:Yawn (Score:2, Interesting)
I'm a Unix admin, but I've often worked closely with the NT admins. I know that a considerable part of their day (which for the company means: salaries) is spent on all kinds of busywork that essentially compresses to damage control.
Re:Of course it was irresponsible (Score:5, Interesting)
Since it's free and extraordinarily easy, why not? Most distros have single click or single commandline (often both) commands to update, with all security upgrades occurring, and offering new features.
And it's that second part that makes me think people *will* be upgrading. Unlike many commercial software packages (and all of Microsoft's software), where you have to pay for the next version with the next features, it's free and automatic to upgrade and get more features. Your CD burning software suddenly supports VCDs, your KWord suddenly has mailmerge wizards, and... oh, that hole in SSH was fixed as well. People don't care about the latter, but they care about the features, and that pushes the bug fixes and security fixes along.
--
Evan
Free research is worth what you pay for it (Score:2, Interesting)
Re:Of course it was irresponsible (Score:5, Interesting)
Basically, my question is this: Can Microsoft be held accountable for negligence if I removed IE and still got wiped out by this thing because they didn't remove all of IE, as per the Court's ruling (on making it an optional component)?
Wouldn't negligence in this regard supersede the EULA and make MSFT liable?
Any legal beagles out there have any insight? (IANAL)
What about this? Same debate - different situation (Score:4, Interesting)
[snip] This brings up the question of whether or not the benefits of disclosing the information outweigh the problems. While attackers can exploit the holes, it pushes companies to release a patch as soon as possible. Personally I'm all for disclosing the full information. But that got me thinking about another example of security disclosure. After September 11 it was impossible to escape "news reports" speculating on the next terrorist attack and their next weapon. They mentioned that smallpox would be a good weapon and went on to detail why. They said we have no cure and we're not prepared for it and basically said that if they used that against us we'd be powerless to stop it. I also saw reports on the least secure airports and how people sneak weapons through security and so on. I was angry when I saw this information being broadcast for anyone, including terrorists, to see. They could easily use this information to plan another attack. The reporters were doing the terrorists' research for them. In theory, these are the same debates. Should vulnerability information be disclosed in order to better prepare for or fix the security hole? I'd be curious what other people think. Can you support full disclosure of security holes in software, but not support full disclosure of certain national security threats, without being a hypocrite?
If it's already in the wild... (Score:4, Interesting)
An example can be seen in the game EverQuest. There was an exploit that allowed characters to crash portions of the world with almost no effort. It was left in for months because it was mainly contained on one server. It had been /bugged and reported to the maintainers of the game multiple times w/o response.
Finally, a player from the server became fed up and posted exactly how to exploit it on multiple message boards where it would be widely seen. Within days it was being used on ALL servers with regularity. It was patched in the next patch less than a week later.
Companies deal with jobs related to their importance, which is not only the severity but the population affected (if anyone has watched Fight Club, when he's speaking about his job you get the idea). By spreading the knowledge the importance is increased. And Bugtraq is the best place to spread it, as it will get out to as many people responsible for security as possible.
Re:Of course it was irresponsible (Score:4, Interesting)
Ummm, you do realize that in the meantime, you are committing crimes and screwing up innocent people's lives right? You do realize that it isn't the laziness of MS that *actually* does harm, but the fact that it allows malicious people to do bad things? Doing the malicious thing itself or helping people directly to do that is a heck of a lot worse than anything MS might be doing.
Microsoft did decide to fix it. (Score:4, Interesting)
Actually, that's not exactly true. The article linked states:
"[Microsoft's] final response were that the technique used to run programs with parameters from the 'Local computer zone' was no security vulnerability. A fix should instead be applied for all possibilities for content in the 'Internet zone' to access the 'Local computer zone'."
This is entirely the right response from Microsoft. They don't want to fix the symptom; they want to fix the underlying problem. I think this should be applauded.
However, fixing the underlying problem is much more advanced than simply fixing a single symptom. It involves finding all possible vulnerabilities for Internet zone sites to become Local zone sites and plugging those holes. It's an architecture change instead of a bug fix.
I agree that Microsoft should release some sort of stopgap measure in the meantime, but every indicator I've seen says that they are taking the problem seriously and want to eliminate all possible vulnerabilities instead of one specific exploit. This is absolutely the right response to the problem.
Re:I disagree. (Score:3, Interesting)
Re:Of course it was irresponsible (Score:2, Interesting)
No - it is that simple. If MS fixes a bug when they're told about it, there is no further problem (without including those who don't patch their systems, and that's irrelevant as I do so)
What if you were one of the people affected by this exploit?
Irrelevant. If MS had first fixed the bug quickly I could not be affected
what if you lost VERY important information because the bug was posted publicly?
Irrelevant. If MS had first fixed the bug quickly I would not lose data because of this bug
what do you do when a script kiddie takes down an important server?
I would realise Microsoft have proved themselves not worth my time, and consider changing platforms. As I have done
What if it happened to your precious macintosh?
Irrelevant. This is an MS Windows bug. Similar Apple bugs have been fixed within hours
It could happen and it would because sites are TELLING PEOPLE HOW TO EXPLOIT
Are you an apologist for the worst of Microsoft, or just not thinking? It would happen because Microsoft failed to fix a bug they knew about well beforehand, and because people continue to blindly run with vendors who just don't care beyond fresh sales $. You can apportion blame all you like further down the track, but once a vendor knows of a serious problem and makes a decision not to provide a remedy, all further consequences stem from that inaction.
Was it responsible (Score:4, Interesting)
What's irresponsible is living in a fantasy world and thinking that Bugtraq are the only ones capable of exploiting a bug like that. Just because you don't talk about it and shh shh it doesn't make the bug disappear and unexploitable. Shit man just like any exploit someone is gonna write code to exploit it if it's in their interest or for fun or just because they are pure evil. With something like this; shit as soon as the exploit was posted I'm sure there were people writing code to exploit the shit.
Re:No!!! (Score:1, Interesting)
Re:No!!! (Score:3, Interesting)
Already awake; using Mozilla exclusively.
MS addicted office drones and the like don't take security seriously enough. Everyone (except maybe you) knows this. This is why those pathetic worms spread as quickly as shit through a goose, week after week.
If one million people all got wiped out by one exploit, it would forever change the world's perspective about MS products. Certainly, all the people who have been warned for years would suddenly take the concept of switching from Outlook / IE much more seriously.
Mass mailing worms are too easy to clean out with AV software. Everyone thinks that they are a minor issue at best.... completely wiping a hard drive.
That is something utterly different.
It would be the ultimate wake up call. It would make a difference. Think about it; what if someone planted this on every link at the front page of CNN.com?
Use your imagination.
Re:Of course it was irresponsible (Score:2, Interesting)
Re:just a rehash of an old advisory (Score:3, Interesting)
True. This URL was the first mentioned on Bugtraq when this exploit was announced.
http://wwx.dino-soft.org/auto.html
(scrambled for your protection, as always: change wwx to www)
I tried it on two Windows 2000 machines.
One is patched up to date, the other is somewhat out of date. Both have SP3, though.
Results: The exploit failed on both machines.
When clicking on the link, four things pop up, each popping up on top of the previous:
So, I don't know the exact conditions that are needed to trigger this bug, but machines are not 100% vulnerable at this point.
Re:Of course it was irresponsible (Score:2, Interesting)
The Code Red Fix (Score:2, Interesting)
What is the Problem Here? (Score:3, Interesting)
As for the exploit itself, what's wrong with the code he wrote? If it scares the PHBs into actually demanding a more secure IE from MS then all the better.
The login bug in Unix (esp. Solaris) (Score:2, Interesting)
In fact, there were a few machines for which we did not have the root password and we used the exploit to patch the machine (closing the hole behind us).
Having a very visible exploit definitely helps NOT only the vendor, but the reluctant administrator!
Quality only comes through the finding (exploiting) of bugs. Covering up problems is not the answer. Ignoring problems for which there are no known exploits is also not the answer.
Re:just a rehash of an old advisory (Score:3, Interesting)
We've tested this on 4 boxes here. I actually took another variant of this script (the one that wrote a file to your C:\ folder and opened minesweeper) and modified it to run CHKDSK, and put it on my work webserver. The results:
My desktop XP w/ IE6: blammo. It's exactly as they say it is. Brown trousers time.
Co-workers Win2k w/ IE6: no effect. Much as you describe above
WinNT box with IE5.5: blammo. More brown trousers time.
Win98 box with IE5.5: no effect.
While it doesn't seem to work on 100% of machines (Win##'s are immune?) it does seem to work on others.
The script is just 30 lines long, and that's including spacing and comments. Even if MS came out with a quick patch, the amount of damage you could do to 50% of the PC/IE systems out there could be pretty staggering.
Let's hope nobody hacks CNN and replaces their frontpage tonight.
(sing along!) Call Me Irresponsible.... (Score:4, Interesting)
Not a good choice. Someone else will find it and potentially abuse it badly. This is the classic action of a stupid "Keep it secure through obscurity." fool. Often enough the original vendor.
An OK choice. In my experience V/Ms are all too likely to do their best to bury the hole and any knowledge of it till they've published a fix. That's ok, but big organizations tend to take a while to get the fix out, during which time the Bad Guys may be abusing it.
I've also been seriously insulted by people representing V/Ms who have said things like "You shouldn't oughta do that.", or "It's not a bug, it's a feature.", or "Nobody would ever do anything like that." or worse. One of my favorites was good ole DEC who told me after I sent them a bug report (and potentially a security hole) - and a commented fix - that I really shouldn't be looking at the code (it was early DEC Ultrix and we had a source license as well as source and the license for the ATT/BSD code on which it was built). A V/M gets one such message these days and then I won't tell them. I've usually found these bugs/holes while doing perfectly legitimate things, so the "don't do that" response is just a mite annoying. (Or (sigh) in the process of making and fixing bugs.)
In another case it took the threat of publication to get the system admins to fix a problem - one that involved the tax records for a major metropolitan (um) state.
Leaving it a secret, or limited in knowledge to only myself and a laggard V/M seems to me to be just as ethically remiss as sending it out to the Bad Guys. And sending it out to the world is so much more likely to result in something.