Controversy Surrounds Huge IE Hole 907
Suchetha wrote in with a Wired News bit talking about
security hole
in IE that allows malicious web pages to reformat a hard drive. The Wired
talks
more about bugtrack's handling of the whole thing, and how it essentially posted working
code for the exploit. Was it irresponsible or not?
Of course it was irresponsible (Score:4, Insightful)
Re:Of course it was irresponsible (Score:4, Interesting)
As a side note: I am rather sick and tired of reading about the latest MS IE/OE/Outlook exploit on Bugtraq. There needs to a be seperate versions of Bugtraq for: Cross Site Scripting Vulnerabilities (Enough already), and Non-OS elated holes in MS software (We already have Bugtraq-NT).
-sirket
Re:Of course it was irresponsible (Score:4, Interesting)
Re:Of course it was irresponsible (Score:5, Insightful)
What's a worse situation? A bug that goes completely unnoticed by the general population, but is quietly exploited for months by hackers that have done their homework....or...maybe a few more script kiddies find out about it but now Joe Public is WELL aware of it, due in no small part to the discussions that happen on boards like this.
And riddle me this, how is Symantec possibly irresponsible in this matter? They have no responsiblity whatsoever towards Microsoft or any of their products; they're both separate corporations. They both pursue their own separate agendas as they see fit. The good that comes of this is that maybe the public gets a little more aware of the situation.
MS has its own side to this, Symantec has its own side, they both have valid points to their arguments, but what winds up happening is the general public gets caught in the middle. If just one more person wakes up and realizes that because of this, then there's the real benefit.
Re:Of course it was irresponsible (Score:5, Funny)
Riiighhhhtttttt ... so "Joe Public" is reading /. and Wired now is he(/she)? :)
Re:Of course it was irresponsible (Score:4, Insightful)
Code Red got *tons* of coverage, despite it not being all that interesting from a technical standpoint. Joe Public knew about it, even if he didn't know what it was (and didn't know that MS's products were the only ones at fault).
Re:Of course it was irresponsible (Score:4, Interesting)
Ummm, you do realize that in the meantime, you are committing crimes and screwing up innocent people's lives right? You do realize that it isn't the laziness of MS that *actually* does harm, but the fact that it allows malicious people to do bad things? Doing the malicious thing itself or helping people directly to do that is a heck of a lot worse than anything MS might be doing.
Re:Of course it was irresponsible (Score:5, Insightful)
This is why, in these cases, I think the argument would be well-served if people avoided analogies altogether. It's difficult enough to attempt to clarify the assumptions and facts so that symbolic logic can be applied to reach sensible conclusions without muddying the waters with literary devices.
MS is recklessly endangering your computer and your data with their shoddy attention to security prior to release. I think BugTraq is doing us all a favor by pointing it out.
Re:Of course it was irresponsible (Score:5, Insightful)
Re:Of course it was irresponsible (Score:4, Insightful)
The script kiddies already have the info, and pass it around like wildfire, so it's not telling them anything they didn't already know. The newbies who join the fun because of a publicly-published howto won't amount to a drop in the bucket.
But having the code public does let me the user know what to look for, so if I see Suspicious Web Whatever, I can think to myself, "Self, that looks like Exploit X, tread with caution." And having a real example lets me check out what it looks like in the wild, so I can warn my clients to keep an eye out for it.
Re:Of course it was irresponsible (Score:5, Insightful)
No -- nobody is committing a crime yet. This is more like if Joe Whistleblower were to say, "My town's police are lazy and resistant to change their ways, so I am going to publically talk about their problems. The public needs to be warned for their safety, and the PD needs to get their a** in gear."
Well, after Joe says that, some residents may take extra precautions to protect themselves. Also, some potential criminals now know have information that police response time is bad, and they may take advantage of this by breaking the law.
Whose fault is that? The police, for failing to keep the town secure in the first place? JW, for letting potential criminals know about the flaw in the system? Or was it the criminal's fault because he was the one breaking the law?
I believe that it's mostly the fault of the criminal when crimes are committed, and some blame should also go to the police if they have failed to protect. Joe was just doing his duty.
But comparing MS to the police is too much of a frightening thought, time for the happy pill...
-=Ivan
Re:Of course it was irresponsible (Score:4, Insightful)
The people responsible for keeping PCs secure want to get their hands on the exploit ASAP, so that they can try to put up barriers to stop this problem. If you keep the exploit secret so that they cannot TEST their work, they are just working blind!
I don't really think there is a "plan" like you describe. I think that BugTraq is just doing their duty by disseminating this information. Microsoft should have known at least two weeks ago, that they needed to patch this flaw which could affect millions of users of their products. Yet they still have not done so. By the time BugTraq posted it, most of the electronic intrusion experts throughout the world already knew about it.
-=Ivan
Re:Of course it was irresponsible (Score:5, Insightful)
It's much more like the local newspaper publishing the limited routes the cops actually patrol, thereby allowing crooks to rob the places that aren't adaquetely protected. Sure, criminals will read the paper and know where they can strike, but the idea is that everyone who lives or does business in such an area is venuerable will learn that they are at risk and put pressure one the cops to clean up their act. One of the biggest factors in making a value judgement in a case like that is what level of effort was made with the cops before widely publishing their weaknesses.
Remeber that Andreas Sandblad contacted Microsoft about this problem on Oct 4 (Wired didn't even read the bugtraq posting they reported). That's six weeks ago... even longer than the 1 month period that Microsoft has suggested is necessary from discovery to disclosure. He published only after Microsoft said they didn't think it was a bug. Since Microsoft essentially claimed it wasn't a problem, the announcement needed to prove otherwise to have any chance of success.
One more quote....
You do realize that it isn't the laziness of MS that *actually* does harm, but the fact that it allows malicious people to do bad things?
Are you suggesting that Microsoft's inaction and refusal to fix the problem when they first learned of it six weeks ago was not harmful?
You probably also believe the infamous exploding gas tanks on the Ford Pinto wasn't harmful, and the deaths and injuries were purely the fault of drivers hitting Pintos. Ford's "laziness" (cheaper to settle out of court with victims than the recall and improve the cars) when they knew of the problem and did not fix it probably wouldn't be an issue for you, would it?
Back to Microsoft... who didn't fix the problem when they learned of it 6 weeks ago... does their inaction ever become harmful in your world view? How about when systems are compromised on a small scale? What about when a virus/worm is released with the ability to exploit it? (and what if someone had made a big stink about it in the press and forced them to fix it before that virus/worm was written) It's all the faults of those hackers, and Microsoft's "laziness" (when they knew of the problem in advance) never receives any of the blame? Yet someone who attempts to force the issue with a high profile public announcement, only after first having made an attempt to get them to fix it, is somehow as guilty in your little world as the actual attachers and at the same time the vendor who refused to fix the problem with advanced notice is not to blame at all?
Re:Of course it was irresponsible (Score:5, Insightful)
But until a large percentage of the population gets screwed royally by a security hole... a large percentage of the population hasn't gotten screwed royally by a security hole!
Don't get me wrong, MS should be faster to patch their security holes, but where are your priorities? If you were confronted by someone who had just lost a bunch of important data because of this exploit, do you really think they'd be impressed if you said "But I was trying to make a very important point to Microsoft!".
Wrongly Phrased (Score:5, Insightful)
If you were confronted by someone who had just lost a bunch of important data because of this exploit, do you really think they'd be impressed if you said "But I was trying to make a very important point to Microsoft!".
Instead of that, you should say "By not fixing the bug, Microsoft was trying to make a very important point to you!"
Then they will at least be angry at the right entity.
Re:Of course it was irresponsible (Score:5, Interesting)
Re:Of course it was irresponsible (Score:5, Insightful)
The auto is a great example. If you didn't maintain your car (change the tires, fix the brakes, etc.) when it needed to be done, YOU are a danger to yourself and others around you.
People who don't maintain their machines are a big problem on the net. They are responsible for being DDOS agents, virus distributers, etc. MS (and other software vendors including open source) being slow at releasing patches is ALSO an enabler for distructive issues on the net.
Back to the article, it IS irresponsible to release exploits when the vendor hasn't had a reasonable amount of time to fix the bug and distribute the patch. There is an indjustry accepted time frame for this. If the vunerability is already well known in the wild however, keeping it a secret from the public does NO GOOD WHATSOEVER. The script kiddies keep in touch via IRC, and other mechanisms so they will know about the vunerability anyway. Not releasing the info only harms the public as they will have no chance to be prepared. Admins can add filters to their proxies for example, but they need to know details about how the exploit works in order to do so.
Keeping secrets about vunerabilities that are already known to the black-hats only harms the rest of us.
Re:Of course it was irresponsible (Score:4, Insightful)
I disagree. The script kiddy is the one who is a criminal, but the users who fail to maintain their machines are most definitely acting irresponsibly as well. No, it doesn't give a script kiddy the RIGHT to crack you if you don't patch your machine, but you're still stupid not to. People should use some common sense and try to protect themselves, if only so that they aren't a danger to others.
Your argument is like saying it's totally not my fault if I park my unlocked car with the keys in the ignition in a bad part of LA and someone steals it. Sure, that person was doing something wrong, but I'm still a moron to not take any precautions to avoid its theft. It's exactly the same thing here - yes, the script kiddies shoulder the majority of the blame, but if I'm not stupid I will try to protect myself since there is zero chance the script kiddies are going to go away.
In fact, people not maintaining their machines is even worse than this analogy because a cracked machine becomes a weapon against others. That's more akin to an airline failing to take any security precautions and then saying it's completely not their fault when someone hijacks their plane and flys it into a building.
Re:Of course it was irresponsible (Score:5, Interesting)
Since it's free and extraordinarily easy, why not? Most distros have single click or single commandline (often both) commands to update, with all security upgrades occuring, and offering new features.
And it's that second part that makes me think people *will* be upgrading. Unlike many commercial software packages (and all of Microsoft's software), where you have to pay for the next version with the next features, it's free and automatic to upgrade and get more features. Your CD burning software suddenly supports VCDs, your KWord suddenly has mailmerge wizards, and... oh, that hole in SSH was fixed as well. People don't care about the latter, but they care about the features, and that pushes the bug fixes and security fixes along.
--
Evan
Re:Of course it was irresponsible (Score:5, Interesting)
Basically, my question is this: Can Microsoft be held accountable for negligence if I removed IE and still got wiped out by this thing because they didn't remove all of IE, as per the Court's ruling (on making it an optional component)?
Wouldn't negligence in this regard supercede the EULA and make MSFT liable?
Any legal beagles out there have any insight? (IANAL)
Re:Of course it was irresponsible (Score:5, Funny)
Re:Of course it was irresponsible (Score:5, Funny)
Re:Of course it was irresponsible (Score:5, Insightful)
Posting an exploit that is currently available to the script kiddies on BugTraq is a way of bringing exploits that so far are only posted in script kiddy boards into the public eye, so they find out about it, get offended, and get the damn hole patched.
It works. It is PROVEN to work. So I don't know why people still bitch about it.
Microsoft has known of the hole for over two weeks now. It's in the wild. It's not patched. Maybe NOW it will get patched.
Re:Of course it was irresponsible (Score:5, Interesting)
It was reported to Apple in mid August, then patched via software update within nine HOURS. Information was made widely public about just what the bug was and how it worked a day later. That's the way it should be done, and a company with a clue did something about it. The sections of the OS which were involved weren't open-source, so full responsibility for fixing that particular problem was up to Apple.
Any company sitting on a more serious bug like this one for two weeks (whether or not it's widely known) is far more irresponsible. No excuses.
Re:Of course it was irresponsible (Score:5, Insightful)
Irresponsible my foot. Mickeysoft WAS given a chance to fix this.
This was a well-known problem in IE for quite some time. Mickeysoft simply chose to ignore it, pretending it wouldn't have any impact. This proof-of-concept exploit shows that they're wrong.
Do you think Mickeysoft would have fixed the problem had no exploit been shown? Of course not, they proved that already. Now that there's an exploit will they fix the problem? I would certainly hope so.
Re:Of course it was irresponsible (Score:5, Informative)
If a sysadmin is able to have access to specific code that causes such an exploit, he can develop filters on a web proxy to prevent his network from accessing such pages, and thereby prevent large scale disasters. Without access to the actual code in question, he would not be able to do this and would be at the mercy of M$ to provide a patch quickly.
Re:Of course it was irresponsible (Score:4, Insightful)
Security Researcher: "There's a security flaw in your product X."
Big Software Company: "No there isn't."
Security Researcher: "Yes, there is. If you don't fix it, I'm going to tell."
(denial leads to public annoucement of problem)
Big Software Company: "OK, there could be a problem, but it's not possible to exploit it."
Security Reseacher: "Yes it is possible. It you don't fix it I'm goint to tell everyone how."
(denial leads to public announcement of exploit)
Big Software Company: "Well, I guess we better fix it."
Irresponsible? (Score:5, Insightful)
Could you please explain how one could "properly" describe a bug without giving away how to exploit it? To describe a bug means you show what it is and how it's reproducable, which by definition is how to exploit it. The better you describe it, the better you pave the way for an exploit. So would you rather just no one mention the bug in the first place? Or perhaps just give a hint to the developers: "Psst! Hey, IE has another bug, and this one's a doozy!"
That's part of the problem with security thru obsecurity. If you either only "hint" at the bug or just don't mention it at all, you run the risk of an exploit being discovered and maliciously used while everyone else is still in the dark.
That said, the first step for security related bugs is to inform the original developers (in this case Microsoft). However, if and when the developers do not respond, what responsibility to the general public do you then have? Moreover, in this case the exploit was already out in the public domain (but you have to actually read the article to know that):
"The vulnerability is well-known within the security community and the information posted on Bugtraq was information that had been copied or linked from other public forums," Haldeman said. "This particular exploit has the potential to cause tremendous damage to systems, and security experts need to be aware that this vulnerability is being exploited in the wild to cause damage."
Given that, it's important that those who are responsible for their own and others security (generally the types who actually read bugtraq) know about this bug and can be prepared for it.
Re:Of course it was? (Score:5, Informative)
"The vulnerability is well-known within the security community and the information posted on Bugtraq was information that had been copied or linked from other public forums,"
Symantec insists that it was already publically available. This is simply a very well known/well respected company alerting both the public and the problem company of the possible problems. In reality, when a company as large as Symantec makes a stink like this, the offending company will be quick to resolve the issue.
and isnt that what this is all about? Patching a security issue?
Re:Of course it was irresponsible (Score:5, Insightful)
Every fricking time someone posts an exploit somebody else has to drag Al-Qaeda into it.
Your analgy is retarded.
It's not even close to simlar. What would be similar is if the NYT posted a story about crappy security procedures at a military base that housed bombs.
What solution do you suggest? Should we just pretend tat the US is going to be the only country ever to have acces to nuclear devices? Is describing how a terroist state could build a nuclear device making it easier for the terrorists, or is it trying to get people like you to pull their heads out of their asses and realize something: That a security vulnerability exists and we should do something about it.
If someone is insecure we shouldn't be pretending that it is. That's what we'd been doing with airplanes. That's part of how 9/11 happend. If someone thinks that security of something has been breached, the have to let others know about it, so that it can actually get fixed. It's really idiotic to pretend that only one person could ever find a certain vulnerability. If one person knows about something,.chances are someone else has figured it out too. If I'm running that program on my machine I want to know about any security issues ASAP. I don't care if there is a fix yet, I want to know. If there's no patch, the decision should be mine, as to whether is want to leave an insecure system attached to the internet or unplug it until a patch is availible.
If a security problem exists, it exists. Keeping it quiet doesn't make it not exist. If there's a bug, your system is vulnerable whether you know it or not.
Think about it this way:
If you keep all security flaws secret (except from the vendor), you a relying on:
- The guy who discovers the flaw not to use it for fun/profit.
- The company to recognize and fix it in a timely manner.
- The silly assumption the the guy who found the flaw is the only person who ever could.
If you make them public you are relying on:I trust myself more than I trust any private company. I can make my own assessments about the likelihood of someone trying to exploit a given vulnerability, and decide what to do about it.
The Wired, huh? (Score:5, Funny)
Dude; since when did Lain start writing technical articles?
Yes!!! (Score:5, Insightful)
It might be my sadistic side, but I prefer for working exploits to be posted by the security sites... It gives you a way of checking to see if you are vulnerable.
In the case of M$ bugs, it also puts more pressure on the company to come up with a fix for the problem quickly.
Re:Yes!!! (Score:5, Funny)
Right in the point man. Now, I'm running the code right now to see if im vulne
No!!! (Score:4, Insightful)
But is the fault really bugtraq's? (Score:4, Insightful)
I'll grant you that posting it to Bugtraq probably doesn't add all that much information for the "good guys" (except that the javascript in the "format a:" version is simpler to read), but it has the added benefit of getting someone like Wired to make a big stink out of the whole affair. The publicity is important as a way of getting the bug fixed. Security bugs are viewed by Microsoft (and anyone in the consumer software industry) as PR problems - posting this to Bugtraq doesn't make the bug any worse for users of Microsoft's systems (since the kiddies already have it), but does make it much worse for Microsoft. It's much harder to spin away a bug when live, functioning exploit code is staring you in the face.
yes, of course. (Score:4, Insightful)
If you don't prove it, they will deny it. The ability to erase everything is the threat that all root exploits pose. It's about time the popular press understood the implications. God knows, M$ spends enough money denying the ability and on Astro turfing where people who suggest such things belong to the tin foil hat camp.
I hope this blows all the way up to and beyond CNN. I'm tired of people looking at me like I'm crosseyed when I tell them that IE is full of holes that alow others to look at your files and erase them. M$ can'nt buy the entire mass media forever.
Re:Yes!!! (Score:5, Funny)
It's a self-fixing exploit!
Ahhh... but (Score:5, Funny)
Re:Ahhh... but (Score:5, Funny)
You might think you're joking, but there would be no better way to get microsoft to quickly fix this than to create a web page that downloads a debian install floppy and starts up a network install
User: Hmmm, my computer is acting subtly different, oh well...
MS: Oh no, we've lost another one!
Were Bugtraq irresponsible? (Score:4, Insightful)
I'd even go as far to commend Bugtraq....it takes balls to do something like that and it *does* benefit the whole community eventually.
-psy
Re:I disagree. (Score:4, Insightful)
Microsoft did decide to fix it. (Score:4, Interesting)
Actually, that's not exactly true. The article linked states:
"[Microsoft's] final response were that the technique used to run programs with parameters from the 'Local computer zone' was no security vulnerability. A fix should instead be applied for all possibilities for content in the 'Internet zone' to access the 'Local computer zone'."
This is entirely the right response from Microsoft. They don't want to fix the symptom; they want to fix the underlying problem. I think this should be applauded.
However, fixing the underlying problem is much more advanced than simply fixing a single symptom. It involves finding all possible vulnerabilities for Internet zone sites to become Local zone sites and plugging those holes. It's an architecture change instead of a bug fix.
I agree that Microsoft should release some sort of stopgap measure in the meantime, but every indicator I've seen says that they are taking the problem seriously and want to eliminate all possible vulnerabilities instead of one specific exploit. This is absolutely the right response to the problem.
Re:I disagree. (Score:4, Informative)
Microsoft were informed (from the BugTraq posting, not third hand) on October 4th.
Quoting direct from the original Bugtraq advisory dated 6th November (incidentally, not the link to a ZDNet forum which seems to have got everyone fussing):
Microsoft KNEW of the issue, and actually dismissed the issue, saying it was a necessary feature.
Don't shoot the messenger, shoot the retards who despite proof to the contrary regard bugs as feature.
Its not new anyway (Score:4, Interesting)
Thanks (Score:4, Funny)
Active content... (Score:4, Informative)
Hence why I as a matter of course disable them.
How about encouraging webmasters and web designers to avoid requiring them unless absolutely necessary?
Re:Active content... (Score:5, Insightful)
Most exploits involve one javascript generating a second window which comes into the local zone and posting content to that, though I think that's somewhat patched now, they can also use ActiveX controls to screw you. There is obviusly something flawed with the model, and had they just made javascript a web only scripting language like it was designed, none of this would have happened.
Re:Active content... (Score:4, Insightful)
Re:Active content... (Score:4, Funny)
Sometimes encouragement is not necessary. I installed mozilla on my sister's machine, changed the IE link on the desktop to link to mozilla (but still with the blue 'e' icon) and installed an IE-lookalike skin [mozdev.org] on mozilla and she hasn't noticed the difference yet. (It's been about a month now.)
what is the stink about it.... (Score:5, Insightful)
Those who think, "We should give MS a couple months to find an appropriate patch" are sadly misguided. Do you think a script kiddie or hacker is going to wait? Do you think they're going to say "Oh, I shouldn't do this because microsoft is a big company." Wake up people, the only way a company is going to put their top programmers on the job to fix the bug is when the threat moves from "possible" to "real". As much as I wish companies too exploits more seriously, the reality is they don't until it is percieved as a "real immediate threat."
Re:what is the stink about it.... (Score:5, Insightful)
While I agree with you in principal, and I'm sure we share the bond of 360k floppies with zipped copies of viruses, I have to disagree with the details.
I remember a time when the source code for some vulnerabilities was disclosed, but with errors. If you didn't know how to fix the error, you couldn't use the vulnerability. This way, it was kept OUT of the hands of script kiddies, but put INTO the hands of those with a clue on how to fix the problem.
I'd be willing to bet 95% of the break-ins on the internet are plain old script kiddies. IMHO, there isn't any more port scanning going on, there isn't any more social engineering of the average joe's desktop pc. That sort of work is left to the 'expert' black hats, trying to get into the 'treasure chest'. The rest are lamers just running what they found.
IMHO, if BugTraq is going to post vulns, they need to be non-working, and the user has to have the knowledge to fix them. Especially on closed platforms, it does less good release exploits for code you can't fix, because you're not fixing the problem, you're just working around it.
Slashdotted Already - Article Text (Score:5, Informative)
----------
Serious Internet Explorer Defect
This is a developing issue and the information presented here is preliminary in nature and subject to frequent changes. Last significant update - 11/08/02-1830
SUMMARY
A simple way to exploit an unfixed defect in Internet Explorer has been discovered that allows malicious web sites, and possibly malicious email messages read with Outlook or Outlook Express, to take control of a computer. All you would need to do is click a web link and the owner of the web site could take almost any action they desired on your computer.
Simple, working exploit software was recently published to a public mailing list.
There is no patch to fix the problem. Anti-virus and personal firewall software will not prevent an exploit. It is hoped that Microsoft will provide a patch to fix this defect in the near future.
It is impossible to predict how, when, or even if someone will take advantage of this but due to the ease with which bad things can be accomplished it was decided to post an announcement. Nothing at all may happen. Or someone could write a virus or put up a malicious web site to take advantage of the situation at any time. The last time a defect exploit with similar characteristics was published, it was quickly incorporated into many email viruses making it unnecessary to click an attachment to get infected.
The following practices are recommended for users of Internet Explorer, Outlook, and Outlook Express until more information becomes available:
1. Users of Outlook and Outlook Express should perform the following simple, unobtrusive procedure to disable scripts from executing in email messages:
Click the Tools menu item and select Options
Click the Security tab
In Outlook Express, make sure the Virus Protection security zone is set to Restricted site zone as shown in the window below:
In Outlook, make sure the Secure Content Zone is set to Restricted Sites as shown in the window below:
These are the default settings for Outlook 2002 and Outlook Express 6. Users of earlier versions should change the setting to Restricted.
2. Indiscriminate browsing of untrusted or questionable web sites should be avoided or scripting should be disabled as described in the additional security measures below. Note that hyper links sometimes appear in email or instant messages. If these messages are from malicious individuals, they could lead you to a malicious web site.
3. Indiscriminate clicking of hyper links in unexpected or suspect email messages, instant messages, and peer sharing resources should be avoided or scripting should be disabled in Internet Explorer as described in the additional security measures below.
ADDITIONAL SECURITY MEASURES AND INFORMATION
There is only one technical defense against an exploit at the present time and that is to disable scripting in Internet Explorer, Outlook, and Outlook Express. Instructions for disabling scripting in the mail clients were included in the recommendations above and should have little or no effect on day to day use.
Unfortunately, disabling scripting in Internet Explorer will adversely affect the operation of many web sites including E-campus and the Windows Update Site. There is, however, a way to specify trusted web sites that are are allowed to use scripting and disable it for all others. Users desiring to decrease risk may follow the instructions at the following web site under the section titled "Optional Internet Explorer Security Measures":
http://www.jmu.edu/computing/info-security/engi
Risk associated with this exploit and most others can be somewhat reduced by using a non-Administrative Windows account when browsing the web, reading email, and other day to day computer use.
The defect has been verified in Internet Explorer 5.5 and 6 SP1 running on Windows 98 and XP SP1 respectively. It is likely all varieties of 5.5 and 6 are vulnerable. A quick attempt on a Windows 95 computer running IE 5.0 was unsuccessful but not enough research was done to know why.
A possible symptom of an exploit is a Window similar to the one below suddenly appearing on your screen after clicking a hyperlink or opening an email message. The exact appearance of the Window may vary depending upon the version of Internet Explorer and operating system. Note that this window will appear if you click Help and under that circumstance the window appearance is not an indication of an exploit. If you are affiliated with James Madison University and see this window unexpectedly appear after clicking a web hyperlink or reading an email message, please contact Gary Flynn at x82364 ASAP. People affiliated with James Madison University can find my home number in the local directory and are encouraged to call me at home if such an event takes place after normal working hours.
Re:Slashdotted Already - Article Text (Score:5, Insightful)
Crap. The simplest and most appropriate technical defense is to switch to another browser. Even Windows users have a choice of browser.
Know the code, avoid the code? (Score:4, Insightful)
Informed security is way better than uninformed security.
Anyone who wants to use this exploit will find out how. The exploit-users already know how to use it and will tell their friends, so we may as well know also.
Fight javascript with javascript (Score:5, Informative)
Also, I've come up with this possible solution:
In IE, bring the potentially malicious page to the front, then press Ctrl-O to get the Open prompt. Enter this:
javascript:void(location.replace=null)
then click OK. Now anytime that a javascript on that page tries to do a location.replace command will now instead issue a null command (no command at all). (Assuming the script hasn't already been activated, under an onLoad event or something)
This works with annoying exit pop-up ads too:
javascript:void(window.onunload=null);
You can do this with all sorts of javascript commands that get abused. Find some offensive pages, look at their source, and disable the commands you see used often. (onunload is probably the worst and most often used).
Major inspiration from this cnet builder page [netscape.com].
Proposition, new topic: Windows Bugs (Score:5, Interesting)
a.) Run Microsoft exclusively (only want to see Microsoft bugs)
b.) Run Microsoft exclusively (don't want to see Microsoft bugs)
c.) Want to find any reason to bash Microsoft... (only want to see Microsoft bugs
d.) Don't run Microsoft at all (don't care about Microsoft bugs)
Easy (Score:4, Insightful)
Too many companies (software vendors, security consultants) are financially vested in how bad the security blackeye looks in the marketplace and it colors their policies regarding security notification.
As far as I'm concerned, the interests of the software users should be the primary concern.
Bugtraq, not bugtrack, and other squibbling. (Score:5, Interesting)
On the other hand, there are "independents" such as GOBBLES and other security goons who believe that posting the advisory with full exploit code the second they discover it is a good idea. I'm not going to disagree with that, because without such wake-up calls, many people would never update their systems, remaining vulnerable for days/months/years. It's pretty ridiculous how many people do.
It's not really up to BugTraq to decide which is the better course of action, it's up to the analysts and the community. If the community chooses to ostracize a member for using such tactics, they can do so. I'm sure that a commercial security vendor would encounter exactly that for releasing an advisory with exploit code and no vendor notification.
Though, in all fairness, most people have known about this IE exploit for months, and I can be reasonably sure that among "most people" "Microsoft" is included. Microsoft doesn't exactly have the worlds best track record working with people to resolve security issues, or even releasing timely patches.
In short, BugTraq good, security good, black hats bad.
This Linux's big chance! (Score:5, Funny)
Now all we need is a way to embed an ISO image of a Linux system into the web page and use the same exploit to install an alternative operating system. Just think of the banner ads! "Click here to Install Linux!" and "Get That Windows Monkey Off Your Back! Hit the Monkey to Try!" and "Eliminate Windows Instabilities Forever. Click Now!". Then it won't be malicious. It'll be setting all those people FREE!
Where's the Mac version of the exploit? (Score:5, Funny)
Re:Where's the Mac version of the exploit? (Score:4, Funny)
I thought it was a waste of money until I scanned all the M$ Office documents sent to me by Windows users. About 60% had macro viruses on them. Of course, I never noticed before and it never effected my system, but it was nice to clean out the 'Windows Cooties' from my Mac.
I can't feel bad for Windows users. (Score:4, Interesting)
So if you're using a Windows box, I've got to assume one of three things is happening:
And, yes, it would be different if this were Linux, or BSD, or even MacOS. All those operating systems come with companies or communities who take security seriously, and they respect their users enough to not foist insecure features on them. You can have the reasonable expectation that running any of those OSes let you worry about security a lot less than running a Windoze variant.
If you had a nice apartment in the middle of New York, and you constantly left the front door unlocked, and then one day somebody walked in stole your stereo, I'd feel bad for you. But, you know, not too bad.
Re:I can't feel bad for Windows users. (Score:5, Insightful)
But it's not like that at all. It's more like I lock my front door. I ask my super "am I secure?" and the super replies "yes, absolutely."
Then I learn there's a fire escape. I say "The fire escape was unlocked." and the super replies "oh, yes, it was unlocked." So I lock the fire escape.
Then I find a closet door isn't a closet at all, but leads directly to the next apartment. I lock that. Suddenly, a section of all turns out to have a door that's been wallpapered over. Under the rug there's a trapdoor leading to the apartment below me. Hidden behind the fridge is a dumbwaiter. The entire fireplace rotates ala Indy Jones. I cry in exasperation to my super, who just says "well, aside from all those holes, your apartment is secure."
Another Link (Score:5, Funny)
Nothing to fear. Just a link.
Re:Another Link (Score:4, Funny)
Want to take a break? Click here - and see how you can have a much deserved break from work right now!
Prevention BEFORE patching! (Score:5, Insightful)
For example a web proxy might be able to scan for the presence of the malicious code in question, but if that code is not available to the sysadmins, then how can they make appropriate filters? Also being aware of the ways in which these exploits work could allow sysadmins to make more general security policy decisions in terms of what users / processes are allowed to access what areas, etc. I'm not saying that it could be done in this case, but could in many others.
This could save a company a lot of time and money, and is therefore a good thing. It is not true to say that only the party responsible for producing a patch needs to see the actual code for security reasons.
Re:Prevention BEFORE patching! (Score:5, Insightful)
corvi42 wrote:
Then that's easy to fix: (all links to the neohapsis archive, since it's just nicer to look at than securityfocus)
One especially noteworthy point: Microsoft was informed of the bug on October 4th.
So:
My opinion? A wired writer needed a story.
What luck! (Score:4, Funny)
The joke they always make is "For those of you who want to work in software testing... Yes, we do test our products (wait for laugh)"
New distributed client built in to Windows! (Score:4, Funny)
Microsoft(TM) intrudes^w introduces an incredible new PR nightmare^w^w way to work(TM)!
Trojaned@Home(TM) - work on any problem you want(TM)! Set millions of CPUs working at a moment's notice(TM)! Every copy of Windows(TM) has this glaring security hole(TM)^w^w^w feature(TM) built in!
Trojaned@Home(TM) is super fast, due to Microsoft(TM)'s secret Code Hider^w Layering(TM) technology, which ensures that it's always on(TM), and ready to work for you(TM)!
See the power of the internet(TM) multiplied by millions(TM) of smart Windows(TM) users today!
Use Trojaned@Home(TM)!
Ha! You already are(TM)!
Dissapointing WINE performance (Score:5, Funny)
Tried it on WINE using CrossOver Office.
and was very disappointed to find that WINE once again did not live up to it goal of being bug for bug compatible with windows.
All i got was HTML help and a script error. No files written to my "C:" and no exploit.
*sigh* Guess WINE still needs some work.
I once "discovered" a virus... (Score:4, Insightful)
We made a web site that showed how to clean an infected system and had downloadable infected files for virus researchers. At the request of some of the researchers, we took off the files and gave an email address for researcher requests instead.
Surprisingly, we got emails from script kiddies (some posing as researchers, some not) trying to get copies of the virus.
But, by the end of that week, there were separate executables from a few companies implementing our cleaning methods, and the next round of signatures could detect it.
I think it would have been a better idea for these guys to just post the solutions and keep the exploit code itself as secret as possible. MS will prettymuch HAVE to deal with this one. It's the kind of exploit you hear about in hoax emails, but I don't think it's going to make their lives much easier knowing that this exploit is so widely available, not to mention the people who get hit by it.
vk.
OT but relevant (Score:4, Interesting)
Differing perspectives on security, I suppose.
Re:OT but relevant (Score:4, Informative)
Schneier on "Full Disclosure" (Score:5, Informative)
SuperVirus (Score:4, Interesting)
I believe that it's only a matter of time before someone creates a "SuperVirus", A Virus with all previously successful exploits, and unleases it on the world.
With the recent outbreaks of klez, code red, nimda, kak, sircam, and other viruses that do minor damage and proliferate fast through multiple exploits its only a matter of time until a script kiddie gets it into his head to combine them all and make a virus that infects everything, spreads though multiple existing holes, and does a massive amount of damage via either DDOS, Format after a set time, or Both.
Yawn (Score:4, Insightful)
There are only so many times you can read a headline like that before the "cry wolf" factor starts to kick in. All these "bugtraq" alerts are academic...theoretical...What I want to see is a headline that reads Merrill Lynch crippled by XP flaw. Plans to sue MS for millions $$$ damages or somesuch. Or at least a story of an actual user whose life was ruined by an actual MS security hole. Something tangible...Now THAT would be interesting!
Wired's "article" is basically... (Score:4, Insightful)
What new ground is broken here?
None.
The simple fact remains that Micro$oft produces products that are riddled with the most egregious of security lapses, and that Micro$oft has an unrivaled history of dragging it's feet/passing the buck, even when billg is hit over the head repeatedly with the fact that his minions have unleashed yet another f*ckup on the unsuspecting public.
So, it's possible to contrive html that, when viewed on a remote web site, reformats the local hard drive of the box IE is running on?
Are you kidding me?
billg and every single idiot who was anywhere close to being involved with this f*ckup should be sued for every last penny they have.
As for full disclosure, let 'er rip.
It's the only way Micro$oft will ever be held in the least bit accountable for their crap.
t_t_b
Responsibility (Score:4, Insightful)
It seems that what's really irresponsible is not what Bugtraq did, but running IE to begin with. It's history of security flaws and exploits along with Microsoft's foot-dragging responses make it utterly irresponsible to run such software.
That said, no one is immune from security exploits. The argument for posting it to Bugtraq seems mainly to be that this motivates the vendor to move quickly now that their customers know about the exploit and now that nefarious types have easier access to it. (Don't fool yourself into thinking the most malicious types didn't usually already acquire it by other means.)
But if what we really want to do is motivate vendors to patch things quickly, it should be the first rule of Bugtraq that no exploit is posted until the vendor is informed. Most linux security exploits are resolved within about 48 hours, while it is true that Microsoft often takes weeks or months. Given our competing interests in both informing the vendor privately and getting information to the public, we should balance these in a reasonable way. One such solution might be that Bugtraq adopt a rule that after a vendor is informed, they have 48-72 hours after which time it will be posted.
For both the responsible vendors and the free software community this approach would balance our interests in minimizing exploits while a solution is actively pursued while also acknowledging the benefits of full public disclosure.
In the case of smaller vendors than MS who might not have the resources for such a quick bug-fix, an appeal process could be instituted wherein the vendor may contact Bugtraq during the initial grace period and request an extension. Guidelines based on the resources of the vendor and the seriousness of the bug could be used to determine whether another 48-72 hours should be granted.
BWCarver
He Gave Them a Month (Score:5, Informative)
Microsoft was initially contacted 2002-10-04. After several mail exchanges, their final response were that the technique used to run programs with parameters from the "Local computer zone" was no security vulnerability. A fix should instead be applied for all possibilities for content in the "Internet zone" to access the "Local computer zone".
How much time does a company have to actually fix a problem this serious? When somebody takes the trouble to notify a company about a defect, they've already demonstrated helpfulness and responsibility. It would make sense for the company to take that helpful, responsible person into the loop, and at least update them periodically about what is being done about the problem. That would give a helpful person like Sandblad a basis for continuing to wait. In this case Microsoft gave no indication that they were doing anything about the problem or intended to do anything about it. Continuing to sit on the information certainly wouldn't give them any further incentive. Sandblad reported this problem, got a thanks-but-no-thanks, then after a month of no news went over their heads to the public. I would say he handled it very responsibly.
Worse than goatse (Score:4, Informative)
Goatse is disturbing and easily detected, but I'd imagine that this script could be setup almost anywhere, making it easy to slip in a slashdot comment.
And yes, I'm sure there are probably enough trolls on here that somebody would try it if they knew how.
What about this? Same debate - different situation (Score:4, Interesting)
[snip] This brings up the question of whether or not the benefits of disclosing the information out weigh the problems. While attackers can exploit the holes, it pushes companies to release a patch as soon as possible. Personally I'm all for disclosing the full information. But that got me thinking about another example of security disclosure. After September 11 it was impossible to escape "news reports" speculating on the next terrorist attack and their next weapon. They mentioned that small pox would be a good weapon and went on to detail why. They said we have no cure and we're not prepared for it and basically said that if they used that against us we'd be powerless to stop it. I also saw reports on the least secure airports and how people sneak weapons through security and so on. I was angry when I saw this information being broadcast for anyone, including terrorists, to see. They could easily use this information to plan another attack. The reporters were doing the terrorist's research for them. In theory, these are the same debates. Should vulnerable information be disclosed in order to better prepare for or fix the security hole? I'd be curious what other people think. Can you support full disclosure of security holes in software, but not support full disclosure of certain national security threats without being a hypocrite?
"Mined" web pages have been proposed before (Score:4, Informative)
http://online.securityfocus.com/archive/1/28213
Bits of note include:
"The key is the Format command's "/autotest" flag, which I believe was
put into place early on in MS-DOS's history to assist in batch
processing, and was probably dropped from the documentation some time
back (it's not in my DOS 5.0 manual as far as I can tell -- although
that's not too far in the past). It can be tested for by entering:
"Format a:
The automated format via web page can be accomplished as follows (with
the example shown demonstrating how to create a link on a web page which
will automatically format Drive A):
1) Either:
Create a
"C:\WINDOWS\COMMAND\FORMAT.COM a:
And Working Line set to:
"C:\WINDOWS\COMMAND"
Or:
Create a
"format a:
(Should the user wish to format another disk, the a: may be
replaced with c:, d:, e:, etc.)
2) Link to the file on a web page as follows:
Click Me [slashdot.org]
Or:
Click Me [slashdot.org]
According to the method chosen for implementation in step 1. These
links may be placed beneath graphics or text, as would be found on a
regular web page.
3) Upload the html document and
server directory and wait for an unwary user to click the link and
'Open'.
Spooky, eh?
These steps don't create a Trojan Horse so much as an out-right "Cyber Mine" which will be activated on a user's machine the instant they click the link and accept the file into their system. As the download of the 1k file is almost instantaneous, damage will be made to the user's data in a matter of seconds. "
It would be interesting... (Score:4, Insightful)
Does anyone remember the time when Yahoo finally found that someone had edited the text on their frontpage. White on white text that could be highlighted. I don't know the details, but I knew about it long before yahoo discovered this.
It *can* happen, but now companies are definately more security cautious.
Fortunately, I use mozilla, I made the full time switch and lived with the minor bugs the day Gator mysteriously installed itself on my system while browsing with ie. (there was a previous story on the incident with that exploit).
If it's already in the wild... (Score:4, Interesting)
An example can be seen in the game everquest. There was an exploit that allowed characters to crash portions of the world with almost no effort. It was left in for months because it was mainly contained on one server. It had been /bugged and reported to the maintainers of the game multiple times w/o response.
Finally, a player from the server became fed up and posted exactly how to exploit it on multiple message boards where it would be widely seen. Within days it was being used on ALL servers with regularity. It was patched in the next patch less than a week later.
Companies deal with jobs related to their importance which is not only the serverity but the population effected, (if anyone has watched fightclub when he's speaking about his job you get the idea). By spreading the knowledge the importance is increased. And the bugtraq is the best place to spread it as it will get out to as many people responsible for security as possible.
Thanks for the Help Microsoft! (Score:5, Funny)
Malicious? (Score:4, Funny)
Surely there's a typo here. If I discover that the computer I'm working on has Windows installed, you're saying that all I need to do to reformat the hard drive is click on one of these web sites?
Re:Malicious? (Score:4, Insightful)
Yup, it's that bad. It's getting to the point where I only use IE for intranet applications. What's the point in being the best browser when it's not safe to use?!
Timlock puzzles (Score:5, Insightful)
This way the vendor knows the clock is ticking, and ance you've published the puzzle and the encrypted exploit no ammount of legal manuvering can put the cat back in the bag, so to speak. Basically, it allows you to put pressure on the vendor while still being responsible and giving the vendor a month (for instance) head start. You can put decent bounds on how long it will take the fastest consumer machines to solve the puzzle. There's currently a puzzle running that's supposed to get completed shortly before the MIT Laboratory for Computer Science's 70th b-day, for instance.
Was it responsible (Score:4, Interesting)
What's irresponsible is living in a fantasy world and thinking that Bugtraq are the only ones capable of exploiting a bug like that. Just because you don't talk about it and shh shh it doesn't make the bug disappear and unexploitable. Shit man just like any exploit someone is gonna write code to exploit it if it's in their interest or for fun or just because they are pure evil. With something like this; shit as soon as the exploit was posted I'm sure there were people writing code to exploit the shit.
Re:Irresponsible? (Score:4, Insightful)
However I'd also be quite upset at my vendor for letting this happen.
Re:Irresponsible? (Score:4, Informative)
The criticism has a bit of a different skew:
"Symantec's actions give the impression that they are encouraging people to create and release malicious code. Given that Symantec also sells security and antivirus software, I think there is a terrible conflict of interest here."
I have to admit I wonder about this myself from time to time.
Re:Irresponsible? (Score:4, Interesting)
I have to admit I wonder about this myself from time to time.
On one hand, I agree. This can be viewed as attempt by Symantec to increase market share / profits by exploiting someone else's mistakes, and can certainly be viewed as inapropriate, a conflict of interest etc.
On the other hand, though... we have a software company with a not-so-stellar track record regarding security in their browsers and/or email clients, not to mention other avenues like operating systems. Moreover, a company that apparently refuses to learn from their mistakes, frequently brushes vulnerability reports aside as "unimportant", "insignificant", and essentially creates a market for companies like Symantec.
Business practices / exploit-with-no-patch-disclosing aside, what's wrong with Symantec developing security / antivirus software while exploring the operating system their software was made for and finding / reporting bugs?
If there was a certain home builder who notoriously installed windows (pun not intended) that could easily be opened from outside by anyone (e.g. a thief), and if I came up with a way to secure such windows (like, custom made-to-fit window bars that go perfectly with your house), why wouldn't you want me to 1) manufacture and advertise my security device, and 2) advertise the fact that the builder refuses to fix / replace the windows with a better model? Would you prefer that your home were insecure and you not know about it? Or would you rather know that there's an easy way into your home that anyone can access with a $5 tool? Wouldn't you rather be protected?
As I said, aside from the way that Symantec approached this particular problem, I don't necessarily think there's a whole lot of a conflict of interest here.
Re:Irresponsible? (Score:5, Insightful)
Secondly, I'd rather *know* what an exploit looks like, and thus be able to create a filter to prevent exploit packets incoming rather than just hoping that an exploit doesn't exist (because if it does, the black hats will have it, and the script kiddies will get hold of it).
Thirdly, I have enough knowledge to help join in the effort to fix the bug; I'm not the only person with that sort of knowledge. In the situation you describe, I can attempt to tackle bugs that affect me; I'm not dependant on someone else doing it for me. Even if I was dependant on other people, I'd still prefer them to have the extra visibility into the problem that an exploit provides. I've had to debug similar errors before, and while the debugging is the hardest part, the second hardest is creating a useful test case; in your situation, I have a test case already.
Re:Irresponsible? (Score:5, Funny)
I wouldn't be so pissed as long as the attacker did this often. It's such a hassle to wait for my system to do a monthly e2fsck when the partitions have readched their maximal mount count.
Re:Irresponsible? (Score:5, Insightful)
No, and here's why; if I have working code that roots my box, I can start looking for ways to prevent it from running. Know yourself. Know your enemy. The easiest way to beat something is to study it.
Now, that isn't an option in the case of IE, but I don't run it anyway. Still, there is at least some value in being shown how to exploit a vulnerability; it proves that it is real. I could send out an email tomorrow saying "Mozilla has a huge security bug that allows arbitrary execution of malicious VBScript," but unless I show you how, most (technical) people will assume I am blowing smoke. If I put up some code that demonstrates it, though, most (technical) people will say "crap, better 1. stop using Mozilla, or 2. get to hacking out a fix."
And wrong. (Score:5, Insightful)
The sploit paper says that MS was contacted about the combined exploit October 4, which is not in November, and that they have closed the issue with a "will not be patched because XYZ" statement, which is not to be investigating the issue.
Two critical wrongs in fact out of two possible. I just felt a sudden urge to trust the rest of the article so much more...
Re:Shooting the messenger .. (Score:5, Funny)
Whoopsie [com.com]
Daisy [tom.me.uk]
Re:Shooting the messenger .. (Score:5, Informative)
Their version of november is not actually the real november. From Andreas Sandblads mail:
"Microsoft was initially contacted 2002-10-04."
Re:Any kind of bugtraq mailing list (Score:4, Insightful)
Of course. That is why from now on we have instituted a simple procedure that must be followed any time you want to buy a book or read one in a library.
Just submit to the nearest government office the Request For Information Access form (RFIA-1984) together with all the necessary documentation proving that you need the information. In due time the form will be returned to you, stamped "approved" or "rejected". If it has been approved, take this form to your book dealer or library and you will be granted access.
Please be aware that having multiple requests rejected can adversly affect your future.
Have a pleasant day.
Re:BAD BAD BAD! Why? Now the script kiddies have i (Score:5, Funny)