Four New Unpatched Windows Vulnerabilities

peeon writes "Right before Christmas, four new Windows NT/2k/XP vulnerabilities were posted to the Bugtraq list. This story discusses two of the vulnerabilities in the LoadImage function (buffer overflow) and Windows Help program (heap overflow), but the Chinese company discovered two more exploits in the parsing of a specially crafted ANI file (causes DoS). A Bugtraq posting has more details."

YAWN

[tarunthegreat2]

Hmmm, so windows has bugs in it. Surprise surprise. Merry Christmas everyone. In Soviet Russia, Windows Exploits you...oh wait...

Forced Upgrade.

[datadriven]

Vulnerable:
Windows NT
Windows 2000 SP0
Windows 2000 SP1
Windows 2000 SP2
Windows 2000 SP3
Windows 2000 SP4
Windows XP SP0
Windows XP SP1
Windows 2003
Not vulnerable:
Windows XP SP2

They'll do anything to get you to upgrade.

Re:Forced Upgrade.

[Dekks]

Funny you should mention that, my father still uses Windows 98 and netscape 3, and never runs into any problems. So much for progress eh?

Re:Forced Upgrade.

[m50d]

Netscape's the key. Stay off IE and you're fine, even in win 3.0.

Re:Forced Upgrade.

[mtenhagen]

Just wait until longhorn comes out. Then XP SP2 will have some exploits aswell. This is just a microsoft consipracy to make us upgrade. Dont believe the people who claim microsoft developers spend more time on new features then on creating good code.

Re:Forced Upgrade.

[DrEvil]

It has to be a conspiracy. Anyone who claims that this might be a consequence of the year-long security push for SP2 and that a high-level fix made during this push might prevent certain classes of bugs from being exploitable is clearly evil and has been exposed to too much software engineering. I'd suspect such a person of spreading facts instead of FUD.

Re:Forced Upgrade.

[Mystic0]

Okay, so Service Pack 2 has some nice security enhancements. But it also has a lot of other stuff that some people may not want. Why do you think they decided to release such a large update in a large batch? Because it allows them to quietly force extra features on you. These tag alongs are allowed to slip by unnoticed in the midst of more important security updates. I would appreciate it if MS would take a more modular approach. For example, they could say, "Click here to download a security update f

Re:Forced Upgrade.

[jerw134]

The Windows Firewall has been included with XP since SP1. If you don't want it, just turn it off.

Re:Forced Upgrade.

[bryanp]

a) Nobody's forcing you to upgrade. I still haven't had Steve Ballmer show up on my doorstep with an Uzi yet.

b) The list you give is mostly patches. There are four base OS' on that list and 6 patches, all of which are free.

c) If it bothers you, feel free to run an unpatched OS of your choice, whether it be Windows, MacOS or one of the many *nix variants.

Re:Forced Upgrade.

[CaptainZapp]

a) Nobody's forcing you to upgrade. I still haven't had Steve Ballmer show up on my doorstep with an Uzi yet

Uzi is fine. But when he shows you his monkey dance then you know youre in deep trouble.

Especially when he sits on you afterwards.

Re:Forced Upgrade.

[Krach42]

Very true... let me weigh in with my experience running an unpatched OpenBSD box.

"Only one remote hole in the default install, in more than 8 years!"

That didn't go ++ when the OpenSSH hole gave some hacker access to my machine remotely. Or was the number fixed after the default install doesn't open any ports?

Either way, it's misleading. Not that I don't *like* OpenBSD, it's just upsetting that they're not more open about it being just as vulnerable unpatched as any OS is.

Re:Forced Upgrade.

[Evangelion]

Umm, yeah it did. Before the OpenSSH hole, it was at zero.

(Speaking as someone who was rooted while trying to install the patches to that version...)

use a frickin dictionary

[Sleepy]

Your statement is untrue. "Forced" means coercion, which you interpret can only be delivered through violence (an Uzi) but is not a true definition.

Your narrow definition of forced is plain wrong.

Try this new software.. it's called a dictionary:
forced [reference.com]. Come back when you finish your homework. Other suggested reading. [reference.com]

Re:Forced Upgrade.

[m50d]

That's only while he's preparing you. The XP SP2 vulnerabilities will be ones which make your monitor explode, then in Longhorn we'll start seeing ones where an attacker can pull an uzi on you.

Re:Forced Upgrade.

[Foolhardy]

If you put it that way, Windows 2003 (NT5.2) is an upgraded version of XP (NT5.1) which is an upgraded version of 2000 (NT5.0) and 2000 is an upgraded version of NT4->NT3.51->NT3.5->NT3.1 and NT3.1 was written from scratch using ideas and a team from VMS.
The only other base OS series from Microsoft is the 9x line, based on Win3.1.

Many of the divisions between those OSes were manufactured by the marketing department; 2000 Server has exactly the same files as 2000 Professional, plus a couple of regi

Re:Forced Upgrade.

[BESTouff]

Not vulnerable:
Windows XP SP2

You must be wrong: the slahsdot title clearly states that the vulns are unpatched, so SP2 has to be exploitable too.

Re:Forced Upgrade.

[Bert64]

Perhaps other features of sp2 mitigate the vulnerability somewhat, or make it harder to exploit or whatever..

Not vulnerable: Windows 98 SE

[stankulp]

Now that it takes less than 5 minutes connected to the Internet for a Windows box to be hijacked, I have gone back to dual-booting Linux with Windows 98 SE.

A lot of Windows viruses simply won't run on it.

All I need is Office, so it's good enough.

another wonderful holiday season

[jokach]

a time when many companies and home users are least prepared to deal with the problems.

Looks like I know what i'll be doing over the Xmas holiday. If not fixing the problem at work if it becomes a problem, but fixing the problem with my family as well.

But I guess this is only a problem if some genius releases a virus containing the exploit ....

Re:another wonderful holiday season

[northcat]

RTFA. Exploits have already been released. Exploits are enough.

.. posted from newly esspee2d xp abomination

[maharg]

so it's christmas eve 2004, i'm at the in-laws, just spent 3 hours adawaring, spybotting, esspee2ing from a cd burnt on the latest stage 1. go figure.

30 megs of critical/av signatures to be done over diallup another time

damn you micro$hite

Re:.. posted from newly esspee2d xp abomination

[StormReaver]

I recommend just telling them that you no longer support Windows. Then you could actually enjoy your holidays (and every other day in the year).

And leading by example works.

Re:.. posted from newly esspee2d xp abomination

[maharg]

.. yeah, telling them no would help my wife's disabled nephew no end. They find XP challenging enough - they are *not* ready for linux. I think you have possibly misread my frustration at gates and co as resentment that any member of my family would ask for help with their computer. I am loving the holidays with my wife and sons. Leading by example does work, and I heartily recommend that you try it sometime.

Happy Holidays Everyone !!

Re:.. posted from newly esspee2d xp abomination

[harks]

Is the problem Microsoft, or is the problem that people don't feel the need to update? I think its a little of both.

Re:.. posted from newly esspee2d xp abomination

[upsidedown_duck]

Is the problem Microsoft, or is the problem that people don't feel the need to update?

The only things that people spend as much money on as computers are things like cars and appliances. How would you feel if your dishwasher was badly designed, shipped with flaws, and needed you to take it to a repairman several times a year? The time you would have spent removing the dishwasher from the cabinet, lugging it to your car, and driving to a repairman is comparable to the amount of time people waste with pat

Re:.. posted from newly esspee2d xp abomination

[gnu-generation-one]

"so it's christmas eve 2004, i'm at the in-laws, just spent 3 hours adawaring, spybotting, esspee2ing"

So Mepis CDs all around, for christmas presents then?

bugtraq links for the vulnerabilities / demo

[tsager]

Demonstration of exploits:
http://www.xfocus.net/flashsky/icoExp/index.html [xfocus.net]

http://www.derkeiler.com/Mailing-Lists/securityfoc us/bugtraq/2004-12/0387.html [derkeiler.com]
http://www.derkeiler.com/Mailing-Lists/securityfoc us/bugtraq/2004-12/0360.html [derkeiler.com]
http://www.derkeiler.com/Mailing-Lists/securityfoc us/bugtraq/2004-12/0359.html [derkeiler.com]

(Source: http://www.heise.de/newsticker/meldung/54610 [German])

Instant Reboot on windows

[EqualSlash]

Warning: If you are on Windows Don't download
www.xfocus.net/flashsky/icoExp/KERNELBLUE.ani

Instant Reboot. This is a very critical vulnerability. Reminds me of the old exploits that referenced "CON" [microsoft.com] in the file path inside a webpage to trigger a BSOD.

Re:bugtraq links for the vulnerabilities / demo

[Cylix]

FC3 won't open the HLP files.

Damn you linux... you have hindered me for the last time!

But...

[RAMMS+EIN]

Will they allow me to install Linux once i 0wn the machine?

Don't suppose anyone...

[NoMoreNicksLeft]

Knows where a person could find a pre-compiled, local only 2k/XP administrator access binary? Something that would just open a cmd.exe with the correct privileges, to say, install java on Firefox?

I'm not a script kiddy, just not patient enough to go through the 3 month process of maybe getting it approved to be installed by IT...

Firefox passes the test

[Adam9]

I'm not sure if many people have tried it already, but I loaded the exploit page with Firefox.

Mozilla/5.0 (Windows; U; Win 9x 4.90; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0

It took a few seconds to load on my p3 600mhz, but it got there just fine.

Re:Firefox passes the test

[NoMoreNicksLeft]

Partially. Firefox with java requires a registry entry, which is my problem. The machine already has java 1.4.x, so in theory, just adding the NS###.dll's to the plugin dir would do the trick. Still not working though.

Re:That depends on how angry your IT dept is.

[NoMoreNicksLeft]

That's not really an option. I can't change anything permanently. Was hoping for an exploit that gives me a temporary admin cmd.exe, I install, and then reboot. No one knows how it was installed then.

Doesn't even have to be a new exploit. Just as long as it works. And as I said, I'm not a script kiddy, so a local-only exploit would be fine too.

Give this as a gift for the holidays

[Skalek]

Nothing is more annoying about the holidays then going to visit family and friends and then being sucked into fixing their damn computers While everyone is drinking and having a good time we are the schmucks trying to figure out how to remove that damn proces from windows 98!

This year I wash my hands of it and am giving them a printout of a tutorial I found that has helped some friends. It is basic, but they do not bother me as much anymore:

Simple and easy ways to keep your computer safe and secure on the Internet [bleepingcomputer.com]

Re:Give this as a gift for the holidays

[Stevyn]

Yeah, I always get stuck doing this too.

Do people ask plumbers to unclog toilets on holidays? I don't fricken think so!

Re:Give this as a gift for the holidays

[lew3004]

You're lucky. I cherish the moment they want me to fix their PC. That way I don't have to listen to all the other drunken idiots.

Re:Give this as a gift for the holidays

[museumpeace]

I'd suggest either feigning a stroke that has caused you to "forget" everything you ever knew about computers or download the ISO from mepis.org and burn a bunch of live CDs to give out to your clueless friends. My son's old laptop utterly refused to be upgraded to XP and its ME was hosed...it got so bad you couldnt even get a chance to break into the BIOS. I gave him the Mepis CD and just let him fool with it for a while. At breakfast the next morning, he was beaming. He'd figured out how the partion editor worked, wiped the microshit completely off the HD and was enjoying his trip up the KDE learning curve. We have gone from "I think its a doorstop now" to "its a little slow opening files and I think we need to find the right driver for my PCMCIA ethernet card".

Give those friends and relatives an opportunity to experience winning, to experience being just a little bit competant with a computer and there is a chance that they will be both bothering you less and talking to you more intelligently in the future. But for godsake don't let them leave the room if you have to be in the driver's seat for the repair sessions: make'em bring you a drink and make them listen and describe in their own words each step you take at the keyboard

Re:Give this as a gift for the holidays

[MicroBerto]

This has been holiday tradition for me since about 1999.. it's nothing new anymore.

Problem is that people are starting to bring laptops, family members are startin to have kids, and I'm still just one guy who wants to eat too and drink too much and pass out.

Hand Out Ubuntu CDs

[SeinJunkie]

I know the feeling. When I visited my family back home for a week, I worked on 8 PCs before I left. If you're handing out stuff in lieu of fixing hte computer, you might consider the Ubuntu CD package. Last I checked Ubuntu [ubuntulinux.org] is still shipping free pressed CD packs [ubuntulinux.org]. I just received all 10 of mine yesterday, and they look good. The package includes both a Live CD and an Install CD, with a brief explanation of what each does. I plan to hand the CD out to people I think would be interested in trying something di

Re:Give this as a gift for the holidays

[Krunch]

For French-speaking users, there is also this nice document [sebsauvage.net].

Ho Ho Ho

[mslinux]

Merry Christmas... from all the people at Microsoft. Buffer overflows for everyone this year ;)

what ever happened...

[Lord Bitman]

remember that test someone did where garbage code was thrown at IE and firefox in order to see how they held up and find things like buffer overflows which could be potentially exploited?
What ever happened with that? Were the bugs in firefox fixed? I remember that IE did well in that test, but I dont remember any specifics.
Anyone know?

Re:what ever happened...

[imroy]

IIRC, those tests were done by a lab closely associated with Microsoft. i.e, MS had already fixed up those problems in IE and deliberately got someone to "discover" how it was better in this one tiny area. Just like the infamous Mindcraft tests all those years ago. I don't know if Mozilla has fixed its code yet.

Re:what ever happened...

[YU Nicks NE Way]

The parent [slashdot.org] is so wrong it is sickening.

The fuzz tester wasn't written by a lab close to Microsoft.

It isn't a "tiny" area: Browsers read files that contain HTML. No matter what, corrupt files should not crash a browser.

The Linux kernel was rewritten after Mindcraft. There was a serious problem in the way signals were handled under high load.

Mozilla has fixed the three bugs that Zalewski's original posting described. There are still issues in Firefox 1.0 that the tool discloses.

Great

[Segosa]

Stupid question, but does the LoadImage() one affect images which are viewed in FireFox or Thunderbird?

Grr

[Alioth]

Why do they have to release this stuff JUST BEFORE we actually get time off? Are they deliberately being bastards to us Bastards who have to herd Redmondware amongst the other less sucky things?

At least I won't have to spend Christmas removing viruses, trojans and spyware from my Dad's computer. I bought him a Mac. Worth every penny in reduced aggro.

Re:Grr

[Gordonjcp]

I put Linux on my Mum's computer. Works great, everything is supported, no adware/spyware/crapware, no patches required, *peace and quiet*....

Silent Night

[Electronik]

Silent night, holey night,
All is calm, all is bright,
Round yon virgin PC and screen,
Holey computer, so exploitable and keen,
Sleep with spyware downloading,
Sleep with spyware downloading.

On the fourth day of Christmas...

[localroger]

my True Love gave to me,
Four hacked boxen
Three spywares
Two viruses
And another Windows vulnerability.

"the Chinese company"?

[wertarbyte]

Is it "the company" or "The Company"?

The important question here is...

[gregorio]

...does Internet Explorer use any of these functions to load internet images?

We cal discuss all day about some local API exploit but there is a big difference between a local API bug and a remote bug.

Does IE use these functions to load images? Or does it handle these kind of primitive formats using his own code? After all, is not that hard to "parse" BMPs and ICOs and it would be much better to handle all file formats inside an internal library, thus avoiding conflicting API methodologies.

I'm really c

digital signatures

[antibryce]

It sure is a good thing Microsoft digitally signs everything. Clearly they are lightyears ahead of open-source in terms of security.

Re:digital signatures

[Krunch]

What do you mean ? Your distro doesn't provide digitally signed upgrades ? [debian.org] (well Debian doesn't really sign packages but they do sign the list of packages wich contains md5sums of said packages which are checked at installation)

Twas the morn before christmas

[killerface]

Twas the morn be for Christmas and all through the cage.
Not a creature was stirring not even a 10th level mage.
Then Flash, i look at my bookmarks and what did appear!?
A story on slashdot spreading with fear.
"Peril Peril", It screamed with fervor and fight.
"What shall we do about this vulnerability tonight?"

It's christmas eve and in the story lay more,
For this affected Santa and hurt him to the core.
His Server Used Exchange to give and recieve,
a malicious cracker got in to make Santa Grieve.

The clean cut elves said format and reinstall, while the ones with long beards solved it in no time at all.

"There will be no Christmas this year" Santa Said with dismay.
The naughty and nice list was lost in the fray.

And yet with precision and care the elves brought out from back,
santas new gift! a blade server rack!

"It runs Linux in fact!" said the elves in unison
"cron jobs too, back up that old piece of Sh.."
one interupted "Stop it Sam",

So christmas would go on with ease and ablitity, that is until santa went on his killing spree.

The End

IE == Exploit

[HangingChad]

Take one of your gift cards and go buy yourself a copy of Xandros 3.0 (www.xandros.com). It's a good distro if you're a Wincrip. Superior hardware detection, CrossOver Office which can run some of your "must have" Windows apps.

At least dual boot, shhez. What does it take for MSFT users before they finally get enough?

If it gets any worse they're going to have to start including a jar of anal lube with a Windows license. Knowing MSFT they'll try to charge you for it and blame users for not being able

Unpatched?

[JanusFury]

How can these exploits be unpatched if SP2 isn't vulnerable? Or do they mean that while the other windows versions are exploitable, SP2 just crashes?

Re:Unpatched?

[peeon]

SP2 is vulnerable to the winhlp32.exe Heap Overflow Vulnerability, according to xfocus. Buqtraq posting [securityfocus.com] They dont know if LoadImage is vulnerable in SP2.

Re:SP2 not immune

[YU Nicks NE Way]

The parent [slashdot.org] mentions a paper by David Litchfield. It's good to read that paper, but you should know several things about it.

1. All of his attacks are hypothetical. Only one attack against the stack canaries has ever worked.
2. The SP2 stack canary order was changed precisely in order to prevent that one attack.

i wonder...

[hitmark]

why in this day and age, 99%-100% of automated exploits still happens to be some kind of overflow. why do we keep thinking that we dont have to check the sizes when moveing data about as its defined by a standard anyways? its like not checking to see if you have room for something in your house or car before buying it at the very least.

Re:i wonder...

[the_rev_matt]

Go to any Wal-Mart, Target, Best Buy, Home Depot, Lowes, or comparable store on a busy weekend. Count how many people bring out more stuff than they have room for in their car. Be it one large item or just too many small ones, I see this happen all the time.

Mozilla products appear safe

[CTho9305]

A quick search of the source code [mozilla.org] seems to show that the native OS LoadImage function is only used to set Mozilla icons (system tray, window icons, etc) and the splash screen (and the cck [mozilla.org]). Since none of these images come from untrusted sources*, it seems that the LoadImage hole is not exploitable via Mozilla.

*without major user intervention, like installing an XPI or messing with the JAR files that make up Mozilla

Definition of "Patched/Unpatched"

[jamesl]

Slashdot has made subtle changes to the definitions of Patched and Unpatched.

Patched Open Source: A vulnerability has been identified and someone is thinking about fixing it. Because the time between discovery and fix is vanishingly small, there are no unpatched open source vulnerabilities.

Patched Windows/Proprietary: A patch has been available for not less than 12 months and is installed on not less than 99% of affected systems. It will be several months, if not years, before vulnerabilities fixed by Windows XP SP2 will be considered patched.

People will still buy windows

[upsidedown_duck]

Microsoft could stick a thumb up your ass, and people would still buy more of it.

"This thumb is better than ever! It's new easier installation interface and slick operation will make upgrading well worth it. Yet, it is 100% compatible with your old thumb!" (a lie, of course, as the new thumb tries to emulate the old one but breaks the memory management).

"Four New Unpatched Windows Vulnerabilities"

[RzUpAnmsCwrds]

"Four New Unpatched Windows Vulnerabilities"

What a load of bull. This article is blatant Microsoft bashing.

Repeat after me: XP SP2 is not affected

Since when has "fixed in SP2" been the same as "unpatched"?

Re:Timing of the post

[Moth7]

Or for crackers to exploit them given the flood of unpatched machines that will no doubt come online over the Christmas period?

Re:Timing of the post

[tarunthegreat2]

when corporate computer use is at a minimum?

Not in my office... our mailserver just went down due to a large number of 'seasonal' flash attachments coming and going out and PHB OutOfOffice AutoReplies. I can just see the SysAdmin's tears shorting out the domain controller as we speak....

Re:Timing of the post

[Jessta]

Sysadmins should have already fixed this problem. SP2 was available months ago. If you aren't patching your systems when the patches are out then you deserve everything you get.

Re:Timing of the post

[MarkByers]

XP SP2 is also vulnerable to at least one of the exploits. See..

Advisory: [AD_LAB-04006]Microsoft Windows winhlp32.exe Heap Overflow Vulnerability

Re:Timing of the post

[eofpi]

And if you blindly install new patches on everything without testing them first, you deserve everything you get.

Re:Timing of the post

[1010011010]

How about, "If you use Windows, you deserve what you get." Except that doesn't really sound fair. It sounds like punishing innocent people; people who didn't know any better.

Re:Timing of the post

[Chandon Seldon]

Windows has been a known security hole for almost 10 years now. Until very recently, you could expect to spend $1000+ on a new computer - that's worth the investment of the amount of time it would take to find out that running Windows is dangerous.

Re:Timing of the post

[kuiken]

yeah XP SP2 will do alot of good on this w2k network.

Bah!

[rubberband]

Hi, you've missed the point. I hope you're not trolling, because I'm going to bite.

Every box at my workplace is patched with SP2. In this case, it doesn't matter - one of the exploits is still useable.

The problem is not (this time, thankfully) the corporate enterprise deployment of windows. It's friends and family. Every time a new windows exploit like this comes out, jerk spyware/worm/virus writers are on it within 24 hours, populating their zombie networks with your mom's, friends' and families' computers. Manditory regular patching at work is easy. The same for people you see occaisionally who are not computer literate is not. These are the people who it really screws with - for example, all one of my buddies wants to do with his dell is play games, send email and surf. He knows nothing beyond that, and is certainly not going to run down to the basement on christmas eve to make sure his operating system is secure RIGHT NOW.

This business of "patch or you deserve it" is utter BS. I maintain that virus writers should be dragged into the street and beaten with keyboards, followed shortly by geeks who empower them by putting any of the blame on the end user. If I paid thousands for an OS site license, I should not be spending my holidays fixing it. If I spend hundreds for an oem copy at home, the same applies. The only ones who deserve ANYTHING bad here are the exploiters and the providers of the crappy OS in question.

Re:Bah!

[Chandon Seldon]

You might have had a point 7 years ago when this whole "Windows has a new remote exploit" thing was a little bit more... new and unexpected.

But in late 2004, with almost 10 years of evidence that running Windows is just asking to be exploited, I find it hard to blame anyone but the users.

If you were to travel somewhere known for it's pickpockets during tourist season and kept $1000 in your wallet in the inside pocket of a loose jacket, I'd blame you (not the pickpocket) when you lost your money. The polic

Re:Bah!

[rubberband]

I still think the point is valid. Consider that a) That means that the vendor has had 7 years to secure their product. I any other industry they would have litigated into oblivion by now. It is *NOT* the end user's fault that the current world standard for personal computer operating systems is frequently bugged.

Sure, carrying $1000 in cash is dumb, but there are easily accessible alternatives. Credit cards, debit cards, traveller's cheques, travel wallets, etc are all viable alternatives. Carrying cash is like opening attachments from unknown senders. Getting your windows box 0wned without your action because a new exploit came out 8 hours ago is like the jacket manufacturer attaching a big red "steal from me!" sign to the back and cutting a pickpockt access hole out, too. (Except then they take over the world jacket manufacturing business and force you to wear one unless you want to freeze or learn to sew).

To use the token comparison to a vehicle - yes, when you buy a car you should be responsible enough to get it serviced from time to time, and act on any critical recall issues that might arise. You shouldn't however have to open the hood and check the internals 3 times per day to ensuire it doesn't explode and require expensive maintenance the next time you turn the key in the ignition.

Don't get me wrong - I'm not saying sysadmins should have no responsability whatsoever. They are after all paid to deal with systems. But when was the last time you head of a dell salesperson telling an unexperienced buyer that if they wish to have their computer on regularly they'll need to spend 5 minutes every single day, and an hour of two each week making sure they're machine doesn't get destroyed?

Re:Bah!

[Chandon Seldon]

It's perfectly possible to use a Mac, or even to use desktop Linux. Heck, I bet the average user would be fine on OpenBSD if it supported their hardware.

What software you use is really your choice, and the security implications of Windows make that choice seem pretty sketchy.

If the only jacket manufacturer offered pickpocket access holes and "steal from me" signs, I'm sure that people would activly consider sweaters and coats instead.

Re:Bah!

[AndroidCat]

I maintain that virus writers should be dragged into the street and beaten with keyboards

No worries there, I have an IBM model M keyboard that'd drop them in their tracks, but it'd never be clean again. And the disposable keyboards just don't pack the wallop to down a full-grown spammer. Your best bet is to set up a ramp to a camouflaged log chipper and lure them in with calls like "I need a mortgage", "I want v14gr4!", "I want to invest in Nigeria". Works like a charm!

Re:Bah!

[YU Nicks NE Way]

I was actually kind of surprised by the repeated allegations that SP2 was vulnerable to the last pair of attacks. I tried to run the exploits, and couldn't get them to open at all. Apparently, they're chinese help files, and I don't have a Simplified Chinese version of SP2 here.

Given that, I'm a little suspicious about the "issue".

Re:Timing of the post

[global_diffusion]

I figured it was a slap at Microsoft. "Merry Christmas, and Happy New Years Developers!"

Now that's not really in the Christmas Spirit! Even if it is Microsoft, that's really mean.

Re:The fifth bug

[tarunthegreat2]

explorer? PSHAW! Everybody knows that the Great Satan's name in reverse Mesopotamian is inetinfo.exe. Don't you dare mod me down or I shall curse you with the following: May you be forced to plug a memory leak in a Visual Basic app sharing C++ structs over the Christmas Holidays....

Re:I don't get it....

[faragon]

The OS itself should not be shout-down just by an user level privilege rights. If ie6 or any other application causes system crash under non-root privilege level, it is an OS fault, as the OS must guarant interprocess safetyness and security, etc.

Re:I don't get it....

[chorns]

The LoadImage API is implemented in kernel-mode for speed so a bug in there can bring down a system.

Re:I don't get it....

[AndroidCat]

If you don't have any fancy admin rights, you shouldn't be able to anything in code to crash your machine, regardless of the OS.

Re:I don't get it....

[AndroidCat]

You managed to.

Re:I don't get it....

[AusG4]

You should remember that, according to Microsofts testimony to the DOJ, Internet Explorer and the Windows OS itself are now inseperably linked.

As much as I think it's idiotic that the two couldn't be decoupled, such deep integration does suggest that a fault in a user-mode application could indeed transcend the user/kernel seperation and bring the whole works down.

Of course, this is fantastically poor design, but what did you really expect from the people who brought us Microsoft Bob?

Re:I don't get it....

[Spacejock]

what did you really expect from the people who brought us Microsoft Bob?

Actually, they tried to bring us Bob but we didn't want it. So now we have Clippy, just because some ideas are too damned good to kill off.

Re:I don't get it....

[AusG4]

Clippy... too funny.

"Goodbye, Cruel World...."

Blip!

"Hi there! It looks like you're writing a suicide letter. May I make the following suggestions:"

Re:I don't get it....

[cnettel]

This doesn't have to apply to kernel stuff. A lot of Windows apps rely on for example the "common controls" API. It handles toolbars, tooltips, listviews and so on. Quite a lot of UI goodies. Most of those are implemented without any kernel side, they're normal user mode controls/"windows" with their own drawing.

Now to the point: This DLL was updated quite a few times with Internet Explorer 3, 4 and 5. The versions in Windows 98, 2000 and XP are/were directly related to the matching (sub-)version of Internet Explorer. If you wrote an app for Win-95 and wanted to use one of those common controls, the recommended redistribution scenario was redistributing IE.

If they simply ripped out anything that is officially part of the "IE codebase", it's completely true that quite a few apps would fail.

This is of course even more true of some of other APIs with a more apparent connection to Internet Explorer, like WinInet for interacting with HTTP/FTP without doing sockets yourself (and using the IE cache and other stuff) or employing the IE HTML/XML parsing and possibly rendering hosted in another application. I chose common controls because they're very frequently used, and some quite significant updates were introduced through IE. These updates are still there in "Win98 lite" and whatever you would do to a Windows system to rip out IE, but retain a reasonable level of compatibility. Just because it's part of the OS and a frequently used API doesn't mean it's kernel mode. And very little IE related code is *in the kernel*.

Now to the point: LoadImage is quite a low level function. Display drivers are allowed to use it on their own and modify its functionality. That makes it belong in kernel mode. Even if they moved back some more UI stuff from the kernel, stuff like this probably belongs there, if you buy the concept of placing display drivers in kernel mode at all.

Re:Is it really this hard...

[twiddlingbits]

Nice try, but you should check the return code from malloc(). If it is -1 then there is a problem and you don't need to do the If statement. A lot of times the trouble comes not when allocating memory but when using a pointer to WRITE to memory. It's a C programmer trick to set up a pointer to a block of size X and write to it via the pointer, of course if you lose track of the pointer address you can easily go too far. Common errors are off by one in the count, assuming you are writing 8/16/32 bits without checking the underlying data type first,
or just writing to whatever address the pointer says w/o checking that *p > MAX_MEMORY_ADDRESS. These are errors a beginner programmer would make, and from the looks of how common these errors are in Windows that is the type of folks MS uses. It also says to me that they don't use any sort of Automated Code Analysis tools which can catch these sorts of errors. Or maybe they don't do any indpendant QA at all? It's pretty pathetic when the worlds most popular software is made by a company that probably doesn't meet SEI Level 2 criteria. I only wish that the laws allowed someone to sue for lost time/income from the "basic" errors that shouldn't have been present.

Apparently....

[Duhavid]

For calloc() and malloc(), the value returned is a pointer
to the allocated memory, which is suitably aligned for any
kind of variable, or NULL if the request fails.

Re:Apparently....

[twiddlingbits]

Hey, I was going from memory! I haven't written OS code in probably 10 yrs and ANY code in 5 yrs. I would have looked it up to refresh my memory before I wrote the code. Which again makes me wonder if the guys at M$ can read a manual? MS programmer: "Manual? We don't need no steenking manual, We are Microsoft, we WROTE the manual and know what it says. Code it and ship it!"

Re:Is it really this hard...

[Krunch]

Nice try but if malloc(3) [ucsd.edu] is not too buggy (if it is, you have other problems) it will only return NULL or a valid pointer. If it never supposed to return -1 (unless -1 is a valid pointer) or some value larger than MAX_MEMORY_ADDRESS (from where does this macro come anyway?).

Re:Is it really this hard...

[Krunch]

memory addressing starts at zero

AFAIK there is nothing in the ISO C99 standard that says all valid pointers should be > 0. n869 [open-std.org] page 58:

Any pointer type may be converted to an integer type. Except as previously specified, the result is implementation-defined. If the result cannot be represented in the integer type, the behaviour is undefined. The result need not be in the range of values of any integer type.

Of course most archs don't use negative pointers but one could invent some weird platform wh

Re:Is it really this hard...

[Gopal.V]

Vulnerabilities are not hard to write - they are hard to detect and often easy to fix.

Most FOSS programs are the result of someone who really wants to write something good. Rarely have I seen someone being forced to write FOSS code to meet a release date schedule or to remain competitive. It's about It'll be done when it's done, sort of Code Poetry [thinkgeek.com]. Most of the code was written to run in a hostile environment where black hats can read the code (like the above peice) and screw everyone who runs bad code. The term security in obscurity as far as coding style does not even enter your mind.

Also vulnerabilities are easier to find when you have the source - like that professor who set his students to find vulnerabilities in FOSS. Unlike a corporate setup - you have a practically unlimited number of reviewers if your program is popular (and if it is not, a vulnerability is no big deal anyway, right). Also everyone runs a different binary, slightly different from what everyone else runs (security often needs you to recompile stuff with stack canaries)

So FOSS software evolves (yes, Natural Selection) to avoid these vulnerabilities by dying out or it "adapts" - Someone adds more good ideas and makes it better like.. (s/ideas/genes == Sexual reproduction) . Also the good ones read Wietse's papers [porcupine.org].

Re:Is it really this hard...

[Taladar]

I think the release schedule thing has much to do with bad code. You have good intentions but when the deadline is near you drop them to "just get the thing done at all".

Re:Is it really this hard...

[yotaku]

Most FOSS programs are the result of someone who really wants to write something good. Rarely have I seen someone being forced to write FOSS code to meet a release date schedule or to remain competitive.

I'm sorry but I think that that is a little naive. An FOSS programmer still likely has desires that someone actually use their product and so they force themselves to work faster to keep up with the market. You are also discounting the fact that a large portion of open source work is done by large compa

Re:Honestly,

[Taladar]

You could use all your mod points to mod every comment in these "news" stories redundant but I don't think it would be worth it.

Re:Umm.

[jamesl]

You are reading it right. SP2 is not vulnerable. No rational person would call it "unpatched" but this is slash... oh, nevermind.

Re:Something I've been wondering...

[spectecjr]

does XP SP2 have some kind of buffer overflow protection besides NX?

Yes. The reason SP2 is so huge is because the entire OS was recompiled with their stack canary protection from Visual C++.NET