Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
×
Microsoft Security

Microsoft's Urgent Patch Precedes Black Hat Session 232

Julie188 writes "Mystery solved! Microsoft's latest emergency out-of-band patch was weird beyond belief. A notice was sent to journalists and researchers late Friday evening that the patch was coming Tuesday, but Microsoft refused to explain the flaw and even put a cone of silence around researchers who would have otherwise talked about it. But finally, one researcher broke ranks and explained that the patch was caused by a flaw introduced in Microsoft's own development tools. This flaw was also the source of the emergency ActiveX patch, which took about 18 months to complete and which supposedly fixed the problem by turning off ActiveX (setting a 'killbit' on the control). Researchers at Black Hat on Wednesday will be demonstrating how to override the killbit controls and get access to vulnerabilities supposedly stopped with a killbit. What's really scary is that Microsoft has issued 175 killbits fixes so far."
This discussion has been archived. No new comments can be posted.

Microsoft's Urgent Patch Precedes Black Hat Session

Comments Filter:
  • Imagine. (Score:5, Interesting)

    by rolfc ( 842110 ) on Wednesday July 29, 2009 @07:57AM (#28864929) Homepage
    There are still people that think ActiveX is a gift to humanity.
    • by Hassman ( 320786 )

      Its not?

      It has a cool name...I've been tricked!

    • Re: (Score:3, Informative)

      I would upgrade to a Macintosh and abandon the Microsoft/ActiveX/Exploder trojanware completely, but Mac has its own undesirable flaws. Namely - A $100 fee every year to upgrade from 10.4, to 10.5, to 10.6, and so on.

      i.e. Macs are expensive to maintain. In contrast I bought a Mickeysoft XP PC in 2002 and haven't spent a dime since then for OS updates. i.e. Cheap.

      (And Linux won't install my Netscape ISP's Web Accelerator software - so that's not an option either.)

      • Re:Imagine. (Score:5, Insightful)

        by bstreiff ( 457409 ) on Wednesday July 29, 2009 @08:58AM (#28865683)

        So you're contrasting OS upgrade fees for OS X... versus not upgrading Windows.

        Guess what? There are upgrade fees to go from XP to Vista to 7, too.

        • Re: (Score:3, Informative)

          by billcopc ( 196330 )

          Except Windows apps from today still run on a 10-year old Windows 2000 machine, for the most part.

          Mac apps are, like their makers, excessively trendy so whenever a new OS X build is released, the great majority of developers "embrace" the new features and it seems very few are committed to backward compatibility. This much is true of both big-name vendors and homebrew/shareware authors ("Free" isn't so big yet in that sphere).

          • Re: (Score:3, Insightful)

            >>>Except Windows apps from today still run on a 10-year old Windows 2000 machine, for the most part.

            Precisely. With Windows you don't have to upgrade because it has a relatively long support cycle, and as you pointed-out you can continue using Win2000 (or even Win98) without problem. In contrast my Mac 10.4 which is not that old, refuses to run anything because virtually all the software requires 10.5 or higher.

            And thus we're back to my point - "A $100 fee every year to upgrade from 10.4, to 10.

            • Did the apps you installed in 10.4 stop working or were you one of those "trendy" people?
            • Comment removed (Score:5, Insightful)

              by account_deleted ( 4530225 ) on Wednesday July 29, 2009 @10:07AM (#28866675)
              Comment removed based on user account deletion
              • Re:Imagine. (Score:4, Interesting)

                by ehrichweiss ( 706417 ) * on Wednesday July 29, 2009 @11:06AM (#28867807)
                VERY good point. I own(ed) several Silicon Graphics workstations. Even though it would have been true, my justification never involved "well, if you add the fact that these don't crash every 20 minutes, the productivity makes them worth the $20,000+ paid for them". Nope, my justification was "ever see all those special effects in movies? They used THIS computer brand to make most of them, not a PC, not a Mac".
            • I've got a Powerbook G4, running 10.5.x... which is still a fairly powerful machine, right? Well, yes, but... increasing numbers of software packages won't run on anything but Intel-based Macs, or alternatively, have features crippled when running on PPC Macs. So even though there's nothing wrong with the machine, and it still has sufficient horsepower to do just about anything... Steve is going to force me to buy a new one if I want to run modern software. Yay, Mac.
              • Yeah. I'm pissed off because my 4-or-so-year-old dual 2.7Ghz G5 tower is becoming less and less viable - even though it's still a fast, powerful machine, even by today's standards.

      • I've not found the upgrades to be necessary for compatibility reasons, though we did upgrade one of our older macs (a G5) to get the benefit of the performance boost. It had been running with the OS it came with for...I'm going to say about 4 years. I'm not sure why you feel that you'd be obligated to purchase upgrades, care to offer some insight?

        Certainly if you feel that a point change in the OS X world is equivalent to a service pack, I can see how you might be put out by having to pay for one. But I th

        • 2000 > XP or Vista > 7 might be better analogies--lots of fluff changes, less so under the hood. :) (Or at least, for 10.4/10.5. Not sure how to classify 10.6--lots of under the hood, but very little fluff.)
      • Re: (Score:2, Insightful)

        by koolfy ( 1213316 )

        I would upgrade to a Macintosh and abandon the Microsoft/ActiveX/Exploder trojanware completely

        Yeah, like if mac was better at security fixes [tuaw.com]...

      • Re:Imagine. (Score:5, Informative)

        by TheRaven64 ( 641858 ) on Wednesday July 29, 2009 @09:49AM (#28866419) Journal

        Namely - A $100 fee every year to upgrade from 10.4, to 10.5, to 10.6, and so on

        I don't like to contradict your wonderful hyperbole with mere facts, but the upgrade from 10.5 to 10.6 is going to cost $29 [apple.com], and comes two years after the release of 10.5, making the cost $14.50 per year, not $100. The upgrade from 10.4 to 10.5 cost $129 I believe (although it was $20 if you had bought 10.4 after 10.5 was announced) and was release 2.5 years after 10.4, making the cost per year $51.6. If you bought both of these upgrades, you will have spent $35.11 per year on upgrades.

        • Re:Imagine. (Score:4, Insightful)

          by Anonymous Coward on Wednesday July 29, 2009 @10:20AM (#28866897)

          If you bought both of these upgrades, you will have spent $35.11 per year on upgrades.

          Which is close to the cost of an anti-virus subscription.

      • by jedrek ( 79264 )

        If $100/year to not have to deal with Windows' virus/trojan/takeover bullshit is a lot for you then you might want to consider finding a job that pays more than minimum wage.

      • Re: (Score:3, Interesting)

        by jvkjvk ( 102057 )

        i.e. Macs are expensive to maintain. In contrast I bought a Mickeysoft XP PC in 2002 and haven't spent a dime since then for OS updates. i.e. Cheap.

        And I bought a Mac with 10.4 and haven't spend a dime since then for OS updates. i.e. Cheap.

        And, just for those who are complaining about software - all my software works, still, on that version of the OS. Everything I have wanted to get has happened to work on that version of the OS.

        Maybe it's because I'm boring, and don't want or need all new shiney software every ten seconds, but there it is - I have had no reason to upgrade.

        So much for anecdotes, you have one, so do I.

        • Re: (Score:3, Funny)

          by jonadab ( 583620 )
          > I bought a Mac with 10.4 and haven't spend
          > a dime since then for OS updates. i.e. Cheap.

          Alright, I am now officially tired of this "whose upgrades are cheaper" argument between the Mac and Windows folks, so listen up:

          I got a CheapBytes Debian CD in 1998, and updates are always free. That makes my total cost something like six bucks, including shipping, in eleven and a half years, which averages out to fifty-some cents per year.

          So everyone who spends more than a dollar a year on software can just S
      • Linux has traffic shaping software that is far superior to your ISP's "Web Accelerator" software. I would be willing to bet that Mac has the same features.

        Web accelerators are for dialup connections, primarily. You only get ~48k on that connection, no matter what. The pages can't be fed to you any faster than 56k, period, and quality and length of wire between you and the ISP will decrease that. Wondershaper or Firestarter can ensure that QOS rules are followed, and that interactive web apps (such as yo

    • by tjstork ( 137384 ) <todd@bandrowsky.gmail@com> on Wednesday July 29, 2009 @08:49AM (#28865557) Homepage Journal

      The thing about Active X is that is just a way to put an object oriented wrapper around a DLL. So really, its just a DLL.

      The problem with DLLs is that they are good for process re-use on a desktop but not the kind of thing you want to be shoving into a browser. However, if Microsoft closed off Active X entirely in browsers, they would break Flash and third party OpenGL and movie plugins... and probably would wind up getting ripped for it.

      The thing to keep in mind is that Firefox and other browsers that allow for DLLs to be loaded as plugins are going to have these problems as well. It's just that, there are less firefox plugins than there are activex controls out there, so the universe of the problem is smaller.

      • Re: (Score:3, Insightful)

        by rolfc ( 842110 )
        I know, a lot of people believe that when there is more users, there are more incentive to exploit and that is the only difference between Windows and Linux. It's just that it doesn't work that way. They are implemented in a different way, and since my confidence in the security of Microsoft isn't that great, I don't believe you are right.
        • by DavidTC ( 10147 ) <slas45dxsvadiv D ... neverbox DOT com> on Wednesday July 29, 2009 @10:08AM (#28866701) Homepage

          Strictly speaking, the GP is right. The reason that ActiveX is more vulnerable than Firefox is there are a lot more ActiveX controls than Firefox plugins. (Not to be confused with Firefox Addons, which seem to be fairly secure, and are pieces of javascript. Firefox plugins are things like the PDF viewer that Acrobat installs, etc.)

          However, the reason there are a lot more ActiveX controls is a, tada, bad design. It's because ActiveX fundamentally lets you embed all sorts of stuff that came with the operating system and random applications and were not designed to be controlled by a web page. Stuff around from before web browsers!

          So Microsoft has to kill each of these, one at a time. That's what the '175 killbits' is talking about....something like 125 of those were on things that it should not have been possible to load in a web browser anyway, but Microsoft decided it would be great fun if you could load all those fancy new signed-DLLs-under-another-name in a web browser. And companies that had been putting out ActiveX controls and had never had to worry about security before, because they were selling a PDF rendering control to software developers to embed in their app, suddenly found out how insecure they were.

          Aka, is your car secure, right now? Yes? Alright, let's transport these dangerous criminals in it. What do you mean, it's not secure from that direction?

          And this isn't helped by the fact that ActiveX controls are so easy to install. I'm not talking about malicious ones, those are easy also, but legitimate good ActiveX controls, which are signed by a legit company and everything.

          And they work for two years, and web design moves on...and eventually a hole is discovered in them...and crackers download that version, put it up on their web site, and wait for people to click Yes to install this clearly legit control, signed by Macromedia or whatever, so they can buffer overflow it.

          Oh, look. Have to issue a killbit for that also.

          The large proliferation of ActiveX controls vs. the small proliferation of Netscapian plugins is why ActiveX is so vulnerable, but the first is entirely due to a rather stupid design decision at the start of IE that let web page designers use random ActiveX controls (Which everyone forgets were not invented for web browsers, but existed before as DLLs with well defined embedding mechanisms.) in a web browser

        • by account_deleted ( 4530225 ) on Wednesday July 29, 2009 @10:48AM (#28867419)
          Comment removed based on user account deletion
      • by makomk ( 752139 )

        The thing to keep in mind is that Firefox and other browsers that allow for DLLs to be loaded as plugins are going to have these problems as well. It's just that, there are less firefox plugins than there are activex controls out there, so the universe of the problem is smaller.

        Well, part of the problem is that ActiveX isn't just used for browser plugins, so there are a huge number of ActiveX controls out there that can be loaded into a browser but really weren't meant for this purpose. Unless the control is marked "safe for scripting", Javascript can't interact with it directly, but it's still loaded.

      • by neonsignal ( 890658 ) on Wednesday July 29, 2009 @09:53AM (#28866475)

        There is truth in your argument that third party additions to a browser pose a security problem, but you are comparing coffee and fish.

        Plugins pose a security risk because you are running software from unknown sources as part of your browser. However, you don't need to install the plugins in order to enjoy the browser functionality.

        Active X on the other hand was always intended to be integrate with web pages, which means that in many cases you would not even have been able to view the content without downloading a COM object of dubious origin. Fortunately this has largely failed, and most web content is still accessible without it (though there are a number of commercial services on the other hand that require Active X to work).

        The better comparison with Active X is other dynamic web code, such as scripting languages like javascript, and of course Java, which have been used for similar purposes. There are clear differences, because Active X is running native code, and so is notoriously difficult to sandbox effectively. It is obviously a matter of degree; no system is fully secure. But whereas exploits of Active X tend to often be total (access to the host machine), exploits of systems such as javascript often revolve around more subtle issues such as masquerading.

        I actually think there is merit in having internet distributable native code. But having said that, there are multiple issues. I don't think the solution is merely to improve the containment of the downloaded code (indeed, that only makes it harder for the plugin to do anything useful). The problem is one of trust: how do I know if the binary code is trustworthy (Microsoft rubberstamp certification just doesn't do it for me!); and why do most sites need Active X at all (shouldn't we just be trying to agree on some browser standards like video formats so that typical functionality can be built into the browser!).

      • Re: (Score:3, Informative)

        he thing to keep in mind is that Firefox and other browsers that allow for DLLs to be loaded as plugins are going to have these problems as well

        People tend to like to forget about that. ActiveX is no more or less unsafe than FF plugins [mozilla.org]. Executable code running on the client machine, non-sandboxed. Both FF and IE will prompt you before installing such things, and that's the extent of the protection you get from them. Both can be very easily abused by a malicious creator - all you have to do is get people to install it (bunnies!); or install it yourself as part of another application.

    • Confusing summary. Will Wednesday's demo show how to exploit ActiveX even after the patch is applied or not?

    • Re: (Score:3, Insightful)

      by daem0n1x ( 748565 )

      Somehow people think it's normal to embed in webpages stuff that is executable code for a particular operating system and processor architecture. WTF?!?

      This is soooo fucking stupid I almost can't believe it. I've tried for years to convince people of that but they look at me as if I'm an alien.

      It was a tremendous lock-in strategy for Micro$oft, though. They're still cashing in on it. Fortunately, the tide is changing, but it will take a long, long time until this ActiveX shit is gone.

      • Re: (Score:2, Informative)

        by cyberdrop ( 939759 )
        The code is not embeded in the web page!

        An ActiveX Control is a Plugin for your browser. The browser is also bound to an particular operating system and processor architecture!
    • There are still people that think ActiveX is a gift to humanity.

      Well, nobody said it was a good gift. :-P

  • by timmarhy ( 659436 ) on Wednesday July 29, 2009 @07:58AM (#28864945)
    yes activex sucks, anyone who doesn't know this already has rocks in their head, but calling a patch "weird beyond belief"? MS gets wind of security hole that might be really bad, patches it urgently.

    damned if they do damned if they dont?

    • by noundi ( 1044080 )
      I have to agree. I don't see the reason why patching a security hole asap is an issue. Also to make it clear I'm only referring to this isolated action, nothing else.
      • Patching a security hole ASAP is a good thing. But it's still unusual behavior from Microsoft. One would expect them to wait 2 weeks for the normal Patch Tuesday.

        • Re: (Score:3, Insightful)

          by pfleming ( 683342 )

          Patching a security hole ASAP is a good thing. But it's still unusual behavior from Microsoft. One would expect them to wait 2 weeks for the normal Patch Tuesday.

          You mean you would expect them to wait 18 months and two weeks? That's absolutely ridiculous! The only reason to release now is that it's being exploited in the wild. Do you really think they would have fixed it on patch Tuesday if they hadn't done so in 18 months?

          • by noundi ( 1044080 )

            You mean you would expect them to wait 18 months and two weeks? That's absolutely ridiculous! The only reason to release now is that it's being exploited in the wild. Do you really think they would have fixed it on patch Tuesday if they hadn't done so in 18 months?

            Nope, what's your point? I made it very clear. I'm only referring to the isolated action of patching something asap. I'm not defending nor attacking MSs methods. Please read the posts more thoroughly when you reply to them.

            • by noundi ( 1044080 )

              Please read the posts more thoroughly when you reply to them.

              Now that was embarassingly ironic. I apologise sincerely.

        • by commodore64_love ( 1445365 ) on Wednesday July 29, 2009 @08:44AM (#28865501) Journal

          I thought the weridness came from using a "killbit" solution. Any spybot programmer will easily be able to override that.

          • How, pray tell?

          • by WD ( 96061 ) on Wednesday July 29, 2009 @12:36PM (#28869671)

            Sure, it's easy to disable killbits if you have the ability to run code on a windows system. But if you've already reached the point of running arbitrary code on a windows system, why would you go through the trouble of disabling a kill bit and then hope that the ActiveX control gets exploited so that you can... run code on a windows system? Think about it.

      • by Rashkae ( 59673 )

        It's not an issue exactly, but I can't off the top of my head recall a time that MS has released an out of schedule patch that wasn't to fix a problem already well known and being actively exploited.

        • by noundi ( 1044080 )

          It's not an issue exactly, but I can't off the top of my head recall a time that MS has released an out of schedule patch that wasn't to fix a problem already well known and being actively exploited.

          Me neither, but it's still a good thing. Perhaps there should be Black Hat sessions every week? ;-)

    • by mortonda ( 5175 ) on Wednesday July 29, 2009 @08:10AM (#28865073)

      You missed the part where they knew about the flaw 18 months ago. That's just... sad.

    • by Fred_A ( 10934 ) <fred@fredshomTWAINe.org minus author> on Wednesday July 29, 2009 @08:32AM (#28865343) Homepage

      yes activex sucks, anyone who doesn't know this already has rocks in their head, but calling a patch "weird beyond belief"? MS gets wind of security hole that might be really bad, patches it urgently.

      Not only that but they patch it urgently for the 175th time. If that isn't urgent I don't know what is.

      I don't know of any other OS company that's that focused on security that it patches the same kind of thing that many times : "We have to make sure, the security of our users is important to us !".

      Now that's dedication !

      • Not only that but they patch it urgently for the 175th time.

        MS haven't patched this vulnerability 175 times. They've issued 175 patches that have made use of the ActiveX killbit mechanism to disable various old controls, as opposed to patching the vulnerability in those controls.

  • by eldavojohn ( 898314 ) * <eldavojohn@gma[ ]com ['il.' in gap]> on Wednesday July 29, 2009 @08:04AM (#28864995) Journal

    Microsoft refused to explain the flaw and even put a cone of silence around researchers

    Those suck. My dog had to wear one of them for a week. Didn't shut him up but it sure stopped him from licking what used to be his balls.

  • To make a patch that simply turned off ActiveX? I better be misreading this...
    • by mortonda ( 5175 )

      To make a patch that simply turned off ActiveX? I better be misreading this...

      Not only that, but it forced a reboot. Why do you need a reboot to turn off a service?

      In other news, why was my machine set to install automatically... and reboot automatically... Gah! What a stupid setting!

      • To make a patch that simply turned off ActiveX? I better be misreading this...

        Not only that, but it forced a reboot. Why do you need a reboot to turn off a service?

        Welcome to the best feature of Windows 7: turning off/on processes on demand, including IE!

      • Not only that, but it forced a reboot.

        Woke up this am to find my token Winders box had rebooted overnight. Luckily I only use it as a weather station. I would have been pissed to wake up and find a work environment automatically rebooted. I save my work but sometimes I'll be in the middle of a project and it takes a lot of time to restore the workspace.

        ActiveX is from the devil.

    • Re: (Score:3, Insightful)

      by jo42 ( 227475 )

      I'd suspect the vulnerability and solution was such a cluster frak, that it took that long to work it out without royally fraking everything else up.

    • Re: (Score:3, Informative)

      by VGPowerlord ( 621254 )

      The ActiveX killbits weren't the only thing updated. Microsoft also updated Visual Studio 2003 SP1, 2005 SP1, 2008, and 2008 SP1; along with their respective runtimes.

  • by Drakkenmensch ( 1255800 ) on Wednesday July 29, 2009 @08:07AM (#28865037)

    1. Be told of critical flaw by multiple, repeatable accounts and deny everything as a "paranoid fantasy"

    2. Secretly prepare emergency patch and bury it in driver update patches

    3. ???

    4. PROFIT!!!

    • Re: (Score:3, Insightful)

      by RenHoek ( 101570 )

      I believe step 3 here is

      3. Maintain that Windows is more secure then other operating systems because bugs are fixed really quick.

    • Re: (Score:3, Funny)

      by abigsmurf ( 919188 )
      Doesn't sound like a bad tactic to me.

      *Haxx0r ur world con 2009*

      Today I will demonstrate on this stage a vulnerability that MS have known about for a year! I will show off an attack that will give me control of any system!

      *opens IE and visits the site with his exploit*
      *nothing happens*
      ...
      *becomes aware of the sound of crickets and 2000 people in the audience*
  • When I hear about killbits [technet.com], killbill [howbits.com] comes in my mind. I don't know why though...
  • by dobedobedew ( 663137 ) on Wednesday July 29, 2009 @09:30AM (#28866135)
    I'm not going to get into why having automatic updates on is generally a bad idea, that subject has already been beaten to death here.

    WindowsXP-KB972260-x86-ENU.exe /quiet /norestart

    That is the one for XP with IE6, the filenames are different for the other flavors. The list of all of the different patches is at:
    http://www.microsoft.com/technet/security/bulletin/ms09-034.mspx/ [microsoft.com]
    • Every MS patch allows a /norestart option, but sometimes the software they patch is memory resident (especially IE based stuff), so rebooting afterward makes sense.
    • I just installed using the automatic updates thing (prompt before install) and I was not asked to reboot.

  • by griffjon ( 14945 ) <GriffJonNO@SPAMgmail.com> on Wednesday July 29, 2009 @12:29PM (#28869537) Homepage Journal

    Microsoft has issued 175 killbits fixes so far.

    So, how many kilobytes of killbits is that?

Life is a game. Money is how we keep score. -- Ted Turner

Working...