Domain: cert.org
Stories and comments across the archive that link to cert.org.
Comments · 757
-
Re:Sounds like someone trying to be controversial.
"Just because you didn't hear about it doesn't mean that the concerns weren't raised." In fact, the CERT advisory contains the following statement:
II. Impact
A referenced CERT Incident Note begins with
The potential exists for an intruder to have inserted back doors, Trojan horses, or other malicious code into the source code distributions of software housed on the compromised system.
III. Solution
We encourage sites using the GNU software obtained from the compromised system to verify the integrity of their distribution.
Sites that mirror the source code are encouraged to verify the integrity of their sources. We also encourage users to inspect any and all other software that may have been downloaded from the compromised site. Note that it is not always sufficient to rely on the timestamps or file sizes when trying to determine whether or not a copy of the file has been modified.
Background
In regards to your other concerns:
When downloading software from online repositories, it is important to consider the possibility that the site has been compromised. One of the threats that users face is that intruders could include malicious code in the software packages distributed by those sites. This code could take the form of Trojan horse programs or backdoors.
"Take a look at cpan and some of the modules you have on your machine. How many are updated with normalcy? What about the whole sourceforge/freshmeat concept of 'sysadmining', where you find a neat program supported for what... a year? Maybe 2 if you're lucky..."
Frankly, that's not significantly different than closed source software - companies release products, then, because of lack of adequate revenue, stop updating it. If you're lucky, the company itself didn't go under, so you might still be able to receive support, perhaps at extortionate pricing. If the company went out of business, and you came to rely upon the product, you're SOL. With OSS, however, if the original developer[s] are no longer developing the package, and no one else has taken charge, you still have the source. If you have a critical need for a fix or an enhancement, you can always contract with a programmer to perform the work to your specifications, which you would be unable to do with a closed source product.
"Sometimes it seems the cooler Open Source gets, the more issues come out with it."
You've yet to cite one that doesn't exist with closed source software as well. Source code repositories are compromised, backdoors are inserted, development ceases, and support is withdrawn with closed source software as well. The difference is that with OSS, the end user has access to the code to protect themselves from these risks, while they do not with closed source software. -
Backdoor in Borland InterBase
The Borland InterBase database server had a backdoor in place for 6 years! It wasn't until the product was open sourced that the backdoor was made public. See here for details.
-
Re:Um, yeah
I think you're right. Here's the link.
"It was introduced by maintainers of the code within Borland."
So that just leaves the Sendmail trojan, which lasted how long? 8 days? -
Absurd.
This is a specious argument. It assumes that bad code can somehow be slipped into open source code while proprietary code could never ever have such bugs.
There have been software packages that have had backdoors in them for a decade and these were not found until someone open sourced the code.
CERT(R) Advisory CA-2001-01 Interbase Server Contains Compiled-in Back Door Account
Even Microsoft code has been found to have back doors in it:
Netscape Engineers are Weenies
Yes, there will be mistakes made. Security is a process, not a state. The biggest mistake would be for a company to assume that software is secure just because it is open source. No, just being open source doesn't sprinkle magic pixie dust on your product, but it does let you get the sources from the vendor, have another firm or your own in house programmers audit the code to ensure that it is back door free and relatively clean and then you build the code yourself.
Before writing opensource software I recommend all programmers read the following:
Secure Programming for Linux and Unix HOWTO
This document covers everything the article covered and a lot more.
As a last note. Open source software is to computer programming as the scientific method is to science. It is a peer review process that slowly results in better and better software over time. Closed source software is like alchemy of the old days. In just 20 years the open source programmers have built entire platforms that can challenge anything that the proprietary programmers can develop. Where will we be in another 20 years? In 100 years? In 1000 years? -
Re:Does this count?
Although the webpage still says 1 hole, it's actually been 2 holes for quite a while - since OpenSSH was exploited in Sept 2003.
-
Re:Cha ching?
You can spoof your IP address in IPv4. It's easier if you're on the same network segment as the spoofed address, though. If the segment isn't switched, it's trivial to get the responses by putting the NIC into promiscuous mode. If the segment is switched then you should be able to steal the target address by using MAC spoofing or ARP spoofing. With ARP spoofing you can also become a man-in-the-middle for extra fun. If you're not on the same network segment the possibilities are admittedly more limited. However, if the machines you're sending your spoofed packets to still don't have a good TCP ISN generator (many don't) it should be possible to predict the ISN and to set up a connection without seeing the replies. You don't have to limit yourself to one guess, of course.
-
Re:Microsoft to remove the @ symbol from URLs
-
Re:Hell of a work around
Yes, there is a bug. If the phisher puts a special character before the @ sign, then the url bar in the browser doesn't display the true destination. So educated or not, the user has no idea that they aren't really talking to citibank, fdic, etc.
-
Re:ISP/mail provider virus scanning...
"It also wouldn't take very long for the virus writers to create viruses that vary the file size on every reproduction."
Although I can't think of any better examples, here is an excerpt from CERT's Nimda advisory:
The email message delivering the Nimda worm appears to also have the following characteristics:
- The text in the subject line of the mail message appears to be variable.
- There appear to be many slight variations in the attached binary file, causing the MD5 checksum to be different when one compares different attachments from different email messages. However, the file length of the attachment appears to consistently be 57344 bytes.
The attachment doesn't change size, but it does change MD5sums, which is really the only way that ISPs could filter these things without false positives. It seems to me that filtering based on message/attachment size would almost certainly result in false positives.
Besides, I'll bet that ISPs could be held liable for filtering customers' email in the first place.
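The advisory quoted in the first comment (timestamps and file sizes are not enough to tell whether a distribution was modified) and the Nimda excerpt just above (variants keep a constant 57344-byte length while their MD5 sums differ) make the same point. The following Python example is added here and is not from any of the posts or from CERT: it constructs a clean file and a tampered copy with identical length and mtime, then shows a size-and-mtime check passing while a SHA-256 manifest check (manifest layout and file names are assumptions) flags the change and a missing file.

```python
import hashlib
import os
import tempfile


def sha256_file(path, chunk_size=65536):
    """Stream a file through SHA-256 so large source distributions need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def verify_manifest(root, manifest):
    """Check each manifest entry (relative path -> expected SHA-256 hex digest) against disk.

    Returns {relative path: "ok" | "modified" | "missing"}.
    The manifest must come from somewhere other than the server being checked
    (a signed release announcement, an independent mirror, a copy taken before the
    compromise window); digests hosted next to the files can be rewritten by the
    same intruder who modified the files.
    """
    results = {}
    for rel_path, expected in manifest.items():
        full_path = os.path.join(root, rel_path)
        if not os.path.isfile(full_path):
            results[rel_path] = "missing"
        elif sha256_file(full_path) == expected.lower():
            results[rel_path] = "ok"
        else:
            results[rel_path] = "modified"
    return results


def size_and_mtime_match(path, expected_size, expected_mtime):
    """The weak check the advisory warns about: byte length plus modification time."""
    st = os.stat(path)
    return st.st_size == expected_size and int(st.st_mtime) == int(expected_mtime)


def demo():
    """Constructed scenario: a clean 'configure' script and a tampered copy that keeps
    the same length and timestamp. Returns the verdicts of both kinds of check."""
    clean = b"#!/bin/sh\n# configure script for example-1.0 (constructed sample)\necho configuring\n"
    # One byte swapped for another, so the length is unchanged but the content is not.
    tampered = clean.replace(b"echo configuring", b"echo configurinG")
    assert len(clean) == len(tampered)
    stamp = 1049500000  # constructed epoch timestamp applied to both files

    with tempfile.TemporaryDirectory() as trusted, tempfile.TemporaryDirectory() as mirror:
        for root, data in ((trusted, clean), (mirror, tampered)):
            path = os.path.join(root, "configure")
            with open(path, "wb") as fh:
                fh.write(data)
            os.utime(path, (stamp, stamp))

        # Manifest built from the trusted copy; "ChangeLog" is listed but absent on the mirror.
        manifest = {
            "configure": sha256_file(os.path.join(trusted, "configure")),
            "ChangeLog": "0" * 64,
        }
        size = os.stat(os.path.join(trusted, "configure")).st_size
        mirror_verdicts = verify_manifest(mirror, manifest)
        return {
            "naive_check_passes": size_and_mtime_match(os.path.join(mirror, "configure"), size, stamp),
            "configure": mirror_verdicts["configure"],
            "ChangeLog": mirror_verdicts["ChangeLog"],
            "trusted_configure": verify_manifest(trusted, manifest)["configure"],
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```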
-
Re:Antivirus Company Submissions
"We can search the CERT website for the terms 'Apache' and 'Microsoft IIS' clicking on the boxes for:
[snip]
'Apache' gives 180 results.
'Microsoft IIS' gives 830 results."
Your search query is flawed. A query for 'Apache' indeed returns 180 results:
Document count: Apache (180)
And while a search for 'Microsoft IIS' brings up over 800 hits, it's returning pages that contain either 'Microsoft' or 'IIS':
Document count: microsoft (839) iis (81) microsoft iis (28)
The results are totally skewed because of all the pages regarding advisories for Internet Explorer, Outlook, and so on. A more accurate comparison would be to query just 'IIS,' which returns around 80 documents.
Not that I believe IIS is inherently more secure than Apache, but I had to point out what I felt was a pretty big hole in your theory.
-leigh
-
Re:Antivirus Company Submissions
"If everyone used Linux instead of Windows, then the virus writers would write viruses for linux instead!"
If everyone repeats this refrain enough people may actually start to believe it, and that would be good in counteracting that old 'many eyes make all bugs shallow' phrase we keep hearing about open source.
Taken at face value the statement seems reasonable, but I'm a scientist and I like to hold theories up to the light of reality and see how they do. I know that testing theories annoys people because it makes them question their deepest held beliefs, but hey I'm an annoying guy anyway.
We could test the statement by finding an Open Source project that has much more market share than a closed source project, then compare the rates of exploit. Hmmmm... how about Apache vs. MS IIS?
According to Netcraft Apache has about 67% of the market and Microsoft's IIS has about 21% of the market. The often quoted FUD says that Apache is used by so many more people it must have many more exploits.
We can search the CERT website for the terms 'Apache' and 'Microsoft IIS' clicking on the boxes for:
Advisories
Incident Notes
Security Improvement Modules
Vulnerability Notes
'Apache' gives 180 results.
'Microsoft IIS' gives 830 results.
Wait! That means that just because something is used much more widely than another thing it does not result in more attacks! That proves the statement that if Linux were used more it would have more viruses is a false statement! It could be that open source actually does produce more secure code after all!
If Linux had 60% or 70% market share, there would probably be more viruses written for Linux than there are now. But, as we can see with the real world example of Apache and Microsoft IIS, the open source development model produces more secure software.
Sorry to step on that often quoted line about linux and viruses, but I like reality.
-
Sorry to bust your myth but
to say that "[Microsoft] SQL Server [...] has an architecture that virus and worm writers have been able to exploit" is simply pathetically desperate misleading of the audience. Here is why.
The Slammer worm used a vulnerability that was NOT an architectural design flaw across the product. It was a simple stack buffer overflow in an implementation of the SQL Resolution Service.
On a seemingly unrelated topic, here is a plethora of buffer overflow vulnerabilities of Oracle from some time ago. How much mass media attention did that receive. Close to none, because it doesn't pay the media in advertising revenue to show an expert talking tech about buffer overflows and authorization headers. But does pay off to create a bombastic news report on a big-time screw-up of the largest software company in the world.
I am sorry to bust your balls, but I do recall several instances of similar problems such as an Apache worm on FreeBSD. I am not arguing that Apache et al. have more flaws, I am just pointing out that everyone who has coding skills prefers to explore IIS's quality rather than some Apache's because of simple "I can pick on the weaker guy easier" predatory concept from kindergarten.
-
Re:Acid Test
SIP was affected by another vulnerability awhile back, however. So it might affect Vonage equipment, eh?
-
Re:Sounds like a non-story
Not flaming here, but you may be comparing apples to oranges. You are complaining that /. reports every active Microsoft worm while it is out there, actively infecting multiple computers, but does not report every vulnerability affecting Linux machines. Slashdot doesn't tend to report new vulnerabilities affecting Windows, unless it comes as something spectacular, such as 6 high risk holes announced at once.
If you're reading security sites, then you're "doing it right", and that's what you need to focus on. You. I run Jay's IPTables Firewall. I occasionally check LinuxSecurity, but instead I usually visit their Packetstorm mirror and try out some of the latest exploits against my various machines just to see if I'm vulnerable. I also check CERT weekly, NIPC's Cybernotes biweekly, D-Shield and Incidents.org biweekly, and update Nessus and check my firewall biweekly. I don't have any open ports, so I rarely check for updated Snort rules. I do check my MRTG reports about once a day to see if an inordinately high amount of traffic is flowing through my firewall. There's so much that everyone should do all the time, that there's hardly enough time to complain about how much focus a web site places on reporting one OS's actively exploited holes vs another OS's potential vulnerabilities. In the time to read this, you could have been reviewing the Top 75 security tools and seeing where they fit in your environment, even if your environment is your house. -
Vulnerability of receive-only
There are some vulnerabilities for passive monitoring also. A search of the CERT database for snort or tcpdump gives you the following list:
- Heap overflow in Snort "stream4" preprocessor
- Buffer overflow in Snort RPC preprocessor
- tcpdump enters infinite loop when parsing crafted ISAKMP packets
- tcpdump vulnerable to buffer overflow via improper decoding of AFS RPC (Rx) packets
- tcpdump vulnerable to buffer overflow via parsing of AFS ACL packets
- tcpdump, ethereal vulnerable to DoS
A listen-only box gives you some protection but it cannot be the only protection for your traffic recorder.
-
CERT Vulnerability Notice: 2003
Patent a Turd?
This is a crappy idea. It got kicked to hell on the Full-Disclosure list about 2 months ago...
VU#865940 - Microsoft Internet Explorer does not properly evaluate "application/hta" MIME type referenced by DATA attribute of OBJECT element
IE will execute an HTML Application (HTA) referenced by the DATA attribute of an OBJECT element if the Content-Type header returned by the web server is set to "application/hta". An attacker could exploit this vulnerability to execute arbitrary code with the privileges of the user running IE.
(Other resources: eEye Digital Security Advisory AD20030820, MS03-032, MS02-040, CAN-2003-0532, CAN-2003-0838, CAN-2003-0809)
-
Re:OpenBSD
Then explain the OpenSSH trojan a few years back.
-
Re:What is wrong with an "X"??
"I'm not talking about your gator or other ad/spyware applications, i'm talking major software (office suites, photo editors, operating systems, web browsers, email clients, etc). i'm sure some people here will say that microsoft puts these holes in their software for their benefit, but it can't be easily proven."
Borland's Interbase SQL database had a secret admin password backdoor for years before the code was opened up. (Even then it took the O/S team cleaning up the code a year before they found it.)
What was Interbase used for? Around my company, we put it into embedded products that needed bullet-proof DB restarts. In particular the selling point made to us was that it was very popular in defense projects. -
Re:Security at last?
Could this mean that Microsoft are, at long long last, taking security seriously?
Hahahaha! Tell me another one! That was GREAT.
Come on. "Trustworthy Computing" was supposed to be Microsoft's stab at taking security seriously - an initiative that, in two months, will be two years old. Not much has changed.
Trustworthy Computing was the launch of some kind of supposed effort by Microsoft to tighten down security in their products. That obviously failed. So now, rather than stomp out the bugs in their products, they figure they might have better success by simply eliminating those who exploit the bugs.
-
Re:Well well
All of the vulnerabilities I listed made it into official releases before being patched. The bug this story is about didn't make it one day in the source tree, let alone into an official release.
Sorry about the Protegrity one, I must've linked the wrong one. I was looking for this one (the one exploited by the slammer worm).
-
Re:Well well
Good to see the system works. You would wonder what would happen if said hacker was working for a company on a similar closed source program. Would it have been detected?
You mean like Borland's Interbase? The compiled in backdoor wasn't discovered until after the database opensourced.
My favorite quote from the advisory is:
"This vulnerability was not introduced by unauthorized modifications to the original vendor's source. It was introduced by maintainers of the code within Borland. The back door account password cannot be changed using normal operational commands, nor can the account be deleted from existing vulnerable servers [see References]."
How long was it in there? "These security holes affect all versions of InterBase shipped since 1994, on all platforms."
The advisory dates from 2001 -- you do the math. -
Re:I heard they needed skilled people
And Microsoft can't even write a program to send email without massive defects? Get real.
cough cough, what about sendmail...... -
Re:I heard they needed skilled people
Show us the bugs
Not trying to help out a troll here, but he is right. Take a look at this; it looks like Linux based advisories are just as common as Windows ones, if not a little bit more common. Check it out. -
Re:Well...
But the Outlook worm designed to do this isn't scheduled until next week. There's no way to move it up, there are too many other releases in the pipeline.
It was quite a long time between flashable BIOSes and this getting released.
I think Murphy's Law (the original form) applies here; if you design hardware that can be destroyed[1] in software, someone will figure out how to incorporate that into a virus.
[1] Many people have nitpicked that reflashing a BIOS isn't actually destroying hardware. Technically perhaps it isn't, but in the case of surface-mounted BIOSes it's not practical to reflash/repair the BIOS. If the cheapest repair option is buying a new motherboard, I consider the old one effectively 'destroyed'. -
Re:Virus free??
100% Virus free?
No. Not quite. But according to CERT, it's damn close.
- VU#147587 10/22/2001 Mac OS X utility gm4 contains format string vulnerability
- VU#869548 05/19/2003 Apple Mac OS X IPSec mechanism fails to handle certain incoming security policies that match by port
- VU#177243 09/10/2001 Mac OS X Finder creates world-readable ".FBCIndex" file thereby disclosing sensitive information
- VU#439395 06/10/2001 Apache web server performs case sensitive filtering on Mac OS X HFS+ case insensitive filesystem
- VU#945747 10/18/2001 Mac OS X executes 'recent items' with privileges of foreground application
- VU#467828 05/27/2003 Mac OS X LDAP plugins transmit user credentials in clear text
- VU#583020 05/07/2003 XMMS Remote input validation error
- VU#479268 05/28/2003 Apache HTTPD contains denial of service vulnerability in basic authentication module.
And in regards to Virex/Norton AntiVirus etc. Just because a product exists doesn't mean it's useful or needed. In ten years of using Macs, I've had one problem with malware, total, and that was eight years ago.
-
Re:Response to the Anti-Windows Points...
"Is it really completely virus-free? I find it hard to believe that there aren't any Mac viruses out there. Anyhow, being more secure through obscurity is something that comes with any non-Windows platform. It's certainly an advantage, but it's difficult to say that this is somehow a failing of Windows."
Read this, then do a search for OS X here, followed by one for Windows.
That should answer a lot of your questions.
-
Re:Linux the kernel or Linux the system?
OpenSSH is a part of Linux as much as RPC or Windows Messaging is a part of Windows.
Others have pointed out that they can easily turn off OpenSSH and continue to function. I'd like to add a variation of that.
I don't have to run OpenSSH. I can run SSH2 from SSH, Inc. I can also look in to LSH. Granted - I don't. But there are options one doesn't have within a Windows environment.
Microsoft has been good lately about doing proactive security reviews, and they often find holes before anyone else does.
Let's look at the recent CERT advisory CA-2003-27 (Multiple Vulnerabilities in Microsoft Windows and Exchange). Somewhere near the bottom it reads:
Our thanks to Microsoft Corporation for the information contained in their security bulletins. Microsoft has credited the following people for their help in discovering and responding to these issues: Greg Jones of KPMG UK and Cesar Cerrudo, The Last Stage of Delirium Research Group, David Litchfield of Next Generation Security Software Ltd., Brett Moore of Security-Assessment.com, Joao Gouveia, and Ory Segal of Sanctum Inc.
One can follow the links to the individual Microsoft Bulletins to find out who gets credit for finding / reporting what. The upshot is that there are plenty of vulnerabilities being discovered outside of Microsoft. The difference is that these are being reported through the Microsoft-preferred "Responsible Disclosure" methodology. The general public won't find out about the vulnerability until Microsoft has a patch to offer with the announcement.
-
Re:Virus FUD Everywhere!
Not a virus per se, but a malicious mp3 file can exploit a buffer overflow flaw in Windows.
Problem's been known for over 10 months now though, there's probably a patch.
-
OpenSSL update?
It's a little unclear whether the new problems in OpenSSL have been patched. According to the CERT page, Apple is reporting the vulnerability as fixed in 10.2.8. On the other hand, I have a 10.2.8 machine that still indicates OpenSSL version 0.9.6i, which is supposedly vulnerable.
Again, on a side note, I wish Apple would allow security updates to be installed independently of the main bulk upgrade. -
Re:Apple's patch strategy needs work
Fortunately, the OpenSSH bug appears to be difficult to exploit. But I agree that Apple needs to unbundle security updates from all others.
I also don't like the way Apple hides security problems until they have a patch. They were one of the few Unix vendors not to issue a statement in response to the CERT advisory. I understand that a patch might need to go through QC, but Apple should still let their users know about the problem so that they can restrict services until the patch is available. -
List of Who Is/Not Vulnerable
Check out CERT's vulnerability notes to see if you are vulnerable. Most of the major distros of Linux are NOT vulnerable since they backported patches to pre-3.7p1 versions rather than upgrade their users to 3.7p1 or 3.7.1p1.
http://www.kb.cert.org/vuls/id/602204
IBM eServer and Cisco are still listed as unknown. -
Re:That is a "trojan".
"If you run an app and it does that, then it is a "trojan". No operating system will ever be free of trojans."
Actually, forcing executable stuff to be signed (as currently possible with Internet Explorer, attempted by open source project teams and in store for TCPA) can theoretically stop the "trojan" problem for the most part. That is, if you follow the definition of "software abusing a user's inability to predict what executable stuff does", rather than "software that does something nasty/BAD/evil/demonic/deleting". When forcing code to be signed, users can choose from whom they get their software. Does that fix anything? No! But if users choose to only use software from people who advertise and document what their software does, then the trojan problem is reduced to basic human trust again (as opposed to a problem of which non-normal-user-readable binaries to trust). Now if you were to accept only software from Microsoft you could still end up with software that does something "evil/wrong" (calling home to inform Microsoft about your musical preferences), but it would be the result of someone at Microsoft screwing up living up to the documented behaviour, or a compromise at Microsoft. You're still f**ed, it's just no longer a trojan problem.
"Yes, if a hole is found in pine or mutt or Evolution that allows email viruses such as you describe, then email viruses such as you describe can be written for that application. But an exploit for pine would not affect someone running mutt or Evolution."
And an exploit in Outlook does not affect users using The Bat or Mozilla. Also an exploit in OpenSSH would not affect telnet users, one in "the" kernel would not affect BSD users, and an exploit in Apache would not affect all those users of the abyss, ahd or anti-web httpd (first freshmeat results ;-). Point being that Outlook-only worms come pretty far as it is, and if they need to they can even go further faster by attacking multiple problems (like Nimda). A worm going for both Evolution and Netscape/Mozilla has a good shot at the Linux user base, but one going for just SSL on Apache was doing just fine. Of course worms going for holes in multiple popular internet daemons were doing very well and can be expected again if enough people forget their daily patching.
I think the reason I haven't seen any traditional executable-file-infecting viruses is because unix users are not hauling programs over from a friend's copy of a friend's copy of a fri....
"Linux has a better designed security system than Windows does."
I make this mistake too. I mean to say Windows is implemented badly from a security point of view (or more likely I wanna say from any point of view) and I end up implying Windows has bad security by design.... which is shortsighted to say the least. It is the only operating system I can think of that comes with a combination of, by default:
- ACLs on the filesystem, useful in real life where "group A full access, group B none" just doesn't cut it
- ACLs on individual configuration options in the registry! Got a newbie admin you don't want messing with one of the settings of any single application (say crypto strength negotiation)?
- A system for small to medium networks to actually get a central database of users into those ACLs on every machine on the net
- A central place where all security relevant choices to be made can be set with adequate documentation (securit
-
This is old news
I started getting the worm in my mailbox Friday morning. By Friday night I had already copied CERT's incident notice to my company's network status web page. (Not that anyone is actually going to read it until after they have a problem.)
-
Re:Draconian measures
Out of curiosity where do you go every morning for 5 minutes of bug checking?
CERT's vulnerabilities page makes a good start, covering almost anything worth noticing.
For the really big exploits, such as Blaster, just checking Slashdot and/or NewsForge daily will inform you of their existence at least a few days before they hit the mainstream press (and, more importantly, before the Script Kiddies have a nice and tidy all-in-one package to take advantage of the problem). That alone leads me to the statement I made about lazy admins not doing their jobs if they ignore major patches - Not a single regular reader of Slashdot has the teensiest bit of "plausible deniability" regarding the recent Blaster worm problems.
Unfortunately, we can only hope that CERT remains a decent source of info on this topic, what with them recently agreeing to act as the lackeys of the US government. But I can hope that they'll at least remain moderately valuable in reporting exploits early enough to avoid damage. -
Re:How about a real email client or real rules?
.../been using pine since 1996...
Oh, but wait; pine has been vulnerable in the past due to various buffer overflows and mime errors. For example, see
CERT Vulnerability Note VU#780737. Granted, most users don't run Pine as root (thus limiting the damage), but it could still cause some real problems; that is, it could if everyone used unpatched versions of pine.
The problem with Microsoft products is due to monoculture as much as bad software engineering. -
Perspective
Seems impressive that such a severe exploit has been in popular operating systems for many years - when was NT 4 released? 97?
Let's do some comparisons.
The last big Linux worm out in the wild was slapper. Slapper took advantage of a vulnerability in OpenSSL which was reported on 30 Jul 02. All previous versions of OpenSSL to that date are vulnerable. This includes the SSLeay library on which OpenSSL was based (as a side note - anything based on SSLeay code could also be vulnerable).
According to this version file it looks like SSLeay was first published 01 Apr 95. So using the same rough assumptions on the age of the vulnerable code base, both the Microsoft RPC and OpenSSL buffer overflow vulnerabilities were present for discovery and exploitation in the wild for seven years.
Of course, this is very rough. But it does add a bit of perspective.
If linux had 90+% of the desktop how long would it take for its remote exploits to be taken advantage of?
About how long it takes for them to be exploited now. This Linux marketshare argument tends to ignore the fact that there is already a healthy installation base of Linux servers and systems... and have been for years. And it ignores that Linux does, in fact, have its own history of exploits, worms, rootkits, and other assorted tales. This is not virgin territory to Linux. And the question is not "if".
I've mentioned before that the issue with worms and Windows versus Linux/Unix systems has more to do with architecture and management than market share. Although they are arguably related.
Linux and Unix environments just do not provide the fertile ground worms need to thrive. They have existed... gone through their brief growth... and then died. At least, they do now (nod to the infamous Morris worm). Part of that could be the Unix architecture - the ability to reliably patch and control a system. But a large portion of that is simply because the vast majority of these systems are properly managed.
If / when Linux gains more desktop marketshare, it is almost a given that it will present a more fertile target for malicious code. A lot of Linux architecture tends to lend itself to a less attractive virus haven than the current Windows standard. But desktops just don't get the same attention servers do. And there are, and will likely continue to be, vulnerabilities in the Linux world - no matter how quickly they are fixed. Popular desktops with the occasional exploit and a lack of attention to update them; a more fertile ground for malware.
Keep in mind, though, that this is not just an issue of desktops. Servers still count and are also affected by the likes of Nachi and Blaster (much to the surprise and chagrin of some of our admins).