Domain: ntbugtraq.com
Stories and comments across the archive that link to ntbugtraq.com.
Comments · 72
-
Re:Well, it IS a two way street.
I'm replying to this comment mainly because it makes the issue a race to see which happens first: MS fixes the problem or the script kiddies attack.
I belong to the main (afaik) security list, NtBugTraq, and from what I can tell, almost all exploits are revealed to MS well in advance of the
While there are a few MS people on the list (who seem very helpful), a number of people generally seem to get the cold shoulder or dismissed by MS.
The exploits are released after a certain amount of time to encourage MS to actually fix the bugs, but sometimes MS twiddles its thumbs for many months.
-
Re:Is This Really As Terrible As It Sounds?
I'd say it's worse to make people actively go to a website and check on the security bugs vs. subscribing to an email list and having the bugs automatically delivered to your mailbox. I'm not sure if MS has this type of feature - it would be useful. BTW, bugtraq covers most if not all security holes while NTBugtraq focuses on NT/Windows. I'd think they would suffer more from the copyright statement.
-
Re: NTBugtraq
There is actually a separate NT Bugtraq mailing list. I got stuff a lot, although not as much as the regular bugtraq mailing list since its focus is so narrow.
Check out www.ntbugtraq.com
-
Re:Belaboring the obvious
Indeed!
I wonder how many Linux bugs will be found on NTBugTraq?
-
NT BugTraq report
It is HERE
-
Re:Buffer Overflow
There's already exploit code out there. Links to it were provided in the USSR Labs' advisory, which appeared on NTBugTraq this morning.
Their advisory can be found in the NTBugTraq archives, here.
-
Re:Interesting... is there such a thing for Win NT
No NT Admin should ever be without NT Bugtraq.
Subscribe to the mailing list and sit back and watch your inbox. Dig through the archives if you're a new user. You'll be amazed at the sheer volume of security issues that floats through on a daily basis.
-
Re:what's a security vulnerability?
I'm afraid you are (partially) wrong. Outlook 98 and Outlook Express will execute script attachments when previewing e-mails if the security zone they're running in allows them to do so. Here is a chart from ntbugtraq showing the behavior of Outlook wrt various situations/configs.
My understanding is that Outlook's default security zone disables automatic script execution. However I'm not MS-fluent enough to know if changing that security zone config is a common/useful thing to do with Outlook.
My point is, yes it's flamebait to say that all Outlook versions/configs do this, but it isn't true either to say that Outlook "doesn't do this and never did". This also shows that the ILOVEYOU trojan wasn't only propagated by stupid users double-clicking on the script. It also took stupid configuration by stupid users/sysadmins to achieve such a great success :)))
-
Well, the guys over at NTbugtraq aren't impressed
Original article
Date: Mon, 15 May 2000 21:07:41 -0400
Reply-To: Russ
Sender: Windows NTBugtraq Mailing List
From: Russ
Subject: Outlook Email Security Update
Comments: To: "NTSecurity (E-mail)"
Content-Type: text/plain; charset="iso-8859-1"
Today Microsoft announced the "Outlook Email Security Update", scheduled for
availability from;
http://officeupdate.microsoft.com
on May 22nd, 2000.
I was briefed on this update last week, and during this discussion I
presented several recommendations. Microsoft have chosen not to implement
any of them, despite the nearly 10 days available prior to its availability.
Presumably they still haven't resolved the issues they have getting content
onto their update sites in a timely fashion.
Before I go into what is in this update, there are several critical
incorrect assertions in it. Quoting from the official press release;
"Heightened Outlook default security settings increase the default Internet
security zone setting within Outlook from "trusted" to "restricted." The
restricted zone disables most automatic scripting and ActiveX® Controls
from opening without the user's permission. Users who prefer less security
can easily change their Outlook settings to trusted zone."
I guess the Microsoft Office Product Group has never bothered to read my
page on how Outlook works and what needs to be done to the Restricted Sites
Trust Zone for it to be truly safer;
(http://ntbugtraq.ntadvice.com/outlookviews.asp)
Of course without the modifications to the default settings of the
Restricted Sites Trust Zone, Outlook happily runs any Active Scripting, and
will happily invoke any ActiveX control marked safe for scripting and
present on your system (ActiveX downloads are disabled.)
I more than pointed this fact out to the Briefer, one Lisa Gurry from the
Microsoft Office product group when she presented the functionality to me. I
told her to either not make the switch to the Restricted Sites Trust Zone,
or, make the switch and alter the defaults. I explained how just making the
switch would yield very little benefit while misleading folks into thinking
they were more secure, especially against scripting worms.
The fact that ILV was relatively stupid as worms go seems to have been
missed by many people. A slightly modified version sent as HTML that doesn't
bother with the address book (who needs it, most people have lots of mail in
their folders from all sorts of interesting folks to reply to) will likely
get by these new features since scripting can still be done. The fact that
"attachments" won't invoke any more isn't likely going "to thwart the spread
and impact of many computer viruses."
This presumes, of course, that some 45 million people already realize just
how stupid they were to click on that attachment in the first place...and
maybe have told a few friends...;-]
MS seem incapable of doing what some coder at;
http://www.slipstick.com/dev/code/zaphtml.htm
has done with relatively few lines...namely convert inbound HTML-based
emails to something else (Rich Text) which completely eliminates the
vulnerabilities of scripting emails.
Of course they further show their ignorance of the realities of corporate
email systems by providing this quote;
"Given the global impact of the I Love You virus and the growing threat of
malicious hackers, we strongly believe we must take the unprecedented step
of limiting certain popular functionality in Outlook to provide a
significant, additional security option for our customers,"
...which, of course, has probably triggered thousands of email gateway
scanners to throw the message back as containing a worm...duh!
Granted, it's unprecedented to remove functionality in favor of
security...after a product's been released. This usually occurs during
development...;-]
Anyway, to the features in this update;
1. "Email Attachment Security":
Attachments won't be put through to users email. That's right, they'll go
into never-never land. I haven't received an answer to my question as to
just where they will go. I've been told that a user will somehow,
miraculously know that there was some sort of attachment on a given piece of
mail but that it's been stripped in the interest of their security...
We'll have to tune in next week to find out where those objects get tossed
to. ISPs may end up with thousands of little (or not-so-little) fragments of
messages left behind by Outlook POP3 users whose mail simply says "Nope, I
don't want that thanks"...with no ability for the user to delete it cause
they can't see it...
A full list of extensions being excluded is below (which will make even more
dumb email gateways break as they can't figure out whether the presence of
the text string "vbs" is a script or not)
2. "Object Model Guard":
Well, to be more precise is the "Address Book Guard" really. If Outlook
detects lookups in your address book (that are somehow distinguishable to an
invocation of the "Find" command), it, um, pops up a dialog. Not sure what
the dialog says, but presumably it will be sufficiently verbose to explain
what might be happening. Haven't seen what the dialog box options are, say,
for someone trying to script a newsletter or a marketing document. Guess
lots of folks are going to learn how to use distribution lists (making
scripting worms easier in future as they just look for distribution lists
instead of lots of addresses.)
I should say, however, that this was one of the features I was looking for.
Would have been nice to know how they're doing that, but...
3. "Heightened Outlook default security settings":
I covered this. They ignored my advice, don't know how their products work,
and then told the world they were doing a good thing(tm)...NOT!
I *have* to believe we'll see different wording in the final web page...I
don't think they'd continue to lie so blatantly about their product.
Get the feeling I'm not going to get briefed again in the future...;-]
Conclusion:
MS dropped the ball. I told them to make this thing appear as an interim
step. It's not a patch, it's Outlook on Training Wheels. I thought it was
going to be a complete product (i.e. you download it and that's how that
version works, get the full version to do more harm to yourself). As such,
it made a lot of sense to have a version that was severely restricted. Put
users on that till you're satisfied they aren't going to shoot themselves in
the foot.
Nope, they gotta tout it as more than that.
So, bottom line, unless they change the thing before it gets released next
week, make sure anyone you suggest it to also gets this URL;
http://ntbugtraq.ntadvice.com/outlookviews.asp
and turns off scripting and scripting of activeX components marked safe for
scripting.
I'm not even going into the fact that Outlook Express isn't being updated.
Let's get real Microsoft, it's the only email package included in every
shipping OS you make! Oh, and let's not forget the "It can't be removed on
Windows 2000!~!@!$!%" Someone on Bugtraq made a funny post about it being a
virus...come on, we all know it can't replicate itself to another
machine...that's done automatically at installation of the OS...
In case you can't tell, I'm not pleased with the press release, or the
completeness of the update.
That said, I made another suggestion today that hopefully will get
implemented. One of the biggest problems that exist with all of this is the
fact that most people never update their systems with any patches, security
or otherwise. I've suggested that they put a download counter on the site so
we'll be able to see just how many people actually get the thing. Doesn't
say much other than show the realities. MS could put a lot more effort into
a better update, and it probably still wouldn't be applied by most folks
(even if they did something so the patch could apply to more of the millions
of folks the patch isn't intended for, i.e. those that use Outlook Express
only.)
For those interested, here's the list of extensions to be blocked by the
update;
ADE Microsoft Access Project Extension
ADP Microsoft Access Project
ASX Streaming Audio/Video Shortcut
BAS Visual Basic Class Module
BAT Batch Files
CHM Compiled HTML Help File
CMD Windows NT Command Script
COM MS-DOS Application
CPL Control Panel Extension
CRT Security Certificate
EXE Application
HLP Help File
HTA HTML Applications
INF Setup Information
INS Internet Communication Settings
ISP Internet Communication Settings
JS Jscript File
JSE Jscript Encoded Script File
LNK Shortcut
MDB Microsoft Access Application
MDE Microsoft Access MDE Database
MSC Microsoft Common Console Document
MSI Windows Installer Package
MSP Windows Installer Patch
MST Visual Test Source Files
PCD Photo CD Image
PIF Shortcut to MS-DOS Program
REG Registration Entries
SCR Screen Saver
SCT Windows Script Component
SHS Shell Scrap Object
URL Internet Shortcut
VB VBScript File
VBE VBScript Encoded Script File
VBS VBScript Script File
WSC Windows Script Component
WSF Windows Script File
WSH Windows Scripting Host Settings File
Cheers,
Russ - NTBugtraq Editor
"dot-age" (as in "we're in the dot-age") = senility (source Webster's)
-
Check ntbugtraq. Read it and you know it
Read this page on ntbugtraq.com and you'll find 2 articles about the dll. Read them, and you know what it's all about.
--
-
links to the technical info
The news sources are apparently not entirely correct about there being a back door. Here are links from some of the folks actually investigating the problem.
http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind0004&L=ntbugtraq&F=&S=&P=2576
http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind0004&L=ntbugtraq&F=&S=&P=3016
http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind0004&L=ntbugtraq&F=&S=&P=3152
http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind0004&L=ntbugtraq&F=&S=&P=3251
-
Re:So what does the file do then?
According to one source I read, the only use of the file is for ASP support for Visual Interdev version 1.0. Deleting the file will break Visual Interdev 1.0 support, not in and of itself a big deal, most people have either run away from Microsoft authoring tools, or upgraded to a recent version of FrontPage.
On the other hand, knowing Microsoft I wouldn't be surprised if the manner in which Visual Interdev support is broken is by the server crashing when a Visual Interdev 1.0 client makes a request for ASP info. This would replace the security hole with a denial of service attack.
----
-
Here's the scoop-
Take a look here
for a decent explanation. It's from Russ Cooper from NTBugtraq, who usually has some pretty good contacts. Basically, the exploit is not as far reaching as people think. The attacker needs to already have permissions to edit a website on the server. Then they can change another user's site.
Jason
-
Actual report - not as bad as it looked
Russ Cooper just posted a more educated summary of the problem to NTBUGTRAQ. It's in the archives at this location.
It's NOT as bad as first reported. Russ says that his comment that it affects "almost every web hosting provider" was based on the info that it was some sort of Front Page issue. It's not that simple, and it seems that it's only exploitable by users who have already been granted web authoring permissions on the box.
Have fun,
Dave
--
-
Re:Ye gods.
Bob Ince noted:
There's nothing up on microsoft.com about it yet either, which also strikes me as strange.
There doesn't seem to be anything in the NTBugtraq or NTSecurity archives on it either (search for dvwssr.dll turned up nothing).
OTOH, people here have run strings on the file and it has turned up the phrase... so...?
--
Repton.
-
Re:OT: "white hat" hacker training material?
It's mostly a matter of competition. Bugtraq and NTBugtraq are not related other than by name. Bugtraq has been around since 1993 (started by a former boss of mine, Scott Chasin). NTBugtraq's only been around since 1997. Personally, I'm not a big fan of NT Bugtraq. Everything posted there is also posted on Bugtraq, and there have been issues with Russ Cooper holding back information that's been submitted to the list for weeks until the bugs are fixed, which Russ might think is a good idea, but, unfortunately that's not what full disclosure is all about.
-
What responsibilities come with publicity?
As you are one of the most well-known security-focused-groups today, you must surely attract a lot of young people who would want nothing more than to follow in your footsteps. Every kid nowadays wants their umpteen minutes of fame and TV air time.
What are your thoughts on the responsibilities you have as frontal figures for the "hacking community"? (For some non-disclosed definition of "hacker")
Do you feel such a responsibility to steer the young and naive hacker-wannabes into white-hat territory? - or are you more into "give them the knowledge, let them choose side for themselves"?
If you feel an obligation to inspire kids towards non-illegal, non-confrontational, non-disruptive hacking; how do you take on such a task? Your choice of a name that surely goes well within script-kiddie-hacker territory indicates to me either a wish to attract such a following, or perhaps it is just an indication of your history, coming from that background.
Enough rambling, I guess my question more or less boils down to "How do you install a sense of decency in your fan groups?"
By the way, thank you for all your good security work. It seems you appear in my bugtraq and ntbugtraq e-mail folder every other time I look... I hope I don't come across as insulting or demeaning in my question, I am seriously interested in your answer.
-
21, is that all?
21, is that all? join the NTBugTraq list and you'll hear about much more than 21 patches!!
-
Re:Open Source Security
I'm not so sure that the "typical" corporate type is going to be enthusiastic about having to check the RedHat website regularly for updates that might come in on a weekly or daily basis. I know his boss isn't going to be happy about having to let the person maintaining the server spend two hours a day cruising Usenet to keep up with the exploit-of-the-hour as it's announced to all the company's friends and foes.
So Wise Guy, how do I get on Microsoft's program to get their Hot Fixes beamed to me? Right now keeping up with security vulnerabilities on NT requires subscribing to the ntbugtraq.com list, and searching Microsoft's site. That sure is a pain, but the alternative is waiting around for Service Packs. At least Windows 98 has the Critical Notification Update thingie which helps.
Red Hat has a page that can be monitored, and an e-mail list. And if that's not what you want, you can let someone else bundle the fixes together for you in something like MS' service packs. Try LSL for example.
I don't know about you, but I'll take keeping Red Hat up to date over NT any day.
-Brent
--