Domain: tombom.co.uk
Stories and comments across the archive that link to tombom.co.uk.
Comments · 59
-
Re:running apache as root?
OK, so why is it not generally considered sufficient to reinstall IIS when you get 0wned by one of the ubiquitous worms? And then, of course, there's this issue.
-
Nice backgrounds, shame about the interface
Compare this with Windows XP, where you plug a network cable in, and the OS pops up a dialog saying "hey! a network!", without you even having to touch anything.
Sometimes the dialog is blue and occupies the entire screen.
Also, as an administrator, I don't necessarily want my users bugg^H^H^H^Hsetting up their own network parameters. If it's broken, I want them to be bringing it to my attention.
Microsoft had a chance to do something truly new and good with XP. They blew it.
They will blow it again with LongHorn.
They also blew a chance to move towards real security. XP is still design insecure.
But when I tried to get my (short-lived) Mandrake 8 box to talk to my Windows box, Mandrake gave me a pagefull of textboxes labelled with jargon.
<deadpan>Ah, well, at least you didn't have to edit the registry (note their typoe near the end) to get it all working.</deadpan> It's all point-and-click on my Mandrake 8.2. In fact, with a sniffer I can make it pretty much automatic. What did you do wrong?
-
Re:ha!
this happens time and time again and will continue to happen until microsoft sees the light and figures out that they don't write good software.
They already know. Remember a couple of months ago, when Microsoft VP Jim Allchin stated, under oath, that there were flaws in Windows so great that they would threaten national security if the Windows source code were to be disclosed. The architecture of Windows is inherently insecure and cannot be fixed. Read all about it here.
-
Re:The anti-virus alarm
Yep, in addition to what's been said above, here's the full scoop from the original paper.
PLEASE NOTE: Some virus scanners are alerting people to the presence of a "Win32/Beavuh" virus within the sploit.bin file in the Shatter zipfile. This is not a virus. The scanner is correct in flagging it - the code in this file is designed to open a command shell and bind it to a network socket. This is a bad thing to do in general, so the scanner is correct in generating an alert. This code is designed to be malicious in terms of its functionality, but the scanner is incorrect when labelling it as a virus.
-
WARNING Virus in article download!!!!!!!
Watch out when downloading the 'shatter' application!!!!!!! It contains a virus!
This is not a troll. Check it yourself: This is an infected file
Norton reports:
Scan type: Realtime Protection Scan
Event: Virus Found!
Virus name: W32.Beavuh
File: H:\Documents and Settings\Username\Desktop\shatter\sploit.bin
Location: Quarantine
Computer: MACH5
User: Username
Action taken: Clean failed : Quarantine succeeded : Access denied
Date found: Wed Aug 07 13:26:14 2002
-
Giving Our PC's to Microsoft
Ok, so I took a look at the paper and then the e-mail response from Microsoft; and found this in the 4th paragraph, "In our essay, the 'Ten Immutable Laws of Security'i, these are Law #1-- "If a bad guy can persuade you to run his program on your computer, it's not your computer anymore," and Law #3 -- "If a bad guy has unrestricted physical access to your computer, it's not your computer anymore." (see http://www.microsoft.com/technet/columns/security/essays/10imlaws.asp for the full essay)."
So does this mean when those of us apply the Microsoft backdoors, I mean Service Packs to our systems, that give them unrestricted access to our systems, aren't we breaking one of Microsoft's rules, rule #3? I guess if it favors them it really doesn't matter.
Yeah those of us who run Microsoft software probably should deal with it; but it does raise some interesting ideas, especially with Palladium. I guess if it [Palladium] comes about, those of us who run it truly will not own a PC, Microsoft will.
-
Re:Don't worry too much
Good lord, take a look at the author's bio: http://security.tombom.co.uk/aboutfoon.html.
'Nuff said.
-
Is this the Allchin bug?
Do you think that this problem is the one that Jim Allchin described as dangerous to national security?
If it is, then it seems a bit dishonest for the microsoft message author (Dave at the Security Response Center) to say that they don't consider it to be a bug.
If it isn't, then there must be another problem which is even more serious. Oh dear!
-
What a load of tripe.
I'm really, really disgusted that this even got posted. This isn't a Win32 vulnerability, it's a VirusScan vuln. (Watch my karma burn, I'm actually defending MSFT... but hear me out.)
For those of you who aren't familiar with Windows programming, here's what he's doing. VirusScan's GUI is very poorly written and doesn't check for a maximum length on a text box's input. So, he adjusts the size of a textbox using an outside program to 4GB. (Windows unfortunately allows this, since the message format doesn't include a "sender" field to check against the owner handle.) He then inserts shellcode in it, attaches a debugger to the process and searches all of memory for the start of the shellcode. Real efficient, this one.
He then sends it a WM_TIMER message to trigger it. WM_TIMER is usually sent to your window on a regular interval when you've called SetTimer(), and contains either an integral ID or a pointer to a callback in memory. So, he sends it a fake WM_TIMER, and VirusScan executes the callback blindly.
You know what, I use WM_TIMER too in my apps - but, there are two simple ways to defend against it.
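    /* First check: accept only the known callback address. */
    if ((void *) msg.lParam != known_cb_address)
    {
        return false;
    }
    /* Second check: reject an lParam that is not a readable code pointer. */
    if (0 != IsBadCodePtr((FARPROC) msg.lParam))
    {
        go_fuck_yourself();
    }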
And if I'm not using it, special-case it so that it doesn't fall through to DefWindowProc().
Seriously, all this guy is doing is buffer overflowing a poorly written program to get Administrator privs. That's like claiming that glibc is insecure and should be thrown out because it has sprintf() or gets(). Ya know, I can buffer overflow a poorly written suid app too, but that doesn't make the libc to blame, nor have we published articles lambasting the GNU Project for not putting bounds checking into those functions.
This guy's just trying to sell himself, and you guys were more than helpful. Maybe I should write a system service that subclasses MSIE's WndProc with a single function that calls ExitProcess(1), and see if Slashdot will find me a security job.
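
A portable model of the first check described in the comment above, added here as an example and not code from the original comment: a WM_TIMER handler that runs a callback only if the window registered it itself and never hands an unknown address on to default handling. `struct msg`, `timer_cb`, `registered`, `on_tick` and `handle_timer` are assumed names standing in for the Win32 `MSG`, `TIMERPROC` and a real window procedure; `WM_TIMER` carries its real message number.

```c
#include <stddef.h>
#include <stdint.h>

#define WM_TIMER 0x0113                 /* real Win32 message number */

typedef void (*timer_cb)(unsigned id);  /* assumed stand-in for TIMERPROC */

/* Constructed stand-in for the MSG fields the comment refers to. */
struct msg { unsigned message; uintptr_t wParam; uintptr_t lParam; };

static int ticks;                       /* observable side effect of the callback */
static void on_tick(unsigned id) { (void)id; ticks++; }

/* Allowlist: the callbacks this window itself passed to SetTimer(). */
static const timer_cb registered[] = { on_tick };

static int is_registered(uintptr_t addr)
{
    for (size_t i = 0; i < sizeof registered / sizeof registered[0]; i++)
        if ((uintptr_t)registered[i] == addr)
            return 1;
    return 0;
}

/*
 * Returns -1 if the message is not WM_TIMER (caller dispatches it normally),
 *          1 if the timer was handled,
 *          0 if the message was dropped because lParam is not on the allowlist.
 * The important property: a WM_TIMER with a foreign lParam is consumed here
 * and never reaches a default handler that would call it.
 */
int handle_timer(const struct msg *m)
{
    if (m->message != WM_TIMER)
        return -1;
    if (m->lParam == 0)                 /* ID-only timer: no callback involved */
        return 1;
    if (!is_registered(m->lParam))      /* address we never registered: drop */
        return 0;
    ((timer_cb)m->lParam)((unsigned)m->wParam);
    return 1;
}
```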