Slashdot Mirror


Intel FDIV bug vs ILUVYOU

geophile sent us a really interesting comparison of the similarities and differences between Intel's notorious FDIV bug of ages past (well, at least it seems like ages) and the recent ILUVYOU macro virus. It's amusing, but at the same time it really gives an interesting perspective on the whole deal. Hit the link to read it.

The following was written by Slashdot Reader geophile

| | Pentium FDIV Bug | Outlook Macro Viruses |
|---|---|---|
| Nature of the bug | Loss of precision in floating point division. | Gaping security hole due to the combination of VBA scripting and Outlook. |
| How to provoke the bug | E.g. x - (x/y)*y for some x, y. | Open the ILUVYOU attachment. |
| Damage caused by the bug | Probably none in practice | Millions of damaged files and registries |
| Bug found by | Thomas Nicely, Math Prof | Numerous virus writers. |
| Bug created by | Intel. | Microsoft. |
| First response by bug's creator | Claims the problem isn't serious. | It's a feature, not a bug. |
| Second response by bug's creator | Free replacement of faulty CPU. | It's a feature, not a bug. |
| Cost to public | Probably $0 | Probably $millions |
| Cost to creator of bug | $billions | $0 |

As you clean up your registry and replace your damaged files, just keep a few things in mind:

  • Microsoft just wants to be free to innovate and to bring great software to consumers.
  • We wouldn't have great software like Windows and Office if Microsoft hadn't violated anti-trust laws.

24 of 403 comments

  1. Re:Stupid users, not stupid microsoft by Detritus · · Score: 3

    Pretend that you are the CIO of a large corporation. You have 10,000 users. Due to the amazingly skilled people in HR, 99% of the users are not idiots. Congratulations, 100 users just double clicked on ILOVEYOU and took down the mail server.

    --
    Mea navis aericumbens anguillis abundat
  2. A bug? Give me a break! by mindstrm · · Score: 3

    Someone please show me where the bug is. I don't get it.

    I can write a shell script that sends out billions of messages too, if you run it. I can make it attach itself to email addresses, and I can make it do it using your pine address book.
    Where is the bug?

    The only bug is the idiot moronic users who run attachments without knowing what they are.

    Remember, ILOVEYOU does *NOT* spread on its own, and does NOT execute automatically, and contrary to what this article says, is NOT an 'outlook macro' virus. It's just some vbscript, in a .vbs (analogous to a perl script or a shell script). It must be run manually in order to do anything.

  3. This isn't Outlook's fault by Q-bert][ · · Score: 3

    This isn't a script that runs inside of Outlook, people. It's a VBScript that runs using the Windows Scripting Host. It's just like a bash script, or a perl script. SAME DEAL. It's just like people getting an .EXE in the mail and running that. It's a trojan not a virus. There are two reasons this caused so much damage. Reason 1, people are stupid. Plain and simple. Reason 2, people aren't used to seeing files with a .vbs extension. If someone got a .pl in the mail and ran it on their unix box and it fucked shit up, everyone would be like "STUPID USER!". With this everyone is going "MICROSOFT BAD, DIE MICROSOFT!!!". Now granted Outlook security is extremely lacking but this is not a fault in Outlook. It's a fault of people and people are dumb.

  4. Before we let MS off the hook... by Squirrel Killer · · Score: 3
    Let's get one thing straight.

    No bug caused the m/billions to be lost, but rather a feature caused the money to float away.

    Although not entirely responsible for the trojan macro, the feature is the security breach that allowed the macro to happen. Oxygen's responsibility for WWII is significantly less than this feature's responsibility for the fiasco. The proper analogy that Glowing Fish is looking for is not oxygen, but rather guns and stupid politicians.

    Before I entered the IT field for real, I disliked MS but thought "Oh, what the hell." Now when I hear Gates and Co. talk about their right to innovate, I just think of this and all the other malicious macros. These are not "innovations", they are poorly planned and implemented features. These features have done far more harm to business than they have helped. I wonder about the usefulness of storing macros in normal.dot and I challenge anyone to give a good reason for including VB/A/Script in an e-mail message.

    I can't help but feel as though MS's "right to innovate" has seriously limited business. Now, even small companies have to have dedicated IT departments. A mis-implemented feature causes world-wide computer havoc. Promised productivity increases seem to melt away. A crash in a browser, a friggin' Internet browser, takes down the entire system. Users trying to get work done turned into beta testers so that MS can hit a product timeline. It's crazy.

    And why don't the PHB take note? Because IT departments like fat budgets, and like fish, PHB like shiny things. -sk

  5. False sense of security by overshoot · · Score: 3
    For all of those pointing out that ILOVEYOU requires the luser to actively open the attachment, keep some things in mind:
    • Outlook's file extension hiding means that the attachment showed as .TXT, not .vbs
    • It's a truly bizarre world where viewing a document executes that document.
    • That was just this time. Bubbleboy proved that you can make the code launch as soon as the message comes up.
    • It doesn't take rocket science. HTML formatted messages render IMG= objects quite promiscuously; VBS is one of the options.

    Personally, I'm really interested in seeing if it's possible to add a 'graphic' to a vCard which is actually disguised VBscript. Malware that propagates via infected vCards should be able to fly under the radar for quite a while. Certainly long enough to become very, very widespread.
    --
    Lacking <sarcasm> tags, /. substitutes moderation as "Troll."
  6. Re:Not quite fair by amyzing · · Score: 3

    The designers of the scripting capability in MS Outlook are responsible for this, and the writers of this particular version of the ongoing Outlook security exploit are pointing out that somewhere along the line, someone was seriously ignorant (as in lacking knowledge of thirty years of networked security issues) and unwilling to learn.

    Under what circumstances should sendmail have a feature allowing it to automatically forward messages to everyone in /etc/aliases?

    Should every installation of procmail include, by default, a well-known filter that will delete files specified by the incoming email?

    If it is valid at all to design in features that permit large-scale spamming without the consent of the user, or features that will modify files without the consent of the user, is it valid to turn these features on by default, so that the least competent users are likely to be the most badly affected? How is it possible to call the ability for random strangers to delete your files "ease of use" (with a straight face)?

    On a slightly gruesome note, I only wish that viruses were really as deadly as, say, ebola or bubonic plague. In that case, they might contribute to evolution--the early death of the unforgivably stupid. But that may be too harsh, and there is a good chance that the fool who designed (or ordered to be designed) such trivially easy-to-abuse features ... has them turned off, personally.

    Amy!

  7. Re:Not quite fair by ToLu the Happy Furby · · Score: 3

    There are firsthand accounts of it happening posted here.

    Where? There are no firsthand reports of this trojan running in the preview pane, and indeed there can't be, since the preview pane Outlook Express vulnerability has different permissions than this worm. Specifically, a preview pane OE virus can "only" run Java Script code and/or insert arbitrary code into your StartUp directory to be run upon reboot. In any case, the source for this worm is widely available, and anyone who understands the issues involved can see that it does not run without being specifically clicked on by the user.

    Finally, the preview pane vulnerability has been closed via a patch for months. Most users probably haven't applied it, but there's really nothing more MS could have done (besides not designing ActiveX so poorly in the first place).

  8. Stupid users, not stupid microsoft by DrMaurer · · Score: 3

    {sigh}

    I see, once again, that MS is coming under fire, and probably for good reason (the address book thing is simply an error on the part of microsoft, I admit, and it shouldn't be so easily used by outside applications), but they're not the sole part of this blame.

    The visual basic script is equivalent to an executable file in Windows. Most users don't see the vbs on the end, which is partly the "funny" naming convention of the file. (All bold til the extension.) People will learn from this, I hope, but then again, many people still run .exe files they get in the mail, too.

    I would say that if I got a file and I activated the contents, no matter what operating system I'm using. If I ran the .exe equivalent on my mac or GNU/Linux system, then I would expect SOMETHING to happen. Think of the Windows scripting stuff as the old batch files (or scripts). They do stuff, but people don't know how much damage they CAN do.

    The blame for this falls on the shoulders of the virus (?) writer(s) and the users stupid enough to activate it. Microsoft should fix the address book thing in Outlook, but there's no security hole unless it's the one where the user's brain shoulda been.

    Don't gimme that "Well, if they're using windows, they're stupid users and MS should have anticipated that." They have no responsibility if someone's a complete screw up, no more than Saturn is responsible for the girl that nearly ran me over yesterday (SEE THE STOP SIGN!)

    Fully anticipating "flamebait."

    --
    Dan
  9. Re:quite fair by fwr · · Score: 3
    If someone can write such a simple virus in visual basic, there is *something* wrong! (Both with M$ Windows and Outlook)

    Wrong. The power behind the technology that made the script so trivial is a good thing. The problem is the security model behind the technology that makes the damage possible. Remember, technology is positive when the creators put the interests of their users before their bottom line.

    Wrong. If you don't realize it, this is Microsoft's biggest mistake. That mistake is to make writing complex programs and wielding administrative power over computers "trivial." The ability to design complex programs with system administrative capabilities should be difficult to master. Only with experience comes responsible behavior. By tying their web browser (IE), application programming languages (VB), office automation tools (Outlook), and other sundry "features" to their monopoly operating system they make it easier for inexperienced people to write destructive programs (virus, worm, other).

    I'm not strictly advocating making computer programming more difficult on purpose, but I think Microsoft went just a little too far in trusting the "average Joe" users of their software. It's like they totally ignored human nature in that there will always be a subset of society that is destructive. It's almost like putting guns in the hands of kids and saying, "You're not being fair! It's not their (those that distribute guns to kids) fault that there are some bad apples out there!"

    Note that this is quite different than the current litigation blaming responsible gun manufacturers for the use of their product. We have laws that restrict the access to guns and other potentially destructive technology to responsible adults. Why don't we have the same type of rules for computer technology? What type of rules should they be? Certainly we can't limit access to computer technology to minors. That would be just plain stupid. But, how about making it illegal to have the default install state of email programs to even be able to "run" applications, at least? What about requiring manufacturers with over 20% market share in their field of endeavor responsible for not fixing problems with the fundamental architecture they have designed if it shows repeated occurrences of actively promoting loss of business and productivity? Especially if the loss is not limited to the individual using the product irresponsibly?

    Hey. Read that over again. Sounds like that could apply to a lot of technologies and not just computers. Take car manufacturers for example. If some car maker designs a part, say a gas tank for a car, in such a way that it explodes or catches fire unreasonably often if "used" in the wrong way (such as getting in an accident, which you certainly don't try to do), wouldn't they be forced to redesign their product so that it wasn't so defective? Especially if it caused harm to those innocent people (the people in the car with the defective gas tank who got rammed from behind by no fault of their own)?

    Or, take gun manufacturers, again. They certainly couldn't be sued if someone sticks a gun in their mouth and pulls the trigger. But, if a gun model routinely misfired and caused harm to the person who pulled the trigger or those nearby (but not aimed for!) there certainly would be cause for the ATF to push for a redesign (or pulling that particular model altogether).

    I don't know. Sometimes I just don't understand Microsoft supporters. It's like they just don't have a clue. And this from someone who used to be an avid Microsoft supporter (in the mid-late 80's) and personally purchased many-a Microsoft C, Basic, MASM compiler/assembler.
  10. 2.61 Billion by Money__ · · Score: 3
    2.61 billion to be exact. According to this article at Bloomberg.com.

    One of the quotes from the article:

    Microsoft is partly to blame for the bug because the company puts a priority on adding new features to its programs instead of security, said Mikko Hypponen of F-Secure Oyj, an Internet security company in Espoo, Finland. "It's a Microsoft problem, and it's hurting them," he said. Microsoft's Windows operating system, used in 90 percent of personal computers worldwide, includes scripting software that allows anyone to rewrite programs. Hypponen advises most companies to get rid of the scripting software for their employees who don't need it.
    ___

  11. Blame the users, not the tool, except Microsoft by VAXman · · Score: 3

    The "slashdot community" (whatever that is) typically never takes a "blame the tool" approach. Things like Napster which facilitate music piracy never receive the blame for piracy - the user does. This example is applicable to many of the issues which are discussed on slashdot.

    The only exception to this rule is a Microsoft tool.

    If Microsoft writes a tool which users fuck themselves over with, Microsoft - and not the clueless users - gets the blame. Why is Microsoft an exception to "guns don't kill people, people kill people"?

    IMHO, anybody who supports Napster on the basis that it is only a tool, yet blames Microsoft on this worm (or any other worm which was not coded within Microsoft), needs to have clues beaten into them severely, and spoon-fed to them for life.

  12. what the heck?!?!? by Error27 · · Score: 3

    everyone is on crack!!!

    how come everyone is saying that this isn't a problem and moderating up other folks who say that this isn't a problem?

    this is a HUGE freaking problem. 60% of ALL the email systems in Sweden were taken down. 30% of the email in England. All the Canadian government email was taken down.

    look at that. millions of people without email for a prolonged period of time and tell me there isn't a problem here.

    And it isn't over yet. Everyone is looking for email with "ILOVEYOU.txt" on it but they aren't looking for the email with "warn I love you virus" as the subject. For the next couple months that's what we're going to see. Except it won't be a warning. It will be the virus with a different name. Seriously. Now there are thousands of people out there who know they can disable the email system in a school or a town or a company just by changing the subject line of the email and sending it to someone in there.

    Think about a new ILOVEYOU virus every week for the next three months. Still think there isn't a problem?

    but the real problem is far deeper and longer lasting. I remember when I first was introduced to email when I came to America in 96. The first question I'm asking myself is, "can't people hack our computer?" See back then I didn't know the difference between a hacker, a cracker, a hax0r, script kiddie, a virus writer, or anything. All I knew was that it didn't sound good.

    The general public still doesn't fully trust computers and they trust the network even less. There are a couple people at my college whose parents didn't let them have the internet in their house.

    There are many more who don't use instant messaging still because of fear of hax0rs.

    Or I could rant about all the helpful aunts out there who send people forwards with hoax email virus warnings. It's not the aunt's fault. It's the fault of negligent computer companies who allow for real email viruses. It's harder to make an email program that will allow a virus to propagate than it is to make a secure email client so they can't even claim they did it out of laziness.

    It's stupid stuff like this that puts a barrier in front of people that might otherwise benefit from technology.

    Some of the commenters are blaming it on the outlook users. That's not very smart in my opinion. Why should the users be afraid to open attachments? Why should they be afraid to look at email. We aren't talking about email from friends as was the case with this virus. I'm talking about email from complete strangers.

    I am on a couple of mailing lists and I get email from over a hundred strangers every day. But do I worry about it? NO! I just open it right up and look at it. That's because my email client will only read text and pictures. No executables. No viruses. No trojans. I can just open it up like there was nothing to it. AND THAT'S THE WAY IT SHOULD BE!!:(

  13. Re:Not quite fair by cburley · · Score: 3
    This is what's happening with ILOVEYOU: users are manually running an executable

    No, they aren't. Just ask them what they think they're about to do before they do what you say they're doing. They're highly unlikely to say "I'm going to manually run this executable".

    More likely, they'll say "I want to see what's in this file!". And that's what double-clicking an icon is for. (Except in certain contexts, when a sizable percentage presumably knows double-clicking runs a program. Reading email is clearly not one of those contexts.)

    The fact that they aren't shown what's in the file, but instead have arbitrary code with the equivalent of Unix `root' privileges executed on their system, in an environment where tight integration among applications basically guarantees easy access to all sorts of personal data, makes this a highly preventable, as well as insidious, bug in the design of Microsoft software.

    IMO, the biggest enabler of this bug was the decision by Microsoft, at the highest levels, to deploy Windows 9x as an "easy-to-use" OS for people wanting access to the Internet.

    Even at the time that decision was made, Microsoft certainly had more than enough expertise to know it was a technically unsupportable one, from a security standpoint. I.e. they knew the Internet was hostile, that Win 9x was unsecure, that their highly integrated software made even security-by-obscurity basically irrelevant, and that their targeted user base had no expertise in securing themselves against the inevitable problems.

    (At least, I really doubt I understood these issues better as a 16-year-old in the mid-'70s than the geniuses at Microsoft did circa 1995. Actually, even in the late '70s, I couldn't understand how these newfangled personal computers could fit a whole OS in 64K, until I was stunned to find out they'd ignored the whole timesharing security model. The viruses that swept the PC- and Mac-using world were never a surprise to me, of course, nor to most anyone else hacking timesharing systems before the PC generation.)

    The estimates I've heard of losses are in the $Billions, but I agree Microsoft won't have to pay a dime (i.e. they won't recall Win 9x for all Internet users).

    And bear in mind I'm not saying MS should have taken steps to prevent people using Win 9x for Internet use. They should have made it clear it wasn't suitable, and left it up to end users to decide whether to install 3rd-party software that let them ride the 'net. Of course, that wouldn't have earned MS the huge extra $Billions in income, or the huge additional stock valuations, which is why they didn't do the obviously "right" thing.

    BTW, my wife, whose responsibilities include an IT department at the world headquarters of a well-known institution, was, needless to say, not happy about the ~36 hours of organization-wide downtime suffered due to this bug. Especially when I said "gee, don't y'all have your SMTP servers reject any incoming email that have unrecognized, or code-bearing, attachments?", she said "no, we can't make our [MS-based] software do that", and I pointed out that it was a topic often covered as being fairly easy to do on the qmail mailing list. I had assumed, obviously erroneously, that last year's Melissa had convinced everyone to get their act together, disable certain kinds of attachments, etc. Not that I pay much attention to viruses: I run GNU/Linux, and use a dialup (no static IP), among many other things. The only time I see virus-protection software being run is when it's being run on someone else's computer!

    Why businesses willingly pay $Millions to Microsoft so they can get "flashy" software that causes them random downtime of days per year, with "nobody to sue" as the anti-Open-Source FUD goes, is something I have yet to be able to explain using logic. (Using psychology or anthropology, however....)

    --
    Practice random senselessness and act kind of beautiful.
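
The gateway-side check cburley describes above (refusing mail that carries code-bearing attachments), combined with the disguised-extension case overshoot raises, as an added example that is not part of the thread or any poster's code. The extension lists, function names and sample messages are assumptions constructed for illustration; note that the verdict depends on the attachment type, never on the subject line.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumption: extensions this gateway treats as code-bearing. The thread names
# .vbs and .exe; the others are common Windows script/executable types.
BLOCKED_EXTENSIONS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".hta",
                      ".exe", ".com", ".scr", ".pif", ".bat", ".cmd"}
# Extensions a reader takes for "just a document"; used to spot disguises.
BENIGN_LOOKING = {".txt", ".doc", ".jpg", ".gif", ".pdf", ".htm", ".html"}


def split_extensions(filename):
    """Return every dot-separated suffix, lower-cased, e.g. ['.txt', '.vbs'].

    Trailing dots/spaces are dropped because Windows ignores them when the
    file is opened, and padding inside a suffix ('txt    ') is stripped.
    """
    name = filename.strip().rstrip(". ").lower()
    return ["." + p.strip() for p in name.split(".")[1:] if p.strip()]


def classify(filename):
    """Return a list of policy violations for one attachment name."""
    exts = split_extensions(filename)
    if not exts or exts[-1] not in BLOCKED_EXTENSIONS:
        return []
    last = exts[-1]
    reasons = ["code-bearing extension " + last]
    decoys = [e for e in exts[:-1] if e in BENIGN_LOOKING]
    if decoys:
        # With extension hiding on, the user sees only the decoy suffix.
        reasons.append("double extension: %s hidden behind %s"
                       % (last, decoys[-1]))
    return reasons


def inspect_message(raw):
    """Parse a raw RFC 5322 message and decide accept/reject by attachment."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        # get_filename() reads Content-Disposition and falls back to the
        # Content-Type "name" parameter.
        filename = part.get_filename()
        if filename:
            findings.extend((filename, r) for r in classify(filename))
    return {"subject": str(msg["Subject"]),
            "verdict": "reject" if findings else "accept",
            "findings": findings}


def build_sample(subject, filename):
    """Constructed test message; the payload is inert placeholder bytes."""
    msg = EmailMessage()
    msg["From"] = "alice@example.com"
    msg["To"] = "bob@example.com"
    msg["Subject"] = subject
    msg.set_content("kindly check the attached file")
    msg.add_attachment(b"placeholder bytes, not a script",
                       maintype="application", subtype="octet-stream",
                       filename=filename)
    return msg.as_bytes()


# Constructed samples: same attachment type under different subjects, plus
# an ordinary text attachment that must pass.
SAMPLES = [
    ("ILOVEYOU", "ILOVEYOU.TXT.vbs"),
    ("warn I love you virus", "joke.vbs"),
    ("meeting minutes", "minutes.txt"),
]

if __name__ == "__main__":
    for subject, filename in SAMPLES:
        result = inspect_message(build_sample(subject, filename))
        print(result["verdict"], "|", result["subject"], "|",
              result["findings"])
```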
  14. Re:Not quite fair by ruin · · Score: 3
    Microsoft is right. The ILOVEYOU virus isn't a software issue, it's a user education issue.

    Just the same way that accidental gun deaths are a user education issue. And prescription drug overdoses. And smoking-related lung cancer. And traffic accidents. All of these things could be prevented if the user just *weren't* *so* *dumb*.

    Wrong. A user clicks on an email message, and their email client automatically starts running an attached file? Stupid-user or not, this 'feature' is just plain unjustified. How many seconds would you have to use up to think of a way to make this program more secure? How about prompting the user: "Run attached file: ILOVEU.VBS? (Y/N)"

    Writing software that makes it easy for strangers to take advantage of the user is just plain negligent. Plenty of sensible software writers know that their software is going to be used by users of a variety of skill levels, and take this into account when writing. mIRC, for example, is set by default to decline DCC sends of .exes, .vbs, etc. This is just good sense.

    Which is better, to make a program secure by default, and let users turn off security if they want? Or to make it insecure by default, and blame the users for not turning on the security?

    hm.

    --
    share and enjoy
  15. Not quite fair by Glowing Fish · · Score: 3

    I am as anti-Micro$oft as the next red blooded American, but this is not quite fair. This table seems to say that the bug in M$ Outlook is responsible for the ILOVEYOU virus...which it isn't. The feature or bug in M$ Outlook is there because it is supposed to be helpful (which it probably isn't), but it is not malicious, and would not cause any damage if somebody else had not tried to be malicious.

    To say the bug caused billions of lost files is an argument of insufficient causation. It was one of the causes, but not the finishing cause, of the loss of files. Much like the presence of Oxygen in the atmosphere was necessary for WW II to be fought, but that doesn't mean it caused World War II.

    Just my $0.02 U.S.

    --
    Hopefully I didn't put any [] around my words.
    1. Re:Not quite fair by Anal Surprise · · Score: 3

      This is the same as putting an icon on the desktop that reformats your hard drive. Of course an educated user wouldn't slip and accidentally click on that little icon you can't delete, would they? You never know when you'll spaz and at that moment, you're as "dumb" as the rest of "them". That's the first fruit of Microsoft's freedom to innovate: the icon on the desktop that reformats your drive, or the link in Outlook that trashes your machine.

    2. Re:Not quite fair by portnoy · · Score: 5
      Well, maybe. Viruses need an environment in which to thrive as well as the organism itself. The question is whether MS should have recognized the danger in the environment that they created.

      When we discuss the Internet Worm, for example, the blame doesn't fall totally on RTM. A sizable segment of blame goes to the authors of the finger and sendmail daemons that the Worm used to thrive and propagate. Their careless programming caused the environment, and they should have been able to recognize the danger well before RTM started to code.

      So yes, I think MS does have a certain amount of responsibility. Complete responsibility? No; of course not. But let's not overlook MS for creating the environment and ignoring the danger.

      This is actually why I like the comparison in this story -- both companies have responsibilities for the mistakes they made, but the intriguing bit really is the difference in handling and accepting responsibilities.

    3. Re:Not quite fair by fougasse · · Score: 5

      I don't know what you saw happen, but it wasn't that.

      Outlook (when I say Outlook, I'm referring to Outlook Express 5.0, the most commonly used version and the one I have experience with) does not run this virus automatically. It cannot be made to run this virus automatically.

      It DOES run embedded scripts by default, but so does any modern graphical web browser. Outlook runs embedded scripts in a secure sandbox -- they are NOT allowed to read/write files, send e-mail, etc. The ILOVEYOU virus is not an embedded script, it's an external script, analogous to a .pl Perl script.

      So, to repeat again: it is NOT RUN AUTOMATICALLY. As someone said above, the only common e-mail client that can be configured to auto-execute system scripts is GNU Emacs.

      This is not trolling -- this is the complete truth. And, by the way, how did a short message with no facts that was completely incorrect get moderated to +5? People really do hear what they want to hear.

    4. Re:Not quite fair by Stary · · Score: 5
      The feature or bug in M$ Outlook is there because it is supposed to be helpful (which it probably isn't), but it is not malicious, and would not cause any damage if somebody else had not tried to be malicious.

      Yes, and I guess this means we should all save passwords plaintext and in world-readable files shouldn't we? I mean, hey nothing bad will happen unless someone else has some malicious intent!

      Point being, if you make software that enables a fscking email to access/erase files on your disks, and automatically send itself onward to everyone in your address book isn't the prime cause of this? Come ON.

      If you wanna compare air to something around computers, compare it to power. This wouldn't have happened without power. It's more like leaving your window open when you go to a vacation and then with a surprised look saying "hey I did nothing wrong" when you get back and nothing of value remains in your house.

      --
      Tomorrow will be cancelled due to lack of interest
  16. very fair by sethgecko · · Score: 4
    Two words: The Kak Virus

    The worm utilizes a known Microsoft Outlook Express security hole, Scriptlet.Typelib, so that a viral file is created on the system without having to run any attachment. Simply reading the received email message will cause the virus to be placed on the system. --from http://www.symantec.com/avcenter/venc/data/wscript.kakworm.html.

    Granted, this is the kak virus, and granted MS issued a patch, how long is it before someone ports the ILUVU virus to exploit this hole where the user DOES NOT NEED TO OPEN THE ATTACHMENT, just view it. Outlook and OE have horrible security. Tying the scripting language into the system was their way to make MSN as easy (sorta) to set up as AOL. Ever tried to set up MSN? Uses pervasive scripting which does not always ask for a prompt before running. This is not a buffer overflow error, but one (perhaps of many) exploits where windows scripting does not ask for permission to run.

    --
    Be ot or bot ne ot, taht is the nestquoi.
  17. Microsoft to blame? by pb · · Score: 5
    I'm sure everyone here has an opinion of whether or not Microsoft is to blame.

    Well, first ask yourself these simple questions.

    Did we have these problems before Microsoft started "innovating"? I remember when people would send out warnings about "THE GOODTIMES VIRUS". We all laughed, because we knew it could never happen.

    Do we have these problems now? Well, yes, many Windows users have these problems. Users of Microsoft products and products that support Microsoft "standards" are affected.

    How long has this been a real problem? For at least 6 years, ever since people found out you could do this in Word 6.0 for Windows 3.1.

    So what is Microsoft doing about this?

    From their page:

    How Do You Prevent the Spread of Viruses?

    You can prevent the spread of a macro virus. Here are some tips to help you from being attacked.

    Know where you get a document: If someone sends you a document or file, be sure you know you can trust them. Is this person someone you work with? Would this person send around files that have been sent from untrustworthy sources?

    Talk to the person who created the document: If you are unsure whether or not the document is safe, contact the person who created the document.

    Use Office 97 macro virus protection: In Office 97, the applications will tell you if a document you open contains macros. This feature allows you to either enable or disable the macros as you open the document. For more information, read Turn On Macro Virus Protection.

    Use virus scanning software to detect and remove macro viruses: Virus scanning software can detect and often remove macro viruses from documents. Microsoft recommends using anti-virus software that is certified by the International Computer Security Association (ICSA). You can view a current list of ICSA-certified anti-virus products at the ICSA Web Site.


    So does their advice help any, for preventing the spread of ILOVEYOU?

    No, it doesn't. ILOVEYOU sends you messages from people you trust. Why would you send a message back asking them about it? I get messages from people all the time that say "Hey, read this, it's funny." I'm not going to write them back and say "Yeah, but will it crash my computer?", because that doesn't make any sense. Macro virus protection and scanning doesn't apply here either, because Outlook doesn't even offer a warning! The user just clicks on the attachment to see what it is, like usual, and BLAM, their system is hosed. In fact, there have been some reports of Outlook opening it with the "Preview Pane" (perhaps if earlier patches for Melissa weren't installed).

    So, in my opinion, Microsoft isn't doing enough. They never should have created Word BASIC in the first place, they should never let what should be a formatted text file make system calls, they should never let users run everything essentially as 'root', and they should fix their software *AND* pay back the community bigtime for damages.

    But hey, make your own decisions. If that wasn't enough to convince you, go read what the media has to say. I'll just sit here quietly, wondering what's wrong with the world, as my machine doesn't crash.
    ---
    pb Reply or e-mail; don't vaguely moderate.
  18. Just received ILOVELINUX.txt by Black Parrot · · Score: 5

    From: 5kr1p7.k1dd13@hotmail.com
    To: black.parrot@where.ever.ur
    Subject: ILOVELINUX.txt

    Hi. Please type the following at your prompt -

    sudo rm -rf /

    Love ya,
    5kr1p7

    --
    Sheesh, evil *and* a jerk. -- Jade
  19. It's not a bug. by afkmn · · Score: 5


    Arguable whether it's a feature, but whatever.

    If I wrote a unix shell script that grepped through a user's home directory for email addresses and then used sendmail to propagate itself to those people, it would be very very similar to the love bug. The -only- significant difference is that Outlook makes it trivially easy to open and run attachments. It's a trojan horse: only works if the user actually launches it.

    Feel free to lambast the intelligence level of your typical Outlook user, but pick your battles.

  20. Clueless MS Bashing by fougasse · · Score: 5
    Wow. This has become Bash Microsoft Time.

    I am no great Microsoft fan. I don't despise them either. I do, however, know most of the facts in this case, and 99% of the Microsoft-bashing here is unwarranted.

    First, some facts about what Outlook does. It does not claim that the file is a text file; it is displayed with the VBScript icon, and depending on system configuration, a .vbs extension. It does not run the file automatically -- users have to manually run the attachment. Even after clicking on the attachment, by default Outlook warns users that it may be a virus and the default option is to save the file, not to run it.

    So, in order to be infected, users have to read the e-mail message, click on the paperclip icon to open attachments, click on the file which has a VBScript icon and usually a .vbs extension, then click "Open this" on a dialog box that warns them that the file may contain a virus. This hardly sounds like a security hole to me; it sounds like stupid users. It is basically impossible to run the virus accidentally.

    The other criticism that's heard often is that users having full, root-like control is the problem. (This isn't the case in Windows 2000, by the way.) Yes, Win98 sucks, and yes, this may be a security problem, but it is completely irrelevant in this case. The virus reads your address book, sends several e-mails, then deletes certain files in the user's document directory. None of these actions would require root privileges on a system that implements them. (The virus also attempts to obtain system passwords, but this is not the part of the virus that is causing damage -- nobody has been affected by the virus obtaining passwords.)

    Most of the MS bashing here is grounded in imaginary security holes. I'm not a great MS fan, and I hate Win98 as much as anyone, but if you want to criticize them, don't lie. What's being said here is worse than the stuff that Microsoft says about Linux -- at least that stuff is based at some point on facts or semi-facts.