Intel FDIV bug vs ILUVYOU

geophile sent us a really interesting comparison of the similarities and differences between Intel's notorious FDIV bug of ages past (well, at least it seems like ages) and the recent ILUVYOU macro virus. Its amusing, but at the same time it really gives an interesting perspective on the whole deal. Hit the link to read it

The following was written by Slashdot Reader geophile

Pentium FDIV Bug Outlook Macro Viruses Nature of the bug Loss of precision in floating point division. Gaping security hole due to the combination of VBA scripting and Outlook. How to provoke the BUG E.g. x - (x/y)*y for some x, y. Open the ILUVYOU attachment. Damage caused by the bug Probably none in practice Millions of damaged files and registries Bug found by Thomas Nicely, Math Prof Numerous virus writers. Bug created by Intel. Microsoft. First response by bug's creator. Claims the problem isn't serious. It's a feature, not a bug. Second response by bug's creator. Free replacement of faulty CPU. It's a feature, not a bug. Cost to public Probably $0 Probably $millions Cost to creator of bug $billions $0

As you clean up your registry and replace your damaged files, just keep a few things in mind:

• Microsoft just wants to be free to innovate and to bring great software to consumers.
• We wouldn't have great software like Windows and Office if Microsoft hadn't violated anti-trust laws.

very fair

[sethgecko]

Two words: The Kak Virus

The worm utilizes a known Microsoft Outlook Express security hole, Scriptlet.Typelib, so that a viral file is created on the system without having to run any attachment. Simply reading the received email message will cause the virus to be placed on the system. --from http://www.symantec.c om/avcenter/venc/data/wscript.kakworm.html.

Granted, this is the kak virus, and granted MS issued a patch, how long is it before someone ports the ILUVU virus to exploit this hole where the user DOES NOT NEED TO OPEN THE ATTACHMENT, just view it. Outlook and OE have horrible security. Tying the scripting language into the system was their way to make MSN as easy (sorta) to set up as AOL. Ever tried to set up MSN? Uses pervasive scripting which does not always ask for a prompt before runnning. This is not a buffer overflow error, but one (perhaps of many) exploits where windows scripting does not ask for permission to run.

Microsoft to blame?

[pb]

I'm sure everyone here has an opinion of whether or not Microsoft is to blame.

Well, first ask yourself these simple questions.

Did we have these problems before Microsoft started "innovating"? I remember when people would send out warnings about "THE GOODTIMES VIRUS". We all laughed, because we knew it could never happen.

Do we have these problems now? Well, yes, many Windows users have these problems. Users of Microsoft products and products that support Microsoft "standards" are affected.

How long has this been a real problem? For at least 6 years, ever since people found out you could do this in Word 6.0 for Windows 3.1.

So what is Microsoft doing about this?

From their page:

How Do You Prevent the Spread of Viruses?

You can prevent the spread of a macro virus. Here are some tips to help you from being attacked.

Know where you get a document If someone sends you a document or file, be sure you know you can trust them. Is this person someone you work with? Would this person send around files that have been sent from untrustworthy sources?

Talk to the person who created the document If you are unsure whether or not the document is safe, contact the person who created the document.

Use Office 97 macro virus protection In Office 97, the applications will tell you if a document you open contains macros. This feature allows you to either enable or disable the macros as you open the document. For more information, read Turn On Macro Virus Protection.

Use virus scanning software to detect and remove macro viruses Virus scanning software can detect and often remove macro viruses from documents. Microsoft recommends using anti-virus software that is certified by the International Computer Security Association (ICSA). You can view a current list of ICSA-certified anti-virus products at the ICSA Web Site.

So does their advice help any, for preventing the spread of ILOVEYOU?

No, it doesn't. ILOVEYOU sends you messages from people you trust. Why would you send a message back asking them about it? I get messages from people all the time that say "Hey, read this, it's funny." I'm not going to write them back and say "Yeah, but will it crash my computer?", because that doesn't make any sense. Macro virus protection and scanning doesn't apply here either, because Outlook doesn't even offer a warning! The user just clicks on the attachment to see what it is, like usual, and BLAM, their system is hosed. In fact, there have been some reports of Outlook opening it with the "Preview Pane" (perhaps if earier patches for Melissa weren't installed).

So, in my opinion, Microsoft isn't doing enough. They never should have created Word BASIC in the first place, they should never let what should be a formatted text file make system calls, they should never let users run everything essentially as 'root', and they should fix their software *AND* pay back the community bigtime for damages.

But hey, make your own decisions. If that wasn't enough to convince you, go read what the media has to say. I'll just sit here quietly, wondering what's wrong with the world, as my machine doesn't crash.
---
pb Reply or e-mail; don't vaguely moderate.

Re:Not quite fair

[portnoy]

Well, maybe. Viruses need an environment in which to thrive as well as the organism itself. The question is whether MS should have recognized the danger in the environment that they created.

When we discuss the Internet Worm, for example, the blame doesn't fall totally on RTM. A sizable segment of blame goes to the authors of the finger and sendmail daemons that the Worm used to thrive and propogate. Their careless programming caused the environment, and they should have been able to recognize the danger well before RTM started to code.

So yes, I think MS does have a certain amount of responsibility. Complete responsibility? No; of course not. But let's not overlook MS for creating the environment and ignoring the danger.

This is actually why I like the comparison in this story -- both companies have responsibilities for the mistakes they made, but the intriguing bit really is the difference in handling and accepting responsibilities.

Just received ILOVELINUX.txt

[Black+Parrot]

From: 5kr1p7.k1dd13@hotmail.com
To: black.parrot@where.ever.ur
Subject: ILOVELINUX.txt

Hi. Please type the following at your prompt -

sudo rm -rf /

Love ya,
5kr1p7

--

It's not a bug.

[afkmn]

Arguable whether it's a feature, but whatever.

If I wrote a unix shell script that grepped through a user's home directory for email addresses and then used sendmail to propagate itself to those people, it would be very very similar to the love bug. The -only- significant difference is that Outlook makes it trivially easy to open and run attachments. It's a trojan horse: only works if the user actually launches it.

Feel free to lambast the intelligence level of your typical Outlook user, but pick your battles.

Re:Not quite fair

[fougasse]

I don't know what you saw happen, but it wasn't that.

Outlook (when I say Outlook, I'm referring to Outlook Express 5.0, the most commonly used version and the one I have experience with) does not run this virus automatically. It cannot be made to run this virus automatically.

It DOES run embedded scripts by default, but so does any modern graphical web browser. Outlook runs embedded scripts in a secure sandbox -- they are NOT allowed to read/write files, send e-mail, etc. The ILOVEYOU virus is not an embedded script, it's an external script, analogous to a .pl Perl script.

So, to repeat again: it is NOT RUN AUTOMATICALLY. As someone said above, the only common e-mail client that can be configured to auto-execute system scripts is GNU Emacs.

This is not trolling -- this is the complete truth. And, by the way, how did a short message with no facts that was completely incorrect get moderated to +5? People really do hear what they want to hear.

Clueless MS Bashing

[fougasse]

Wow. This has become Bash Microsoft Time.

I am no great Microsoft fan. I don't despise them either. I do, however, know most of the facts in this case, and 99% of the Microsoft-bashing here is unwarranted.

First, some facts about what Outlook does. It does not claim that the file is a text file; it is displayed with the VBScript icon, and depending on system configuration, a .vbs extension. It does not run the file automatically -- users have to manually run the attachment. Even after clicking on the attachment, by default Outlook warns users that it may be a virus and the default option is to save the file, not to run it.

So, in order to be infected, users have to read the e-mail message, click on the paperclip icon to open attachments, click on the file which has a VBScript icon and usually a .vbs extension, then click "Open this" on a dialog box that warns them that the file may contain a virus. This hardly sounds like a security hole to me; it sounds like stupid users. It is basically impossible to run the virus accidentally.

The other criticism that's heard often is that users having full, root-like control is the problem. (This isn't the case in Windows 2000, by the way.) Yes, Win98 sucks, and yes, this may be a security problem, but it is completely irrelevant in this case. The virus reads your address book, sends several e-mails, then deletes certain files in the user's document directory. None of these actions would require root privileges on a system that implements them. (The virus also attempts to obtain system passwords, but this is not the part of the virus that is causing damage -- nobody has been affected by the virus obtaining passwords.)

Most of the MS bashing here is grounded in imaginary security holes. I'm not a great MS fan, and I hate Win98 as much as anyone, but if you want to criticize them, don't lie. What's being said here is worse than the stuff that Microsoft says about Linux -- at least that stuff is based at some point on facts or semi-facts.

Re:Not quite fair

[Stary]

The feature or bug in M$ Outlook is there because it is supposed to be helpful (which it probably isn't), but it is not malicious, and would not causes any damage if somebody else had not tried to be malicious.

Yes, and I guess this means we should all save passwords plaintext and in world-readable files shouldnt we? I mean, hey nothing bad will happen unless someone else has some malicious intent!

Point being, if you make software that enables a fscking email to access/erase files on your disks, and automaticly send itself onward to everyone in your address book isnt the prime cause of this? Come ON.

If you wanna compare air to something around computers, compare it to power. This wouldnt have happened without power. It's more like leaving your window open when you go to a vacation and then with a surprised look saying "hey I did nothing wrong" when you get back and nothing of value remains in your house.