Report Of New Outlook Exploit
viktor_haag writes: "Report on MSNBC today of a new vulnerability that exploits a hole in (at least) Microsoft Outlook. The bad news is -- this time you don't even have to read the email; in fact, the exploit can take place before Outlook even places the email in your Inbox. Looks to involve overloading the message's Date header field.
MS says they're going to release a security patch on July 19 to fix this hole." The irony is of course that we're so jaded by all these sad macro viruses that when something this serious hits, we shrug it off as 'Just another security hole,' but this one is massive.
Dear:
[ ] Clueless Newbie [x] Loser [ ] Troll
[x] Signal 11 [ ] Pervert [ ] Geek
[ ] Spammer [ ] Nerd [ ] Elvis
[ ] Fed [x] Freak [ ] FascdotKilledMyPr
[ ] AOLer/Euronetter/PIer/MSNetter
[ ] Other: Unbearably self-righteous person
You Are Being Flamed Because:
[ ] You posted something unfunny that will inevitably be modded up as "+1 Funny"
[x] You posted something unfunny that will inevitably be modded up as "+1 Funny" by you using another one of your accounts
[ ] You started an off-topic thread
[ ] You continued a long, stupid thread
[ ] You posted a bitchy "Slashdot sucks!" message
[ ] You said "me too" to something
[x] You suck
[x] You brag about things that never happened
[x] You spend all day tapping the refresh button
[x] You posted something totally uninteresting
[ ] You posted sexist shit
[x] You wish to avoid the "wrath of the trolls" by flaunting your "edgy" sense of humor
[x] You masturbate to pictures of CmdrTaco's shoes
[ ] You are the leader of a secret Natalie Portman human-sacrifice cult
To Repent, You Must:
[ ] Give up your AOL/Euronet/MSN/Planet Internet account
[ ] Bust up your modem with a hammer and eat it
[x] Jump into a vat of acid while holding your monitor
[x] Actually post something relevant
[ ] Read the f****** FAQ
[x] Be Katz's love slave
[x] Apologize to me
In Closing, I'd Like to Say:
[ ] Blow me
[x] Bite me
[x] Get a life
[x] Never post again
[x] I pity your parakeet
[x] Go to hell
[ ] I think your IQ must be 5, join the Marines
[x] Take your s*** somewhere else
[ ] Learn to post or f*** off
[x] Do us all a favor and start linking to Illiad. He's funnier than you.
[x] See how far your tongue will fit into the electric outlet
[x] Go crying home to your mommy...wait, you still live at home. Nevermind.
If this were almost any other app or company this wouldn't be front page news. How many other apps have buffer overflow exploits? Yes, Outlook has had its problems but look at other apps that have had them. How many problems were there with sendmail? The problems got fixed and it continues to be used today. Until someone comes out with a product to truly compete with Outlook people won't switch. What other LARGE enterprise mail systems are out there that offer the features of Exchange? Security people don't usually pick the mail system, management does. Management just can't pass up the calendaring and scheduling features of Exchange.
Instead of constantly bashing OutLook someone should actually go write a competing client. I'm currently using Mozilla's IMAP client. So far it's the most full featured by far. Sadly, it crashes about 3 times per day and on restart it sometimes won't create new messages. I can't wait for Evolution, but how long will that be?
I'd like to see all the "MS SUCKS!!!" people in here sit down and write an app that does everything OutLook can do. Yes, it has its problems but you can patch it, just like everything else. Until there is another alternative, even a close one, people won't switch.
The earliest that I know of happened before you probably ever heard of the Internet. Go look up the Morris Worm.
And I am sure that was not the first; I heard of it because it was the last time that an individual accidentally took down the Internet.
Regards,
Ben
My usual seat in the cluetrain is at http://pub4.ezboard.com/biwethey.ht
I myself have been wondering ever since Win2k came out with this "feature" how exactly M$ was going to issue system patches & upgrades. Can't their installer just overwrite the protected files and update whatever registry entries (or whatever) control this feature? Don't know since I haven't played with Win2k as yet....
#include "disclaim.h"
"All the best people in life seem to like LINUX." - Steve Wozniak
> Anyway, I think that the problem is people actually getting/using the patch.
There is a very simple, and elegant solution. Write a program that exploits the security flaw that patches the affected system, and then replicates itself. To be careful it should have a self termination date, and maybe even maintain a list of addresses on a central server that it has been sent to, etc.
Of course there are complications to this, first and most importantly that it is probably illegal. Therefore the above thought is provided for humor and irony purposes, and not an attempt to encourage anyone to break the law.
Oh, and IANAL.
W
Why doesn't IE 5.5 eliminate the vulnerability for Windows 2000 users?
IE 5.5 cannot replace the affected component because of the System File Protection feature in Windows 2000.
Nice "feature", guys.
$ cat < /dev/mouse
Posted never by no-one
from the not-all-that-surprising dept.
Yes, remote root on recent versions of (probably) all Linux-based systems that include NFS. Fortunately, most of them seem to have issued updates already. See the Security Focus Record for a summary (and, yes, an exploit). The irony is of course that we pretend to be concerned with security, but we really care only for ridiculing Microsoft, so when something this serious hits Linux, we don't even report it.
The evaluation of an action as 'practical' . . . depends on what it is that one wishes to practice.
Not checking inputs before the buffer is copied into is a bad programming flaw, but only recently realized as being potentially hazardous. Thus, take all programmers that were in the workforce in 1990, and they would probably have missed adding the buffer checks, but now with buffer overflows a problem nearly every day, programmers in 2000 are much more conscious about it, but there is still legacy code that probably does this buried in code. Especially when the field itself is not thought of in a textual sense (a date field), these things tend to get overlooked in the general design of the program. However, this should only reinforce the use of a lint-like system after various compiles in order to find potential buffer overflows. Languages like C++ and Java provide some protection here assuming you use the typed Strings, but you can still create a buffer overflow without thinking about it.
"Pinky, you've left the lens cap of your mind on again." - P&TB
"I can see my house from here!" - ST:
I'm very surprised it took so long for this bug to be discovered!
Fire and Meat. Yummy.
This happens all the time. If you find a security bug you usually give the vendor/author a chance to fix it in a timely manner before announcing it to the world.
Just as with any news source, there's going to be bias. It's just that most news sources don't have such obvious and entertaining bias as MSNBC.
Wah!
Our only hope is to make an antivirus email that uses the hole to install the patch and then forwards itself off.
Of course, it is true that this is simply a bug, and it could have happened to anyone. But it didn't happen to anyone, it happened to Microsoft, and they deserve some measure of condemnation for it.
MSK
From http://www.microsoft.com/technet/security/bulletin/fq00-043.asp:
:)
How can I tell if I'm vulnerable to this issue?
If any of the following apply to you, you are not affected by this vulnerability:
- You are running a default installation of Internet Explorer 5.01 Service Pack 1.
- You are running a default installation of Internet Explorer 5.5 on any system except Windows 2000.
- You are using Outlook and it's configured to use only MAPI
If none of the above apply to you, you are affected by the vulnerability.
--
So all you Linux users, beware.
Anyways, it's this kind of warped logic that caused the bug in the first place.
Breace
"Oops...I Did It Again"
by Bill Gates
Yeah yeah yeah yeah yeah yeah
Yeah yeah yeah yeah yeah yeah
I think I did it again
I made you believe you've got security
Oh baby
It might seem like a feature
But it doesn't mean that I'm serious
'Cause to lose all my reason
That is just so typically me
Oh baby, baby
:Chorus:
Oops!...I did it again
I created a bug, got lost in the game
Oh baby, baby
Oops!...You think it's secure
That it's sent from above
I'm not that innocent
You see my problem is this
I'm dreaming away
Wishing that bugs, they don't exist
I cry, watching bugtraq
Can't you see I'm a fool in so many ways
But to lose all my customers
That is just so typically me
Baby, oh
:Chorus:
Oops!...I did it again
I created a bug, got lost in the game
Oh baby, baby
Oops!...You think it's secure
That it's sent from above
I'm not that innocent
Yeah yeah yeah yeah yeah yeah
Yeah yeah yeah yeah yeah yeah
"All aboard"
"Bill, before you go, there's something I want you to have"
"Oh, it's beautiful, but wait a minute, isn't this...?"
"Yeah, yes it is"
"But I thought the old lady dropped it into the ocean in the end"
"Well Billy, I went down and got it for you"
"Oh, you shouldn't have"
Oops!...I did it again to your trust
Got lost in denial, oh baby
Oops!...You think that I'm sent from above
I'm not that innocent
:Chorus:
Oops!...I did it again
I played with your heart, got lost in the game
Oh baby, baby
Oops!...You think I'm in love
That I'm sent from above
I'm not that innocent
:Chorus:
Oops!...I did it again
I created a bug, got lost in the game
Oh baby, baby
Oops!...You think it's secure
That it's sent from above
I'm is not that innocent
Did anyone else catch that the name of the South American firm in the article was "USSR"? So first Hitler escapes to South America, and now the former USSR is posing as a security firm down there too?
lf.o
Do you have any idea what a buffer overflow actually is?
Basically, you fill a fixed-size array with enough data so that you overwrite other parts of the program, do some magic (which is somewhat explained here), and then get the program to execute some arbitrary code of your own writing. Developing said code (i.e. actually writing the exploit) generally takes time, and is limited to one software/os/platform/version combination.
This has *no* relation to how the code is initially written.
A program which reads one line of code from the user, saves it to a fixed sized buffer, and then prints it out is vulnerable to a buffer overflow.
Why is it that when I have moderator access there is nothing worth modding up? Then there is today, I do not have mod access and here is this hilarious post that is only +1 funny!!!
This one deserves +5!
this site is for people smart enough to use linux.
Maybe he wants to learn how to install and use Linux, but he has to spend so much time administering Windows clients that he can't get around to it?
Applaud him for sparing the time to at least get away from Outlook, for which all the exploits seem to be well known.
Time was, and still is, my problem; even after five years of experience with UNIX as a user, learning to administer my first Linux box is still quite an uphill battle.
However, you'll be pleased to note that I now type "ls -l" accidentally and frequently at DOS command prompts.
Go easy on the Linux newbie, for together, we will all be Bill Gates' demise.
Fire and Meat. Yummy.
Do any of these security exploits happen in Exchange? Every time an Outlook hole is revealed, we Exchange users also get the patches broadcast to us, but I don't remember hearing anything ever said about Exchange -- only Outlook, which will run on my work machine only after they fire me for refusing to have anything to do with it. :o)
"How many light bulbs does it take to change a person?" --BMcC-->
"This is certainly a serious one," said Steve Lipner, manager of the Security Response Center at Microsoft. Lipner said the stand-alone Outlook patch might not be ready until Wednesday, but concerned Outlook users can protect themselves immediately by downloading and installing the newest version of Internet Explorer at Microsoft's download site. That software includes code that will stop the vulnerability.
So the way to stop the virus is to load IE5.5? Why? Did they already know about the virus for a while and do nothing to tell anyone else (i.e. release a patch for the existing users while developing the future release)? Sounds like a malicious plan to force users to upgrade to a new version, as long as the bug wasn't uncovered too soon.
This space for rent. All reasonable inquiries will be entertained at proprietors discretion.
What!?!?
I'd rather find a security breach in a MS product and have them release a patch, than to find a breach in some free software and be told "Fix it yourself - that's the beauty of it."
Companies love the fact that they can hold MS responsible for their products. (Accountable to the market, if not the EULA).
WWJD -- What Would Jimi Do?
I am quite civilized, and I should be brought a beer immediately. -- Bruce Sterling
This bug is a standard buffer overflow vulnerability, an accident, and not a design bug like automatic or near-automatic execution of executable mail content (sheesh), which was responsible for the previous mail worms and viruses. I do not want to be seen as defending Microsoft's practices, their ideals, or their bad program designs (e.g. the aforementioned executable mail content). HOWEVER, a buffer overrun bug like this is not an inherent misfeature of Microsoft's design. It's a bug plain and simple, and furthermore one that has affected and continues to affect many, many Unix programs. This could have happened to "us", in other words. (If there were a buffer overrun problem in fetchmail, for example -- there isn't, but suppose there were.) We can and should rail at Microsoft for designing in weaknesses like those which made the ILOVEYOU fiasco possible. With a buffer overflow problem, I think that the "may he who is without sin cast the first stone" principle must apply. One of their anonymous programmers made a serious mistake. The same mistake has been made, over and over, in virtually every Unix system daemon since the Epoch. They get fixed (with an alacrity usually proportional to the consequences of an exploit) and that's that. And though I passionately believe in Open Source, please note that even though the source for most of those daemons has been examined by thousands and thousands of people, they never got fixed all at once. For example, -every- Red Hat Linux distribution in memory has fixed some buffer overruns and introduced others....
kiscica
(Nitpickers: yeah, I know, buffer[3] is really the last allocated space, meaning that the starting address of buffer[5] is actually 4 * sizeof(int) from the start of the array, and not adjacent to the end of the buffer. Children should be taught to count starting at zero.)
So, it is a vulnerability specific to languages that don't check bounds on arrays. However, it is just as much the fault of the programmer. If you don't validate input, you shouldn't be surprised when things don't go as planned. In a Java program that wasn't given special bounds checking, the program would die on the exception, better than providing an exploit, but bad form nonetheless.
"Sweet creeping zombie Jesus!"
> that someone with a brain could
> actually fall for?
People "with a brain" wouldn't be using such a horribly insecure mail client in the first place. There's a reason you don't hear about exploits like this affecting users of other mail clients such as Netscape Messenger (for example).
This security hole could potentially become a nightmare, but only to those people who use Microsoft's inferior mail software. Microsoft has set back computer security by years. Take these old pieces of virus protection advice:
Microsoft needs to admit that Outlook is fatally flawed. Since this will never happen, it's up to people like you and me to educate and inform anyone and everyone. Companies that mandate the use of Outlook or Outlook Express (I used to work for such a company) especially need to be educated.
--
www.scorbett.ca
Journalistic integrity at NBC? I don't think so. Dateline NBC is almost as sensationalist as Extra or any of the other video editions of supermarket tabloids.
With the MSNBC partnership, I feel I can trust their reporting of Microsoft news about as well as I can trust the CBC's reporting of the state of the Canadian federal government.
Never leave the fox guarding the henhouse.
I'll stick with ABC. World News Tonight is great, Nightline is excellent, and they're in league with Disney, not with the devil.
Fire and Meat. Yummy.
Disney is the devil
Hahaha... Well, getting back to NBC for a second, I'm a Will & Grace fan. Sorry.
Fire and Meat. Yummy.
This annoys me:
... even if that means redundant email clients wasting space.
... this bundling/tying/integration crap must stop for exactly this freakin reason! It's like if one part of the system is insecure, it makes ALMOST ALL OTHER MS APPS vulnerable. Anyone with half a brain can see the implications of this sort of methodology to software development. So the question is, who has Microsoft's half brain?
A non-default installation of IE 5.01 SP1 or IE 5.5 also will eliminate this vulnerability, as long as an installation method is chosen that installs upgraded Outlook Express components.
The *REASON* I did a non-default install of IE 5.5 was so I could EXCLUDE Outlook Express because I use Outlook 2000. So basically MS's Internet software is so "integrated" that you can't have one be patched for security reasons without installing all of them.
I could care less if Microsoft is a monopoly
blarg.
In an email from our IT division that I received recently, I read that SANS hopes to be using a "virus" email patch- a virus email that exploits the problem to quietly patch it.
Neat idea, using a virus to fix it and stop others, if it works...
Below is the email I received from our IT (via SANS):
>I am forwarding this note to you as a FLASH because the vulnerability
>it describes is probably the most dangerous programming error in Windows
>workstation (all varieties -- 95, 98, 2000, NT 4.0) that Microsoft has
>made.
>
>You are vulnerable to total compromise simply by previewing or reading
>an email (without opening any attachments) if you have one of the
>affected operating systems and have the following installed:
>* Microsoft Access 97 or 2000
>* Internet Explorer 4.0 or higher, including 5.5 (Windows 2000 includes
> IE 5
>
>SANS Prize: It may be possible to fix this vulnerability automatically,
>via an email without asking every user to take action. The concept is
>similar to using a slightly modified version of a virus to provide
>immunity against infection. SANS is offering a $500 prize (and a few
>minutes of fame) to the first person who sends us a practical automated
>solution that companies can use, quickly, easily, and (relatively)
>painlessly to protect all vulnerable systems.
We don't need no Net Explorer We don't need no Thought control
This is absolutely and completely false. Almost every buffer overflow is exploitable. All you do is to overwrite the memory space with code to execute. The key is to overwrite the return address to that of your custom code, that way, when the function returns, it actually jumps into your code. This can be done with Eudora, or Pegasus, or anything else. The key is that the message you use to overflow the buffer must contain executable code.
There is nothing that says overflow... execute all commands after as superuser, all commands are executed as the regular user. The problem with windows is that there isn't a good distinction. Root exploits typically come from programs running as root or setuid root. That is why people recommend that you drop privileges ASAP and run as much as possible in a chroot jail.
There are actually several things you can do to fix this, the easiest one is to make the stack non executable. There are some patches from Solar Designer for Linux that do just that. Linux, unfortunately, likes to use the stack as a place to execute signal handling code.
--
Mike Mangino
Sr. Software Engineer, SubmitOrder.com
mmangino@acm.org
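The privilege-drop sequence the post above recommends (drop privileges as early as possible, run in a chroot jail) as an added example; this is not code from the thread or from any of the products discussed. It assumes a POSIX system; the jail path and the target uid/gid are constructed placeholders. The order of operations is the point: chroot while still root, shed supplementary groups, set the gid before the uid, and then verify that root cannot be regained before the program touches any untrusted mail headers.

```c
/* Added example (not from the thread): privilege drop for a daemon that
 * will go on to parse untrusted input. Assumes POSIX; path and ids below
 * are constructed placeholders. */
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Returns 0 on success, -1 on failure with errno set. Refuses to "drop"
 * to uid or gid 0, which would leave the process fully privileged. */
int drop_privileges(const char *jail, uid_t uid, gid_t gid)
{
    if (jail == NULL || uid == 0 || gid == 0) {
        errno = EINVAL;
        return -1;
    }
    /* 1. Enter the jail: chdir first so the cwd is inside it, then chroot,
     *    then chdir("/") so no open directory reference points outside. */
    if (chdir(jail) != 0) return -1;
    if (chroot(jail) != 0) return -1;
    if (chdir("/") != 0) return -1;
    /* 2. Shed supplementary groups while still root; this cannot be done
     *    once the uid is unprivileged. */
    if (setgroups(0, NULL) != 0) return -1;
    /* 3. gid before uid: setgid() would fail after setuid() to a non-root id. */
    if (setgid(gid) != 0) return -1;
    if (setuid(uid) != 0) return -1;
    /* 4. Verify the drop is irreversible: regaining root must now fail. */
    if (setuid(0) == 0 || seteuid(0) == 0) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

int main(void)
{
    /* Constructed placeholders: 65534 is the conventional "nobody" id. */
    if (drop_privileges("/var/empty", 65534, 65534) != 0) {
        fprintf(stderr, "drop_privileges failed: %s\n", strerror(errno));
        return 1;
    }
    /* Only at this point would the daemon start reading untrusted headers. */
    printf("running as uid %u, gid %u inside the jail\n",
           (unsigned)getuid(), (unsigned)getgid());
    return 0;
}
```

Run as an unprivileged user the program reports a failure from chroot, which is the expected outcome: the function never continues past a step that did not succeed, so a half-dropped state is not possible.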
Although that's an important security hole in its own right, it's not the one we're talking about in the article. The article involves a buffer overflow in the date field, not an oops when executing ActiveX objects that are databases.
Friends don't let friends misuse the subjunctive.
Win98 has an optional feature that will periodically contact Microsoft when you're connected to the internet to download a list of updates/patches, etc. Apparently no information is sent to Microsoft. All very similar to Helix Gnome.
Of course, OS/2 was doing this in about '94 (via gopher rather than http, if I remember correctly).
...j
Newsflash: Some Companies Don't Use Outlook.
We don't. Why is that? Is it because we have a single app that does everything Outlook can do? No. Did management like its scheduling? Yeah, they were impressed. But, I wasn't hired to point, click, giggle, and approve everything Management wants to run. It's part of my job to build viable systems for my company. So, before we pop for a system, we audit the crap out of it: Outlook/Exchange doesn't even come close to cutting it, "features" or not.
See, we have a different view on the Web. An example: Since our first purchase of bsafe licenses from RSA labs, some 5 years ago, we've run a secure inter- and intra-net for our clients and employees. Scheduling, Calendars, Mail, Document Sharing/Transfer, Routing, Storage, Directory Services, some B2B and Timesheets, Printing and PDF generation from Word Documents and Faxes.
As for bugs; well, we're always in development :^) We've had several minor security issues, some early ones were, like this, bounding checks that didn't. Some memory leaks in 3rd party libraries. A few browser issues. Harmless stuff. Never whacked a file, or accessed secure information without the consent of the user. Never. As lead developer, I can honestly claim that our product easily does more than Outlook, and is virtually browser independent (SSL the only requirement). (Of course, you could just shitcan my comment, because it's a Server app, and not a Win client app, and we don't sell it, and..and...:)
Anyway, I can walk the walk. So, let's talk the talk.
There is no excuse for shoddy code and poor design at the Enterprise level. None. There are tons of relatively inexpensive tools that take care of beginner mistakes (like bound checking) for you, and may I remind you Microsoft should not be a beginner. Where are the coding wizards that bloated the Doom egg into Excel? And don't even start to whinge to me about "so many lines of code crap", either. I don't care how many lines you bloat into a product: if the design is poor, you're in for the big lose. And, make no mistake about it, the VBScript security concept is simply Nonexistent. A pathetic afterthought -- a late-night crapfest of coding that makes the I_Love_You virus read like Shakespeare.
To make matters worse, Microsoft leveraged the farm on the VB Concept. Every "application" has a backdoor^h^h^h(Screw it, it's a backdoor) propped open wider than the fridge at an "All-you-can-drink" Mardi Gras party in the Big Easy.
Uh...Wait...My Spidey Senses are telling me that the party line at Microsoft is that all this scriptability is The Big Win for productivity! Really!! You can cut/paste/drag/drop/bone/fillet/chop bits between all your apps! Isn't that exciting? Huh? Don't you want to be able to execute arbitrary code from an Excel spreadsheet, popped open by an untrusted 3rd party .OCX, driven by an Access 02 database automagically opened in Word?!? MmmmBoy!!! Smell That Innovation!
Got some not-so-much-news for you guys. That mind-numbing stench isn't innovation. It's a deceptively high-minded concept for individual power users, viciously mangled by Microsoft's complete inexperience with the multi-user/internet like some lean ground beef chew toy tossed to a pack of rabid weasels. 99.99% of the world doesn't use it, doesn't want to use it, and couldn't care less about it. The 0.01% that recognize its existence are about equally divided on the subject: Either they've already disabled VBScripting on their machines, or they're writing code to exploit the other 99.99%
Would you be happy with a caretaker for your house that leaves the key in the lock and puts up a sign that says "Gone Fishin' 'till Tuesday"? And they knew about it since they shoehorned basic scripting into Word 95. It is beyond my comprehension why people believe that scripting viruses "just happen", like they're some Normal price of doing business. You hear crap like "That Loser who wrote this virus should be shot!", or "We lost (m|b|tr)illions of dollars to Melissa/Zipped_Files/Good_Times, someone should pay!!!" And the folks never take the time to think
"Why was it so damn easy to do?"
Because they made it easy to do. I mean, LOOK AT THE CODE, folks. Melissa and its ilk are hardly rocket science. I_Love_You.vbs isn't a freakin' masterpiece. It's a script that should never have been allowed to run. Where's the security!!! Aunt Sally and Uncle Bob didn't want to run it. They don't know VBScript from Shinola. Yet, it ran on their box. Without their consent. Without their knowledge. And whacked all their files and mailed all their friends -- who continued the cycle.
What do you hear from Microsoft: "You have to stay Vigilant!" and "Those Devious Geniuses! They Struck Again!", and the popular "No System Is Ever Free Of Bugs" They crank up the spin-fest and fill Joe User's head with cheezy crap that sounds like it came off a bottle of cheap shampoo: "Upgrade, Set Options, Pray, Repeat!"
It never, ever had to be that way...
Thanks for listening...
The W2K update button on my start menu informs me only that I should update to Media Player 7.
Hey!
People are still using IE 3.0!
Unfortunately, many updates are not worth doing for the majority of people. If IE 3.0 does what you want, you shouldn't have to make a 2-hour plus download just to stop a bug that shouldn't have existed in the first place.
Another problem with upgrading is what I call the 'Bullshit program' problem. On my Windows box, I use Office 97. I saved a word file and sent it to a friend. It was just under 1.5 MB. He uses Word 2000, and a while later, e-mailed me the file back, for reasons I won't go into. It had grown to 4Mb, and was in the Word 2000 format, which I couldn't open. I e-mailed him and asked what he had changed in the file, other than the format. He said: Nothing.
Many upgrades give the average user nothing more than features like OS integration and annoying talking paper clips. Which they don't want. These 'upgrades' regularly have a large download time and/or price tag.
I blame Microsoft. After all, this IS Slashdot.
Michael Tandy
...another insightless comment from Michael Tandy.
"Goodness me, how unlike the FBI to abuse the trust of the American public." -- The Onion
I'll agree with that. Notes has a lot of good things going for it. But, having used the Notes client it just isn't as good as OutLook. The backend stuff is nice but the front end isn't.
Look at it this way instead... The most popular desktop operating system and office package in the world, the one that MANY /.ers have to help maintain, has a HUGE vulnerability.
I'm glad to find this stuff on /., but maybe we want a "MS Security Issue" section started.
-- IANAEG - I am not an elder god.
Specifically, perhaps it is time to fix the infrastructure -- in this case, Internet mail as a whole. Although it would be unfair to compare it to something as weak and outdated as QWK mail from the ol' BBS days, there are abundant weaknesses in the current model for Internet mail that allow nasty things like mail header security exploits. And spam. Imagine if spam was not just antisocial and/or illegal, but technically impossible?
How long can a date field be? For that matter, how long can any header field be? (No, I'm not asking for a technical answer based on the current system, I'm suggesting that you think about the meaning of the fields, and the maximum length necessary to impart that meaning.) Given that mail client software authors are demonstrably ignoring such length limitations, is it not time to enforce at the protocol level some basic validity and, ideally, permission from the recipient?
I don't have a blueprint to roll out for you. However, as long as we focus on the weaknesses of this or that client, server, company, etc., we are missing the boat.
No Laughing Allowed!
Other people are going to yell "monopoly", but I have a different take on it. I work at a small company, and on occasion I develop custom software for our clients. My bosses are really cool guys that understand the work I do, and if I tell them that I don't have 100% confidence in something I wrote, it doesn't leave the door. At MS, it seems that marketing is completely running the show and they have no clue what the nerds are doing. I can see things like fiscal years and competitor release dates causing MS managers to yank unfinished software away from the engineers. It's a good way to make lots of money and produce really awful software.
-B
(rejected)
I wonder how many people submitted that. I put mine in about an hour after this TechWeb article came out.
It'd be cool to see some cut-away of the slashdot experience. Like, are the posters the ones who hit reject or accept? Is there an early team that does some filtering? Is one nay enough to reject an article, or do a few people look it over?
-----
Propaganda fuels this website.
So you are telling me that propaganda doesn't fuel pro-Microsoft sites or any other sites?
The biases of Slashdot are well known, and not a secret. Other sites often try to claim non-biased reporting, but in reality, everyone has their biases.
You could say the same about sendmail.
Per posts in NTBugTraq, the actual bug is within Internet Explorer, and is made visible in Outlook and Outlook Express due to calls to the faulty code.
The bug has been fixed in IE 5.01 SP1; so there already exists a solution to avoid the bug on a Win box. Also, on Win-9x, IE 5.5 also avoids the bug; but on W2K, IE 5.5 still carries this bug (go figure).
In my opinion, any bug fix from MS isn't going to accomplish much. The majority of systems which are reportedly vulnerable are home systems where the users have failed to download the readily available SW upgrades. If the users failed to download the upgrades, I doubt it's likely that they'll get around to downloading the bug fix either.
You have discovered the secret, grasshopper.
You line up magazine reviews and trade shows months in advance, if the software doesn't ship on time, you miss this window, you end up losing a huge potential in sales - because of lack of hype. I've seen damn good products die on the vine due to missing the window; and I've also seen instances where the sales force of a large software company will only sell the best selling (largest bonus, easiest to sell) product, and ignore the rest, causing other products the company sells or introduces to die, all because nobody will stand up to the sales director and tell him to tell his people to get their asses in gear.
I have worked in software companies for 8 years, and I can tell you bar none, that 90% of quality problems are caused by a marketing-driven schedule and feature set.
Yes, it's unavoidable that software has to sell to finance its own development, and selling on a schedule is a requirement of marketing.
Other factors have been the easy ability for software companies to ship with massive defects to match a schedule, and put a patch on the web for downloads later - this was not nearly as common back when customers had to dial into a BBS for a patch (before widespread use of the web).
Basically, it's more of a competitive advantage to get a market presence (we're talking vapor here), than it is to ship a good stable product.
Who to blame?
The trade press. Whether the reviews are accurate or not, they still sell their rags. My company has a whole department of people whose job it is to "manage trade press relationships", that is, to make sure they get a favorable review. If we had a serious bug during an evaluation, our people fly out there and pucker up to the journalists, and no mention is made of the bug in the review.
This is life, in the software industry folks. It's only gotten worse.
And it will only get still worse.
if it ain't broke, then fix it 'till it is!
These are my friends, See how they glisten. See this one shine, how he smiles in the light.
This may be slightly OT, but this seems like the best place to post it since I doubt it would get a story of its own. Got this from the SANS Institute. Apparently another problem involving IE 4+ and Access 97 or 2K on just about every Windows platform. Don't think I've seen this one posted here. You can read about it here.
It's not enough to bash in heads, you've got to bash in minds. - Captain Hammer
These things are really really really difficult to find... I mean... how many of your QA people will sit around and write low-level code to include in every possible field to test for buffer overflows...
I don't know of any where I work that are capable of even thinking about that... granted MS may have the best minds for it, but really, truthfully...
BUFFER OVERFLOW EXPLOITS HAPPEN...
now ... they should have fixed it sooner... hell... they had it since JUNE 8th...
... hi bingo
WWJD -- What Would Jimi Do?
I am quite civilized, and I should be brought a beer immediately. -- Bruce Sterling
ah, but then again:
the cure recommended so far is for everyone to upgrade to IE5.5 as soon as possible
Now THAT'S marketing.
*rolls eyes* Do I even need to elaborate?
...it's a buffer overflow.
Outlook doesn't check the length of one of the date fields - a long string of data in that field will overflow a buffer. Once this has occurred, arbitrary code can be executed.
The fix is to install IE 5.01 SP1 on any affected Windows platform. Or you can install IE 5.5 - but not on Win2K.
More information is available in the posts to BugTraq and NTBugTraq, which is where I got the above information.
reverend lola
the titanium sheep
provider of steel wool
The interface.
Need I say more?
Cheers,
Ben
My usual seat in the cluetrain is at http://pub4.ezboard.com/biwethey.ht
The email is stored on a server, your mail client retrieves it and then parses it before storing it in your inbox. According to the MSFT security release, Outlook doesn't check that all the fields are the correct size while parsing it... thus a buffer overflow.
I thought by now, we'd be rid of buffer overflow bugs.
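The defect described in this post and in the earlier one about the unchecked date field can be shown in a few lines of C. This is an added illustration, not Outlook's code and not from any poster here: a constructed header parser that copies the Date: value into a fixed 64-byte buffer with no length check, next to the hardened form that measures the value first and refuses anything that would not fit.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed example: the fixed-size buffer a naive header parser
 * might reserve for the value of the Date: line. */
#define DATE_BUF_LEN 64

/* Vulnerable pattern. The value after "Date: " is copied into a
 * 64-byte buffer with no length check, so a header value of 64 bytes
 * or more writes past the end of `out`. Kept here only to show the
 * defect; never feed it untrusted input. */
void parse_date_unchecked(const char *line, char out[DATE_BUF_LEN])
{
    static const char prefix[] = "Date: ";
    size_t plen = sizeof prefix - 1;
    out[0] = '\0';
    if (strncmp(line, prefix, plen) == 0) {
        strcpy(out, line + plen);           /* no bounds check */
    }
}

/* Hardened form: measure the value first, refuse anything that would
 * not fit, and always leave `out` NUL-terminated. Returns true only
 * when a Date header was present and fit the buffer. */
bool parse_date_checked(const char *line, char out[DATE_BUF_LEN])
{
    static const char prefix[] = "Date: ";
    size_t plen = sizeof prefix - 1;
    out[0] = '\0';
    if (strncmp(line, prefix, plen) != 0) {
        return false;                       /* not a Date header */
    }
    const char *value = line + plen;
    size_t vlen = strcspn(value, "\r\n");   /* value ends at the line break */
    if (vlen >= DATE_BUF_LEN) {
        return false;                       /* would overflow: reject, do not truncate silently */
    }
    memcpy(out, value, vlen);
    out[vlen] = '\0';
    return true;
}

/* A well-formed header (constructed sample) is accepted and copied. */
int normal_date_is_accepted(void)
{
    char buf[DATE_BUF_LEN];
    bool ok = parse_date_checked("Date: Tue, 18 Jul 2000 10:00:00 +0000\r\n", buf);
    return ok && strcmp(buf, "Tue, 18 Jul 2000 10:00:00 +0000") == 0;
}

/* A Date value padded to over 300 bytes (constructed sample) is refused
 * by the checked parser; the unchecked one would have overrun `buf`. */
int oversized_date_is_rejected(void)
{
    char line[320];
    char buf[DATE_BUF_LEN];
    memset(line, 'A', sizeof line);
    memcpy(line, "Date: ", 6);
    line[sizeof line - 1] = '\0';
    bool ok = parse_date_checked(line, buf);
    return !ok && buf[0] == '\0';
}

int main(void)
{
    printf("normal accepted: %d\n", normal_date_is_accepted());
    printf("oversized rejected: %d\n", oversized_date_is_rejected());
    return 0;
}
```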
Unfortunately there's a fundamental disconnect in the corporate world between the security conscious admins and management. Management wants things easy and standardized, and (for the most part) admins want things secure. These exploits can crop up every week and it won't do a thing to convince management that Outlook is a bad choice.
Admins will continue to throw in layer after layer of mail pre-filtering software at the delivery level, when they should really just be able to get a secure MUA on their users' desktops.
--
I don't know about the rest of you, but I was rather tired of hearing the mass-media crying bloody murder against one or another teenager that happened to set free the newest and lamest VBA macro-virus.
At least this time it is a real bug, not a feature, and it has Microsoft working overnight to correct it. Those who remember the glorious days of early sendmail versions know that we've already been there, done that.
You'd think the virtual memory system could just deny execute access to memory alloc'ed by C. I gave it a try using VirtualAlloc with PAGE_READWRITE (not execute permission). Windows still exec'd the code. Maybe a kernel hacker could tell me if this is a limitation of the Intel VM or another one of Bill's stupid mistakes.
Ryan
And people do.. read the Unix Hater's Handbook.
---- ----
Napster-to-go says "Fill and refill your compatible MP3 player", which is a lie. It's not MP3. It's WMA with DRM.
(the only purpose for this non-informative crapnews I can think of is: it must be a hint for a new conversation at the coffeemachine, when that nice blond from Marketing is at the coffeemachine at the same time as you are :)).
--
Never underestimate the relief of true separation of Religion and State.
I will never again bad mouth my Netscape 4.72 IMAP client.
-- pause whilst I hug my browser --
Putting aside all the jokes and the "evil empire" comments and everything that the /. community feels about Microsoft, don't you think that a company of that size (and with their software controlling so many critical sites around the globe) has a responsibility to go overboard on quality assurance? We should be hearing horror stories from ex-employees about 48 hour testing binges and slave driver QA directors. That would make me much more comfortable than the consistent major flaws that keep appearing.
So all Microsoft bashing aside, how do things like this get out the door? To me, it almost seems that they are purposely not doing any sort of testing at all. I know about the jokes that say they get free testing by releasing their alphas, but seriously! So many people around the world depend on their software, you would think that they would put it through hell and back, but products continually come out of Redmond with serious, serious flaws.
I mean, how long did it take someone to find a hole in IE 5.5? Like 3 days???
Do you have Linux and a DotPal? Click here now!
I find these sorts of holes fascinating, especially in light of Microsoft's sales pitch of selling C3 secure systems. (Yes, this is the least secure you can get, and still get a rating, but the badge is still being used to promote the idea that Windows is secure.)
One thought I had, after reading this news - if WINE could be made sufficiently stable & complete, it shouldn't be too difficult to write a virus which replaced MS' Windows with Linux, without the users even noticing. Do that, and Linux could subvert 98% of the desktops on the Internet within a matter of days.
(Wouldn't this be, well, illegal? Not if you put a shrink-wrap licence on the virus, which stated that running the virus constituted the user's agreement to the OS switch. If the licence failed to appear, and the virus ran without the user being able to detect it, well, that becomes a Microsoft issue, not a viral one.)
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
ZDNet Story
MSNBC Story
Information Week Story
CNN Story
SANS Story
Also : Microsoft security bulletin (irony)
Microsoft FAQ + Patch
Salocin.com
Quite so. I should have said: countless remote root exploits, all of which could be used to create worms.
Very, very busy.
I just do not have a site available that does such a good job dissecting it...
Cheers,
Ben
My usual seat in the cluetrain is at http://pub4.ezboard.com/biwethey.ht
I think you -better- read that bulletin again.
According to this web page:
http://www.microsoft.com/technet/security/bulletin/MS00-043.asp
the bulletin specifically states that if you do a default installation of Internet Explorer 5.01 Service Pack 1 or Internet Explorer 5.5, this will automatically install and/or upgrade to Outlook Express 5.5. Microsoft has specifically stated that OE 5.5 is -not- vulnerable to the issue that USSR Labs discovered. It should be noted that if you are running Windows 2000, you may have to apply the patch (which is now available) or do a manual upgrade to OE 5.5.
Raymond in Mountain View, CA
This current exploit has nothing to do with flexibility. I bet if 95% of the world used Eudora, you'd be hearing more about its buffer overflows.
This may be old news to some of you, but I just recently discovered this one. Had one of my users bring me his laptop with a variety of problems on it. Had the usual glitches that form up after a while on Win98, but one of them was especially interesting.
His Netscape kept loading up this GoHip web site as its default home page. Even going into the preferences in NS would only change this until the next re-boot. Had me poking around all over his system trying to figure out how his default home page kept getting changed. I couldn't find anything in the registry or .ini files that looked to be starting up that was out of the ordinary.
I then popped on over to this GoHip web site to have a look. Right on their front page is a link that states something like "Make GoHip your default home page". The clever bit was that this was not a link to some how-to about preferences. It linked directly to a .reg file. This site was able to tweak registry entries directly from the web!
Once I managed to download this .reg file to my local PC I was then able to trace back what all it had changed and get this thing off his system. I knew Windows had some security problems, but I had no idea it was THAT open to an attack.
Now just imagine sending someone an E-Mail with an embedded meta tag that redirected you to some .reg file you've got mirrored on a number of free web hosts. Heck, all I'd have to do at that point is delete the file association to .exe and .com files, which is just two lines of the registry, and I'd have your system rendered useless.
Mind you, I strongly disagree with this monopoly case that is presently going on. The details of this I'll save for later. On the other hand, I would have no problems at all with Microsoft being held criminally liable for gross negligence. None of what I'm talking about here is a secret to Microsoft, and still they continue to put out a known faulty product. How long do you think folks would put up with flaws like this from Ford, Honda, or any other car maker?
The line must be drawn here. This far. No further.
And I think it's time that MS admitted that. The program is too full of holes, too badly designed, to continue. It should be scrapped, period.
The likelihood of MS actually admitting the above, let alone following through with my suggestion, is nil. But I think the fact that the hole has been a KNOWN exploit since June 11th and a patch was not made available even a MONTH later is very telling.
Truly, this hole goes back longer than that... wasn't there a whitepaper about 6 months ago from the authors behind BackOrifice detailing how this kind of exploit was possible?
Check out Magic Firesheep!
Link on securityfocus is here
Also, bugtraq archived here
Now, to avoid everyone calling me a karma whore, here's my insight on the whole thing:
USSR labs decided that they would hold back details until MS produced a fix. Understandable, I mean, they wouldn't want everyone to be developing exploits for the vulnerability while MS sits on it (Yes, I understand that security through obscurity doesn't work, but I'm sure that USSR would've released details if MS had refused to comply in a timely fashion). Anyway, I think that the problem is people actually getting/using the patch.
Sure, sysadmins will probably do corporate work to clear this up, but people do worse jobs maintaining software than they do their cars. At least with cars, they know that the oil needs to be changed every 5000 or so KM, and that when the tread on the tires is bare, those need to be replaced. People are still using IE 3.0! Users are generally too lazy to upgrade software, even if there's a known security issue.
That said, I'm as guilty as most of them.
This flaw is not relegated to Outlook only - any email client which uses the IE engine to display HTML content (Eudora is one such mail client) leaves the door open for this exploit.
Two points: If you had read any of this, you would know that the problem is in the transport mechanism of Outlook (the components) - NOT the displaying of the text. Eudora uses its own system for that. Eudora CAN (in the later versions) use the MSIE engine to display messages (for the extended HTML parsing), but it doesn't HAVE to do this, it's a feature users can set as they please.
Novell's Groupwise has a neat little date field exploit. It doesn't crash or anything, but if you set the date to the distant past, say, the year of 1985, the message will seemingly "self destruct" after it was read and shuffle itself to the old end of the mail spool. It's a cool trick if you want a message to disappear after someone reads it. In the spirit of Inspector Gadget (the cartoon, not the stupid movie,) include the quote, "This message will self destruct in 30 seconds."
Anyhow, for more fun, take a look at the source for msnbc's article. It is one HUGE mess of scripting for a short little article. What are they trying to hide in there? Easter eggs? Why all the features for just a damn story?
Someone didn't read the whole thing. The major vulnerability is malformed date tags that Outlook reads BEFORE the user can even get to them. Insanely large numbers in that date field cause a buffer overflow. This is only a userland problem in the way that they are using Outlook.
--onyx--
send flames > /dev/null
Only 'flamers' flame!
Does this look like fucking securityfocus.com? Get a clue /. Why don't you report all of the other vulnerabilities in UNIX/Linux OSs?
while it's obviously a troll, I'll respond.
A quick search for security brings us:
2.2.16 Kernel Released - Fixes Security Hole
Open-Source != Security; PGP Provides Cautionary Tale
Red Hat 'Piranha' Security Risk - And Fix
FreeBSD implicated in HotMail security problems
Looks like they do. Granted, there're more MS security holes posted. However, I would say that there are more MS security holes. The problem only arises when/if they are posting in a proportion (MS vs. Open Source) that is not close to the real proportion of significant problems.
-Rob Ewaschuk
Ouch!
This is the second time in a week I've been burned (had to do extra work) by security flaws found in Microsoft programs.
I've been thinking about the need for a standards organization, or certification authority, for some time now. The question is; how would you set up such an organization, and would you trust it?
An analogy: All of the major e-commerce sites on the web today buy their SSL certificate from one of the big CAs, VeriSign for one, because that's a trusted entity.
Wouldn't big program houses be interested in getting their applications branded "Secure" by a likewise trusted authority? (think CERT) My guess is yes. Microsoft, for example, would benefit (at least in large, mission critical installations) from having their source code audited and confirmed by a third party.
When we have open source, most problems are found early (many eyeballs make shallow bugs) but not all. Think of the Wuftpd exploit last month. Is there, perhaps, even a need for an open security auditing organization?
"However, I would say that there are more MS security holes"
;)
It seems to me that the biggest security risk would come from newly added features to a product. Perhaps MS add more new features to their products than people? They're not playing catch up like other people.
Of course, some might say that it is just because MS are incompetent when it comes to security.
The problem with real security issues like this one is the number of people who fail to keep up to date on all the latest patches. The infamous Morris worm, for instance, was essentially nothing more than a collection of exploits that had already been published and worked around. It's just that the relatively clueful, but overworked SysAdmins, hadn't installed them yet.
I shudder to think how many clueless MS users will be out there with this vulnerability - even five years from now.
It is HERE
Why is this the first internet virus that someone with a brain could actually fall for? Why did it take this long? It seems to me that most virus writers have been bent on having fun without risking a lengthy jail sentence. As a result, we have nothing but these little cheap worms that still cause an incredible amount of damage. Can you imagine the damage if this thing wormed? And yet, even if this bug actually gets exploited, I doubt it will be malicious. It will probably end up in the advertising method described in the article. Cheap thrill.
But at this point in time, one individual could probably bring down the entire internet and then some. Imagine what would happen if someone used this bug to load a CIH-type virus on every computer. Suddenly, the majority of the world's computers go out simultaneously. It'd be mass destruction - and virtually untraceable. (Can you imagine what would have happened if someone did this on Jan 1?)
But I don't think any of this will ever happen. I'm sure there will always be a way, but there's no one out there crazy enough to actually do it. Virus writers want cheap thrills. Just because the hole is there, doesn't mean anyone will exploit it. We may never see the doomsday virus everyone's worried about for the last decade....
"I believe that a scientist looking at nonscientific problems is just as dumb as the next guy." -Richard Feynman
-rpl
This particular vulnerability is kind of amusing. UNIX types have been suffering with buffer overflows for a long time now that have done some nasty things, like giving someone remote root.
In any case, it's pretty lame of M$ to be seeing people fix all their buffer 'sploits on unix-centric applications and then not fix them in an obviously vulnerable location in their own code.
This is especially amusing since they just released that gigantic patch that will ask you before it executes content in an attachment or embedded in a document. They fixed that, but they missed the buffer overflow. All I have to say is HA HA HA. :)
No wait, I have more to say: Mozilla mail ownz j00!
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
Gee, I wonder why MSNBC sat on this information for five weeks before reporting on it at all. Does anyone really think CNN would have gagged itself? Ok, maybe that's not the best example... Still, it does make me wonder.
I haven't yet seen a comment that points out a critical factor for this bug:
You need to use Outlook(Express) as your Internet mail client, and not in its "Corporate and Workgroup" mode.
This saves a lot of the hassle for office types running their own mail servers.
See the NTBUGTRAQ article for more details.
If you are running Internet Explorer 4.x, 5.0 and 5.01, the fastest solution to avoid this exploit is to immediately upgrade to at least Internet Explorer 5.01 Service Pack 1.
IE 5.01 SP1 (which avoids the hassles that have plagued some IE 5.5 users) not only has an upgraded browser (which corrects a problem where certain .OCX controls specific to IE can cause memory leak problems) but also incorporates Outlook Express 5.5, which is not vulnerable to the exploit described by USSR Labs.
I believe there will be a fix available on the Windows Update web site that will correct this issue by upgrading a number of .DLL files--but this is only for IE 4.x and IE 5.0/5.01 users.
Raymond in Mountain View, CA
Wouldn't a better solution be to stop using Outlook completely?