Slashdot Mirror


Report Of New Outlook Exploit

viktor_haag writes: "Report on MSNBC today of a new vulnerability that exploits a hole in (at least) Microsoft Outlook. The bad news is -- this time you don't even have to read the email; in fact, the exploit can take place before Outlook even places the email in your Inbox. Looks to involve overloading the message's Date header field. MS says they're going to release a security patch on July 19 to fix this hole." The irony is of course that we're so jaded by all these sad macro viruses that when something this serious hits, we shrug it off as 'Just another security hole,' but this one is massive.


  1. Non-Report of New Linux NFS Remote Root Exploit by The+Pim · · Score: 5

    Posted never by no-one
    from the not-all-that-surprising dept.
    Yes, remote root on recent versions of (probably) all Linux-based systems that include NFS. Fortunately, most of them seem to have issued updates already. See the Security Focus Record for a summary (and, yes, an exploit). The irony is of course that we pretend to be concerned with security, but we really care only for ridiculing Microsoft, so when something this serious hits Linux, we don't even report it.

    --

    The evaluation of an action as 'practical' . . . depends on what it is that one wishes to practice.
    1. Re:Non-Report of New Linux NFS Remote Root Exploit by mwalker · · Score: 3

      Moderation Totals:Troll=2, Insightful=1, Interesting=2, Informative=1, Total=6.

      Those are the moderation totals on the parent (this) post, as of 7:26pm 7/19/2000.

      Before you dismiss this as off-topic, read on.

      How is it that 3 people think that this is an interesting or informative post, and 2 people think that he is Trolling, i.e., intentionally trying to disrupt an intelligent conversation?

      If something is thought-provoking, it is insightful, even if you disagree with it. If something is a deliberate attempt to disrupt a conversation, it's a Troll.

      Now, to get on-topic:
      Yes, remote root on recent versions of (probably) all Linux-based systems that include NFS. Fortunately, most of them seem to have issued updates already. See the Security Focus Record for a summary (and, yes, an exploit).

      It's on-topic. It's thought provoking, and it's informative. He hunted down a link for you. It's a massive security hole, just as big as the one in Outlook. Yes, you may disagree with his opinions or conclusions (I sure as hell do - no one is being paid billions of dollars to quality control Linux, it's the difference between a flaw in a gift and a flaw in an expensive PRODUCT) but that doesn't mean he's trying to disrupt the conversation. This comment is an insightful reality check. If his link was bogus, or his information was incorrect, Troll him. But if his facts are VALID and you disagree with his OPINION, mod him UP so we can all think about it and decide.

      Moderation is not about suppressing opinions with basis in fact, it's about suppressing l33t hax0rz who want some Natalie.

      Calling this guy a troll makes us look bad. Mod him up, and take his argument apart.

  2. Vulnerabilities==virii by 11223 · · Score: 3
    What was the last hole this big? The clipart SHS hole - exactly causing the life_stages joke worm. This time somebody clever will make another virus - and it will spread like wildfire, before it can even get patched!

    Our only hope is to make an antivirus email that uses the hole to install the patch and then forwards itself off.

  3. Re:Just to be fair here... by kaphka · · Score: 3
    This bug is a standard buffer overflow vulnerability, an accident, and not a design bug
    It's interesting, although I agree with all the facts in your post, I disagree with your attitude. In my opinion, this bug is much more disturbing than the damage caused by clueless users who run untrusted applications after countless warnings not to. This is a security hole; allowing users to send attachments is not.

    Of course, it is true that this is simply a bug, and it could have happened to anyone. But it didn't happen to anyone, it happened to Microsoft, and they deserve some measure of condemnation for it.
    --

    MSK

  4. "OOPS, I did it again" by Bill Gates by Anonymous Coward · · Score: 5

    "Oops...I Did It Again"
    by Bill Gates

    Yeah yeah yeah yeah yeah yeah
    Yeah yeah yeah yeah yeah yeah

    I think I did it again
    I made you believe you've got security
    Oh baby
    It might seem like a feature
    But it doesn't mean that I'm serious
    'Cause to lose all my reason
    That is just so typically me
    Oh baby, baby

    :Chorus:
    Oops!...I did it again
    I created a bug, got lost in the game
    Oh baby, baby
    Oops!...You think it's secure
    That its sent from above
    I'm not that innocent

    You see my problem is this
    I'm dreaming away
    Wishing that bugs, they don't exist
    I cry, watching bugtraq
    Can't you see I'm a fool in so many ways
    But to lose all my customers
    That is just so typically me
    Baby, oh

    :Chorus:
    Oops!...I did it again
    I created a bug, got lost in the game
    Oh baby, baby
    Oops!...You think it's secure
    That its sent from above
    I'm not that innocent

    Yeah yeah yeah yeah yeah yeah
    Yeah yeah yeah yeah yeah yeah

    "All aboard"
    "Bill, before you go, there's something I want you to have"
    "Oh, it's beautiful, but wait a minute, isn't this...?"
    "Yeah, yes it is"
    "But I thought the old lady dropped it into the ocean in the end"
    "Well Billy, I went down and got it for you"
    "Oh, you shouldn't have"

    Oops!...I did it again to your trust
    Got lost in denial, oh baby
    Oops!...You think that I'm sent from above
    I'm not that innocent

    :Chorus:
    Oops!...I did it again
    I played with your heart, got lost in the game
    Oh baby, baby
    Oops!...You think I'm in love
    That I'm sent from above
    I'm not that innocent

    :Chorus:
    Oops!...I did it again
    I created a bug, got lost in the game
    Oh baby, baby
    Oops!...You think it's secure
    That its sent from above
    I'm not that innocent

  5. Just to be fair here... by kiscica · · Score: 5

    This bug is a standard buffer overflow vulnerability, an accident, and not a design bug like automatic or near automatic execution of executable mail content (sheesh), responsible for the previous mail worms and viruses. I do not want to be seen as defending Microsoft's practices, their ideals, or their bad program designs (e.g. aforementioned executable mail content). HOWEVER, a buffer overrun bug like this is not an inherent misfeature of Microsoft's design. It's a bug plain and simple, and furthermore one that has affected and continues to affect many, many Unix programs. This could have happened to "us", in other words. (If there were a buffer overrun problem in fetchmail, for example -- there isn't, but suppose there were.)

    We can and should rail at Microsoft for designing in weaknesses like that which made the ILOVEYOU fiasco possible. With a buffer overflow problem, I think that the "may he who is without sin cast the first stone" principle must apply. One of their anonymous programmers made a serious mistake. The same mistake has been made, over and over, in virtually every Unix system daemon since the Epoch. They get fixed (with an alacrity usually proportional to the consequences of an exploit) and that's that. And though I passionately believe in Open Source, please note that even though the source for most of those daemons has been examined by thousands and thousands of people, they never got fixed all at once. For example, -every- Red Hat Linux distribution in memory has fixed some buffer overruns and introduced others....

    kiscica

  6. Outlook Express required to fix? by |DaBuzz| · · Score: 3

    This annoys me:

    A non-default installation of IE 5.01 SP1 or IE 5.5 also will eliminate this vulnerability, as long as an installation method is chosen that installs upgraded Outlook Express components.

    The *REASON* I did a non-default install of IE 5.5 was so I could EXCLUDE Outlook Express because I use Outlook 2000. So basically MS's Internet software is so "integrated" that you can't have one be patched for security reasons without installing all of them ... even if that means redundant email clients wasting space.

    I could care less if Microsoft is a monopoly ... this bundling/tying/integration crap must stop for exactly this freakin reason! It's like if one part of the system is insecure, it makes ALMOST ALL OTHER MS APPS vulnerable. Anyone with half a brain can see the implications of this sort of methodology to software development. So the question is, who has Microsoft's half brain?

    blarg.

  7. Re:sorry but , no by mangino · · Score: 3

    This is absolutely and completely false. Almost every buffer overflow is exploitable. All you do is to overwrite the memory space with code to execute. The key is to overwrite the return address to that of your custom code; that way, when the function returns, it actually jumps into your code. This can be done with Eudora, or Pegasus, or anything else. The key is that the message you use to overflow the buffer must contain executable code.

    There is nothing that says overflow... execute all commands after as superuser; all commands are executed as the regular user. The problem with Windows is that there isn't a good distinction. Root exploits typically come from programs running as root or setuid root. That is why people recommend that you drop privileges ASAP and run as much as possible in a chroot jail.

    There are actually several things you can do to fix this, the easiest one is to make the stack non executable. There are some patches from Solar Designer for Linux that do just that. Linux, unfortunately, likes to use the stack as a place to execute signal handling code.
    --
    Mike Mangino
    Sr. Software Engineer, SubmitOrder.com

    --
    Mike Mangino
    mmangino@acm.org
  8. Re:Just publishing a patch isn't going to fix this by jbrw · · Score: 4

    Win98 has an optional feature that will periodically contact Microsoft when you're connected to the internet to download a list of updates/patches, etc. Apparently no information is sent to Microsoft. All very similar to Helix Gnome.

    Of course, OS/2 was doing this in about '94 (via gopher rather than http, if I remember correctly).

    ...j

  9. It's not about Suckage, it's about Security. by Tildedot · · Score: 5
    You said:
    I'd like to see all the "MS SUCKS!!!" people in here sit down and write an app that does everything OutLook can do. Yes, it has its problems but you can patch it, just like everything else. Until there is another alternative, even a close one, people won't switch.

    Newsflash: Some Companies Don't Use Outlook.

    We don't. Why is that? Is it because we have a single app that does everything Outlook can do? No. Did management like its scheduling? Yeah, they were impressed. But I wasn't hired to point, click, giggle, and approve everything Management wants to run. It's part of my job to build viable systems for my company. So, before we pop for a system, we audit the crap out of it: Outlook/Exchange doesn't even come close to cutting it, "features" or not.

    See, we have a different view on the Web. An example: Since our first purchase of bsafe licenses from RSA labs, some 5 years ago, we've run a secure inter- and intra-net for our clients and employees. Scheduling, Calendars, Mail, Document Sharing/Transfer, Routing, Storage, Directory Services, some B2B and Timesheets, Printing and PDF generation from Word Documents and Faxes.

    As for bugs; well, we're always in development :^) We've had several minor security issues, some early ones were, like this, bounding checks that didn't. Some memory leaks in 3rd party libraries. A few browser issues. Harmless stuff. Never whacked a file, or accessed secure information without the consent of the user. Never. As lead developer, I can honestly claim that our product easily does more than Outlook, and is virtually browser independent (SSL the only requirement). (Of course, you could just shitcan my comment, because it's a Server app, and not a Win client app, and we don't sell it, and..and...:)

    Anyway, I can walk the walk. So, let's talk the talk.

    There is no excuse for shoddy code and poor design at the Enterprise level. None. There are tons of relatively inexpensive tools that take care of beginner mistakes (like bounds checking) for you, and may I remind you Microsoft should not be a beginner. Where are the coding wizards that bloated the Doom egg into Excel? And don't even start to whinge to me about "so many lines of code" crap, either. I don't care how many lines you bloat into a product: if the design is poor, you're in for the big lose. And, make no mistake about it, the VBScript security concept is simply Nonexistent. A pathetic afterthought -- a late-night crapfest of coding that makes the I_Love_You virus read like Shakespeare.

    To make matters worse, Microsoft leveraged the farm on the VB Concept. Every "application" has a backdoor^h^h^h(Screw it, it's a backdoor) propped open wider than the fridge at an "All-you-can-drink" Mardi Gras party in the Big Easy.

    Uh...Wait...My Spidey Senses are telling me that the party line at Microsoft is that all this scriptability is The Big Win for productivity! Really!! You can cut/paste/drag/drop/bone/fillet/chop bits between all your apps! Isn't that exciting? Huh? Don't you want to be able to execute arbitrary code from an Excel spreadsheet, popped open by an untrusted 3rd party .OCX, driven by an Access 02 database automagically opened in Word?!? MmmmBoy!!! Smell That Innovation!

    Got some not-so-much-news for you guys. That mind-numbing stench isn't innovation. It's a deceptively high-minded concept for individual power users, viciously mangled by Microsoft's complete inexperience with the multi-user/internet like some lean ground beef chew toy tossed to a pack of rabid weasels. 99.99% of the world doesn't use it, doesn't want to use it, and couldn't care less about it. The 0.01% that recognize its existence are about equally divided on the subject: Either they've already disabled VBScripting on their machines, or they're writing code to exploit the other 99.99%.

    Would you be happy with a caretaker for your house that leaves the key in the lock and puts up a sign that says "Gone Fishin' 'till Tuesday"? And they knew about it since they shoehorned basic scripting into Word 95. It is beyond my comprehension why people believe that scripting viruses "just happen", like they're some Normal price of doing business. You hear crap like "That Loser who wrote this virus should be shot!", or "We lost (m|b|tr)illions of dollars to Melissa/Zipped_Files/Good_Times, someone should pay!!!" And the folks never take the time to think

    "Why was it so damn easy to do?"

    Because they made it easy to do. I mean, LOOK AT THE CODE, folks. Melissa and its ilk are hardly rocket science. I_Love_You.vbs isn't a freakin' masterpiece. It's a script that should never have been allowed to run. Where's the security!!! Aunt Sally and Uncle Bob didn't want to run it. They don't know VBScript from Shinola. Yet, it ran on their box. Without their consent. Without their knowledge. And whacked all their files and mailed all their friends -- who continued the cycle.

    What do you hear from Microsoft: "You have to stay Vigilant!" and "Those Devious Geniuses! They Struck Again!", and the popular "No System Is Ever Free Of Bugs" They crank up the spin-fest and fill Joe User's head with cheezy crap that sounds like it came off a bottle of cheap shampoo: "Upgrade, Set Options, Pray, Repeat!"

    It never, ever had to be that way...

    Thanks for listening...

  10. There must be some kind of mistake. by leo.p · · Score: 5

    The W2K update button on my start menu informs me only that I should update to Media Player 7.

  11. Anyone notice this one? by Danse · · Score: 4

    This may be slightly OT, but this seems like the best place to post it since I doubt it would get a story of its own. Got this from the SANS Institute. Apparently another problem involving IE 4+ and Access 97 or 2K on just about every Windows platform. Don't think I've seen this one posted here. You can read about it here.

    --
    It's not enough to bash in heads, you've got to bash in minds. - Captain Hammer
  12. Re:C / C++ etc. by zorgon · · Score: 3
    Bring back pascal! What this country needs is strong type checking and a good national buffer defense! Vote for me in the next e-lection and I promise new F(nord)ederal regulations to require bounds checking for arrays and strings in all alpha, beta, and gold releases of all new compilers and interpreters. These evil buffer overflows must be stopped! Thank you, thank you very much.

    WWJD -- What Would Jimi Do?

    --

    I am quite civilized, and I should be brought a beer immediately. -- Bruce Sterling

  13. Re:MSNBC reports Microsoft Security Hole? by BenHmm · · Score: 3

    ah, but then again:

    the cure recommended so far is for everyone to upgrade to IE5.5 as soon as possible

    Now THAT'S marketing.

  14. My favorite line in the article by monaco · · Score: 3
    MSNBC.com learned of the flaw June 11, but agreed not to publish the information until Microsoft had a chance to supply a fix. That's standard practice in the computer security business in order to prevent possible harm to computer users.

    *rolls eyes* Do I even need to elaborate?

  15. Neither macro nor virus... by |0|4 · · Score: 5

    ...it's a buffer overflow.

    Outlook doesn't check the length of one of the date fields - a long string of data in that field will overflow a buffer. Once this has occurred, arbitrary code can be executed.

    The fix is to install IE 5.01 SP1 on any affected Windows platform. Or you can install IE 5.5 - but not on Win2K.

    More information is available in the posts to BugTraq and NTBugTraq, which is where I got the above information.

    --
    reverend lola
    the titanium sheep
    provider of steel wool
  16. There is a reason Lotus is losing by tilly · · Score: 3

    The interface.

    Need I say more?

    Cheers,
    Ben

    --
    My usual seat in the cluetrain is at http://pub4.ezboard.com/biwethey.ht
  17. Not really by Carnage4Life · · Score: 4

    The email is stored on a server, your mail client retrieves it and then parses it before storing it in your inbox. According to the MSFT security release, Outlook doesn't check that all the fields are the correct size while parsing it...thus buffer overflow.

    I thought by now, we'd be rid of buffer overflow bugs.

  18. Unfortunately there's a fundamental disconnect.. by ry4an · · Score: 3

    Unfortunately there's a fundamental disconnect in the corporate world between the security conscious admins and management. Management wants things easy and standardized, and (for the most part) admins want things secure. These exploits can crop up every week and it won't do a thing to convince management that Outlook is a bad choice.

    Admins will continue to throw in layer after layer of mail pre-filtering software at the delivery level, when they should really just be able to get a secure MUA on their users' desktops.
    --
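    The Date-header bug described by mangino (comment 7), |0|4 (comment 15) and Carnage4Life (comment 17), and the delivery-level pre-filtering ry4an mentions in comment 18, come down to one parser decision: whether the length of a header value is checked before it is copied into a fixed-size buffer. The C below is an added example written for this mirror, not Outlook's code and not code from any poster; the 64-byte buffer, the function names, and the two sample messages are all assumptions constructed for illustration. It shows the unchecked copy beside a bounded one, plus a delivery-time screen that quarantines a message whose Date value would not fit. Folded (continuation-line) headers are not handled, to keep the parser short.

```c
/* Added example: bounded "Date:" header extraction beside the unbounded
 * pattern the thread describes. Not Outlook's code. DATE_BUF, the function
 * names and the sample messages are assumptions for illustration only. */
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strncasecmp (POSIX) */
#include <stddef.h>

#define DATE_BUF 64    /* assumed fixed-size destination buffer */

enum date_status { DATE_OK = 0, DATE_MISSING = 1, DATE_TOO_LONG = 2 };

/* Find the value of the "Date:" header in a raw RFC 822 message. Headers end
 * at the first blank line. Returns a pointer to the value and its length
 * (up to end of line) via *len, or NULL if no Date header is present.
 * Header names are matched case-insensitively at the start of a line. */
static const char *find_date_value(const char *msg, size_t *len)
{
    const char *line = msg;
    while (*line && line[0] != '\n' && !(line[0] == '\r' && line[1] == '\n')) {
        if (strncasecmp(line, "Date:", 5) == 0) {
            const char *val = line + 5;
            while (*val == ' ' || *val == '\t') val++;
            const char *end = val;
            while (*end && *end != '\r' && *end != '\n') end++;
            *len = (size_t)(end - val);
            return val;
        }
        const char *nl = strchr(line, '\n');
        if (!nl) break;
        line = nl + 1;
    }
    *len = 0;
    return NULL;
}

/* VULNERABLE pattern (the bug class under discussion): the value is copied
 * into a fixed buffer without comparing len against the buffer size, so a
 * long Date value writes past out[]. Shown for contrast only; nothing in
 * this file calls it. */
static void copy_date_unchecked(const char *val, size_t len, char out[DATE_BUF])
{
    memcpy(out, val, len);
    out[len] = '\0';
}

/* Hardened version: refuse any value that does not fit, NUL included. */
static enum date_status copy_date_checked(const char *msg, char out[DATE_BUF])
{
    size_t len;
    const char *val = find_date_value(msg, &len);
    out[0] = '\0';
    if (!val) return DATE_MISSING;
    if (len >= DATE_BUF) return DATE_TOO_LONG;
    memcpy(out, val, len);
    out[len] = '\0';
    return DATE_OK;
}

/* Convenience wrappers with simple return values. */
int date_status_of(const char *msg)
{
    char buf[DATE_BUF];
    return (int)copy_date_checked(msg, buf);
}

/* Returns the extracted Date value (static storage), or NULL if it was
 * missing or too long. */
const char *extract_date(const char *msg)
{
    static char buf[DATE_BUF];
    return copy_date_checked(msg, buf) == DATE_OK ? buf : NULL;
}

/* Delivery-time screen of the kind ry4an describes: 1 = quarantine. */
int should_quarantine(const char *msg)
{
    return date_status_of(msg) == DATE_TOO_LONG;
}

/* Constructed sample (not a real capture). */
const char *SAMPLE_OK =
    "From: alice@example.invalid\r\n"
    "Date: Wed, 19 Jul 2000 19:26:00 -0400\r\n"
    "Subject: hi\r\n"
    "\r\n"
    "body\r\n";

/* Build a constructed message whose Date value is value_len bytes of 'A'.
 * Returns bytes written (excluding NUL), or 0 if dst is too small. */
size_t make_long_date_message(char *dst, size_t cap, size_t value_len)
{
    const char *head = "From: bob@example.invalid\r\nDate: ";
    const char *tail = "\r\nSubject: x\r\n\r\nbody\r\n";
    size_t hl = strlen(head), tl = strlen(tail);
    if (hl + value_len + tl + 1 > cap) return 0;
    memcpy(dst, head, hl);
    memset(dst + hl, 'A', value_len);
    memcpy(dst + hl + value_len, tail, tl + 1);
    return hl + value_len + tl;
}

/* A 200-byte Date value: well past the 64-byte buffer. */
const char *long_date_sample(void)
{
    static char msg[512];
    if (msg[0] == '\0') (void)make_long_date_message(msg, sizeof msg, 200);
    return msg;
}

int main(void)
{
    const char *d = extract_date(SAMPLE_OK);
    printf("normal:    status=%d date=\"%s\"\n", date_status_of(SAMPLE_OK), d ? d : "");
    printf("oversized: status=%d quarantine=%d\n",
           date_status_of(long_date_sample()), should_quarantine(long_date_sample()));
    return 0;
}
```

    The only difference between copy_date_unchecked and copy_date_checked is the comparison of len against the destination size; that single missing check is what turns a malformed header into arbitrary code execution on a mail client, and it is also why a pre-filter that rejects oversized header values at delivery time is a workable stopgap until the client itself is patched.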

  19. Finally a "clueful" Outlook exploit by Pac · · Score: 4

    I don't know about the rest of you, but I was rather tired of hearing the mass-media crying bloody murder against one or another teenager that happened to set free the newest and lamest VBA macro-virus.

    At least this time it is a real bug, not a feature, and it has Microsoft working overnight to correct it. Those who remember the glorious days of early sendmail versions know that we've already been there, done that.

  20. Other news stories on this vulnerability by nlvp · · Score: 3
  21. nothing to do with flexibility by kaisyain · · Score: 3

    This current exploit has nothing to do with flexibility. I bet if 95% of the world used Eudora, you'd be hearing more about its buffer overflows.

  22. Bugtraq by TheTomcat · · Score: 5

    Link on securityfocus is here

    Also, bugtraq archived here

    Now, to avoid everyone calling me a karma whore, here's my insight on the whole thing:

    USSR labs decided that they would hold back details until MS produced a fix. Understandable, I mean, they wouldn't want everyone to be developing exploits for the vulnerability while MS sits on it (Yes, I understand that security through obscurity doesn't work, but I'm sure that USSR would've released details if MS had refused to comply in a timely fashion). Anyway, I think that the problem is people actually getting/using the patch.

    Sure, sysadmins will probably do corporate work to clear this up, but people do worse jobs maintaining software than they do their cars. At least with cars, they know that the oil needs to be changed every 5000 or so KM, and that when the tread on the tires is bare, those need to be replaced. People are still using IE 3.0! Users are generally too lazy to upgrade software, even if there's a known security issue.

    That said, I'm as guilty as most of them.

    1. Re:Bugtraq by z4ce · · Score: 3

      The SANS alert does not apply to this exploit... I think Microsoft has outdone themselves on the "most serious exploit ever" all in the same week. That has to be some kind of record.

  23. Just publishing a patch isn't going to fix this... by StevenMaurer · · Score: 4

    The problem with real security issues like this one is the number of people who fail to keep up to date on all the latest patches. The infamous Morris worm, for instance, was essentially nothing more than a collection of exploits that had already been published and worked around. It's just that the relatively clueful, but overworked SysAdmins, hadn't installed them yet.

    I shudder to think how many clueless MS users will be out there with this vulnerability - even five years from now.