Slashdot Mirror


Report Of New Outlook Exploit

viktor_haag writes: "Report on MSNBC today of a new vulnerability that exploits a hole in (at least) Microsoft Outlook. The bad news is -- this time you don't even have to read the email; in fact, the exploit can take place before Outlook even places the email in your Inbox. Looks to involve overloading the message's Date header field. MS says they're going to release a security patch on July 19 to fix this hole." The irony is of course that we're so jaded by all these sad macro viruses that when something this serious hits, we shrug it off as 'Just another security hole,' but this one is massive.

12 of 314 comments

  1. Non-Report of New Linux NFS Remote Root Exploit by The Pim · · Score: 5

    Posted never by no-one
    from the not-all-that-surprising dept.
    Yes, remote root on recent versions of (probably) all Linux-based systems that include NFS. Fortunately, most of them seem to have issued updates already. See the Security Focus Record for a summary (and, yes, an exploit). The irony is of course that we pretend to be concerned with security, but we really care only for ridiculing Microsoft, so when something this serious hits Linux, we don't even report it.

    --

    The evaluation of an action as 'practical' . . . depends on what it is that one wishes to practice.
  2. "OOPS, I did it again" by Bill Gates by Anonymous Coward · · Score: 5

    "Oops...I Did It Again"
    by Bill Gates

    Yeah yeah yeah yeah yeah yeah
    Yeah yeah yeah yeah yeah yeah

    I think I did it again
    I made you believe you've got security
    Oh baby
    It might seem like a feature
    But it doesn't mean that I'm serious
    'Cause to lose all my reason
    That is just so typically me
    Oh baby, baby

    :Chorus:
    Oops!...I did it again
    I created a bug, got lost in the game
    Oh baby, baby
    Oops!...You think it's secure
    That it's sent from above
    I'm not that innocent

    You see my problem is this
    I'm dreaming away
    Wishing that bugs, they don't exist
    I cry, watching bugtraq
    Can't you see I'm a fool in so many ways
    But to lose all my customers
    That is just so typically me
    Baby, oh

    :Chorus:
    Oops!...I did it again
    I created a bug, got lost in the game
    Oh baby, baby
    Oops!...You think it's secure
    That it's sent from above
    I'm not that innocent

    Yeah yeah yeah yeah yeah yeah
    Yeah yeah yeah yeah yeah yeah

    "All aboard"
    "Bill, before you go, there's something I want you to have"
    "Oh, it's beautiful, but wait a minute, isn't this...?"
    "Yeah, yes it is"
    "But I thought the old lady dropped it into the ocean in the end"
    "Well Billy, I went down and got it for you"
    "Oh, you shouldn't have"

    Oops!...I did it again to your trust
    Got lost in denial, oh baby
    Oops!...You think that I'm sent from above
    I'm not that innocent

    :Chorus:
    Oops!...I did it again
    I played with your heart, got lost in the game
    Oh baby, baby
    Oops!...You think I'm in love
    That I'm sent from above
    I'm not that innocent

    :Chorus:
    Oops!...I did it again
    I created a bug, got lost in the game
    Oh baby, baby
    Oops!...You think it's secure
    That it's sent from above
    I'm not that innocent

  3. Just to be fair here... by kiscica · · Score: 5

    This bug is a standard buffer overflow vulnerability, an accident, and not a design bug like automatic or near automatic execution of executable mail content (sheesh), responsible for the previous mail worms and viruses. I do not want to be seen as defending Microsoft's practices, their ideals, or their bad program designs (e.g. aforementioned executable mail content). HOWEVER, a buffer overrun bug like this is not an inherent misfeature of Microsoft's design. It's a bug plain and simple, and furthermore one that has affected and continues to affect many, many Unix programs. This could have happened to "us", in other words. (If there were a buffer overrun problem in fetchmail, for example -- there isn't, but suppose there were.)

    We can and should rail at Microsoft for designing in weaknesses like that which made the ILOVEYOU fiasco possible. With a buffer overflow problem, I think that the "may he who is without sin cast the first stone" principle must apply. One of their anonymous programmers made a serious mistake. Same mistake has been made, over and over, in virtually every Unix system daemon since the Epoch. They get fixed (with an alacrity usually proportional to the consequences of an exploit) and that's that.

    And though I passionately believe in Open Source, please note that the fact that the source for most of those daemons has been examined by thousands and thousands of people, they never got fixed all at once. For example, -every- Red Hat Linux distribution in memory has fixed some buffer overruns and introduced others....

    kiscica

  4. Re:Just publishing a patch isn't going to fix this by jbrw · · Score: 4

    Win98 has an optional feature that will periodically contact Microsoft when you're connected to the internet to download a list of updates/patches, etc. Apparently no information is sent to Microsoft. All very similar to Helix Gnome.

    Of course, OS/2 was doing this in about '94 (via gopher rather than http, if I remember correctly).

    ...j

  5. It's not about Suckage, it's about Security. by Tildedot · · Score: 5
    You said:
    I'd like to see all the "MS SUCKS!!!" people in here sit down and write an app that does everything OutLook can do. Yes, it has its problems but you can patch it, just like everything else. Until there is another alternative, even a close one, people won't switch.

    Newsflash: Some Companies Don't Use Outlook.

    We don't. Why is that? Is it because we have a single app that does everything Outlook can do? No. Did management like its scheduling? Yeah, they were impressed. But, I wasn't hired to point, click, giggle, and approve everything Management wants to run. It's part of my job to build viable systems for my company. So, before we pop for a system, we audit the crap out of it: Outlook/Exchange doesn't even come close to cutting it, "features" or not.

    See, we have a different view on the Web. An example: Since our first purchase of bsafe licenses from RSA labs, some 5 years ago, we've run a secure inter- and intra-net for our clients and employees. Scheduling, Calendars, Mail, Document Sharing/Transfer, Routing, Storage, Directory Services, some B2B and Timesheets, Printing and PDF generation from Word Documents and Faxes.

    As for bugs; well, we're always in development :^) We've had several minor security issues, some early ones were, like this, bounding checks that didn't. Some memory leaks in 3rd party libraries. A few browser issues. Harmless stuff. Never whacked a file, or accessed secure information without the consent of the user. Never. As lead developer, I can honestly claim that our product easily does more than Outlook, and is virtually browser independent (SSL the only requirement). (Of course, you could just shitcan my comment, because it's a Server app, and not a Win client app, and we don't sell it, and..and...:)

    Anyway, I can walk the walk. So, let's talk the talk.

    There is no excuse for shoddy code and poor design at the Enterprise level. None. There are tons of relatively inexpensive tools that take care of beginner mistakes (like bound checking) for you, and may I remind you Microsoft should not be a beginner. Where are the coding wizards that bloated the Doom egg into Excel? And don't even start to whinge to me about "so many lines of code crap", either. I don't care how many lines you bloat into a product: if the design is poor, you're in for the big lose. And, make no mistake about it, the VBScript security concept is simply Nonexistent. A pathetic afterthought -- a late-night crapfest of coding that makes the I_Love_You virus read like Shakespeare.

    To make matters worse, Microsoft leveraged the farm on the VB Concept. Every "application" has a backdoor^h^h^h(Screw it, it's a backdoor) propped open wider than the fridge at an "All-you-can-drink" Mardi Gras party in the Big Easy.

    Uh...Wait...My Spidey Senses are telling me that the party line at Microsoft is that all this scriptability is The Big Win for productivity! Really!! You can cut/paste/drag/drop/bone/fillet/chop bits between all your apps! Isn't that exciting? Huh? Don't you want to be able to execute arbitrary code from an Excel spreadsheet, popped open by an untrusted 3rd party .OCX, driven by an Access 02 database automagically opened in Word?!? MmmmBoy!!! Smell That Innovation!

    Got some not-so-much-news for you guys. That mind-numbing stench isn't innovation. It's a deceptively high-minded concept for individual power users, viciously mangled by Microsoft's complete inexperience with the multi-user/internet like some lean ground beef chew toy tossed to a pack of rabid weasels. 99.99% of the world doesn't use it, doesn't want to use it, and couldn't care less about it. The 0.01% that recognize its existence are about equally divided on the subject: Either they've already disabled VBScripting on their machines, or they're writing code to exploit the other 99.99%

    Would you be happy with a caretaker for your house that leaves the key in the lock and puts up a sign that says "Gone Fishin' 'till Tuesday"? And they knew about it since they shoehorned basic scripting into Word 95. It is beyond my comprehension why people believe that scripting viruses "just happen", like they're some Normal price of doing business. You hear crap like "That Loser who wrote this virus should be shot!", or "We lost (m|b|tr)illions of dollars to Melissa/Zipped_Files/Good_Times, someone should pay!!!" And the folks never take the time to think

    "Why was it so damn easy to do?"

    Because they made it easy to do. I mean, LOOK AT THE CODE, folks. Melissa and its ilk are hardly rocket science. I_Love_You.vbs isn't a freakin' masterpiece. It's a script that should never have been allowed to run. Where's the security!!! Aunt Sally and Uncle Bob didn't want to run it. They don't know VBScript from Shinola. Yet, it ran on their box. Without their consent. Without their knowledge. And whacked all their files and mailed all their friends -- who continued the cycle.

    What do you hear from Microsoft: "You have to stay Vigilant!" and "Those Devious Geniuses! They Struck Again!", and the popular "No System Is Ever Free Of Bugs" They crank up the spin-fest and fill Joe User's head with cheezy crap that sounds like it came off a bottle of cheap shampoo: "Upgrade, Set Options, Pray, Repeat!"

    It never, ever had to be that way...

    Thanks for listening...

  6. There must be some kind of mistake. by leo.p · · Score: 5

    The W2K update button on my start menu informs me only that I should update to Media Player 7.

  7. Anyone notice this one? by Danse · · Score: 4

    This may be slightly OT, but this seems like the best place to post it since I doubt it would get a story of its own. Got this from the SANS Institute. Apparently another problem involving IE 4+ and Access 97 or 2K on just about every Windows platform. Don't think I've seen this one posted here. You can read about it here.

    --
    It's not enough to bash in heads, you've got to bash in minds. - Captain Hammer
  8. Neither macro nor virus... by |0|4 · · Score: 5

    ...it's a buffer overflow.

    Outlook doesn't check the length of one of the date fields - a long string of data in that field will overflow a buffer. Once this has occurred, arbitrary code can be executed.

    The fix is to install IE 5.01 SP1 on any affected Windows platform. Or you can install IE 5.5 - but not on Win2K.

    More information is available in the posts to BugTraq and NTBugTraq, which is where I got the above information.

    --
    reverend lola
    the titanium sheep
    provider of steel wool
  9. Not really by Carnage4Life · · Score: 4

    The email is stored on a server, your mail client retrieves it and then parses it before storing it in your inbox. According to the MSFT security release, Outlook doesn't check that all the fields are the correct size while parsing it...thus buffer overflow.

    I thought by now, we'd be rid of buffer overflow bugs.
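
The length check that comments 8 and 9 say was missing, as an added example (not part of the thread and not Outlook's code): the Date value is measured before it is copied into a fixed buffer, and an oversize value is rejected. `DATE_MAX`, `get_date_header` and the sample message are assumptions made for the illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#define DATE_MAX 64   /* assumed cap; a well-formed Date value is ~31 bytes */
enum date_status { DATE_OK, DATE_MISSING, DATE_TOO_LONG };

/* Bug class for contrast: strcpy(date, value) into char date[DATE_MAX]
 * copies until the NUL and never consults the size of the destination. */
static int is_date_field(const char *line, size_t len)
{
    static const char name[] = "date:";
    if (len < 5) return 0;
    for (size_t i = 0; i < 5; i++)
        if (tolower((unsigned char)line[i]) != name[i]) return 0;
    return 1;
}

/* Copy the Date value from a raw header block into out[outsz]. The length
 * is measured before copying; oversize values are rejected, not truncated,
 * so the caller can quarantine the message. Folded headers are not handled. */
enum date_status get_date_header(const char *hdrs, char *out, size_t outsz)
{
    if (outsz == 0) return DATE_TOO_LONG;
    out[0] = '\0';
    for (const char *line = hdrs; *line && *line != '\r' && *line != '\n'; ) {
        size_t len = strcspn(line, "\r\n");       /* length of this header line */
        if (is_date_field(line, len)) {
            const char *val = line + 5;
            size_t vlen = len - 5;
            while (vlen > 0 && (*val == ' ' || *val == '\t')) { val++; vlen--; }
            if (vlen >= outsz) return DATE_TOO_LONG;  /* leave room for NUL */
            memcpy(out, val, vlen);
            out[vlen] = '\0';
            return DATE_OK;
        }
        line += len;
        if (*line == '\r') line++;
        if (*line == '\n') line++;
    }
    return DATE_MISSING;                           /* blank line ends headers */
}

int main(void)
{
    char date[DATE_MAX];   /* constructed sample message below */
    const char *msg = "From: a@example.com\r\nDate: Tue, 18 Jul 2000 10:00:00 -0400\r\n\r\nhi";
    printf("%d %s\n", get_date_header(msg, date, sizeof date), date);
}
```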

  10. Finally a "cluefull" Outlook exploit by Pac · · Score: 4

    I don't know about the rest of you, but I was rather tired of hearing the mass-media crying bloody murder against one or another teenager that happened to set free the newest and lamest VBA macro-virus.

    At least this time it is a real bug, not a feature, and it has Microsoft working overnight to correct it. Those who remember the glorious days of early sendmail versions know that we've already been there, done that.

  11. Bugtraq by TheTomcat · · Score: 5

    Link on securityfocus is here

    Also, bugtraq archived here

    Now, to avoid everyone calling me a karma whore, here's my insight on the whole thing:

    USSR labs decided that they would hold back details until MS produced a fix. Understandable, I mean, they wouldn't want everyone to be developing exploits for the vulnerability while MS sits on it (Yes, I understand that security through obscurity doesn't work, but I'm sure that USSR would've released details if MS had refused to comply in a timely fashion). Anyway, I think that the problem is people actually getting/using the patch.

    Sure, sysadmins will probably do corporate work to clear this up, but people do worse jobs maintaining software than they do their cars. At least with cars, they know that the oil needs to be changed every 5000 or so KM, and that when the tread on the tires is bare, those need to be replaced. People are still using IE 3.0! Users are generally too lazy to upgrade software, even if there's a known security issue.

    That said, I'm as guilty as most of them.

  12. Just publishing a patch isn't going to fix this... by StevenMaurer · · Score: 4

    The problem with real security issues like this one is the number of people who fail to keep up to date on all the latest patches. The infamous Morris worm, for instance, was essentially nothing more than a collection of exploits that had already been published and worked around. It's just that the relatively clueful, but overworked SysAdmins, hadn't installed them yet.

    I shudder to think how many clueless MS users will be out there with this vulnerability - even five years from now.