Slashdot Mirror


Microsoft's Goal, Security Through Obscurity?

dave cutler writes "Salon has an amusing little wire article claiming that Microsoft argues that were they to provide any greater technical detail about protocols and APIs, it would make computers running their operating system far more vulnerable to cracking attacks." Update: 05/09 13:59 GMT by M : The benefit to customers of Microsoft integrating internet services into the operating system, as well as Microsoft's commitment to security, are exemplified in this article which notes yet another remote root hole in Microsoft's code.

14 of 374 comments

  1. Re:Patches by Balinares · · Score: 3, Informative

    One word: Debian.
    Put security.debian.org in your sources.list conf file, and then the standard 'apt-get dist-upgrade' procedure will simply, automagically plug those naaaaasty holes. Debian might not be the best distro for everything, but it's great security-wise for a reason.

    --

    -- B.
    This sig does in fact not have the property it claims not to have.
  2. Re:WTF???? by Merlin42 · · Score: 5, Informative

    This is an overstatement. This bug can be triggered from a web page that references the MSN Chat ActiveX Control, so if at some time in the past you installed the control then you are vulnerable even if you use Trillian. The advisory states that the chat control is not installed by default with any other software so you are probably safe. Of course a better course of action for Trillian users would be to verify that the control is not installed and uninstall it if it is installed.

    This leads to a couple questions I do not personally know the answer to:
    Is there a way to uninstall ActiveX controls?!?
    Can I get a list of the ActiveX controls installed on my machine??!?

  3. Read the article by Mordaximus · · Score: 4, Informative
    IF you spent the time to read the article, instead of looking for sentences that outrage you, you might realise that the vulnerability affects the MSN Chat OCX.

    In an advisory today, Eeye warned that the flaw in the "MSN Chat OCX control" enables an attacker to "supply and execute code on any machine on which MSN Messenger with the ActiveX is installed."

    In other words, if those components are installed, even if you don't use them, you are at risk. You're right, it has nothing to do with Trillian.

    The author is right, completely right. Try reading next time.

  4. Re:Why? by Anonymous Coward · · Score: 1, Informative

    The only people who will benefit from liability laws on software are the lawyers.

    I for one would be afraid to release a stick of code - there's (almost) always -some- way to break any non-trivial system.

    Software costs would skyrocket, and programmers would have to get to know (and love) their own lawyers.

    A mess. Big mess. Bad for Microsoft, yes. Bad for everyone else who programs too.

  5. Allchin: States Plan Would Hurt Windows Security by burgburgburg · · Score: 3, Informative
    The antitrust remedy proposed by a number of states would weaken the security of Microsoft's operating systems according to Jim Allchin, Microsoft's senior vice president for Windows. He warned that too much disclosure of technical information in the wrong areas would benefit hackers and create more opportunity for virus attacks.

    "The more creators of viruses know about how antivirus mechanisms in Windows operating systems work, the easier it will be to create viruses or disable or destroy those mechanisms," Allchin testified.

    Allchin also warned that if Microsoft were compelled to disclose all the APIs and technical information the states are asking for, digital rights management would be compromised.

    From Tuesday, news.com http://news.com.com/2100-1001-900905.html

  6. Re:WTF???? by Software · · Score: 4, Informative
    Is there a way to uninstall ActiveX controls?!? Can I get a list of the ActiveX controls installed on my machine??!?
    I believe that c:\winnt\Downloaded Program Files is a fairly comprehensive list of the ActiveX controls downloaded to your machine. You can delete them from the same folder. However, ActiveX controls can also be installed by Setup programs, etc. You have to run the uninstall program and hope for the best, or do some Registry fiddling.
  7. MS certainly does have a concept of ROOT ! by Ashurbanipal · · Score: 3, Informative

    On DOS boxen (including, of course, all the non-VMS derived Windows releases, which boot COMMAND.COM and are thus DOS based) all local users are root superusers.

    Proof of concept: On a Windows 98 machine, cancel the "windows login" and start a DOS session. Now delete the entire filesystem (including hidden, system, and read-only files). Tada, it works, you are ROOT.

    On VMS-derived windows (such as all versions of Windows NT and of course Windows 2K) the root superuser account is named "Administrator" and is directly analogous to Unix "root"

    One of the reasons MS can't effectively compete against linux and the BSDs in the server market is that their systems include this same fatal weakness. At least *nix is stable!

    Incidentally, now that linux has "capabilities" built into the kernel, and Linus wants to put a resource handle into the filesystem API, the groundwork has been laid to get rid of this stupid root superuser concept and create a real successor to Unix rather than just a clone. Hopefully linux (or perhaps the Hurd) will one day incorporate all the strengths of Unix while jettisoning ancient kludges like "root" and the primitive "rwxrwxrwx" access control system.

    --Charlie

  8. truth by huckda · · Score: 1, Informative

    In my meager 3 years as a network admin/sysadmin
    I've been root'd 3 times on Redhat systems, 0 on NT/Windows...

    but the viral infections on the windows machines have caused a greater amount of woe than the 3 root hacks on Linux.

    Then again at the time I didn't know diddly about network/e-mail security...*shrugs* maybe I just got lucky.

    --
    "Just Smile and Nod." --Huck
  9. Security Focus - Microsoft Anti-Disclosure Plan by Seth Finkelstein · · Score: 5, Informative
    For some more technical coverage of Microsoft's views, take a look at

    Microsoft Reveals Anti-Disclosure Plan

    (emphasis in original)

    Five computer security firms join Microsoft to set an official standard for limiting disclosure of software security holes

    By Kevin Poulsen, Nov 9 2001 3:04AM

    MOUNTAIN VIEW, Calif.--Microsoft and five major computer security companies rounded up the three-day Trusted Computing Forum on Thursday by formally announcing a coalition against full disclosure of computer vulnerability information, ending a week of intense speculation, and immediately sparking controversy.

    ...

    A chief objective of the group is to discourage 'full disclosure,' the common practice of revealing complete details about security holes, even if publication might aid attackers in exploiting them.
    'If it becomes hard to release vulnerabilities, that's a good way for Microsoft to get rid of some embarrassment.'
    -- Marc Maiffret, eEye Digital Security

    Sig: What Happened To The Censorware Project (censorware.org)

  10. Re:Linux by Anonymous Coward · · Score: 1, Informative

    The interfaces are consistent

    Maybe your company's interfaces are consistent, but Linux, as a whole, hardly has consistent user interfaces. I don't see how any OS that "boasts" about 30 different GUI toolkits can possibly offer a consistent user interface experience (unless one limits oneself to KDE or GNOME).

    When these boxes had win2k on them, it was not uncommon for them to crash upwards of 2-3 times per day.

    Then obviously there was something frightfully wrong with your computer manufacturer or you had a grossly incompetent system administrator. I've been running Win 2000 for many months now, for days straight between shutdowns, and I've only had it crash once. I've also heard similar stories of Win 2000 and XP stability from most of the people I know who use them.

  11. ActiveX removal by Sheetrock · · Score: 2, Informative
    Programs exist to do this sort of thing, but given that ActiveX controls seem to require a GUID (globally-unique identifier) to operate you could try to track these down in the registry and remove them. You of course run a good risk of breaking things this way...

    I'm not running Windows, so I don't remember where it stashes the GUIDs for lookup. HKEY_LOCAL_MACHINE\Software\Classes might be a place to start, or you could wade through all the links an "ActiveX registry" search on Google will get you in order to find something more adequate.

    --

    Try not. Do or do not, there is no try.
    -- Dr. Spock, stardate 2822-3.
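
For the question raised in comments 2, 6 and 11 (how to list installed ActiveX controls), an example added here that is not part of the original thread: it inventories the controls Internet Explorer has downloaded and reports whether each one has the kill bit set. The `Code Store Database\Distribution Units` and `ActiveX Compatibility` registry keys and the 0x400 flag are not named in the thread; they are where Internet Explorer records downloaded controls and kill bits.

```powershell
# Added example (not from the thread): list ActiveX controls that Internet
# Explorer downloaded and show whether IE is blocked from loading each one.
$units   = 'HKLM:\SOFTWARE\Microsoft\Code Store Database\Distribution Units'
$clsids  = 'Registry::HKEY_CLASSES_ROOT\CLSID'
$compat  = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'
$killBit = 0x400   # "Compatibility Flags" bit that stops IE instantiating a control

# Return a key's default value, or nothing if the key does not exist.
function Get-DefaultValue([string]$Path) {
    if (Test-Path -LiteralPath $Path) {
        (Get-Item -LiteralPath $Path).GetValue('')
    }
}

Get-ChildItem -LiteralPath $units -ErrorAction SilentlyContinue | ForEach-Object {
    $id = $_.PSChildName          # usually the control's {CLSID}

    # Read the compatibility flags for this CLSID, defaulting to 0 (no kill bit).
    $flags = 0
    $compatKey = Join-Path $compat $id
    if (Test-Path -LiteralPath $compatKey) {
        $flags = [int](Get-Item -LiteralPath $compatKey).GetValue('Compatibility Flags', 0)
    }

    [pscustomobject]@{
        Clsid      = $id
        Name       = Get-DefaultValue "$clsids\$id"                 # friendly name
        Binary     = Get-DefaultValue "$clsids\$id\InprocServer32"  # .ocx/.dll on disk
        KillBitSet = [bool]($flags -band $killBit)
    }
} | Sort-Object KillBitSet, Name | Format-Table -AutoSize
```

Controls installed by a setup program rather than downloaded by the browser do not appear under `Distribution Units`, which matches the caveat in comment 6. On 64-bit Windows, 32-bit controls are registered under the corresponding `Wow6432Node` keys.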




  12. Re:not so crazy? by thelexx · · Score: 5, Informative

    "For one thing, it doesn't explain the frequent security flaws in Linux and Apache. To continue the analogy, there are so many holes, it looks like a golf course."

    From the SecurityFocus vulnerability db:

    IIS since 5.0 - 56 entries
    Apache since 1.3.17 - 7 entries

    Your argument is flawed at best, outright FUD at worst.

    LEXX

    --
    "Gold still represents the ultimate form of payment in the world." - Alan Greenspan, 1999
  13. Every crash is probably another exploitable hole by tz · · Score: 5, Informative

    And Microsoft still crashes a lot.

    You are running some program and do something interesting, like accidentally pasting a text document onto a URL and something crashes. Ah. Try it again. OK, if it is over 4800 or so bytes it crashes, bring up the debugger. Ah, at 4894 is the stack where the IP...

    Here is the specific difference between closed and open models.

    If I find it on Microsoft, about the only thing I can do is write a sploit for the skript kiddiez. Of course I can contact Microsoft, but they won't respond for the shorter of 4 months, or when the skript kiddiez get going. Even then it usually takes two weeks for a hotfix that breaks half the software on the server, and then another two weeks for a fix for the fix that I can apply. [Don't worry, I haven't run anything from Microsoft for several months and hope to stay Microsoft Free as much as possible].

    If I find it on GNU/BSD/Linux, I pull up the source, add a test or whatever I deem appropriate and send a patch with a description of the problem and fix to the maintainer along with a little chiding about how embarrassing it should be to have such a hole. And the minor version is incremented the next day, so everyone doing apt-get regularly won't be affected, and in a few days every distribution will have it added to the security update section.

    Even if I had the source to Micros... I probably wouldn't have enough to recompile or fix things. I could find the line of code causing the problem, but anyone who can write a sploit can read disassembly.

    Microsoft's integration makes the problem worse since any problem with what should be middleware runs in the OS. A Netscape flaw on Linux wouldn't get you root (at least not directly - you would have to find a suid flawed program). But any problem with Outlook and/or IE gives you more than enough to cause problems.

    Again, and to summarize, any software defect has a good potential to be exploited, without the source, so simply running something until it crashes (at least on MS) is a much more productive way to mine for exploitable security holes than reading through the source. The integration within MS software (the browser is part of the OS) makes the OS vulnerable because it includes the middleware, making it much larger and more complex (a flaw in IE thus *IS* a flaw in the OS), and as such cannot be sand-boxed easily.

  14. Re:yet another ROOT hole in MS Code? by Col. Panic · · Score: 3, Informative

    Processes on Windows NT run in "Rings". From the MSDN knowledge base:

    The core of a Win32 operating system runs at Ring 0 (kernel or supervisor mode), which is the highest privilege level.