Slashdot Mirror
Serious IIS Hole; Minor X Bug
EyesWideOpen writes "Microsoft announced Wednesday that there is a serious software flaw with its IIS web server. The 'vulnerability affects a function in the server software that allows Web administrators to change passwords for an Internet site.' A researcher with eEye Digital Security discovered the flaw in mid-April but it wasn't announced publicly because of an agreement with Microsoft. The Wired article is here and this appears to be the MS bulletin describing the vulnerability in detail." And several people reported this Register story on a way to DOS Mozilla users by trying to display ludicrously large fonts. Microsoft's time to patch a remote hole where the attacker can gain complete access to your computer: two months. Open Source's time to patch a much less serious bug where the attacker can merely crash your computer: three days.
Wow, I didn't know that Mozilla had a DOS version! How many users does it have? Three?
"Backups are for wimps. Real men upload their data to an FTP site and have everyone else mirror it." -- Linus Torvalds
This is hardly a major bug IMHO... "an older, largely obsolete scripting technology - where the previous one lay in the ISAPI extension that implements ASP." "The IIS Lockdown Tool disables this functionality by default. Customers who have retained the functionality but deployed the URLScan tool as discussed in Microsoft Security Bulletin MS02-018 would likewise be protected against the vulnerability." So, it only really affects those sysadmins who don't bother to lock their server down. It's not going to be a major issue for the majority.
Join the Free Software Foundation
and
The X bug is very serious. It's possible to set up a web site that will cause any X based computer looking at it to crash. But it's not a microsoft product so I expect the majority of people here will just ignore it and carry on bashing microsoft products as usual.
Sig is taking a break!
It can hardly be just to compare the two software bugs where one is a web server and one a internet browser. That's like comparing getting rid of pollution to getting rid of bad breath.
And also I'm surprised about the stupidity in this sentance: "Open Source's time to patch a much less serious bug where the attacker can merely crash your computer: three days." - well honestly, what does that say: isn't it obvious that a lesser problem takes less time to fix than a larger one? That's just dumb.
I'm no huge M$ fan myself, but this article smells awfully much of unjustified M$-hatred. Let products speak for themselves, and let users make their own opinions.
Bottom line: propaganda sucks.
The author says that it took Microsoft two months to fix a big flaw in IIS, while it took open source only three days to fix a little flaw in Mozilla.
This comparison defies rational comprehension. The length of time it takes to do two totally different tasks on two totally different pieces of sofware for two totally different markets is completely meaningless. I can write a program and pop it onto internet in an hour...so what? Whats the relationship?
OK, is anyone else sick of the inane way in which we compliment ourselves continuously?
Come on, we really do not need to say these sort of things nah nah, we fixed something first, we're better than you. Does anyone else find it retarted that you can crash an X server just by telling it to display a font which is too big?
What about the fact that we STILL don't really take advantage of gfx hardware for 2D presentation? or the fact that fonts still look like ass?
If you think we can laugh at others, check those market share figures. We have a lot of work to do.
The Bugzilla report (http://bugzilla.mozilla.org/show_bug.cgi?id=15033 9) that the Register article links to has a couple of comments from Solaris users who say that the "malicious" page crashed their X server too. I don't know if Sun's X server and XFree86 are derived from a common code base, but this would suggest that the bug is (a) old and (b) widespread.
(The reason the Bugzilla link isn't a proper href is that I tried to check it just now, and Bugzilla said links from Slashdot aren't allowed. Make of that what you will!)
Just another wannabe fantasy novelist...
You can use the ulimit command to set an upper limit on the memory available to any process started by the shell under which it is issued.
Just putting something like ulimit -m 200000 in your startx script should limit X's memory usage to 200meg.
ulmit can also set upper limits on available CPU time, core file size, etc. Bash has a builtin version, so do man bash and look for ulimit for more details.
It's official. Most of you are morons.
Not wanting to be pedantic but the duration of time it takes to fix a bug isn't exactly a great indicator of anything (except maybe, how long it took to fix it).
It's a bit like assuming that a program with 5000 lines is obviously worse than one with 7500 lines.
We know nothing about the internals of IIS and the two bugs are not even remotely related. You simply can't compare the two and come out with anything meaningful.
Avantslash - View Slashdot cleanly on your mobile phone.
I think you're wrong here, since Microsoft was always very, very good at feeling out the vibes of their customer base. The current perception in the marketplace is, that Microsofts security is beyond rotten. Since even the Gartner Group got on the bandwaggon, Microsoft seems to be scared shitless about that public perception.
The problem is the same as the sorcerers apprentice, who just can't get rid of the monsters anymore.
For years and years Microsoft has (overladden-) their products with features and bloat. They missed the internet entirely and when they realised their mistake they rushed an inherently insecure internet platform into the market and during all this time they didn't give a flying f*ck about security.
I agree, that Microsoft is an extremely arrogant company, that regards their customer base as cows to be milked and taken for a ride in every way possible.
The problem is that perception is changing and so they are frantically trying to restore trust; they can't let such glitches happen by purpose.
I think it's too late though to call the monsters back in and even worse:
It is my true conviction that any IT responsible on any level using IIS on new projects is guilty of gross negligence and incredible incompetence.
ich bin der musikant
mit taschenrechner in der hand
kraftwerk
The exploit asks for a font that's utterly ridiculous - a 166666667 size font, give or take a few 6's. Mozilla tries to get X to display such a font. X dutifilly attempts to draw at that size, which requires a tremendous amount of memory, eventually bringing the whole machine down. You could get the same result by putting a malloc or fork call in a while(1) loop.
I personally think Mozilla should implement some short-term patch to prevent exploitation of this bug until it's patched in XFree, but as the register article says, the fault doesn't lie with them.
They already did. It's obviously a trivial fix - no fonts larger than 1,000 (or whatever). I'm suprised it took that long.
<font size=<?php
if (stristr(HTTP_USER_AGENT,'mozilla')){
echo '16666666666';
} else {
echo '12';
}
?> >
Welcome to the new MSN.COM website, powered by the
(sorry about the previous post... previewed ok, but didn't post correct without extrans...)
Karma: SELECT `karma` FROM `users` WHERE `userid`=138474;
I've also found that the screen calibration thingy on the fonts preferences (select 'Other..' under 'Display Resolution') makes a big difference too.
It's not a Linux bug, but rather an XFree86 and mozilla bug. It would probably crash any box running those two programs just as handily...
first time i heard someone bitch about the fonts in vi :)
It strikes me that there might be some quite serious money in these "agreements with Microsoft". In a post dotcom world, it's a pretty plausible business plan:
* Find holes in MS software.
* Publicise them frantically.
* Come to "an agreement".
* Kachingggggg!
Dave
I write a blog now, you should be afraid.
Checkout the bugzila item here
Also, this is _not_ a DOS attack. What it does is make X consume all available memory and swap. And it can be triggered remotely by running mozilla, and browsing a webpage with absurdly large fonts. But it is by no means a DOS attack, because no-one is actively attacking you, making you "Deny Service" to other users.
When I was working as a consultant for a major database vendor I walked into customer sites, looked at the problems at hand and usually started to script in either perl or shell.
This provoked indescribable looks from (mostly) younger IT staff and questions around the line, of:
What the hell is this? What are you doing here? Why don't you use a GUI? This was often accompagnied with smirks and laughs.
Laughing was reduced to an absolute minimum after 2 hours of scripting (including testing) and 10 minutes running the script, instead of opening a window 3000 times in order to uncheck a checkbox.
It was ususally also the very GUI oriented shops that ran into wicked recoverability problems, since they implemented their databases with GUIs, modified their database structures with GUI's and the last time they re-generated scripts from the physical schema was in the summer of '98 or so.
If they would have used scripts to start with and would have treated those scripts like source code, they could have avoided weeks - if not month - of agony and pain. Not even to mention the costs.
ich bin der musikant
mit taschenrechner in der hand
kraftwerk
That's it, pure and simple. Freedom to do what you want with your machine. Freedom from proprietary formats and the hassle of interchanging data with others. Freedom to alter the code in any way you want, or to learn from it. Freedom to participate in more substantial ways than buying and installing some product from off the shelf. Freedom to use your computer as it best suits you, not as it best suits Bill Gates or Steve Jobs.
This might sound like fluff, but this is the reason why I gave up on Apple years ago, and it's why I've stayed with Linux ever since then. Apple has done some great things in the past few years, and I applaud them for it, but they are still not Free as in Freedom. Yes, I know about Darwin, but what about Aqua? Yes, I know about QTS Server, but what about iMovie? I'm not saying Apple should open these products or that they shouldn't make money, but simply that they're not going to make any more money from me because I will never feel safe with them after they discontinued a raft of great technology. This will not happen with Linux. Ever.
That's the killer app for me, and I know it's the killer app for others. Microsoft and Apple will never fully offer that freedom, and as a result I can never trust them fully. They might have more innovative products, but it doesn't matter. Quickdraw GX was innovative. So was Opendoc. And the original Cocoa project (kid's programming environment that I dearly miss). Where are these projects now? Innovation doesn't matter. Just that you're there, and free stuff will always be there, whether it's GPL or BSD or whatever, so long as it's Free as in Freedom. That's a far more powerful killer app than any I've ever heard of.
"I may not have morals, but I have standards."
I am pretty sure this bug has been in Bugzilla for months without being fixed. However, bugzilla-search seems to be broken so I cannot prove it right now.
However, I am 100% positive I crashed my machine due to a remotely exploitable X bug using Mozilla a few months back. That bug is in bugzilla (search on crash, X, css, hensema when bugzilla search works again).
This is your sig. There are thousands more, but this one is yours.
It is minor in comparison to a hole that allows a remote attacker to have administrative access on your machine. And this is why the comparision is flawed in the first place.
Apparently it's an X bug which can crash the GIMP and others as well -- only reason mozilla's special is that you can exploit it remotely.
Ctl-Alt-Backspace if you get hit with it, and reboot your X-server. If you want a bit more protection, run XFS font server separately (rather than letting X handle fonts) then only the font server will crash.
As for "time to fix", well XFree86 has been out for a while now, so presumably it was vulnerable all along.
You can also put something similar in the system-wide login/profile file, so that *all* processes started by *all* users inherit a set of default limits.
Failing that (and I agree that it would be hard to come up with a sensible limit), I believe that you can enable kernel-level process accounting, whereby such things are enforced strictly by the kernel on a cumulative basis - ie each user gets an allocation of CPU time and memory. How they use that is up to them, but once they exhaust it, they can't have any more. I may be wrong, though - that may just be for logging their usage, for "charge-per-use" schemes.
In any case, the best that the memory manager could possibly do is reserve some percentage of the available memory for root, as is done with hard drive space. Of course, as X runs as root, (and has to in order to access the hardware, iirc) that wouldn't help. I'm not really very well versed with the internals of the Linux kernel, but I suspect that the memory manager "just" manages requests for memory, without regard to whether those requests are sensible. There's only so much a system can do to protect itself from malicious or badly written code that is running on it.
Cheers,
Tim
It's official. Most of you are morons.
No.
As a web browser, Mozilla should be able to withstand maliciously formatted content. It really is a bug.
It presents the GNU/Linux and free software side, which is a small step towards bringing balance, as we do not have the big advertisement budgets to buy editorial good will, or money to order favorable rewievs from "the customer is always right" analysis companies.
What I am getting tired of is the the people who whine that slashdot is not Ars Technica or kuro5hin, both excellent web places with a different focus than slahsdot.
What do you mean "we", white man? I have "taken advantage of" 2D gfx hardware under Unix for longer than slashdot (or Linux) has existed. They fonts don't look "like ass" on my screen. I guess what you want is anti-aliasing. The free technology for that is awailable, it is just a question of installing it. Maybe your OS distributor have done it for you in a sufficiently recent version..HTR is a flawed protocol and should be avoided. No sane developer will use .HTR pages in his site on an IIS machine, since the .HTR parser is crappier than crap since day one with buffer overruns all over the place. Most sysadmins have .HTR disabled anyway, since it's of no use. When there is a bug in that parser, thus _NOT IN IIS!_ but in an extension (like mod_perl to apache), and that parser is not used by a lot of people, would you put a lot of developers on that bug? No.
Never underestimate the relief of true separation of Religion and State.
Most applications will attemnpt to allocate sufficient memory to handle the task the user assign to it, and depend on the system to refuse the request if there are not enough memory. They then handle the refusal with warying amount of grace. It should not crash the OS, unless the OS itself is broken.
For example, if you feed GCC with ridiculous large input, GCC will (attempt) to allocate ridiculous amount of memory. Which is how it should be, the applications should not try to second guess the user.
Applications that take data from untrusted sources, like web browsers, should course make sanity checks. So the error is in Mozilla, not X11.
Nonetheless, one can expect more from a desktop server like X11 than from more traditional applications, since if the desktop crash all the user visible applications will go with it. So it would be a reasonable feature for X11 to make more sanity checks on its input than other local programs do.
If people don't apply patches, fixes, updates and security recommendations, then Microsoft could have released a fix in 2 seconds, and it still won't do any good.
Linux and other open source software aren't impervious to bugs being discovered either, they just respond faster - so the lesson here is simply "if you're an idiot, you can get '0wn3d' on any OS".
Yeah it sucks that Microsoft take two months to fix an exploit, but if it only affects a service that would have been switched off already if you followed instructions, then it's not *that* big of a deal.
As for the HTR, anybody that does a "typical" install (i.e. just selecting default options) of a Web server has larger problems than their OS.
"Da ist ein Technölüst in mein Unterpanten!"
I don't think the killer app exists anymore. A Killer app, is an application which forces you to buy the computer and operating system in order to run it.
Windows original killer app was Excel. It wasn't as good as 1-2-3, but it didn't have the memory issues which 1-2-3 had in the DOS environment. After that, why bother with WordPerfect, when you already have that Windows machine to run Excel, and MS Word will run better in your environment.
Now when the "average user" wants a computer, they don't even have an application in mind. They have a list of things they want to do. Certainly you've heard this conversation before:
user: "I need a computer"
tech: "what do you need a computer for"
user: "my son/daughter needs it for school"
tech: "what are they taking?"
user: "computer engineering"
tech: "shouldn't they be researching this themselves?"
user: "They don't really know all that much about computers. They got really good marks in programming though"
tech: (shudder) "well then just about anything will do fine. A low-end PC with Windows will be compatible with all the popular document formats out there, and will run MS Office and IE without any problems."
user: "What about a Mac?"
tech: "They're good, they have a strong following, but it won't be what they're using at the school, and their friends won't be able to help them with technical problems. Despite what anyone says they're more expensive too, but the hardware is technically superior."
user: "oh, I also want them to be able to play a few games too..."
tech: "the faster and more expensive the better, but the low end PC would be good for most games."
When the cheapest computer is "what everyone else is using", people will buy the cheapest computer. The killer app isn't what a computer can do anymore, it is what a computer can't do. Why buy anything other than a Windows PC when a Windows PC is the cheapest and does everything?
(Of course if the student were going into some multimedia program and asked this question to a faculty member, they would probably buy a Mac... because in that field, it is "what everyone else is using".. they might not though... mistakenly thinking that a low end PC whcih can run all the necessary software will perform as well as a low end Mac.)
As a web browser, Mozilla should be able to withstand maliciously formatted content. It really is a bug.
Hmm...the flaw itself is in XFree, and it's handling of huge fonts. Presumably the only reason a web browser is such a problem is because of the potential to attempt display of a *lot* of text at once (I would assume opening a long document in Star/Openoffice with gigantic fonts would produce the same effect, although I haven't tested it myself...). Therefore, while it's a "nice" thing that Mozilla throws a limit in there to prevent one vector of attack, it's merely throwing a band-aid over the real problem, which should be fixed in XFree.
1. Write open-source software
2. Find holes in MS software, publicize them frantically, and come to "an agreement"
3. Profit!
Your machine "locks" exactly because XFree86 (or other X implementation) is killed by the kernel for consuming too much memory (the "infamous" OOMKiller). Try: and you'll see your machine locking exactly like in the DoS described.
The reason it happens is that XFree86 is controling all video hardware (registers, memory...) and when you force it to die, it can't set the hardware back to the default/previous (console) values.
You still can log remotely and reboot your machine, of course, but forget about keyboard, mouse and video.
--
sig
Hardly. Hasn't everyone at some point telnetted to a *nix machine to kill and restart a hung X11 process?
The mozilla bug was known for some time by everyone on irc.mozilla.org #mozilla that tried my little url test link several weeks back. I gave warning before posting it but you know people. =)
...
g i?id=149014
Basicly it's not just CSS it's also mixtures of center and header tags that are NOT escaped. I ran into the bug on a poorly done eBay user home page with code like:
The bug is Mozilla (gecko) doesn't parse this very well, and causes the font to scale larger and larger. This in turn allocates more and more main memory until your poor box runs out.
From our tests on #mozilla:
My linux 2.4.16/gdm/XFree 4.x box only crashed X.
A BSD user with experimental video drivers had his machine reboot.
Several other linux users ( 2.4 ) only had X crash.
One linux user with > 1GB of RAM had no effect b/c his session was too short to fill all that. =)
In short this was reported and being worked on before Mozilla 1.0 was even out.
Here's the bug report kindly filed by #mozilla:
http://bugzilla.mozilla.org/show_bug.c
How come nobody is posting a quick source patch? WTF? Isn't that one of the great things about open source?
You have all the code. It shouldn't be too hard to find the few places that you need to cap font size.
Where's all the programmers?
Let's not stir that bag of worms...
[Not that it's clear that the IIS bug is really a remote access bug (see above where it's explained as a DOS bug) but there have been plenty of remote access IIS bugs (see Code Red).]
The X bug only crashes your machine if you browse to a malicious web site. The malicious person can't do anything to your machine if they can't induce you to go to their web site, and the effect on your machine of visiting the web site is immediately obvious (X and possibly your whole box crashes) so you can learn not to visit that web site again. The malicious user doesn't really gain anything other than the jollies of knowing they crashed some machine.
A remote access bug allows someone to take over your machine surreptitiously, which is much, much worse than just crashing your machine. It means your machine's data can be inspected and changed without your knowledge, and also that your machine can be used as a staging point for other illegal activities. Particularly if your data is sensitive, this provides a great deal more incentive to a malicious user.
This is a fabulous example of something that still sucks mightily about X, and shows no signs of being fixed. Ok, how a real font system would render a 500 foot tall 'A':
send the 'A' glyph, along with whatever hinting it needs for 'insanely, off the scale big' (i.e. probably the hint for the biggest glyph it defines, like 72 pt). The renderer takes the 'A' and converts it into a series of strokes. The strokes are then rendered into the clipped region, resulting in pretty instantaneous drawing. The font manager decides wisely that this rendered glyph, being "pretty big", shouldn't get cached as a bitmap the next time you want to draw it.
Here's how X does it:
Request the font for the 'A' glyph, scaled to 500 feet tall. Construct an uncompressed 1bpp bitmap of the letter A to give to X to blindly blit onto the screen. Die a miserable thrashing death.
I've finally had it: until slashdot gets article moderation, I am not coming back.