Slashdot Mirror


Serious IIS Hole; Minor X Bug

EyesWideOpen writes "Microsoft announced Wednesday that there is a serious software flaw with its IIS web server. The 'vulnerability affects a function in the server software that allows Web administrators to change passwords for an Internet site.' A researcher with eEye Digital Security discovered the flaw in mid-April but it wasn't announced publicly because of an agreement with Microsoft. The Wired article is here and this appears to be the MS bulletin describing the vulnerability in detail." And several people reported this Register story on a way to DOS Mozilla users by trying to display ludicrously large fonts. Microsoft's time to patch a remote hole where the attacker can gain complete access to your computer: two months. Open Source's time to patch a much less serious bug where the attacker can merely crash your computer: three days.

36 of 467 comments

  1. DOS Mozilla users??? by Xpilot · · Score: 5, Funny


    Wow, I didn't know that Mozilla had a DOS version! How many users does it have? Three?

    --
    "Backups are for wimps. Real men upload their data to an FTP site and have everyone else mirror it." -- Linus Torvalds
  2. Only affects HTR - a rarely used feature by byolinux · · Score: 5, Informative

    This is hardly a major bug IMHO... "an older, largely obsolete scripting technology - where the previous one lay in the ISAPI extension that implements ASP." "The IIS Lockdown Tool disables this functionality by default. Customers who have retained the functionality but deployed the URLScan tool as discussed in Microsoft Security Bulletin MS02-018 would likewise be protected against the vulnerability." So, it only really affects those sysadmins who don't bother to lock their server down. It's not going to be a major issue for the majority.

    1. Re:Only affects HTR - a rarely used feature by erlando · · Score: 4, Insightful
      But you are forgetting the vast amount of users running IIS without knowing it by way of having installed Win2K with indexing services and what not.

      The majority of Code Red attacks came (and is still coming) from private users that have never even heard of a Microsoft Security Bulletin, the URLScan tool or the Lockdown Tool.

      Sadly these types of users are still in the majority.

      --
      Remember, there are no stupid questions. But there are a lot of inquisitive idiots.
    2. Re:Only affects HTR - a rarely used feature by edrugtrader · · Score: 4, Funny

      "this really affects those [microsoft] sysadmins who don't bother to lock their server down"...

      ...right... so EVERYONE is affected... hardly a major bug at all.

      --
      MARIJUANA, SHROOMS, X: ONLINE?! - E
  3. Incorrect ! by dnaumov · · Score: 5, Informative
    This article is incorrect. That bug is an XFree86 bug and not a Mozilla bug. It's not fixed, although it's possible that it's been worked around in Mozilla. Read the text itself, I think it says:
    X-windows, with or without the font server (XFS) running can be crashed remotely via Mozilla when fonts are set to an unnaturally large size with CSS (Cascading Style Sheets), Tom Vogt of Lemuira.org has reported.

    and
    "An X bug allows all available memory to be consumed, which causes the system to freeze. The behavior can be duplicated with applications like the Gimp, we're told, but these aren't remotely exploitable. But with Mozilla, a pest can easily set up a malicious Web site which will crash unsuspecting Tuxers' boxen and cause any unsaved data in open apps to go away."
    1. Re:Incorrect ! by Phil+Gregory · · Score: 4, Interesting

      As pointed out in several posts to Bugtraq, yes, the actual bug is in X (probably in libXfont) but Mozilla is a program that retrieves untrusted data across a network and, as such, has a responsibility to reject or sanitize data that could cause problems. The old Internet maxim is, "Be liberal in what you accept and conservative in what you send," but that doesn't mean you shouldn't also do some sanity checking.


      --Phil (Ardent Bugtraq follower.)
      --
      355/113 -- Not the famous irrational number PI, but an incredible simulation!
  4. What rubbish by johnburton · · Score: 4, Interesting

    The X bug is very serious. It's possible to set up a web site that will cause any X based computer looking at it to crash. But it's not a microsoft product so I expect the majority of people here will just ignore it and carry on bashing microsoft products as usual.

    --
    Sig is taking a break!
    1. Re:What rubbish by krmt · · Score: 5, Insightful
      I agree that the X bug is very serious (and I'm particularly worried about it because Debian doesn't even have the newest XFree86 revision in it, so where am I going to get the patch for this) but there is a difference in terms of the problem.

      This is a lot easier to exploit for the malicious hacker than the IIS bug. You just set up a page with huge fonts and that's it, you've crashed X. But the payoff for that is a laugh at the (relatively) rare X user who visits your site.

      As for the IIS bug, I'll just quote the Wired article...
      Microsoft acknowledged a serious flaw Wednesday in its Internet server software that could allow sophisticated hackers to seize control of websites, steal information and use vulnerable computers to attack others online.
      This, in my opinion, is a lot worse than simply crashing X. Hell, my Windows 98 crashes almost daily but that doesn't stop me from using it. Crashing isn't so bad. Black Hats stealing information and gaining control of my computer, that's bad.
      --

      "I may not have morals, but I have standards."

  5. No way of comparing the two bugs by Anonymous Coward · · Score: 4, Insightful

    It can hardly be just to compare the two software bugs where one is a web server and one an internet browser. That's like comparing getting rid of pollution to getting rid of bad breath.

    And also I'm surprised about the stupidity in this sentence: "Open Source's time to patch a much less serious bug where the attacker can merely crash your computer: three days." - well honestly, what does that say: isn't it obvious that a lesser problem takes less time to fix than a larger one? That's just dumb.

    I'm no huge M$ fan myself, but this article smells awfully much of unjustified M$-hatred. Let products speak for themselves, and let users make their own opinions.

    Bottom line: propaganda sucks.

  6. Flawed logic by rufusdufus · · Score: 4, Insightful

    The author says that it took Microsoft two months to fix a big flaw in IIS, while it took open source only three days to fix a little flaw in Mozilla.
    This comparison defies rational comprehension. The length of time it takes to do two totally different tasks on two totally different pieces of software for two totally different markets is completely meaningless. I can write a program and pop it onto the internet in an hour...so what? What's the relationship?

    1. Re:Flawed logic by uglyduckling · · Score: 4, Insightful
      MS has armies of well paid programmers who know the software inside out, is in the middle/end of an apparently unilateral security review, and has taken two months to patch a hole in their flagship web server product.

      Mozilla has - well perhaps a relatively small army of programmers, many of whom are voluntary, and managed to patch a bug that is really only a pain in three days.

      Yes - you can't quantitatively compare the two and say that Mozilla is x percent more efficient/reliable/whatever than MS, but you can make a qualitative comparison and ask why MS took an order of magnitude longer time to respond. Even if we give MS the benefit of the doubt and assume that the IIS hole is much harder to patch than the Moz hole, MS should have and could have thrown much more resources at the problem to make sure it got fixed within a week - but they didn't.

    2. Re:Flawed logic by dregs · · Score: 4, Insightful

      The core point is how long it took to test the fix. Many, many Mozilla fixes cause regressions elsewhere.

      In General (i.e. not these particular problems)

      I'd bet the MS had the fix inside three days as well, it then took (At a guess)

      2 weeks for internal regression testing
      4 weeks for external large scale customer testing and feedback
      2 weeks to get the documentation, patches and everything out for wide scale deployment.

      All in all that's pretty fast.

      With Mozilla I'd say

      3 days to fix
      1 day to apply fix
      3 - 5 days to get testers to try the nightly build
      numerous days of people complaining about fix
      1 day * 3 as patch is removed
      1 day as patch is reapplied

      etc
      you get the idea
      (I have used Mozilla for the last 12 months on a daily basis, so don't think this is a Mozilla b

    3. Re:Flawed logic by gotan · · Score: 4, Informative

      I don't believe that MS does so much testing for their patches. I have heard enough about MS patches not fixing the bug/hole they're supposed to, causing new problems, or not playing well with some applications (i.e. causing them to crash). How can that happen if MS did all that testing you describe? Also I really wonder why it should take two weeks to put a patch on a web server and write brief documentation about it, especially since they've enough time to put together documentation while doing internal testing (they need that anyway for customer testing).

      And while some (unsure about the percentage) Mozilla fixes cause regressions, they often hit the nail on the head with the first patch. In that ideal case the bug is squished within 3 days. Even if your "schedule" for Mozilla fixes were correct, the Mozilla developers can do four iterations of that in the six weeks it takes MS to issue their first patch. Then you assume that usually MS gets the fix right the first time, but if they don't and find a regression after one week of internal testing they have to iterate too until they get it right, and it'd be about as fast as an iteration in the Mozilla case. If they catch it in the first week of "customer testing" they need 3.5 weeks for a cycle.

      The advantage of the Mozilla strategy is that as soon as the patch is ready, anyone can test it (and at least the big Linux distributions probably do so), and if there is a problem with a patch, information gets back to the developers much earlier.

      --
      "By the way if anyone here is in advertising or marketing... kill yourself." -- Bill Hicks
  7. Sick and tired of this self congratulation by matusa · · Score: 5, Insightful

    OK, is anyone else sick of the inane way in which we compliment ourselves continuously?

    Come on, we really do not need to say these sorts of things: nah nah, we fixed something first, we're better than you. Does anyone else find it retarded that you can crash an X server just by telling it to display a font which is too big?

    What about the fact that we STILL don't really take advantage of gfx hardware for 2D presentation? or the fact that fonts still look like ass?

    If you think we can laugh at others, check those market share figures. We have a lot of work to do.

  8. Re:Serious Linux Flaw? by Tim+C · · Score: 5, Informative

    You can use the ulimit command to set an upper limit on the memory available to any process started by the shell under which it is issued.

    Just putting something like ulimit -m 200000 in your startx script should limit X's memory usage to 200meg.

    ulimit can also set upper limits on available CPU time, core file size, etc. Bash has a builtin version, so do man bash and look for ulimit for more details.
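The same cap the comment above sets from a startx script, installed from inside a program instead, as an added example that is not code from the page, from XFree86 or from Mozilla: bash's ulimit builtin is a front end for setrlimit(2), so a process can apply the limit to itself with RLIMIT_AS, after which an oversized malloc is refused with NULL rather than dragging the whole session into swap. The 256 MiB cap is a demo value standing in for the 200000 KiB in the comment. One caveat worth knowing: ulimit -m corresponds to RLIMIT_RSS, which the Linux kernel does not enforce, so ulimit -v (RLIMIT_AS) is the option that actually bites.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/resource.h>

/* Cap the address space of the calling process. This is the limit the
 * bash builtin `ulimit -v` sets (bash implements ulimit with setrlimit(2)).
 * `ulimit -m` from the comment above maps to RLIMIT_RSS, which the Linux
 * kernel does not enforce, so on Linux it is RLIMIT_AS that actually makes
 * oversized requests fail. Returns 0 on success, -1 with errno set. */
int apply_address_space_cap(unsigned long long bytes)
{
    struct rlimit rl;
    rl.rlim_cur = (rlim_t)bytes;   /* soft limit: what the process sees */
    rl.rlim_max = (rlim_t)bytes;   /* hard limit: cannot be raised again */
    return setrlimit(RLIMIT_AS, &rl);
}

/* Request `bytes` of heap and report whether the system granted it.
 * Under the cap, an oversized request comes back as NULL (ENOMEM) and
 * the caller can degrade gracefully instead of taking the whole session
 * down. The memory is released again before returning.
 * Returns 1 if the request was granted, 0 if it was refused. */
int allocation_granted(size_t bytes)
{
    void *p = malloc(bytes);
    if (p == NULL)
        return 0;
    free(p);
    return 1;
}

int main(void)
{
    /* 256 MiB: a demo value, standing in for the 200000 KiB in the comment */
    const unsigned long long cap = 256ULL << 20;

    if (apply_address_space_cap(cap) != 0) {
        fprintf(stderr, "setrlimit(RLIMIT_AS) failed: %s\n", strerror(errno));
        return 1;
    }
    printf("1 MiB request granted: %d\n", allocation_granted((size_t)1 << 20));
    printf("1 GiB request granted: %d\n", allocation_granted((size_t)1 << 30));
    return 0;
}
```

Build with `cc -o memcap memcap.c && ./memcap`; the 1 MiB request is granted and the 1 GiB one is refused. The hard limit is lowered as well, so a child of this process (an X server exec'd after the cap, say) cannot raise it back.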

  9. Re:This goes to show... by CaptainZapp · · Score: 5, Interesting
    The fact is Microsoft doesn't give a damn, because it doesn't need to give a damn anymore. Windows in its various forms continues to have outrageous security holes [...]

    I think you're wrong here, since Microsoft was always very, very good at feeling out the vibes of their customer base. The current perception in the marketplace is that Microsoft's security is beyond rotten. Since even the Gartner Group got on the bandwagon, Microsoft seems to be scared shitless about that public perception.

    The problem is the same as the sorcerer's apprentice, who just can't get rid of the monsters anymore.

    For years and years Microsoft has overladen their products with features and bloat. They missed the internet entirely and when they realised their mistake they rushed an inherently insecure internet platform into the market, and during all this time they didn't give a flying f*ck about security.

    I agree that Microsoft is an extremely arrogant company, that regards their customer base as cows to be milked and taken for a ride in every way possible.

    The problem is that perception is changing and so they are frantically trying to restore trust; they can't let such glitches happen on purpose.

    I think it's too late though to call the monsters back in and even worse:

    It is my true conviction that any IT responsible on any level using IIS on new projects is guilty of gross negligence and incredible incompetence.

    --
    I am the musician

    with pocket calculator in hand

    Kraftwerk

  10. New MSN.com homepage code by SeanTobin · · Score: 4, Funny


    <font size="<?php
    // joke: hand Mozilla user agents an absurd font size, everyone else gets 12
    if (stristr($_SERVER['HTTP_USER_AGENT'], 'mozilla')) {
        echo '16666666666';
    } else {
        echo '12';
    }
    ?>">
    Welcome to the new MSN.COM website, powered by the .NET framework....

    (sorry about the previous post... previewed ok, but didn't post correct without extrans...)

    --
    Karma: SELECT `karma` FROM `users` WHERE `userid`=138474;
  11. Re:I already view large fonts. by uglyduckling · · Score: 4, Informative
    If you look in the 'fonts' preferences, there's now an option for minimum font size. It's a great way to deal with ridiculously small fonts without making everything else look chubby.

    I've also found that the screen calibration thingy on the fonts preferences (select 'Other..' under 'Display Resolution') makes a big difference too.

  12. Re:Status Quo by GypC · · Score: 4, Insightful

    It's not a Linux bug, but rather an XFree86 and mozilla bug. It would probably crash any box running those two programs just as handily...

  13. Serious money in this. by WasterDave · · Score: 5, Funny

    It strikes me that there might be some quite serious money in these "agreements with Microsoft". In a post dotcom world, it's a pretty plausible business plan:

    * Find holes in MS software.
    * Publicise them frantically.
    * Come to "an agreement".
    * Kachingggggg!

    Dave

    --
    I write a blog now, you should be afraid.
  14. This is _not_ a bug in mozilla by theridersofrohan · · Score: 4, Informative
    This is a bug in XFree86 and/or (depending on what you are using) XFS. The error doesn't happen under windows... And apparently, it can be triggered under linux by other programs as well (gimp) if you set the font size absurdly high.

    Check out the Bugzilla item here

    Also, this is _not_ a DOS attack. What it does is make X consume all available memory and swap. And it can be triggered remotely by running mozilla, and browsing a webpage with absurdly large fonts. But it is by no means a DOS attack, because no-one is actively attacking you, making you "Deny Service" to other users.

  15. I know that feeling by CaptainZapp · · Score: 4, Insightful
    Clients keep looking at us as if we're weird outer-space creatures every time we mention unix-based hosting and programming.

    When I was working as a consultant for a major database vendor I walked into customer sites, looked at the problems at hand and usually started to script in either perl or shell.

    This provoked indescribable looks from (mostly) younger IT staff and questions along the lines of:

    What the hell is this? What are you doing here? Why don't you use a GUI? This was often accompanied by smirks and laughs.

    Laughing was reduced to an absolute minimum after 2 hours of scripting (including testing) and 10 minutes running the script, instead of opening a window 3000 times in order to uncheck a checkbox.

    It was usually also the very GUI-oriented shops that ran into wicked recoverability problems, since they implemented their databases with GUIs, modified their database structures with GUIs and the last time they re-generated scripts from the physical schema was in the summer of '98 or so.

    If they had used scripts to start with and had treated those scripts like source code, they could have avoided weeks - if not months - of agony and pain. Not even to mention the costs.

    --
    I am the musician

    with pocket calculator in hand

    Kraftwerk

  16. The Killer App by krmt · · Score: 5, Insightful
    My question is, what's open-source's killer app?
    Freedom.

    That's it, pure and simple. Freedom to do what you want with your machine. Freedom from proprietary formats and the hassle of interchanging data with others. Freedom to alter the code in any way you want, or to learn from it. Freedom to participate in more substantial ways than buying and installing some product from off the shelf. Freedom to use your computer as it best suits you, not as it best suits Bill Gates or Steve Jobs.

    This might sound like fluff, but this is the reason why I gave up on Apple years ago, and it's why I've stayed with Linux ever since then. Apple has done some great things in the past few years, and I applaud them for it, but they are still not Free as in Freedom. Yes, I know about Darwin, but what about Aqua? Yes, I know about QTS Server, but what about iMovie? I'm not saying Apple should open these products or that they shouldn't make money, but simply that they're not going to make any more money from me because I will never feel safe with them after they discontinued a raft of great technology. This will not happen with Linux. Ever.

    That's the killer app for me, and I know it's the killer app for others. Microsoft and Apple will never fully offer that freedom, and as a result I can never trust them fully. They might have more innovative products, but it doesn't matter. Quickdraw GX was innovative. So was Opendoc. And the original Cocoa project (kid's programming environment that I dearly miss). Where are these projects now? Innovation doesn't matter. Just that you're there, and free stuff will always be there, whether it's GPL or BSD or whatever, so long as it's Free as in Freedom. That's a far more powerful killer app than any I've ever heard of.
    --

    "I may not have morals, but I have standards."

  17. Three days? Rather a bit longer.... by Erik+Hensema · · Score: 5, Interesting

    I am pretty sure this bug has been in Bugzilla for months without being fixed. However, bugzilla-search seems to be broken so I cannot prove it right now.

    However, I am 100% positive I crashed my machine due to a remotely exploitable X bug using Mozilla a few months back. That bug is in bugzilla (search on crash, X, css, hensema when bugzilla search works again).

    --

    This is your sig. There are thousands more, but this one is yours.

    1. Re:Three days? Rather a bit longer.... by Erik+Hensema · · Score: 4, Informative

      Found it: bug 120238 is the bug I remembered, it was filed 2002-01-16 and still stands unresolved (IOW it has been ignored). Worse still, bug 90547 also reports a crash due to large fonts. It was reported around 2001-07-12, which is 11 months ago.

      --

      This is your sig. There are thousands more, but this one is yours.

  18. Re:Status Quo by peddrenth · · Score: 4, Informative

    Apparently it's an X bug which can crash the GIMP and others as well -- only reason mozilla's special is that you can exploit it remotely.

    Ctrl-Alt-Backspace if you get hit with it, and reboot your X-server. If you want a bit more protection, run the XFS font server separately (rather than letting X handle fonts); then only the font server will crash.

    As for "time to fix", well XFree86 has been out for a while now, so presumably it was vulnerable all along.

  19. Re:Status Quo by Fruit · · Score: 4, Insightful

    No.

    As a web browser, Mozilla should be able to withstand maliciously formatted content. It really is a bug.

  20. Not me. by Per+Abrahamsen · · Score: 5, Insightful
    Slashdot is and has always been an advocacy site, and has never pretended to be anything else.

    It presents the GNU/Linux and free software side, which is a small step towards bringing balance, as we do not have the big advertisement budgets to buy editorial good will, or money to order favorable reviews from "the customer is always right" analysis companies.

    What I am getting tired of is the people who whine that slashdot is not Ars Technica or kuro5hin, both excellent web places with a different focus than slashdot.

    What about the fact that we STILL don't really take advantage of gfx hardware for 2D presentation?
    What do you mean "we", white man? I have "taken advantage of" 2D gfx hardware under Unix for longer than slashdot (or Linux) has existed.

    or the fact that fonts still look like ass?
    The fonts don't look "like ass" on my screen. I guess what you want is anti-aliasing. The free technology for that is available, it is just a question of installing it. Maybe your OS distributor has done it for you in a sufficiently recent version.
  21. .HTR leaks are not a priority. by Otis_INF · · Score: 4, Insightful

    .HTR is a flawed protocol and should be avoided. No sane developer will use .HTR pages in his site on an IIS machine, since the .HTR parser is crappier than crap since day one with buffer overruns all over the place. Most sysadmins have .HTR disabled anyway, since it's of no use. When there is a bug in that parser, thus _NOT IN IIS!_ but in an extension (like mod_perl to apache), and that parser is not used by a lot of people, would you put a lot of developers on that bug? No.

    --
    Never underestimate the relief of true separation of Religion and State.
  22. It is not really an X11 bug by Per+Abrahamsen · · Score: 4, Insightful

    Most applications will attempt to allocate sufficient memory to handle the task the user assigns to them, and depend on the system to refuse the request if there is not enough memory. They then handle the refusal with varying amounts of grace. It should not crash the OS, unless the OS itself is broken.

    For example, if you feed GCC ridiculously large input, GCC will (attempt to) allocate a ridiculous amount of memory. Which is how it should be; the applications should not try to second-guess the user.

    Applications that take data from untrusted sources, like web browsers, should of course make sanity checks. So the error is in Mozilla, not X11.

    Nonetheless, one can expect more from a desktop server like X11 than from more traditional applications, since if the desktop crashes all the user-visible applications will go with it. So it would be a reasonable feature for X11 to make more sanity checks on its input than other local programs do.
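The sanity check this comment (and the "cap font size" suggestion further down the thread) argues for, as an added example that is not code from the page, from Mozilla or from XFree86: an untrusted CSS-style size is parsed, clamped to a policy maximum, and the memory a display server would need to rasterise it is estimated with overflow-safe arithmetic before anything is requested. The limits MAX_FONT_PX, GLYPHS_PER_FONT and FONT_BUDGET_BYTES, the 1-bit-per-pixel cost model and the sample inputs are assumptions made for the illustration; 16666666666 is the figure from the MSN joke post earlier in the thread, and its square does not even fit in 64 bits, which is the case the overflow check catches.

```c
#include <ctype.h>
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Policy constants: illustrative values chosen for this example. */
#define MAX_FONT_PX        512ULL        /* largest pixel size the renderer will honour */
#define GLYPHS_PER_FONT    256ULL        /* glyphs rasterised when a font is loaded */
#define FONT_BUDGET_BYTES  (64ULL << 20) /* memory we are willing to spend per font */

typedef enum {
    SIZE_OK,            /* value accepted as given */
    SIZE_NOT_NUMERIC,   /* not an unsigned integer with optional "px" suffix */
    SIZE_NON_POSITIVE,  /* zero */
    SIZE_TOO_LARGE      /* above MAX_FONT_PX (or unrepresentable); clamped */
} size_verdict;

/* Multiply two 64-bit values, reporting overflow instead of wrapping. */
static bool mul_u64(uint64_t a, uint64_t b, uint64_t *out)
{
    if (a != 0 && b > UINT64_MAX / a)
        return false;
    *out = a * b;
    return true;
}

/* Estimate the bytes a 1-bit-per-pixel bitmap font needs at `px`: each
 * glyph is a px-by-px bitmap rounded up to whole bytes, and GLYPHS_PER_FONT
 * of them are kept. Returns false if the figure cannot be represented at
 * all, which is what happens for a size such as 16666666666. */
bool estimate_font_bytes(uint64_t px, uint64_t *bytes_out)
{
    uint64_t bits, bytes_per_glyph, total;
    if (!mul_u64(px, px, &bits))
        return false;
    bytes_per_glyph = bits / 8 + (bits % 8 != 0);
    if (!mul_u64(bytes_per_glyph, GLYPHS_PER_FONT, &total))
        return false;
    *bytes_out = total;
    return true;
}

/* True if rendering at `px` stays inside FONT_BUDGET_BYTES: the check an
 * application should make before asking the display server to rasterise
 * anything it received from the network. */
bool font_within_budget(uint64_t px)
{
    uint64_t bytes;
    return estimate_font_bytes(px, &bytes) && bytes <= FONT_BUDGET_BYTES;
}

/* Parse an untrusted CSS-style size ("12", "12px") and clamp it to policy.
 * On return *accepted_px holds the size the renderer may actually use. */
size_verdict check_font_size(const char *untrusted, uint64_t *accepted_px)
{
    char *end;
    unsigned long long value;

    *accepted_px = 0;
    /* strtoull silently accepts leading whitespace, '+' and '-'; insist on
     * a digit first so "-5" and " 12" are rejected rather than reinterpreted */
    if (untrusted == NULL || !isdigit((unsigned char)untrusted[0]))
        return SIZE_NOT_NUMERIC;
    errno = 0;
    value = strtoull(untrusted, &end, 10);
    if (*end != '\0' && strcmp(end, "px") != 0)
        return SIZE_NOT_NUMERIC;
    if (errno == ERANGE || value > MAX_FONT_PX) {
        *accepted_px = MAX_FONT_PX;   /* clamp rather than pass it through */
        return SIZE_TOO_LARGE;
    }
    if (value == 0)
        return SIZE_NON_POSITIVE;
    *accepted_px = (uint64_t)value;
    return SIZE_OK;
}

int main(void)
{
    /* constructed inputs, including the value from the joke post */
    const char *samples[] = { "12px", "16666666666", "0", "-5", "4096px" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        uint64_t px;
        size_verdict v = check_font_size(samples[i], &px);
        printf("%-12s verdict=%d accepted=%llu within_budget=%d\n",
               samples[i], (int)v, (unsigned long long)px, font_within_budget(px));
    }
    return 0;
}
```

The two checks are deliberately separate: check_font_size is the browser-side clamp (the band-aid the thread discusses), while estimate_font_bytes and font_within_budget are the kind of cost check a display server could run on any local client's request, which is the defence that covers GIMP and every other X client too.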

  23. Um, then why does it matter? by Sycle · · Score: 5, Insightful

    If people don't apply patches, fixes, updates and security recommendations, then Microsoft could have released a fix in 2 seconds, and it still won't do any good.

    Linux and other open source software aren't impervious to bugs being discovered either, they just respond faster - so the lesson here is simply "if you're an idiot, you can get '0wn3d' on any OS".

    Yeah it sucks that Microsoft take two months to fix an exploit, but if it only affects a service that would have been switched off already if you followed instructions, then it's not *that* big of a deal.

  24. Depends on the OEM by TechnoLust · · Score: 4, Informative
    If you are talking about the IIS feature in Win2k, this is only installed by default on CERTAIN OEMs. For example, Dell desktops with Win2k preinstalled do NOT have IIS installed. In cases where it is preinstalled, that's the OEMs fault, not MS. If RedHat or Susie had an option to install a trojan and some users were dumb enough to do it, would you blame them? Or the stupid users? If you blamed the users, would you then say all Linux users were idiots because some of them did a terrible install job? Then why does it work that way for Windows users? I just don't understand the double standard. I use Windows and Mandrake Linux, and both have their strengths and weaknesses.

    As for the HTR, anybody that does a "typical" install (i.e. just selecting default options) of a Web server has larger problems than their OS.

    --
    "Da ist ein Technölüst in mein Unterpanten!"
  25. Re:Status Quo by Genom · · Score: 4, Insightful

    As a web browser, Mozilla should be able to withstand maliciously formatted content. It really is a bug.

    Hmm...the flaw itself is in XFree, and its handling of huge fonts. Presumably the only reason a web browser is such a problem is because of the potential to attempt display of a *lot* of text at once (I would assume opening a long document in Star/OpenOffice with gigantic fonts would produce the same effect, although I haven't tested it myself...). Therefore, while it's a "nice" thing that Mozilla throws a limit in there to prevent one vector of attack, it's merely throwing a band-aid over the real problem, which should be fixed in XFree.

  26. Open Source business plan finally complete by DeadMeat+(TM) · · Score: 5, Funny
    You've done it!

    1. Write open-source software
    2. Find holes in MS software, publicize them frantically, and come to "an agreement"
    3. Profit!

  27. Re:It is really an X11 bug by CaseyB · · Score: 4, Insightful
    X11 is a special app, because if it dies the screen dies and you can't interact with the system although the system might be functioning fine.

    Hardly. Hasn't everyone at some point telnetted to a *nix machine to kill and restart a hung X11 process?

  28. Here's what I can't figure out by JMZero · · Score: 4, Interesting

    How come nobody is posting a quick source patch? WTF? Isn't that one of the great things about open source?

    You have all the code. It shouldn't be too hard to find the few places that you need to cap font size.

    Where are all the programmers?

    --
    Let's not stir that bag of worms...