Controversy Surrounds Huge IE Hole
Suchetha wrote in with a Wired News bit talking about a security hole in IE that allows malicious web pages to reformat a hard drive. The Wired piece talks more about bugtrack's handling of the whole thing, and how it essentially posted working code for the exploit. Was it irresponsible or not?
If they cared about preserving security for users, or getting the defect fixed, they'd have given the working code exclusively to the defect owner. Posting working malicious code to the general population serves NO BENEFIT to anyone other than those with malicious intentions. You can properly describe 99.99% of bugs without giving people the tools to take advantage of it.
The Wired talks more about bugtrack's handling of the whole thing, and how it essentially posted working code for the exploit. Was it irresponsible or not?
Easy question to answer.
If Linux had an exploit that allowed someone to ssh into your box, su to root, then fsck your hard drive, and a patch wasn't released yet, would you be pissed off that bugtraq posted the code to exploit the bug?
Don't say "it'll never happen," 'cause anything is possible.
Good quote, too many chars. Seriously, the slashdot 120 char limit sucks!
It might be my sadistic side, but I prefer for working exploits to be posted by the security sites... It gives you a way of checking to see if you are vulnerable.
In the case of M$ bugs, it also puts more pressure on the company to come up with a fix for the problem quickly.
Ok, so they acknowledge that Microsoft has known about the problem since November. But the messenger is still the one that should be shot. And not Microsoft, since they are "investigating the issue".
...
The article is just stupid
Those who think, "We should give MS a couple months to find an appropriate patch" are sadly misguided. Do you think a script kiddie or hacker is going to wait? Do you think they're going to say "Oh, I shouldn't do this because Microsoft is a big company." Wake up people, the only way a company is going to put their top programmers on the job to fix the bug is when the threat moves from "possible" to "real". As much as I wish companies took exploits more seriously, the reality is they don't until it is perceived as a "real immediate threat."
I think BugTraq was irresponsible posting working code for the exploit, but I also think the point is academic.
After all, if some script-kiddie wanted to exploit this, they'd just find the working code somewhere else.
I'm too lazy to think of anything to put here.
is insecure.
Only people who need that information should be allowed access to it. That's why only something like bugzilla really works well with a product that is likely to be subject to exploits - only the people who are developers of the relevant piece of code are admitted into the security exploits section.
If that kind of info is posted openly on the web, I fail to see the difference between that and stupid pages that always post activex exploits thinking they're cool hax0rs. Cool hax0rs don't post exploits, they fix them.
Join the elite! Post at score:2! Ghostwheel is online.
If I don't know what the malicious code is, how am I supposed to avoid it?
Informed security is way better than uninformed security.
Anyone who wants to use this exploit will find out how. The exploit-users already know how to use it and will tell their friends, so we may as well know also.
I'd say it's really no better or worse than, say, Slashdot posting links to warez.
Too many companies (software vendors, security consultants) are financially vested in how bad the security blackeye looks in the marketplace and it colors their policies regarding security notification.
As far as I'm concerned, the interests of the software users should be the primary concern.
"Provided by the management for your protection."
...you are the one irresponsible.
"If you have done 6 impossible things this morning, why not round it off with breakfast at Milliways" -- hhgg
It has been proven time and time again that MS does not care about fixing their bugs or securing their users. Their only concern is furthering their illegal monopoly position by abusing the political system of America.
That leaves us with each other as our ONLY protection. Personally, I WANT to know if users in my network are able to accidentally destroy their computers, and I NEED to know how the problem occurs so I can help avoid it. As I already stated, if we can not help each other get past the problems, then malicious programmers will have already won, that's just the MS world. Trusted computing is between users, not with the vendor in these dark times.
It's not that simple I think. True that active content is overused, but it can really be helpful when you don't want to roundtrip to the server just to calc some numbers, and twiddling settings is annoying for the user, if they choose to turn it off and on. It would be better if the thing was secure. The problem IE has in particular is they try to "zone" things: local zone, trusted zone, internet zone, secure zone, etc. They do this so that you can have stuff in the local zone execute programs or virtually do anything on the system. And that's the problem, by trying to make javascript into a generic scripting language, they've opened up the local zone to anyone that can break through the zone barrier.
Most exploits involve one javascript generating a second window which comes into the local zone and posting content to that, though I think that's somewhat patched now, they can also use ActiveX controls to screw you. There is obviously something flawed with the model, and had they just made javascript a web only scripting language like it was designed, none of this would have happened.
Neither this incident nor the wired story adds anything new to the debate.
It's really gotten quite tiresome. Neither side of the "full-disclosure" flame war will ever convince the other, so I imagine it will continue forever.
Keep in mind that bugtraq was specifically created to be a full-disclosure list. It's a central element of their charter. The moderator is therefore highly motivated not to block something on the grounds that it reveals too much information.
If you think that's irresponsible, there's no need to vent about it here. You can read hundreds of megabytes of archived debate on the subject. I'm quite sure whatever argument you want to present will be in there somewhere.
This isn't even a particularly good example to use, since the exploit was already public.
There was already working code posted that exploited the vulnerability but did not format your drive. There was no need to add that payload to the exploit. It's like handing out a vaccine that you have modified to have worse side effects than the original disease.
--
E_NOSIG
I'm not sure about the details of the current case, but there is a very good reason for publishing full technical details about an exploit before patches come out. That is that it may be possible in many circumstances for aware and knowledgeable system administrators to prevent the exploit from affecting machines within their control either at a central point, like a firewall or proxy, or by disabling software features until a patch is available.
For example a web proxy might be able to scan for the presence of the malicious code in question, but if that code is not available to the sysadmins, then how can they make appropriate filters? Also being aware of the ways in which these exploits work could allow sysadmins to make more general security policy decisions in terms of what users / processes are allowed to access what areas, etc. I'm not saying that it could be done in this case, but could in many others.
This could save a company a lot of time and money, and is therefore a good thing. It is not true to say that only the party responsible for producing a patch needs to see the actual code for security reasons.
There are a thousand forms of subversion, but few can equal the convenience and immediacy of a cream pie -Noel Godin
The article is stupid and wrong.
The sploit paper says that MS was contacted about the combined exploit October 4, which is not in November, and that they have closed the issue with a "will not be patched because XYZ" statement, which is not to be investigating the issue.
Two critical wrongs in fact out of two possible. I just felt a sudden urge to trust the rest of the article so much more...
I agree. Javascript is very useful as a web scripting language, but a horrible idea as an OS scripting language. There is no reason to blame JS, just Microsoft's allowing it to roam outside the webpage. In fact, I would suggest that the problem is never Javascript, but ActiveX accessed from Javascript. ActiveX is the hole into the local system, Javascript is just the controlling language.
While I agree with you in principle, and I'm sure we share the bond of 360k floppies with zipped copies of viruses, I have to disagree with the details.
I remember a time when the source code for some vulnerabilities was disclosed, but with errors. If you didn't know how to fix the error, you couldn't use the vulnerability. This way, it was kept OUT of the hands of script kiddies, but put INTO the hands of those with a clue on how to fix the problem.
I'd be willing to bet 95% of the break-ins on the internet are plain old script kiddies. IMHO, there isn't any more port scanning going on, there isn't any more social engineering of the average joe's desktop pc. That sort of work is left to the 'expert' black hats, trying to get into the 'treasure chest'. The rest are lamers just running what they found.
IMHO, if BugTraq is going to post vulns, they need to be non-working, and the user has to have the knowledge to fix them. Especially on closed platforms, it does less good release exploits for code you can't fix, because you're not fixing the problem, you're just working around it.
"I can't give you a brain, so I'll give you a diploma" - The Great Oz (blatantly stolen sig)
...which a friend and I posted to bugtraq. It turned out to be a previously undiscovered variant of the semisoft virus, which we'd dubbed "net.666" for a few reasons (just so you can check my story).
We made a web site that showed how to clean an infected system and had downloadable infected files for virus researchers. At the request of some of the researchers, we took off the files and gave an email address for researcher requests instead.
Surprisingly, we got emails from script kiddies (some posing as researchers, some not) trying to get copies of the virus.
But, by the end of that week, there were separate executables from a few companies implementing our cleaning methods, and the next round of signatures could detect it.
I think it would have been a better idea for these guys to just post the solutions and keep the exploit code itself as secret as possible. MS will pretty much HAVE to deal with this one. It's the kind of exploit you hear about in hoax emails, but I don't think it's going to make their lives much easier knowing that this exploit is so widely available, not to mention the people who get hit by it.
vk.
Allow me to introduce you to my friend. His name's Bob, but many call him Smiley. Here's a digital photo I took of him:
;^D
I append this digital photo to the end of all messages in which I'm using humour for effect. One look at Bob's face and you'll understand why. If you now reread my comment all the way to the end, the meaning should become clear.
Hope that helps.
Curmudgeon Gamer: Not happy
If you had a nice apartment in the middle of New York, and you constantly left the front door unlocked, and then one day somebody walked in stole your stereo, I'd feel bad for you. But, you know, not too bad.
But it's not like that at all. It's more like I lock my front door. I ask my super "am I secure?" and the super replies "yes, absolutely."
Then I learn there's a fire escape. I say "The fire escape was unlocked." and the super replies "oh, yes, it was unlocked." So I lock the fire escape.
Then I find a closet door isn't a closet at all, but leads directly to the next apartment. I lock that. Suddenly, a section of wall turns out to have a door that's been wallpapered over. Under the rug there's a trapdoor leading to the apartment below me. Hidden behind the fridge is a dumbwaiter. The entire fireplace rotates à la Indy Jones. I cry in exasperation to my super, who just says "well, aside from all those holes, your apartment is secure."
-- If god wanted me to have a sig, he'd have given me a sense of humor.
It seems like every couple weeks there is an article on /. to the effect of "BIG HOLE IN IE/XP/[MS APP HERE] DISCOVERED. THE END IS NEAR! REPENT, MS USERS" etc etc...ZZZZZZZzzzzzzzzZZZZZZZ -_-
There are only so many times you can read a headline like that before the "cry wolf" factor starts to kick in. All these "bugtraq" alerts are academic...theoretical...What I want to see is a headline that reads Merrill Lynch crippled by XP flaw. Plans to sue MS for millions $$$ damages or somesuch. Or at least a story of an actual user whose life was ruined by an actual MS security hole. Something tangible...Now THAT would be interesting!
What new ground is broken here?
None.
The simple fact remains that Micro$oft produces products that are riddled with the most egregious of security lapses, and that Micro$oft has an unrivaled history of dragging its feet/passing the buck, even when billg is hit over the head repeatedly with the fact that his minions have unleashed yet another f*ckup on the unsuspecting public.
So, it's possible to contrive html that, when viewed on a remote web site, reformats the local hard drive of the box IE is running on?
Are you kidding me?
billg and every single idiot who was anywhere close to being involved with this f*ckup should be sued for every last penny they have.
As for full disclosure, let 'er rip.
It's the only way Micro$oft will ever be held in the least bit accountable for their crap.
t_t_b
I'm on PJ's "enemies" list! Are you?
If you were confronted by someone who had just lost a bunch of important data because of this exploit, do you really think they'd be impressed if you said "But I was trying to make a very important point to Microsoft!".
Instead of that, you should say "By not fixing the bug, Microsoft was trying to make a very important point to you!"
Then they will at least be angry at the right entity.
It seems that what's really irresponsible is not what Bugtraq did, but running IE to begin with. Its history of security flaws and exploits along with Microsoft's foot-dragging responses make it utterly irresponsible to run such software.
That said, no one is immune from security exploits. The argument for posting it to Bugtraq seems mainly to be that this motivates the vendor to move quickly now that their customers know about the exploit and now that nefarious types have easier access to it. (Don't fool yourself into thinking the most malicious types didn't usually already acquire it by other means.)
But if what we really want to do is motivate vendors to patch things quickly, it should be the first rule of Bugtraq that no exploit is posted until the vendor is informed. Most linux security exploits are resolved within about 48 hours, while it is true that Microsoft often takes weeks or months. Given our competing interests in both informing the vendor privately and getting information to the public, we should balance these in a reasonable way. One such solution might be that Bugtraq adopt a rule that after a vendor is informed, they have 48-72 hours after which time it will be posted.
For both the responsible vendors and the free software community this approach would balance our interests in minimizing exploits while a solution is actively pursued while also acknowledging the benefits of full public disclosure.
In the case of smaller vendors than MS who might not have the resources for such a quick bug-fix, an appeal process could be instituted wherein the vendor may contact Bugtraq during the initial grace period and request an extension. Guidelines based on the resources of the vendor and the seriousness of the bug could be used to determine whether another 48-72 hours should be granted.
BWCarver
Like Digital Freedoms? Then donate to EFF before they're gone.
Now if only someone could break into update.microsoft.com and put the exploit there...
(The Windows update program uses IE. Good design decision to use your most insecure piece of code for security updates, isn't it?)
Assorted stuff I do sometimes: Lemuria.org
<humor> Now, if someone were to say that there weren't any holes in IE, that would be controversial. this is just "business as usual - where have your files gone today?". </humor>
It's just unfortunate that this is the sad reality.
I'm assuming that you have no issue with Bugtraq's posting of the initial advisory from Andreas Sandblad on the 6th. Now, the code that was posted on the 14th (over a week later) that is causing all this ruckus was cut-and-pasted from a discussion going on on ZDNet forums. In other words, those that would do harm already had the code.
I'll grant you that posting it to Bugtraq probably doesn't add all that much information for the "good guys" (except that the javascript in the "format a:" version is simpler to read), but it has the added benefit of getting someone like Wired to make a big stink out of the whole affair. The publicity is important as a way of getting the bug fixed. Security bugs are viewed by Microsoft (and anyone in the consumer software industry) as PR problems - posting this to Bugtraq doesn't make the bug any worse for users of Microsoft's systems (since the kiddies already have it), but does make it much worse for Microsoft. It's much harder to spin away a bug when live, functioning exploit code is staring you in the face.
I am a GNU hippy, I avoid using Windows on the desktop except when necessary, but I have to disagree.
Insecure features like:
- RPC
- LPD
- WUFTPd
- Telnet
- Sendmail
- BIND (? BIND for Christ's sake?)
- X listening remotely
All running by default?
I like music
What would really worry me is if someone cracked into a high traffic site and added this code. The havoc it would cause would be interesting. ie. slashdot or cnn.com tainted with such code.
Does anyone remember the time when Yahoo finally found that someone had edited the text on their frontpage. White on white text that could be highlighted. I don't know the details, but I knew about it long before yahoo discovered this.
It *can* happen, but now companies are definitely more security cautious.
Fortunately, I use mozilla, I made the full time switch and lived with the minor bugs the day Gator mysteriously installed itself on my system while browsing with ie. (there was a previous story on the incident with that exploit).
"You should always go to other people's funerals; otherwise, they won't come to yours." -- Yogi Berra
Download and install Mozilla.
Yes, Mozilla has had its share of security flaws, but they generally get fixed faster, too.
That's really unfair. What you say makes sense when applied to the slashdot population, but what about my mom? What about your dentist? Most people who use computers aren't IT professionals who can dedicate an hour every day to reading several security-related websites and downloading and installing software patches, and they shouldn't have to be.
if i'm a grammar nazi, you're an illiteracy nazi.
There is only one technical defense against an exploit at the present time and that is to disable scripting in Internet Explorer, Outlook, and Outlook Express.
Crap. The simplest and most appropriate technical defense is to switch to another browser. Even Windows users have a choice of browser.
When channel x news sneeks a weapon through airport security and alerts the airport. Then a month later does the same thing, should they alert the public to make them aware of the danger?
This way the vendor knows the clock is ticking, and once you've published the puzzle and the encrypted exploit no amount of legal maneuvering can put the cat back in the bag, so to speak. Basically, it allows you to put pressure on the vendor while still being responsible and giving the vendor a month (for instance) head start. You can put decent bounds on how long it will take the fastest consumer machines to solve the puzzle. There's currently a puzzle running that's supposed to get completed shortly before the MIT Laboratory for Computer Science's 70th b-day, for instance.
Copyright Violation:"theft, piracy"::Anti-Trust Violation:"thermonuclear price terrorism"<-Overly dramatic language.
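A toy version of the time-lock mechanism the comment above describes: the advisory is published encrypted, and the key can only be recovered by a fixed number of sequential modular squarings, which the publisher shortcuts using the factorization of the modulus. This is an added example, not code from the thread, Bugtraq or MIT; the primes, the hash-based keystream and the sample advisory text are constructed for demonstration, and a real puzzle would use a large RSA modulus and a proper cipher.

```python
# Added example (not from the original thread): a toy RSA-style time-lock puzzle.
# Creator side: knows phi(n), so a^(2^t) mod n costs one modular exponentiation.
# Solver side: must do t squarings one after another; the work is inherently
# sequential, which is what makes the delay predictable for a given CPU speed.
import hashlib
import math
import secrets
from dataclasses import dataclass

# Constructed small primes for a toy modulus; a real puzzle uses a large RSA modulus.
P = 1000000007
Q = 998244353


@dataclass
class Puzzle:
    n: int             # modulus p*q; the creator discards phi(n) after use
    a: int             # base, coprime to n
    t: int             # number of sequential squarings the solver must perform
    ciphertext: bytes  # advisory encrypted under the key a^(2^t) mod n
    tag: bytes         # hash of the key so a solver can confirm they are done


def _keystream(key: int, length: int) -> bytes:
    """Toy keystream: SHA-256 of the key and a counter (constructed for this example)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key.to_bytes(32, "big") + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def _xor(data: bytes, ks: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(data, ks))


def _tag(key: int) -> bytes:
    return hashlib.sha256(key.to_bytes(32, "big")).digest()


def create_puzzle(plaintext: bytes, t: int, p: int = P, q: int = Q) -> Puzzle:
    """Creator side: reduce the exponent 2^t modulo phi(n), then one fast pow()."""
    n = p * q
    phi = (p - 1) * (q - 1)
    a = 2 + secrets.randbelow(n - 3)
    while math.gcd(a, n) != 1:        # Euler's theorem needs gcd(a, n) == 1
        a = 2 + secrets.randbelow(n - 3)
    e = pow(2, t, phi)                # cheap only because phi(n) is known
    key = pow(a, e, n)                # equals a^(2^t) mod n
    ciphertext = _xor(plaintext, _keystream(key, len(plaintext)))
    return Puzzle(n=n, a=a, t=t, ciphertext=ciphertext, tag=_tag(key))


def solve_puzzle(puzzle: Puzzle) -> bytes:
    """Solver side: t sequential squarings; no shortcut without factoring n."""
    x = puzzle.a % puzzle.n
    for _ in range(puzzle.t):
        x = x * x % puzzle.n
    if _tag(x) != puzzle.tag:
        raise ValueError("key check failed: wrong modulus, base or squaring count")
    return _xor(puzzle.ciphertext, _keystream(x, len(puzzle.ciphertext)))


if __name__ == "__main__":
    advisory = b"constructed sample: details of the cross-zone bug go here"
    puzzle = create_puzzle(advisory, t=200000)
    print(solve_puzzle(puzzle) == advisory)
```

The squaring count t is the published "head start": it is chosen from a measured squaring rate so that the fastest consumer machine needs roughly the intended delay, and the creator's shortcut does not depend on t at all.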
If you don't prove it, they will deny it. The ability to erase everything is the threat that all root exploits pose. It's about time the popular press understood the implications. God knows, M$ spends enough money denying the ability and on Astro turfing where people who suggest such things belong to the tin foil hat camp.
I hope this blows all the way up to and beyond CNN. I'm tired of people looking at me like I'm crosseyed when I tell them that IE is full of holes that allow others to look at your files and erase them. M$ can't buy the entire mass media forever.
Friends don't help friends install M$ junk.
"And, yes, it would be different if this were Linux, or BSD, or even MacOS. All those operating systems come with companies or communities who take security seriously, and they respect their users enough to not foist insecure features on them."
Really?
Show me the security bulletin on Redhat's website for the issues found in KDE last August.
The sad fact is the Linux support community is even worse than Microsoft. They don't even acknowledge problems even after they've been patched by the development team. Maybe it's just a lack of communication mechanisms, but whatever it is it is bizarre.
If it only works if run from computers in the 'local computer' zone, then no, it's not a security hole, it's operation by design.
That's like saying 'there's a huge security hole in the UNIX 'rm' command, which allows the root user to delete entire filesystems!'
Vintage computer games and RPG books available. Email me if you're interested.
I disagree. First off script kiddies don't really do very much. If they do ever write code, it's a tiny little program to do one or two things.
I don't think that any of them are going to write a super virus because that would take a lot of work. They may get a kick out of reformatting someone's box but they aren't going to code for months to be able to do so.
What I would worry about is someone writing a hacking application. It would have a database of most known root exploits for the last 20 years. You could pick your target IP address and it would use programs like nmap to try and figure out as much as possible about the target(s) and then it would start trying all known exploits for that system.
A program like this would actually be worth a serious black-hat hacker's time. Especially if it was written in a way that made it easy to update the database when new exploits were found. It could have a nice GUI and everything.
Luckily, someone white-hat would take the same program and extend it so that the database includes ways to fix all the vulnerabilities. Sysadmins could run it on their own networks.
Life is too short to proofread.
I doubt you were trying to be funny about this. All I can tell you is this: Go find the exploit code and try it. When you're done filling your pants, go find a Mozilla based browser you like and stick with that.
Yup, it's that bad. It's getting to the point where I only use IE for intranet applications. What's the point in being the best browser when it's not safe to use?!
Please mod this post only if you think others should/n't read this. I have enough ego^H^H^Hkarma. Thanks!
Then it doesn't matter at all what Bugtraq does. However, you think this means they shouldn't publish exploits. Your logic is all backwards.
If it doesn't matter what BugTraq publishes, then BugTraq should publish exploits ported to as many programming languages and platforms as possible, for educational enlightenment.
Copyright Violation:"theft, piracy"::Anti-Trust Violation:"thermonuclear price terrorism"<-Overly dramatic language.
"Showing people how to automatically format hard disks from a Web page isn't 'full disclosure,'" Smith said. "It is malicious code writing. To an outsider, Symantec's actions give the impression that they are encouraging people to create and release malicious code."
Yeah, and reading Mein Kampf will make me a nazi.
Reading about guns will make an assassin.
Reading Kama Sutra will make me a Don Juan.
Reading Juan Manuel Fangio's biography will make me a F1 racer.
But not reading any of these will make me dumb.
Difficult choice, isn't it?
In fact, it's very easy to rob a car, and the ones blamed are the thieves, not Ford. Also, that's why you have insurance, I don't see Ford putting a lot of effort in anti-theft technology.
With computers, it's a little different. You can't get insurance and the equivalent of "robbing a million cars in a day" is easy as writing a good worm. So Microsoft has to be more careful, we are trusting our data and business to them, and they should show more caring for the customers.
We demand security, LESS features, ADDED security. At some point, people asked features, now they ask security. The ones asking for more features should know of that trade-off. They do not often link features with code harder to secure.
unfinished: (adj.)
I agree that the fundamental problem isn't that a "local" computer can do things like execute any arbitrary command with arguments. (Well, to a point-- why a web browser needs to do this is another question.) However, these cross-zone exploits are so old and offer such a massive potential for misuse there's no excuse for waiting this long for a fix.
In short, yes, the right solution is exactly what Microsoft said. So do it!
As I suggested in the July thread on the acquisition topic, Symantec scooped up SecurityFocus as a means to put the brakes on the full disclosure movement.
This exploit is so severe it will no doubt cause the clueless masses to clamor in fear and demonize the full disclosure movement. It would not surprise me in the least if lobbyists for the likes of Microsoft leverage this news event to spin the next pro-Microsoft bill through the legislature.
By this time, the "top dogs" from the old SecurityFocus have no doubt been kerneled and firewalled by Symantec Jr. Exec's filtering their communication traffic both in and out, and managing their task lists. As soon as these guys realize their upcoming irrelevance in the brave new world that is now SecurityFocus, they will be presented with a choice: to a) burn through all the cash Symantec just handed them in litigation to regain control of the firm or b) pursue other interests, as long as none of those interests compete with Symantec, well at least for the next five years.
What a terrible brain drain for the security community.
I do not wish to minimize the efforts and contributions made by the founders of bugtraq...They were an essential catalyst to the full disclosure movement. Still, it is the community that brings life to the movement. IMO, it is time for the community to respond to this situation by establishing a new forum for full disclosure that is outside the influence of corporate interests.
I regret I have only my insight to contribute.
What about people who pay for net access? A lot of those people don't use the auto update because they are on slow connections and it is costing them a lot of money to be on the net.
A lot of people still pay per minute to be connected to the Internet and using the auto update tool over a 56K modem can take quite a few minutes. Plus, if you have to reload for any reason, you have to go through the whole process again. The autoupdate solution doesn't give you the files with instructions, so you have to run up the phone bill twice.
CERIAS' Gene Spafford says overpowered, complex, general purpose machines that can do way more than people need are a big part of the problem.
Read the rest of this interview in which he discusses how increased, unnecessary complexity combined with a lack of users' understanding of security vulnerabilities and issues, and manufacturers' lack of interest in building in security can make systems more vulnerable to attacks.