Slashdot Mirror
Controversy Surrounds Huge IE Hole
Suchetha wrote in with a Wired News bit talking about
security hole
in IE that allows malicious web pages to reformat a hard drive. The Wired
talks
more about bugtrack's handling of the whole thing, and how it essentially posted working
code for the exploit. Was it irresponsible or not?
If they cared about preserving security for users, or getting the defect fixed, they'd have given the working code exclusively to the defect owner. Posting working malicious code to the general population serves NO BENEFIT to anyone other than those with malicious intentions. You can properly describe 99.99% of bugs without giving people the tools to take advantage of it.
It might be my sadistic side, but I prefer for working exploits to be posted by the security sites... It gives you a way of checking to see if you are vulnerable.
In the case of M$ bugs, it also puts more pressure on the company to come up with a fix for the problem quickly.
Yes I'd be pissed off, and I would be mad that they posted an exploit.
However I'd also be quite upset at my vendor for letting this happen.
Those who think, "We should give MS a couple months to find an appropriate patch" are sadly misguided. Do you think a script kiddie or hacker is going to wait? Do you think they're going to say "Oh, I shouldn't do this because microsoft is a big company." Wake up people, the only way a company is going to put their top programmers on the job to fix the bug is when the threat moves from "possible" to "real". As much as I wish companies too exploits more seriously, the reality is they don't until it is percieved as a "real immediate threat."
If I don't know what the malicious code is, how am I supposed to avoid it?
Informed security is way better than uninformed security.
Anyone who wants to use this exploit will find out how. The exploit-users already know how to use it and will tell their friends, so we may as well know also.
$8.95/mo web hosting
Too many companies (software vendors, security consultants) are financially vested in how bad the security blackeye looks in the marketplace and it colors their policies regarding security notification.
As far as I'm concerned, the interests of the software users should be the primary concern.
"Provided by the management for your protection."
Secondly, I'd rather *know* what an exploit looks like, and thus be able to create a filter to prevent exploit packets incoming rather than just hoping that an exploit doesn't exist (because if it does, the black hats will have it, and the script kiddies will get hold of it).
Thirdly, I have enough knowledge to help join in the effort to fix the bug; I'm not the only person with that sort of knowledge. In the situation you describe, I can attempt to tackle bugs that affect me; I'm not dependant on someone else doing it for me. Even if I was dependant on other people, I'd still prefer them to have the extra visibility into the problem that an exploit provides. I've had to debug similar errors before, and while the debugging is the hardest part, the second hardest is creating a useful test case; in your situation, I have a test case already.
I appear to have a blog. Odd.
It's not that simple I think. True that active content is overused, but it can really be helpful when you don't want to roundtrip to the server just to calc some numbers, and twiddling settings is annoying for the user, if they choose to turn it off and on. It would be better if the thing was secure. The problem IE has in particular is they try to "zone" thing, local zone, trusted zone, internet zone, secure zone, etc. They do this so that you can have stuff in the local zone executre programs or virtually do anything on the system. And that's the problem, by trying to make javascript in to a generic scripting language, they've opened up the local zone to anyone that can break through the zone barrier.
Most exploits involve one javascript generating a second window which comes into the local zone and posting content to that, though I think that's somewhat patched now, they can also use ActiveX controls to screw you. There is obviusly something flawed with the model, and had they just made javascript a web only scripting language like it was designed, none of this would have happened.
Free Online Woodworking Resources Directory
There was already working code posted that exploited the vulnerability but did not format your drive. There was no need to add that payload to the exploit. It's like handing out a vaccine that you have modified to have worse side effects than the original disease.
--
E_NOSIG
I'm not sure about the details of the current case, but there is a very good reason for publishing full technical details about an exploit before patches come out. That is that it may be possible in many circumstances for aware and knowledgeable system administrators to prevent the exploit from affecting machines within their control either at a central point, like a firewall or proxy, or by disabling software features until a patch is available.
For example a web proxy might be able to scan for the presence of the malicious code in question, but if that code is not available to the sysadmins, then how can they make appropriate filters? Also being aware of the ways in which these exploits work could allow sysadmins to make more general security policy decisions in terms of what users / processes are allowed to access what areas, etc. I'm not saying that it could be done in this case, but could in many others.
This could save a company a lot of time and money, and is therefore a good thing. It is not true to say that only the party responsible for producing a patch needs to see the actual code for security reasons.
There are a thousand forms of subversion, but few can equal the convenience and immediacy of a cream pie -Noel Godin
The article is stupid and wrong.
The sploit paper says that MS was contacted about the combined exploit October 4, which is not in November, and that they have closed the issue with a "will not be patched because XYZ" statement, which is not to be investigating the issue.
Two critical wrongs in fact out of two possible. I just felt a sudden urge to trust the rest of the article so much more...
I agree. Javascript is very useful as a web scripting language, but a horrible idea as an OS scripting language. There is no reason to blame JS, just Microsoft's allowing it to roam outside the webpage. In fact, i would suggest that the problem is never Javascript, but ActiveX accessed from Javascript. ActiveX is the hole into the local system, Javascript is just the controlling language.
While I agree with you in principal, and I'm sure we share the bond of 360k floppies with zipped copies of viruses, I have to disagree with the details.
I remember a time when the source code for some vulnerabilities was disclosed, but with errors. If you didn't know how to fix the error, you couldn't use the vulnerability. This way, it was kept OUT of the hands of script kiddies, but put INTO the hands of those with a clue on how to fix the problem.
I'd be willing to bet 95% of the break-ins on the internet are plain old script kiddies. IMHO, there isn't any more port scanning going on, there isn't any more social engineering of the average joe's desktop pc. That sort of work is left to the 'expert' black hats, trying to get into the 'treasure chest'. The rest are lamers just running what they found.
IMHO, if BugTraq is going to post vulns, they need to be non-working, and the user has to have the knowledge to fix them. Especially on closed platforms, it does less good release exploits for code you can't fix, because you're not fixing the problem, you're just working around it.
"I can't give you a brain, so I'll give you a diploma" - The Great Oz (blatently stolen sig)
Only people who need that information should be allowed to it.
Of course. That is why from now on we have instituted a simple procedure that must be followed any time you want to buy a book or read one in a library.
Just submit to the nearest government office the Request For Information Access form (RFIA-1984) together with all the necessary documentation proving that you need the information. In due time the form will be returned to you, stamped "approved" or "rejected". If it has been approved, take this form to your book dealer or library and you will be granted access.
Please be aware that having multiple requests rejected can adversly affect your future.
Have a pleasant day.
Kaa
Kaa's Law: In any sufficiently large group of people most are idiots.
...which a friend and I posted to bugtraq. It turned out to be a previously undiscovered variant of the semisoft virus, which we'd dubbed "net.666" for a few reasons (just so you can check my story).
We made a web site that showed how to clean an infected system and had downloadable infected files for virus researchers. At the request of some of the researchers, we took off the files and gave an email address for researcher requests instead.
Surprisingly, we got emails from script kiddies (some posing as researchers, some not) trying to get copies of the virus.
But, by the end of that week, there were separate executables from a few companies implementing our cleaning methods, and the next round of signatures could detect it.
I think it would have been a better idea for these guys to just post the solutions and keep the exploit code itself as secret as possible. MS will prettymuch HAVE to deal with this one. It's the kind of exploit you hear about in hoax emails, but I don't think it's going to make their lives much easier knowing that this exploit is so widely available, not to mention the people who get hit by it.
vk.
vk.
If you had a nice apartment in the middle of New York, and you constantly left the front door unlocked, and then one day somebody walked in stole your stereo, I'd feel bad for you. But, you know, not too bad.
But it's not like that at all. It's more like I lock my front door. I ask my super "am I secure?" and the super replies "yes, absolutely."
Then I learn there's a fire escape. I say "The fire escape was unlocked." and the super replies "oh, yes, it was unlocked." So I lock the fire escape.
Then I find a closet door isn't a closet at all, but leads directly to the next apartment. I lock that. Suddenly, a section of all turns out to have a door that's been wallpapered over. Under the rug there's a trapdoor leading to the apartment below me. Hidden behind the fridge is a dumbwaiter. The entire fireplace rotates ala Indy Jones. I cry in exasperation to my super, who just says "well, aside from all those holes, your apartment is secure."
-- If god wanted me to have a sig, he'd have given me a sense of humor.
It seems like every couple weeks there is an article on /. to the effect of "BIG HOLE IN IE/XP/[MS APP HERE] DISCOVERED. THE END IS NEAR! REPENT, MS USERS" etc etc...ZZZZZZZzzzzzzzzZZZZZZZ -_-
There are only so many times you can read a headline like that before the "cry wolf" factor starts to kick in. All these "bugtraq" alerts are academic...theoretical...What I want to see is a headline that reads Merrill Lynch crippled by XP flaw. Plans to sue MS for millions $$$ damages or somesuch. Or at least a story of an actual user whose life was ruined by an actual MS security hole. Something tangible...Now THAT would be interesting!
If Linux had an exploit that allowed someone to ssh into your box, su to root, then fsck your harddrive, and a patch wasn't released yet, would you be pissed off that bugtraq posted the code to exploit the bug?
No, and here's why; if I have working code that roots my box, I can start looking for ways to prevent it from running. Know yourself. Know your enemy. The easiest way to beat something is to study it.
Now, that isn't an option in the case of IE, but I don't run it anyway. Still, there is at least some value in being shown how to exploit a vulnerability; it proves that it is real. I could send out an email tomorrow saying "Mozilla has a huge security bug that allows arbitrary execution of malicious VBScript," but unless I show you how, most (technical) people will assume I am blowing smoke. If I put up some code that demonstrates it, though, most (technical) people will say "crap, better 1. stop using Mozilla, or 2. get to hacking out a fix."
Thomas Galvin
What new ground is broken here?
None.
The simple fact remains that Micro$oft produces products that are riddled with the most egregious of security lapses, and that Micro$oft has an unrivaled history of dragging it's feet/passing the buck, even when billg is hit over the head repeatedly with the fact that his minions have unleashed yet another f*ckup on the unsuspecting public.
So, it's possible to contrive html that, when viewed on a remote web site, reformats the local hard drive of the box IE is running on?
Are you kidding me?
billg and every single idiot who was anywhere close to being involved with this f*ckup should be sued for every last penny they have.
As for full disclosure, let 'er rip.
It's the only way Micro$oft will ever be held in the least bit accountable for their crap.
t_t_b
I'm on PJ's "enemies" list! Are you?
If you were confronted by someone who had just lost a bunch of important data because of this exploit, do you really think they'd be impressed if you said "But I was trying to make a very important point to Microsoft!".
Instead of that, you should say "By not fixing the bug, Microsoft was trying to make a very important point to you!"
Then they will at least be angry at the right entity.
It seems that what's really irresponsible is not what Bugtraq did, but running IE to begin with. It's history of security flaws and exploits along with Microsoft's foot-dragging responses make it utterly irresponsible to run such software.
That said, no one is immune from security exploits. The argument for posting it to Bugtraq seems mainly to be that this motivates the vendor to move quickly now that their customers know about the exploit and now that nefarious types have easier access to it. (Don't fool yourself into thinking the most malicious types didn't usually already acquire it by other means.)
But if what we really want to do is motivate vendors to patch things quickly, it should be the first rule of Bugtraq that no exploit is posted until the vendor is informed. Most linux security exploits are resolved within about 48 hours, while it is true that Microsoft often takes weeks or months. Given our competing interests in both informing the vendor privately and getting information to the public, we should balance these in a reasonable way. One such solution might be that Bugtraq adopt a rule that after a vendor is informed, they have 48-72 hours after which time it will be posted.
For both the responsible vendors and the free software community this approach would balance our interests in minimizing exploits while a solution is actively pursued while also acknowledging the benefits of full public disclosure.
In the case of smaller vendors than MS who might not have the resources for such a quick bug-fix, an appeal process could be instituted wherein the vendor may contact Bugtraq during the initial grace period and request an extension. Guidelines based on the resources of the vendor and the seriousness of the bug could be used to determine whether another 48-72 hours should be granted.
BWCarver
Like Digital Freedoms? Then donate to EFF before they're gone.
I'm assuming that you have no issue with Bugtraq's posting of the initial advisory from Andreas Sandblad on the 6th. Now, the code that was posted on the 14th (over a week later) that is causing all this ruckus was cut-and-pasted from a discussion going on on ZDNet forums. In other words, those that would do harm already had the code.
I'll grant you that posting it to Bugtraq probably doesn't add all that much information for the "good guys" (except that the javascript in the "format a:" version is simpler to read), but it has the added benefit of getting someone like Wired to make a big stink out of the whole affair. The publicity is important as a way of getting the bug fixed. Security bugs are viewed by Microsoft (and anyone in the consumer software industry) as PR problems - posting this to Bugtraq doesn't make the bug any worse for users of Microsoft's systems (since the kiddies already have it), but does make it much worse for Microsoft. It's much harder to spin away a bug when live, functioning exploit code is staring you in the face.
What would really worry me is if someone cracked into a high traffic sight and added this code. The havoc it would cause would be interesting. ie. slashdot or cnn.com tainted with such code.
Does anyone remember the time when Yahoo finally found that someone had edited the text on their frontpage. White on white text that could be highlighted. I don't know the details, but I knew about it long before yahoo discovered this.
It *can* happen, but now companies are definately more security cautious.
Fortunately, I use mozilla, I made the full time switch and lived with the minor bugs the day Gator mysteriously installed itself on my system while browsing with ie. (there was a previous story on the incident with that exploit).
"You should always go to other people's funerals; otherwise, they won't come to yours." -- Yogi Berra
There is only one technical defense against an exploit at the present time and that is to disable scripting in Internet Explorer, Outlook, and Outlook Express.
Crap. The simplest and most appropriate technical defense is to switch to another browser. Even Windows users have a choice of browser.
This way the vendor knows the clock is ticking, and ance you've published the puzzle and the encrypted exploit no ammount of legal manuvering can put the cat back in the bag, so to speak. Basically, it allows you to put pressure on the vendor while still being responsible and giving the vendor a month (for instance) head start. You can put decent bounds on how long it will take the fastest consumer machines to solve the puzzle. There's currently a puzzle running that's supposed to get completed shortly before the MIT Laboratory for Computer Science's 70th b-day, for instance.
Copyright Violation:"theft, piracy"::Anti-Trust Violation:"thermonuclear price terrorism"<-Overly dramatic language.
If you don't prove it, they will deny it. The ability to erase everything is the threat that all root exploits pose. It's about time the popular press understood the implications. God knows, M$ spends enough money denying the ability and on Astro turfing where people who suggest such things belong to the tin foil hat camp.
I hope this blows all the way up to and beyond CNN. I'm tired of people looking at me like I'm crosseyed when I tell them that IE is full of holes that alow others to look at your files and erase them. M$ can'nt buy the entire mass media forever.
Friends don't help friends install M$ junk.
I doubt you were trying to be funny about this. All I can tell you is this: Go find the exploit code and try it. When you're done filling your pants, go find a Mozilla based browser you like and stick with that.
Yup, it's that bad. It's getting to the point where I only use IE for intranet applications. What's the point in being the best browser when it's not safe to use?!
Please mod this post only if you think others should/n't read this. I have enough ego^H^H^Hkarma. Thanks!