Controversy Surrounds Huge IE Hole
Suchetha wrote in with a Wired News bit talking about a security hole in IE that allows malicious web pages to reformat a hard drive. The Wired article talks more about Bugtraq's handling of the whole thing, and how it essentially posted working code for the exploit. Was it irresponsible or not?
The article states that the code wasn't new, and was taken from public forums etc. So I don't really think that this is irresponsible.
Had BugTraq not posted this code, then what proof would they have to take to Micro$oft? After all, the people that want to utilize that code are going to be able to find it anyway. In my opinion this merely makes Micro$oft responsible for their product and hopefully will lead to the quicker introduction of a patch. Or, God forbid, it could entice people to use a different web browser.
Memories become legend, Legend fades to myth, and even myth is forgotten by the time that age comes again. - Robert Jordan
Until a large percentage of the public gets screwed royally by a security hole, people are not going to take notice and start auditing their code as they should.
As a side note: I am rather sick and tired of reading about the latest MS IE/OE/Outlook exploit on Bugtraq. There need to be separate versions of Bugtraq for: Cross Site Scripting Vulnerabilities (Enough already), and Non-OS related holes in MS software (We already have Bugtraq-NT).
-sirket
a.) Run Microsoft exclusively (only want to see Microsoft bugs)
b.) Run Microsoft exclusively (don't want to see Microsoft bugs)
c.) Want to find any reason to bash Microsoft... (only want to see Microsoft bugs)
d.) Don't run Microsoft at all (don't care about Microsoft bugs)
However I'd also be quite upset at my vendor for letting this happen.
That's getting down to a different point. Did the vendor know of the bug and ignore it, or was it something that wasn't considered? Even Linux has security bugs. It's naive to think that any program is 100% secure.
Good quote, too many chars. Seriously, the slashdot 120 char limit sucks!
BugTraq is a mailing list dedicated to full disclosure. Before I get modded down for being redundant, let me explain how/why this is relevant. In a list dedicated to full disclosure, it becomes up to the person who drafts the advisory to be responsible for its content. Many companies believe that vendor notification before releases is standard procedure, and yet there are others (ISS) who seem to believe that having one non-vulnerable version (bind 9) means that they can release an advisory that affects other versions that currently have no patches (bind 8, 4).
On the other hand, there are "independents" such as GOBBLES and other security goons who believe that posting the advisory with full exploit code the second they discover it is a good idea. I'm not going to disagree with that, because without such wake-up calls, many people would never update their systems, remaining vulnerable for days/months/years. It's pretty ridiculous how many people do.
It's not really up to BugTraq to decide which is the better course of action, it's up to the analysts and the community. If the community chooses to ostracize a member for using such tactics, they can do so. I'm sure that a commercial security vendor would encounter exactly that for releasing an advisory with exploit code and no vendor notification.
Though, in all fairness, most people have known about this IE exploit for months, and I can be reasonably sure that among "most people" "Microsoft" is included. Microsoft doesn't exactly have the world's best track record working with people to resolve security issues, or even releasing timely patches.
In short, BugTraq good, security good, black hats bad.
If there is a God, you are an authorized representative. - Kurt Vonnegut Jr.
Certainly, making sure someone is aware of an issue with their software should be paramount before telling others. Alas, big corporations often just don't care, which is a disgrace.
However, whilst there's something to be said for fighting such companies, I fail to see why it should be at the user's expense.
Lots of people use windows. Some like it. Some hate it. Some, like me, have very little choice in the matter - finding a job elsewhere is simply not a realistic option. Now, why should I be punished over a vendetta?
Take a look at the PHP exploits released a few months ago. You were talking total server compromise. Were there any exploits? Certainly, but you would have a damn hard time actually finding them.
Right now, alas, there's a chance that my machine will be erased, losing work that hasn't been backed up because that's what I've done in the mere last few hours.
Think of the users. Please.
This argument that because 100% security isn't possible, we should just give up on the whole idea is specious. Companies are responsible for doing their best to provide a product that's not full of holes. Their moral liability is determined by what constitutes a good-faith effort to that end. Their legal liability depends on the legal fiction you clicked "I agree" for.
My deviantArt site
People who want to do malicious things to your computer will find a way, whether or not the exact code is posted to popular web sites. Software companies have the responsibility to publish fixes to bugs, especially in a timely fashion. Microsoft tends to delay patches to their programs.
Malicious code is out there for the taking from any number of sources. It's not a case of finding and identifying malicious code anymore. It's about letting the most people know about it. If they erred it was by not spreading the word broadly enough.
"Consensus" in science is _always_ a political construct.
Since Outlook Express formats HTML code that is sent automatically, and I assume uses the same engine Explorer does, could it be possible to send a spam email that will re-format the hard drives on all IE Windows systems? Scary.
That's a very good point. It encourages a somewhat radical interpretation: that the best way to get MS off their ass is to basically actively encourage all the script kiddies to use every exploit out there as much as possible until it's fixed. Sowing the seeds of dissent is a very worthwhile endeavor.
is why on my computer, IE doesn't even have permission to get through ZoneAlarm
Technoli
Just imagine what would happen if someone combined this hack with the blackops IP techniques discussed in prev /. article... could someone effectively wipe ALL the drives and servers running windows on the net?... do you think people would come down on MS then???
I think that if this is left unpatched, then those in the hacker community almost have a responsibility to fully exploit this... just to force a patch to be released... reformatting 2^32 computer systems would get their attention, even if Congress can't.
The Code Ninja is swift with his tool, precise in his delivery, and deadly accurate in his execution.
For a minute I was worried that google searching wouldn't be safe anymore because there was a real threat of something erasing my hard drive. Then I realized, hey, it's an IE security hole, I can still run Moz in Win and wait until a fix.
The GeekNights podcast is going strong. Listen!
So if you're using a Windows box, I've got to assume one of three things is happening:
And, yes, it would be different if this were Linux, or BSD, or even MacOS. All those operating systems come with companies or communities who take security seriously, and they respect their users enough to not foist insecure features on them. You can have the reasonable expectation that running any of those OSes lets you worry about security a lot less than running a Windoze variant.
If you had a nice apartment in the middle of New York, and you constantly left the front door unlocked, and then one day somebody walked in and stole your stereo, I'd feel bad for you. But, you know, not too bad.
Do domain names matter?
Someone said MS has known about this for weeks and still there is no fix. MS should have released a fix for this immediately.
Perhaps by giving so much information, MS will get off its lazy rear. There is no excuse for MS not having a fix for this released by end of business today. Anything less is simply inexcusable.
Yes, there is a LOT of work involved here. They need to identify the problem, find a solution, implement the fix, test the fix, and then release the fix (with several iterations of implement/test). However, they really should have had people working around the clock on this starting the very minute they found out about it.
"It's irresponsible to post a working exploit prior to notifying the code maintainer"
Bah! I wonder how many exploits are known out there which have been reported to Microsoft, and the average Joe doesn't know about. I bet these exploits are known among hacker groups, still, with relative ease. I bet you would be pissed off knowing that Microsoft doesn't fix many of their security problems. That's why everyone needs to know; that way, we can pressure Microsoft into doing SOMETHING.
Security through obscurity is not.
Better a loud mass of script kiddies than a quiet Bad Guy stockpiling credit card numbers and exploring the innards of various Defense Department systems, no?
Under Mac OSX 10.1, Internet Explorer 5.1.2 runs as root or as some kind of su and has access to the entire system and basically doesn't care if you have directories that you would rather protect. Mozilla respects FS protections. Under MacOSX the Java JDK documentation is hidden away in the Frameworks/Java... directories where a non-admin user has no access. To browse these I usually make a link in my browser to the index.html file and carry on from there. I discovered that IE lets you in everywhere it can go while Moz doesn't.
Differing perspectives on security, I suppose.
Just because you can find the code "everywhere else on the web" does not mean you should share the code yourself. I find something like this akin to leaving porn magazines in your yard because the neighborhood kids will find them in the trash bin (or surfing the net - sic) anyway.
It's like "I know how to hang a person - here, let me give you a demonstration." Does sharing the code that can cause the problem allow you to protect yourself against it? Probably not; unless you are out there building tools to protect us - that's right, US, including the very experienced tech people here - against such attacks.
I don't like the idea of non-disclosure. I want to know if there is a potential that something bad could happen to me or my clients; and that I should start working on or be on the lookout for preventative measures. That's why we have vulnerability lists. In that same hand I believe that Too Much Information is not polite - to the users and the vendor. Here's how you make the gun; oh and here are some bullets. It is almost criminal in its intent - considering the mindset of many today it *is* criminal in its intent - regardless of target.
I think with the interesting people, their lives can't possibly be wrapped up into a nice little package.
In Germany Heise.de even published an exploit:
C't Browsercheck
You can test your IE and report the results to your boss.
See also:
Sandblad at Securityfocus
The exploit doesn't scare me as much as it adds more fuel to the SuperVirus theory I've been worried about for a while.
I believe that it's only a matter of time before someone creates a "SuperVirus", a virus with all previously successful exploits, and unleashes it on the world.
With the recent outbreaks of Klez, Code Red, Nimda, Kak, Sircam, and other viruses that do minor damage and proliferate fast through multiple exploits, it's only a matter of time until a script kiddie gets it into his head to combine them all and make a virus that infects everything, spreads through multiple existing holes, and does a massive amount of damage via either DDOS, format after a set time, or both.
In Soviet Russia, Trojan exploits YOU!
What if we changed the scenario a little bit. Imagine that 50% of the world is using Mozilla on Linux (or even that there is a large body of non-technical users using Open Source Software). Say that a bug was revealed that allowed a website to maliciously delete data from a user's Linux/Mozilla installation. In the Open Source world, this bug would probably be patched very quickly, probably more quickly than MS would. However, keep in mind that your average non-technical user is not going to be checking for frequent patches. When someone (who should be more responsible) releases code to exploit that hole, you have potential average users who may be losing very valuable data. Are these users getting what they deserve? The point is that no one should be helping the script kiddies screw up other people's machines. If you believe in that then you're not a productive part of the technology community.
"Symantec's actions give the impression that they are encouraging people to create and release malicious code. Given that Symantec also sells security and antivirus software, I think there is a terrible conflict of interest here."
I have to admit I wonder about this myself from time to time.
On one hand, I agree. This can be viewed as an attempt by Symantec to increase market share / profits by exploiting someone else's mistakes, and can certainly be viewed as inappropriate, a conflict of interest etc.
On the other hand, though... we have a software company with a not-so-stellar track record regarding security in their browsers and/or email clients, not to mention other avenues like operating systems. Moreover, a company that apparently refuses to learn from their mistakes, frequently brushes vulnerability reports aside as "unimportant", "insignificant", and essentially creates a market for companies like Symantec.
Business practices / exploit-with-no-patch-disclosing aside, what's wrong with Symantec developing security / antivirus software while exploring the operating system their software was made for and finding / reporting bugs?
If there was a certain home builder who notoriously installed windows (pun not intended) that could easily be opened from outside by anyone (e.g. a thief), and if I came up with a way to secure such windows (like, custom made-to-fit window bars that go perfectly with your house), why wouldn't you want me to 1) manufacture and advertise my security device, and 2) advertise the fact that the builder refuses to fix / replace the windows with a better model? Would you prefer that your home were insecure and you not know about it? Or would you rather know that there's an easy way into your home that anyone can access with a $5 tool? Wouldn't you rather be protected?
As I said, aside from the way that Symantec approached this particular problem, I don't necessarily think there's a whole lot of a conflict of interest here.
Have EVDO, will travel.
Ok, so Microsoft illegally uses their market power to drive competition out of the marketplace.
Anti-microsoft zealots post the code to take advantage of an IE security hole, allowing malicious coders to erase Microsoft from the marketplace.
Do both suck for the end user? Yes. But they're also both Microsoft's fault.
Let's face it, this is a case where it is 100% ok to blame Microsoft for having a crappy product. If Ford screwed up and made a car that anyone could unlock and start by doing something special to it, allowing the car to be easily stolen by anyone, you wouldn't blame the guy who posted how to do it on the Internet, you'd blame the Ford engineers who screwed up the design in the first place and the people who let that mistake out of the factory.
Microsoft screwed up, Microsoft customers get screwed over, Microsoft's fault.
paintball
No problem, just visit the IT department of any company near you that is using Windows for their corporate LAN.
I'm a Unix admin, but I've often worked closely with the NT admins. I know that a considerable part of their day (which for the company means: salaries) is spent on all kinds of busywork that essentially compresses to damage control.
Assorted stuff I do sometimes: Lemuria.org
Since it's free and extraordinarily easy, why not? Most distros have single click or single commandline (often both) commands to update, with all security upgrades occurring, and offering new features.
And it's that second part that makes me think people *will* be upgrading. Unlike many commercial software packages (and all of Microsoft's software), where you have to pay for the next version with the next features, it's free and automatic to upgrade and get more features. Your CD burning software suddenly supports VCDs, your KWord suddenly has mailmerge wizards, and... oh, that hole in SSH was fixed as well. People don't care about the latter, but they care about the features, and that pushes the bug fixes and security fixes along.
--
Evan
"$30 for the One True Ring. $10 each additional ring!" -- JRR "Bob" Tolkien
Why exactly does the world feel entitled to control the results of research it did not pay for, and had nothing to do with? To wit, why would I, as a security researcher (see my web page for some examples), give away for free the results of my research to Microsoft, Sun, IBM, or any other company, when doing that research cost me significant time and money? The era of software vendors getting research for free is over. Now, they get it when everyone else gets it - whenever I have the spare time and energy to explain it in small words, or whenever they pay me money to do so, whichever comes first. I think you'll see more and more small consulting companies and independent researchers moving towards this policy. We don't need the "fame" from having a one line attribution in a vendor's advisory, and we have more lucrative things to do than explain every little aspect of our research to an ungrateful and frankly hostile vendor's "security response" staff.
But this begs the question: Can MSFT be held responsible (in spite of the EULA) in a situation like this where a user "removed IE" (remember the US DOJ ruling, they have to provide the option) and didn't use Outlook or Outlook Express, if they were to get infected? I only use Mozilla for email and browsing, but it occurred to me that IE is so "entrenched" in the core Windows code that even if it's removed, do they remove the dangerous parts or just the UI? Mozilla is my default browser, yet when I click on a link from Y! Messenger, it spawns IE.
Basically, my question is this: Can Microsoft be held accountable for negligence if I removed IE and still got wiped out by this thing because they didn't remove all of IE, as per the Court's ruling (on making it an optional component)?
Wouldn't negligence in this regard supersede the EULA and make MSFT liable?
Any legal beagles out there have any insight? (IANAL)
Don't think that a small group of dedicated individuals can't change the world. It's the only thing that ever has.
I actually posted a similar question to "Ask Slashdot" about a year ago. It didn't get accepted, but basically it said the following:
[snip] This brings up the question of whether or not the benefits of disclosing the information outweigh the problems. While attackers can exploit the holes, it pushes companies to release a patch as soon as possible. Personally I'm all for disclosing the full information. But that got me thinking about another example of security disclosure. After September 11 it was impossible to escape "news reports" speculating on the next terrorist attack and their next weapon. They mentioned that smallpox would be a good weapon and went on to detail why. They said we have no cure and we're not prepared for it and basically said that if they used that against us we'd be powerless to stop it. I also saw reports on the least secure airports and how people sneak weapons through security and so on. I was angry when I saw this information being broadcast for anyone, including terrorists, to see. They could easily use this information to plan another attack. The reporters were doing the terrorists' research for them. In theory, these are the same debates. Should vulnerability information be disclosed in order to better prepare for or fix the security hole? I'd be curious what other people think. Can you support full disclosure of security holes in software, but not support full disclosure of certain national security threats, without being a hypocrite?
An example can be seen in the game EverQuest. There was an exploit that allowed characters to crash portions of the world with almost no effort. It was left in for months because it was mainly contained on one server. It had been /bugged and reported to the maintainers of the game multiple times w/o response.
Finally, a player from the server became fed up and posted exactly how to exploit it on multiple message boards where it would be widely seen. Within days it was being used on ALL servers with regularity. It was patched in the next patch less than a week later.
Companies deal with jobs related to their importance, which is not only the severity but the population affected (if anyone has watched Fight Club, when he's speaking about his job you get the idea). By spreading the knowledge the importance is increased. And Bugtraq is the best place to spread it, as it will get out to as many people responsible for security as possible.
I do security
Does this not sound pretty absurd? That's like saying, "the police in my town are lazy and aren't cracking down on crime. That's why we need to start committing crimes left and right and encouraging others to do the same until the cops are motivated enough."
Ummm, you do realize that in the meantime, you are committing crimes and screwing up innocent people's lives right? You do realize that it isn't the laziness of MS that *actually* does harm, but the fact that it allows malicious people to do bad things? Doing the malicious thing itself or helping people directly to do that is a heck of a lot worse than anything MS might be doing.
If you want to make an apple pie from scratch, you must first create the universe. -- Carl Sagan
The Wired article talks more about Bugtraq's handling of the whole thing, and how it essentially posted working code for the exploit. Was it irresponsible or not?
What's irresponsible is living in a fantasy world and thinking that Bugtraq are the only ones capable of exploiting a bug like that. Just because you don't talk about it and shh shh it doesn't make the bug disappear and unexploitable. Shit man just like any exploit someone is gonna write code to exploit it if it's in their interest or for fun or just because they are pure evil. With something like this; shit as soon as the exploit was posted I'm sure there were people writing code to exploit the shit.
Yeah, Internet Exploiter is just so awful that it can justify deleting millions of people's hard drives causing thousands of hours of downtime. Nice. I love Slashdot with its, "ohh, it's M$, it's just so awful, oh noo!!" attitude. It's a solid browser that rarely gives me any problems. It's patched fairly regularly, so what's the problem?
Wake up you retard.
Already awake; using Mozilla exclusively.
MS-addicted office drones and the like don't take security seriously enough. Everyone (except maybe you) knows this. This is why those pathetic worms spread as quickly as shit through a goose, week after week.
If one million people all got wiped out by one exploit, it would forever change the world's perspective about MS products. Certainly, all the people who have been warned for years would suddenly take the concept of switching from Outlook / IE much more seriously.
Mass mailing worms are too easy to clean out with AV software. Everyone thinks that they are a minor issue at best.... Completely wiping a hard drive.
That is something utterly different.
It would be the ultimate wake up call. It would make a difference. Think about it; what if someone planted this on every link at the front page of CNN.com?
Use your imagination.
True. This URL was the first mentioned on Bugtraq when this exploit was announced.
http://wwx.dino-soft.org/auto.html
(scrambled for your protection, as always: change wwx to www)
I tried it on two Windows 2000 machines.
One is patched up to date, the other is somewhat out of date. Both have SP3, though.
Results: The exploit failed on both machines.
When clicking on the link, four things pop up, each popping up on top of the previous:
So, I don't know the exact conditions that are needed to trigger this bug, but machines are not 100% vulnerable at this point.
Dr. Demento On The 'Net!
I agree with you, but I also think they should link users to free programs to help them get started protecting their machines. Instead of just pointing out the flaw in their systems, tell them a handful of programs they could use and the cost of purchase for such programs. It would at least make the article seem helpful instead of just revealing the security flaw.
When all else fails, piss on it. At least you will feel better in some kind of way.
No more clogging of the Apache error logs looking for default.ida, default.ida will now exist with a javascript. Of course I'm not mean enough to delete their harddrive but they might wonder why they left open a command window saying their computer is infected with Code Red.
I fail to see how this is controversial in the least. It is just another bug found in a piece of software full of bugs. The guy reporting it gave Microsoft a full month before he went public, that should have been more than enough time to build a patch.
As for the exploit itself, what's wrong with the code he wrote? If it scares the PHBs into actually demanding a more secure IE from MS then all the better.
In fact, there were a few machines for which we did not have root password and we used the exploit to patch the machine (closing the hole behind us).
Having a very visible exploit definitely helps NOT only the vendor, but the reluctant administrator!
Quality only comes through the finding (exploiting) of bugs. Covering up problems is not the answer. Ignoring problems for which there are no known exploits is also not the answer.
Well, here goes 2 mod points I spent on this thread...
We've tested this on 4 boxes here. I actually took another variant of this script (the one that wrote a file to your C:\ folder and opened minesweeper) and modified it to run CHKDSK, and put it on my work webserver. The results:
My desktop XP w/ IE6: blammo. It's exactly as they say it is. Brown trousers time.
Co-worker's Win2k w/ IE6: no effect. Much as you describe above.
WinNT box with IE5.5: blammo. More brown trousers time.
Win98 box with IE5.5: no effect.
While it doesn't seem to work on 100% of machines (Win##'s are immune?) it does seem to work on others.
The script is just 30 lines long, and that's including spacing and comments. Even if MS came out with a quick patch, the amount of damage you could do to 50% of the PC/IE systems out there could be pretty staggering.
Let's hope nobody hacks CNN and replaces their frontpage tonight.