Slashdot Mirror


Controversy Surrounds Huge IE Hole

Suchetha wrote in with a Wired News bit talking about security hole in IE that allows malicious web pages to reformat a hard drive. The Wired talks more about bugtrack's handling of the whole thing, and how it essentially posted working code for the exploit. Was it irresponsible or not?

16 of 740 comments

  1. It's not new anyway by Anonymous Coward · Score: 4, Interesting

    The article states that the code wasn't new, and was taken from public forums etc. So I don't really think that this is irresponsible.

  2. Re:Of course it was irresponsible by sirket · Score: 4, Interesting

    Until a large percentage of the public gets screwed royally by a security hole, people are not going to take notice and start auditing their code as they should.

    As a side note: I am rather sick and tired of reading about the latest MS IE/OE/Outlook exploit on Bugtraq. There need to be separate versions of Bugtraq for: Cross Site Scripting Vulnerabilities (Enough already), and Non-OS related holes in MS software (We already have Bugtraq-NT).

    -sirket

  3. Proposition, new topic: Windows Bugs by pheph · Score: 5, Interesting
    Wouldn't it be great to separate Microsoft Bugs from, well, the rest of them? I'm sure some people, especially those on slashdot, would choose to see the "Microsoft Bugs" topic on the front page based on whether they:

    a.) Run Microsoft exclusively (only want to see Microsoft bugs)
    b.) Run Microsoft exclusively (don't want to see Microsoft bugs)
    c.) Want to find any reason to bash Microsoft... (only want to see Microsoft bugs)
    d.) Don't run Microsoft at all (don't care about Microsoft bugs)

  4. Bugtraq, not bugtrack, and other quibbling. by signine · Score: 5, Interesting

    BugTraq is a mailing list dedicated to full disclosure. Before I get modded down for being redundant, let me explain how/why this is relevant. In a list dedicated to full disclosure, it becomes up to the person who drafts the advisory to be responsible for its content. Many companies believe that vendor notification before releases is standard procedure, and yet there are others (ISS) who seem to believe that having one non-vulnerable version (bind 9) means that they can release an advisory that affects other versions that currently have no patches (bind 8, 4).

    On the other hand, there are "independents" such as GOBBLES and other security goons who believe that posting the advisory with full exploit code the second they discover it is a good idea. I'm not going to disagree with that, because without such wake-up calls, many people would never update their systems, remaining vulnerable for days/months/years. It's pretty ridiculous how many people do.

    It's not really up to BugTraq to decide which is the better course of action, it's up to the analysts and the community. If the community chooses to ostracize a member for using such tactics, they can do so. I'm sure that a commercial security vendor would encounter exactly that for releasing an advisory with exploit code and no vendor notification.

    Though, in all fairness, most people have known about this IE exploit for months, and I can be reasonably sure that among "most people" "Microsoft" is included. Microsoft doesn't exactly have the world's best track record working with people to resolve security issues, or even releasing timely patches.

    In short, BugTraq good, security good, black hats bad.

    --
    If there is a God, you are an authorized representative. - Kurt Vonnegut Jr.
  5. Re:Of course it was irresponsible by Myco · Score: 4, Interesting

    That's a very good point. It encourages a somewhat radical interpretation: that the best way to get MS off their ass is to basically actively encourage all the script kiddies to use every exploit out there as much as possible until it's fixed. Sowing the seeds of dissent is a very worthwhile endeavor.

  6. I can't feel bad for Windows users. by fhwang · Score: 4, Interesting
    There's a point past which you have to stop feeling bad for people who make certain decisions. Microsoft has a well-established history of being terrible with security, of treating it as a P.R. problem that can be fixed with lies as opposed to an engineering problem that can be fixed with quality programming. This is not an obscure fact known only to Linux kernel hackers. This is the news we're getting now on CNN and other mainstream news sources.

    So if you're using a Windows box, I've got to assume one of three things is happening:

    1. You're ready to have a hair-trigger response to the constant stream of security patches and updates you'll need to use. You probably have up-to-date virus protection software, and you probably work in an office with really paranoid, on-the-ball IT staff.
    2. For whatever reason, you don't care that your files could get mangled, erased, and resent: Maybe nothing's that critical, maybe you're just playing around, maybe you make constant backups.
    3. You're completely irresponsible.

    And, yes, it would be different if this were Linux, or BSD, or even MacOS. All those operating systems come with companies or communities who take security seriously, and they respect their users enough to not foist insecure features on them. You can have the reasonable expectation that running any of those OSes lets you worry about security a lot less than running a Windoze variant.

    If you had a nice apartment in the middle of New York, and you constantly left the front door unlocked, and then one day somebody walked in and stole your stereo, I'd feel bad for you. But, you know, not too bad.

  7. OT but relevant by theolein · Score: 4, Interesting

    Under Mac OSX 10.1, Internet Explorer 5.1.2 runs as root or as some kind of su and has access to the entire system and basically doesn't care if you have directories that you would rather protect. Mozilla respects FS protections. Under MacOSX the Java JDK documentation is hidden away in the Frameworks/Java... directories where a non admin user has no access. To browse these I usually make a link in my browser to the index.html file and carry on from there. I discovered that IE lets you in everywhere it can go while Moz doesn't.

    Differing perspectives on security, I suppose.

  8. SuperVirus by Deathlizard · Score: 4, Interesting

    The exploit doesn't scare me as much as it adds more fuel to the SuperVirus theory I've been worried about for a while.

    I believe that it's only a matter of time before someone creates a "SuperVirus", a virus with all previously successful exploits, and unleashes it on the world.

    With the recent outbreaks of klez, code red, nimda, kak, sircam, and other viruses that do minor damage and proliferate fast through multiple exploits, it's only a matter of time until a script kiddie gets it into his head to combine them all and make a virus that infects everything, spreads through multiple existing holes, and does a massive amount of damage via either DDOS, format after a set time, or both.

  9. Re:Of course it was irresponsible by timothy_m_smith · Score: 5, Interesting

    What if we changed the scenario a little bit. Imagine that 50% of the world is using Mozilla on Linux (or even that there is a large body of non-technical users using Open Source Software). Say that a bug was revealed that allowed a website to maliciously delete data from a user's Linux/Mozilla installation. In the Open Source world, this bug would probably be patched very quickly, probably more quickly than MS would. However, keep in mind that your average non-technical user is not going to be checking for frequent patches. When someone (who should be more responsible) releases code to exploit that hole, you have potential average users who may be losing very valuable data. Are these users getting what they deserve? The point is that no one should be helping the script kiddies screw up other people's machines. If you believe in that then you're not a productive part of the technology community.

  10. Re:Irresponsible? by Sherloqq · Score: 4, Interesting

    "Symantec's actions give the impression that they are encouraging people to create and release malicious code. Given that Symantec also sells security and antivirus software, I think there is a terrible conflict of interest here."

    I have to admit I wonder about this myself from time to time.


    On one hand, I agree. This can be viewed as an attempt by Symantec to increase market share / profits by exploiting someone else's mistakes, and can certainly be viewed as inappropriate, a conflict of interest etc.

    On the other hand, though... we have a software company with a not-so-stellar track record regarding security in their browsers and/or email clients, not to mention other avenues like operating systems. Moreover, a company that apparently refuses to learn from their mistakes, frequently brushes vulnerability reports aside as "unimportant", "insignificant", and essentially creates a market for companies like Symantec.

    Business practices / exploit-with-no-patch-disclosing aside, what's wrong with Symantec developing security / antivirus software while exploring the operating system their software was made for and finding / reporting bugs?

    If there was a certain home builder who notoriously installed windows (pun not intended) that could easily be opened from outside by anyone (e.g. a thief), and if I came up with a way to secure such windows (like, custom made-to-fit window bars that go perfectly with your house), why wouldn't you want me to 1) manufacture and advertise my security device, and 2) advertise the fact that the builder refuses to fix / replace the windows with a better model? Would you prefer that your home were insecure and you not know about it? Or would you rather know that there's an easy way into your home that anyone can access with a $5 tool? Wouldn't you rather be protected?

    As I said, aside from the way that Symantec approached this particular problem, I don't necessarily think there's a whole lot of a conflict of interest here.

    --
    Have EVDO, will travel.
  11. Re:Of course it was irresponsible by JabberWokky · Score: 5, Interesting
    keep in mind that your average non-technical user is not going to be checking for frequent patches.

    Since it's free and extraordinarily easy, why not? Most distros have single click or single commandline (often both) commands to update, with all security upgrades occurring, and offering new features.

    And it's that second part that makes me think people *will* be upgrading. Unlike many commercial software packages (and all of Microsoft's software), where you have to pay for the next version with the next features, it's free and automatic to upgrade and get more features. Your CD burning software suddenly supports VCDs, your KWord suddenly has mailmerge wizards, and... oh, that hole in SSH was fixed as well. People don't care about the latter, but they care about the features, and that pushes the bug fixes and security fixes along.

    --
    Evan

    --
    "$30 for the One True Ring. $10 each additional ring!" -- JRR "Bob" Tolkien
  12. Re:Of course it was irresponsible by bergeron76 · Score: 5, Interesting

    But this begs the question: Can MSFT be held responsible (in spite of the EULA) in a situation like this where a user "removed IE" (remember the US DOJ ruling, they have to provide the option) and didn't use Outlook or Outlook Express, if they were to get infected? I only use Mozilla for email and browsing, but it occurred to me that IE is so "entrenched" in the core Windows code that even if it's removed, do they remove the dangerous parts or just the UI? Mozilla is my default browser, yet when I click on a link from Y! messenger, it spawns IE.

    Basically, my question is this: Can Microsoft be held accountable for negligence if I removed IE and still got wiped out by this thing because they didn't remove all of IE, as per the Court's ruling (on making it an optional component)?

    Wouldn't negligence in this regard supersede the EULA and make MSFT liable?

    Any legal beagles out there have any insight? (IANAL)

    --
    Don't think that a small group of dedicated individuals can't change the world. It's the only thing that ever has.
  13. What about this? Same debate - different situation by e1en0r · Score: 4, Interesting

    I actually posted a similar question to "Ask Slashdot" about a year ago. It didn't get accepted, but basically it said the following:

    [snip] This brings up the question of whether or not the benefits of disclosing the information outweigh the problems. While attackers can exploit the holes, it pushes companies to release a patch as soon as possible. Personally I'm all for disclosing the full information. But that got me thinking about another example of security disclosure. After September 11 it was impossible to escape "news reports" speculating on the next terrorist attack and their next weapon. They mentioned that smallpox would be a good weapon and went on to detail why. They said we have no cure and we're not prepared for it and basically said that if they used that against us we'd be powerless to stop it. I also saw reports on the least secure airports and how people sneak weapons through security and so on. I was angry when I saw this information being broadcast for anyone, including terrorists, to see. They could easily use this information to plan another attack. The reporters were doing the terrorists' research for them. In theory, these are the same debates. Should vulnerability information be disclosed in order to better prepare for or fix the security hole? I'd be curious what other people think. Can you support full disclosure of security holes in software, but not support full disclosure of certain national security threats, without being a hypocrite?

  14. If it's already in the wild... by Gyorg_Lavode · Score: 4, Interesting
    If a vulnerability/exploit combination is already in the wild, making it more common is not inappropriate if the maintainer of the source has been contacted. In many cases it expedites the fix, which is important when there are no feasible workarounds.

    An example can be seen in the game everquest. There was an exploit that allowed characters to crash portions of the world with almost no effort. It was left in for months because it was mainly contained on one server. It had been /bugged and reported to the maintainers of the game multiple times w/o response.

    Finally, a player from the server became fed up and posted exactly how to exploit it on multiple message boards where it would be widely seen. Within days it was being used on ALL servers with regularity. It was patched in the next patch less than a week later.

    Companies deal with jobs related to their importance, which is not only the severity but the population affected (if anyone has watched Fight Club when he's speaking about his job you get the idea). By spreading the knowledge the importance is increased. And Bugtraq is the best place to spread it, as it will get out to as many people responsible for security as possible.

    --
    I do security
  15. Re:Of course it was irresponsible by Dephex+Twin · Score: 4, Interesting

    Does this not sound pretty absurd? That's like saying, "the police in my town are lazy and aren't cracking down on crime. That's why we need to start committing crimes left and right and encouraging others to do the same until the cops are motivated enough."

    Ummm, you do realize that in the meantime, you are committing crimes and screwing up innocent people's lives right? You do realize that it isn't the laziness of MS that *actually* does harm, but the fact that it allows malicious people to do bad things? Doing the malicious thing itself or helping people directly to do that is a heck of a lot worse than anything MS might be doing.

    --

    If you want to make an apple pie from scratch, you must first create the universe. -- Carl Sagan
  16. Was it responsible by I_redwolf · Score: 4, Interesting

    The Wired talks more about bugtrack's handling of the whole thing, and how it essentially posted working code for the exploit. Was it irresponsible or not?

    What's irresponsible is living in a fantasy world and thinking that Bugtraq are the only ones capable of exploiting a bug like that. Just because you don't talk about it and shh shh it doesn't make the bug disappear and unexploitable. Shit man just like any exploit someone is gonna write code to exploit it if it's in their interest or for fun or just because they are pure evil. With something like this; shit as soon as the exploit was posted I'm sure there were people writing code to exploit the shit.