Controversy Surrounds Huge IE Hole
Suchetha wrote in with a Wired News bit talking about a security hole in IE that allows malicious web pages to reformat a hard drive. The Wired talks more about bugtrack's handling of the whole thing, and how it essentially posted working code for the exploit. Was it irresponsible or not?
If they cared about preserving security for users, or getting the defect fixed, they'd have given the working code exclusively to the defect owner. Posting working malicious code to the general population serves NO BENEFIT to anyone other than those with malicious intentions. You can properly describe 99.99% of bugs without giving people the tools to take advantage of it.
The Wired talks more about bugtrack's handling of the whole thing, and how it essentially posted working code for the exploit. Was it irresponsible or not?
Easy question to answer.
If Linux had an exploit that allowed someone to ssh into your box, su to root, then fsck your hard drive, and a patch wasn't released yet, would you be pissed off that bugtraq posted the code to exploit the bug?
Don't say "it'll never happen," cause anything is possible.
Good quote, too many chars. Seriously, the slashdot 120 char limit sucks!
that's freakin' craziness... hmmm, where's that mozilla download site again...
The Wired talks more about bugtrack's handling of the whole thing...
Dude; since when did Lain start writing technical articles?
It might be my sadistic side, but I prefer for working exploits to be posted by the security sites... It gives you a way of checking to see if you are vulnerable.
In the case of M$ bugs, it also puts more pressure on the company to come up with a fix for the problem quickly.
The article states that the code wasn't new, and was taken from public forums etc. So I don't really think that this is irresponsible..
Thanks for not posting a link to that page.
http://dtum.livejournal.com
What may be MORE irresponsible is /. posting a link to Wired posting a link to the exploit for all the l33t script kiddies here.
No, wait... there's no script kiddies here. Only hax0rz with K-rad XP boxen.
-- El Sacarino tiene gusto de la chocha
I cannot help but notice that in almost all cases, the security problems in both IE and Mozilla have been in the realm of active content - Javascript, Flash, and ActiveX.
Hence why I as a matter of course disable them.
How about encouraging webmasters and web designers to avoid requiring them unless absolutely necessary?
www.eFax.com are spammers
Ok, so they acknowledge that microsoft has known about the problem since November. But the messenger is still the one that should be shot. And not microsoft since they are "investigating the issue".
...
The article is just stupid
http://www.onid.orst.edu/~boyechky/open.html
I would rather have my hard drive formatted. -S
We Apprentice Developers and Designers
Had BugTraq not posted this code then what proof would they have to take to Micro$oft. After all, the people that want to utilize that code are going to be able to find it anyway. In my opinion this merely makes Micro$oft responsible for their product and hopefully will lead to the quicker introduction of a patch. Or, God forbid, it could entice people to use a different web browser.
Memories become legend, Legend fades to myth, and even myth is forgotten by the time that age comes again.-Robert Jordan
Those who think, "We should give MS a couple months to find an appropriate patch" are sadly misguided. Do you think a script kiddie or hacker is going to wait? Do you think they're going to say "Oh, I shouldn't do this because microsoft is a big company." Wake up people, the only way a company is going to put their top programmers on the job to fix the bug is when the threat moves from "possible" to "real". As much as I wish companies took exploits more seriously, the reality is they don't until it is perceived as a "real immediate threat."
I think BugTraq was irresponsible posting working code for the exploit, but I also think the point is academic.
After all, if some script-kiddie wanted to exploit this, they'd just find the working code somewhere else.
I'm too lazy to think of anything to put here.
"The new information enabled me to add to some rudimentary precautions I'd taken previously based on earlier information," said Gary Flynn, a security engineer at James Madison University. "But, of course, it also made it easier for others to take advantage of the situation."
That's very nice for the well informed, but unfortunately,
{people who take rudimentary precautions} is tons smaller than {people who have no idea, and who might get hacked}
I don't see how having the code broadcast to the entire world so that people could make very basic (but non-default) IE settings changes was worth the trade-off of having all the people who don't know enough to take these precautions (read everybody who doesn't follow bug or exploit lists) potentially get hacked.
Posting as Anon since I don't need the Karma: http://www.jmu.edu/computing/info-security/engineering/issues/ie.shtml#opt
----------
Serious Internet Explorer Defect
This is a developing issue and the information presented here is preliminary in nature and subject to frequent changes. Last significant update - 11/08/02-1830
SUMMARY
A simple way to exploit an unfixed defect in Internet Explorer has been discovered that allows malicious web sites, and possibly malicious email messages read with Outlook or Outlook Express, to take control of a computer. All you would need to do is click a web link and the owner of the web site could take almost any action they desired on your computer.
Simple, working exploit software was recently published to a public mailing list.
There is no patch to fix the problem. Anti-virus and personal firewall software will not prevent an exploit. It is hoped that Microsoft will provide a patch to fix this defect in the near future.
It is impossible to predict how, when, or even if someone will take advantage of this but due to the ease with which bad things can be accomplished it was decided to post an announcement. Nothing at all may happen. Or someone could write a virus or put up a malicious web site to take advantage of the situation at any time. The last time a defect exploit with similar characteristics was published, it was quickly incorporated into many email viruses making it unnecessary to click an attachment to get infected.
The following practices are recommended for users of Internet Explorer, Outlook, and Outlook Express until more information becomes available:
1. Users of Outlook and Outlook Express should perform the following simple, unobtrusive procedure to disable scripts from executing in email messages:
Click the Tools menu item and select Options
Click the Security tab
In Outlook Express, make sure the Virus Protection security zone is set to Restricted site zone as shown in the window below:
In Outlook, make sure the Secure Content Zone is set to Restricted Sites as shown in the window below:
These are the default settings for Outlook 2002 and Outlook Express 6. Users of earlier versions should change the setting to Restricted.
2. Indiscriminate browsing of untrusted or questionable web sites should be avoided or scripting should be disabled as described in the additional security measures below. Note that hyper links sometimes appear in email or instant messages. If these messages are from malicious individuals, they could lead you to a malicious web site.
3. Indiscriminate clicking of hyper links in unexpected or suspect email messages, instant messages, and peer sharing resources should be avoided or scripting should be disabled in Internet Explorer as described in the additional security measures below.
ADDITIONAL SECURITY MEASURES AND INFORMATION
There is only one technical defense against an exploit at the present time and that is to disable scripting in Internet Explorer, Outlook, and Outlook Express. Instructions for disabling scripting in the mail clients were included in the recommendations above and should have little or no effect on day to day use.
Unfortunately, disabling scripting in Internet Explorer will adversely affect the operation of many web sites including E-campus and the Windows Update Site. There is, however, a way to specify trusted web sites that are allowed to use scripting and disable it for all others. Users desiring to decrease risk may follow the instructions at the following web site under the section titled "Optional Internet Explorer Security Measures":
http://www.jmu.edu/computing/info-security/engineering/issues/ie.shtml#opt
Risk associated with this exploit and most others can be somewhat reduced by using a non-Administrative Windows account when browsing the web, reading email, and other day to day computer use.
The defect has been verified in Internet Explorer 5.5 and 6 SP1 running on Windows 98 and XP SP1 respectively. It is likely all varieties of 5.5 and 6 are vulnerable. A quick attempt on a Windows 95 computer running IE 5.0 was unsuccessful but not enough research was done to know why.
A possible symptom of an exploit is a Window similar to the one below suddenly appearing on your screen after clicking a hyperlink or opening an email message. The exact appearance of the Window may vary depending upon the version of Internet Explorer and operating system. Note that this window will appear if you click Help and under that circumstance the window appearance is not an indication of an exploit. If you are affiliated with James Madison University and see this window unexpectedly appear after clicking a web hyperlink or reading an email message, please contact Gary Flynn at x82364 ASAP. People affiliated with James Madison University can find my home number in the local directory and are encouraged to call me at home if such an event takes place after normal working hours.
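One way to apply the quoted advisory's "disable scripting everywhere except trusted sites" measure from a script rather than by clicking through Internet Options, as an added example that is not part of the advisory or of the post above. It assumes the standard per-user IE security-zone registry layout (zone 2 is Trusted sites, zone 3 is Internet, action 1400 is "Active scripting" with 0 = enable, 1 = prompt, 3 = disable) and the ZoneMap\Domains convention of one subkey per registered domain with a host-label subkey beneath it; the trusted-site names are placeholders to replace with your own list. The Outlook and Outlook Express zone setting from step 1 of the advisory is not covered here and is still done through the mail client's Options dialog.

```powershell
# Added example (not the JMU advisory's own procedure): restrict active scripting to
# the Trusted sites zone by editing the per-user IE zone keys under HKCU.
# Zone numbers: 1 = Local intranet, 2 = Trusted sites, 3 = Internet, 4 = Restricted sites.
# Action 1400 = "Active scripting"; data 0 = enable, 1 = prompt, 3 = disable.
# Run as the user whose browser is being configured.

$zones   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$domains = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'

# Sites that need scripting to keep working. Placeholders for this example; the advisory
# names the Windows Update site and the campus portal as the kind of site that belongs here.
$trustedHosts = @('windowsupdate.microsoft.com', 'ecampus.example.edu')

function Set-ZoneScripting {
    # Write the Active scripting (1400) action for one zone.
    param([int]$Zone, [int]$Setting)
    $key = Join-Path $zones $Zone
    Set-ItemProperty -Path $key -Name '1400' -Value $Setting -Type DWord
}

function Add-TrustedSite {
    # Place a host in the Trusted sites zone (2) for both http and https.
    # Layout assumed: Domains\<registered domain>\<remaining labels>, e.g.
    # Domains\microsoft.com\windowsupdate, with a DWORD per scheme holding the zone number.
    param([string]$HostName)
    $labels = $HostName.Split('.')
    $parent = ($labels[-2], $labels[-1]) -join '.'
    $key = Join-Path $domains $parent
    if ($labels.Count -gt 2) {
        $key = Join-Path $key (($labels[0..($labels.Count - 3)]) -join '.')
    }
    New-Item -Path $key -Force | Out-Null
    foreach ($scheme in 'http', 'https') {
        Set-ItemProperty -Path $key -Name $scheme -Value 2 -Type DWord
    }
}

# 1. Internet zone: disable active scripting, the only technical defence the advisory names.
Set-ZoneScripting -Zone 3 -Setting 3
# 2. Restricted sites (zone 4) disables scripting by default; leave it as it is.
# 3. Trusted sites keep scripting enabled, so move the sites that need it into that zone.
foreach ($h in $trustedHosts) { Add-TrustedSite -HostName $h }

# Show the result so the change can be checked against the Internet Options dialog.
Get-ItemProperty -Path (Join-Path $zones 3) -Name '1400'
Get-ChildItem -Path $domains -Recurse | Get-ItemProperty | Format-List
```

The Internet zone change takes effect for newly opened browser windows; an open window should be closed and reopened before testing. Because the keys are per user, the setting protects only the account it was applied to, which fits the advisory's separate recommendation to browse from a non-Administrative account.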
is insecure.
Only people who need that information should be allowed to it. That's why only something like bugzilla really works well with a product that is likely to be subject to exploits - only the people who are developers of the relevant piece of code are admitted into the security exploits section.
If that kind of info is posted openly on the web, I fail to see the difference between that and stupid pages that always post activex exploits thinking they're cool hax0rs. Cool hax0rs don't post exploits, they fix them.
Join the elite! Post at score:2! Ghostwheel is online.
The information was already out there.
Would you rather let the "bad guys" have it and not know about it?
The argument against supressing such information just never holds up, because it is the public dissemination of such information that cajoles companies such as Microsoft to publish security fixes.
Even so, Microsoft is still too slow to address security flaws and does an exceedingly poor job of communicating them to the public.
If I don't know what the malicious code is, how am I supposed to avoid it?
Informed security is way better than uninformed security.
Anyone who wants to use this exploit will find out how. The exploit-users already know how to use it and will tell their friends, so we may as well know also.
$8.95/mo web hosting
"Since November"? Today is November 19. The statement "since November" does not give any information, except that MS was informed at most 18 days ago.
a.) Run Microsoft exclusively (only want to see Microsoft bugs)
b.) Run Microsoft exclusively (don't want to see Microsoft bugs)
c.) Want to find any reason to bash Microsoft... (only want to see Microsoft bugs)
d.) Don't run Microsoft at all (don't care about Microsoft bugs)
I know some people will probably moderate me down for this, but I don't care.
Like the title says: I am not surprised. Microsoft probably has the poorest security track record of any software publisher out there.
Maybe Bugtraq has not been very serious in its handling of this security hole, but, honestly, using Microsoft operating systems or applications without a ton of additional security software (antivirus, firewalls, etc) is asking for trouble.
In my opinion, Bugtraq is not responsible: Microsoft is. If you use Microsoft products, do as I do: do not use IE (I use Opera or Mozilla), do not allow any application to have access to the Internet without authorization (I use Zone Alarm), do not use Outlook for email (I use Pegasus Mail) and install and update an antivirus program religiously (I actually use two).
Two, out of my 4 personal machines at my home, use either Linux or OpenBSD. One is a Windows 98 machine. The last is being rebuilt and will become a NetBSD workstation. And there is a reason for it: Microsoft security (or rather lack of).
Now, flame all you want. =)
The right to offend is far more important than the right not to be offended. (Rowan Atkinson)
Too many companies (software vendors, security consultants) are financially vested in how bad the security blackeye looks in the marketplace and it colors their policies regarding security notification.
As far as I'm concerned, the interests of the software users should be the primary concern.
"Provided by the management for your protection."
BugTraq is a mailing list dedicated to full disclosure. Before I get modded down for being redundant, let me explain how/why this is relevant. In a list dedicated to full disclosure, it becomes up to the person who drafts the advisory to be responsible for its content. Many companies believe that vendor notification before releases is standard procedure, and yet there are others (ISS) who seem to believe that having one non-vulnerable version (bind 9) means that they can release an advisory that affects other versions that currently have no patches (bind 8, 4).
On the other hand, there are "independents" such as GOBBLES and other security goons who believe that posting the advisory with full exploit code the second they discover it is a good idea. I'm not going to disagree with that, because without such wake-up calls, many people would never update their systems, remaining vulnerable for days/months/years. It's pretty ridiculous how many people do.
It's not really up to BugTraq to decide which is the better course of action, it's up to the analysts and the community. If the community chooses to ostracize a member for using such tactics, they can do so. I'm sure that a commercial security vendor would encounter exactly that for releasing an advisory with exploit code and no vendor notification.
Though, in all fairness, most people have known about this IE exploit for months, and I can be reasonably sure that among "most people" "Microsoft" is included. Microsoft doesn't exactly have the worlds best track record working with people to resolve security issues, or even releasing timely patches.
In short, BugTraq good, security good, black hats bad.
If there is a God, you are an authorized representative. - Kurt Vonnegut Jr.
Certainly, making sure someone is aware of an issue with their software should be paramount before telling others. Alas, big corporations often just don't care, which is a disgrace.
However, whilst there's something to be said for fighting such companies, I fail to see why it should be at the user's expense.
Lots of people use windows. Some like it. Some hate it. Some, like me, have very little choice in the matter - finding a job elsewhere is simply not a realistic option. Now, why should I be punished over a vendetta?
Take a look at the PHP exploits released a few months ago. You were talking total server compromise. Were there any exploits? Certainly, but you would have a damn hard time actually finding them.
Right now, alas, there's a chance that my machine will be erased, losing work that hasn't been backed up because that's what I've done in the mere last few hours.
Think of the users. Please.
Basically this is the same as another exploit posted to the list earlier, but with a new command. And for that matter, jelmer has been posting a new IE local zone exploit like every week... Any of them could have been used to make something like this, it's just no one has tried to do a format. True the jelmer posts didn't include the "run a program with arguments" thing that was posted this week, but they did show how to read/write arbitrary files and execute them. So batch file somewhere and here comes a HD format.
So the only reason we haven't seen this I think is because like always, virus creators want their program to spread, and the quickest way to stop the spread is to kill your host, so instead we get mass mailers, trojans, etc. It was going to happen eventually.
Free Online Woodworking Resources Directory
Maybe now they'll stop A. forcing us to use IE and B. giving us Root XP userIDs. I keep kvetching about this but maybe a major hole like this will get their attention. . .
You are not the customer.
I don't think it was irresponsible for the bug to be posted and described in the manner it was. The more clues you give out, the more likely someone will figure it out, and exploit it. It's not like they were writing a proggy for the scriptkiddies.
Better to be out with the whole thing, and put pressure on MicroSoft to fix it, than to be cryptic about it.
Another day, another mack-truck sized hole in an MS product. People sound surprised by this... =P
Julie Moult is an idiot.
...you are the one irresponsible.
"If you have done 6 impossible things this morning, why not round it off with breakfast at Milliways" -- hhgg
people who want to do malicious things to your computer will find a way, whether or not the exact code is posted to popular web sites. Software companies have the responsibility to publish fixes to bugs, especially in a timely fashion. Microsoft tends to delay patches to their programs.
Now all we need is a way to embed an ISO image of a Linux system into the web page and use the same exploit to install an alternative operating system. Just think of the banner ads! "Click here to Install Linux!" and "Get That Windows Monkey Off Your Back! Hit the Monkey to Try!" and "Eliminate Windows Instabilities Forever. Click Now!". Then it won't be malicious. It'll be setting all those people FREE!
Curmudgeon Gamer: Not happy
Malicious code is out there for the taking from any number of sources. It's not a case of finding and identifying malicious code anymore. It's about letting the most people know about it. If they erred it was by not spreading the word broadly enough.
"Consensus" in science is _always_ a political construct.
Since outlook express formats html code that is sent automatically, and I assume uses the same engine explorer does, could it be possible to send a spam email that will re-format the hard drives on all IE windows systems? scary.
is why on my computer, IE doesn't even have permission to get through ZoneAlarm
Technoli
Just imagine what would happen if someone combined this hack with the blackops IP techniques discussed in prev /. article... could someone effectively wipe ALL the drives and servers running windows on the net?... do you think people would come down on MS then???
I think, that if this is left unpatched, then those in the hacker community almost have a responsibility to fully exploit this... just to force a patch to be released... reformatting 2^32 computer systems would get their attention, even if congress can't.
The Code Ninja is swift with his tool, precise in his delivery, and deadly accurate in his execution.
They need to hire on Britney. "Oops, I Did It Again"
seems like the fun just never stops in MS land.
I just tried using the exploit code on my Mac OS X box running Internet Explorer and it didn't work. My hard disk was not formatted. I am disappointed. Why is Microsoft treating Mac users different than Windows users? It's not often that Mac OS X users get to use those nice 'Recovery CDs' that get shipped with Macs. We pay top dollar for our computers, we might as well get to use everything that comes with them. Thanks a lot Microsoft! Just for leaving me out, I'm switching to Mozilla where all the security problems and bugs are cross platform!
Strange women lying in ponds distributing swords is no basis for a system of government.
From the article:
"To disclose or not disclose -- it's a question that's been under heavy discussion in the computer security industry over the past year."
I think it's fair to say this debate has been raging for at least as long as Microsoft has been in existence.
My
Limekiller
I...uh...want to see if they are...are as numerically diverse as mine! Yeah..that's it!
Neither this incident nor the wired story adds anything new to the debate.
It's really gotten quite tiresome. Neither side of the "full-disclosure" flame war will ever convince the other, so I imagine it will continue forever.
Keep in mind that bugtraq was specifically created to be a full-disclosure list. It's a central element of their charter. The moderator is therefore highly motivated not to block something on the grounds that it reveals too much information.
If you think that's irresponsible, there's no need to vent about it here. You can read hundreds of megabytes of archived debate on the subject. I'm quite sure whatever argument you want to present will be in there somewhere.
This isn't even a particularly good example to use, since the exploit was already public.
Let's see.. this exploit combined with a bind exploit equals a huge number of "windows updates".
So if you're using a Windows box, I've got to assume one of three things is happening:
And, yes, it would be different if this were Linux, or BSD, or even MacOS. All those operating systems come with companies or communities who take security seriously, and they respect their users enough to not foist insecure features on them. You can have the reasonable expectation that running any of those OSes lets you worry about security a lot less than running a Windoze variant.
If you had a nice apartment in the middle of New York, and you constantly left the front door unlocked, and then one day somebody walked in stole your stereo, I'd feel bad for you. But, you know, not too bad.
Do domain names matter?
Is this security hole a feature or a bug?
As long as MS keeps insisting that these gaping security holes are a required feature, it is their fault.
They made a mechanism for running arbitrary code on my computer, and apparently didn't take any reasonable means to ensure the security of that mechanism, it is their fault, they should fix it.
Sure, I can always reach my box at 127.0.0.1
Strange women lying in ponds distributing swords is no basis for a system of government.
In the words of a good friend of mine.. and he probably stole them somewhere else - security through obscurity isn't.
/ Per
Here's some more info... click this link it's ok.. you can trust it... go on.. you know you want to.
Nothing to fear. Just a link.
And possibly -1 RTFE (Exploit).
The advisory quoted only points out how it is possible to combine already well-known OTHER exploits into a way to run commands with parameters in the local context.
Also, last time I checked, you could not format a hard drive just by typing "Format C:". You also have to type "yes" two or three times, quote the volume label back to the FORMAT program, and a couple of other safeguards. Saying that "Web sites format your hard drive" is sensationalism. Yes, they can run programs on your hard disk. (We've seen these kinds of sploits before. They're bad, yes, but not new.) But can it format your hard drive? Not so.
It should also be noted that the exploit paper points out that the author has discovered another way to achieve the same effect, but that details will not be disclosed until the vendor (MS) has patched the problem.
I don't think it is irresponsible (at least not of the magnitude suggested) to quote others' works and say that the vulnerabilities still exist.
There was already working code posted that exploited the vulnerability but did not format your drive. There was no need to add that payload to the exploit. It's like handing out a vaccine that you have modified to have worse side effects than the original disease.
--
E_NOSIG
Someone said MS has known about this for weeks and still there is no fix. MS should have released a fix for this immediately.
Perhaps by giving so much information, MS will get off its lazy rear. There is no excuse for MS not having a fix for this released by end of business today. Anything less is simply inexcusable.
Yes, there is a LOT of work involved here. They need to identify the problem, find a solution, implement the fix, test the fix, and then release the fix. (with several iterations of implement/test) However, they really should have had people working around the clock on this starting the very minute they found out about it.
Screw viruses..this is perfect...send your victim an email with a link to your exploited page, and boom! And to think this is all possible thanks to M$!
New M$ motto: we fuck up so you have to!
"Some fight for law. Some fight for justice. What will you fight for? One day, you will see."
I'm not sure about the details of the current case, but there is a very good reason for publishing full technical details about an exploit before patches come out. That is that it may be possible in many circumstances for aware and knowledgeable system administrators to prevent the exploit from affecting machines within their control either at a central point, like a firewall or proxy, or by disabling software features until a patch is available.
For example a web proxy might be able to scan for the presence of the malicious code in question, but if that code is not available to the sysadmins, then how can they make appropriate filters? Also being aware of the ways in which these exploits work could allow sysadmins to make more general security policy decisions in terms of what users / processes are allowed to access what areas, etc. I'm not saying that it could be done in this case, but could in many others.
This could save a company a lot of time and money, and is therefore a good thing. It is not true to say that only the party responsible for producing a patch needs to see the actual code for security reasons.
There are a thousand forms of subversion, but few can equal the convenience and immediacy of a cream pie -Noel Godin
Hey Slashdot, you could have become famous if you'd included the controversial html embedded in the post ;-)
I believe posters are recognized by their sig. So I made one.
Check This Out!
I don't think anyone really has to go freak out quite yet. On an average day I don't visit a whole lot of unknown and untrustworthy websites. The chances of the odd one actually putting the malicious code to use is small. If you see a link like the one above - DON'T GO TO IT!
Microsoft:"We trust you not to tell anyone about our security holes if you find them"
To hide an exploit doesn't remove it. Damnit, it was there from the first day the software was released! Just because script kiddies haven't found it doesn't mean it's not in the wild. And when someone finds out WHERE there is a hole you will have pretty much people poking into that hole to find out how to use it. The vendor must be quicker than the kiddies. Today it seems that no exploit is fixed until somebody screams "bloody murder" and releases an exploit.
I think it is because MS wants to keep their official exploit numbers at a minimum. If it's not official they just shut up and hope that no one will discover it.
Don't shoot the messenger.
HTTP/1.1 400
The article is stupid and wrong.
The sploit paper says that MS was contacted about the combined exploit October 4, which is not in November, and that they have closed the issue with a "will not be patched because XYZ" statement, which is not to be investigating the issue.
Two critical wrongs in fact out of two possible. I just felt a sudden urge to trust the rest of the article so much more...
Microsoft is sending some of their people here tonight to give a talk about how cool they are and how fun it would be to work for them (recruitment meeting). I think I'll mention this exploit to them and see what their response is.
The joke they always make is "For those of you who want to work in software testing... Yes, we do test our products (wait for laugh)"
There are only 10 kinds of people in this world... those who understand binary and those who don't
Bugtraq is worth its weight in gold. I am responsible for a bunch of systems. If there is an exploit out there for software I am running I want it to be publicly posted for two reasons.
1. Public posting of exploits puts pressure on vendors/maintainers to fix the problem. It has been demonstrated time and time again that vendors are more worried about making money than supplying secure software. If there is not a clear publicly demonstrated threat they are not going to make the updates I need to secure my systems.
2. One, I want to see it so I can evaluate if my systems are at risk. I am responsible for my network. If the buck stops with me, I only trust when I can verify. This allows me to sleep well at night.
Clearly, the code and descriptions for the bug are Windows-only. The question is, does a similar bug (vulnerability to cross-channel scripting attacks) exist in the Mac version? No mention of this on the forums. I would guess not, but I'm using Chimera until the bug is fixed just in case.
PS. To all those people who think MS are evil and that I should be stoned for using Internet Explorer at all: remember that although it lacks tabbed browsing and popup-blocking, Explorer is in most ways superior to Mo and especially to Chimera. The most important difference is that IE runs faster, considering that I'm seeing typing lag as I write this post in Chimera. It's only a couple tenths of a second, but still quite annoying and totally inexcusable on a 700MHz machine. Also remember that IE mac is much better than IE windows for some reason (I've heard Office X is also much better than Office XP, but never tried either).
I hereby place the above post in the public domain.
Microsoft(TM) intrudes^w introduces an incredible new PR nightmare^w^w way to work(TM)!
Trojaned@Home(TM) - work on any problem you want(TM)! Set millions of CPUs working at a moment's notice(TM)! Every copy of Windows(TM) has this glaring security hole(TM)^w^w^w feature(TM) built in!
Trojaned@Home(TM) is super fast, due to Microsoft(TM)'s secret Code Hider^w Layering(TM) technology, which ensures that it's always on(TM), and ready to work for you(TM)!
See the power of the internet(TM) multiplied by millions(TM) of smart Windows(TM) users today!
Use Trojaned@Home(TM)!
Ha! You already are(TM)!
While I agree with you in principle, and I'm sure we share the bond of 360k floppies with zipped copies of viruses, I have to disagree with the details.
I remember a time when the source code for some vulnerabilities was disclosed, but with errors. If you didn't know how to fix the error, you couldn't use the vulnerability. This way, it was kept OUT of the hands of script kiddies, but put INTO the hands of those with a clue on how to fix the problem.
I'd be willing to bet 95% of the break-ins on the internet are plain old script kiddies. IMHO, there isn't any more port scanning going on, there isn't any more social engineering of the average joe's desktop pc. That sort of work is left to the 'expert' black hats, trying to get into the 'treasure chest'. The rest are lamers just running what they found.
IMHO, if BugTraq is going to post vulns, they need to be non-working, and the user has to have the knowledge to fix them. Especially on closed platforms, it does less good to release exploits for code you can't fix, because you're not fixing the problem, you're just working around it.
"I can't give you a brain, so I'll give you a diploma" - The Great Oz (blatantly stolen sig)
Found the code, made a web page and verified the exploit with ie5 win200...
Tried it on WINE using CrossOver Office.
and was very disappointed to find that WINE once again did not live up to its goal of being bug for bug compatible with windows.
All i got was HTML help and a script error. No files written to my "C:" and no exploit.
*sigh* Guess WINE still needs some work.
Is this some new security list in the style of Bugtraq, or yet another example of the submitter/slashdot staff not bothering to actually check the facts and spellcheck their stories before being submitted?
...which a friend and I posted to bugtraq. It turned out to be a previously undiscovered variant of the semisoft virus, which we'd dubbed "net.666" for a few reasons (just so you can check my story).
We made a web site that showed how to clean an infected system and had downloadable infected files for virus researchers. At the request of some of the researchers, we took off the files and gave an email address for researcher requests instead.
Surprisingly, we got emails from script kiddies (some posing as researchers, some not) trying to get copies of the virus.
But, by the end of that week, there were separate executables from a few companies implementing our cleaning methods, and the next round of signatures could detect it.
I think it would have been a better idea for these guys to just post the solutions and keep the exploit code itself as secret as possible. MS will pretty much HAVE to deal with this one. It's the kind of exploit you hear about in hoax emails, but I don't think it's going to make their lives much easier knowing that this exploit is so widely available, not to mention the people who get hit by it.
vk.
Not the whole full-disclosure discussion again. The topic has been discussed to death on pretty much every security-related mailing list, newsgroup, whatever for the past years.
And frankly, if you surf with IE, which has known security holes that have been unpatched for well over a year, you simply deserve whatever you get.
Assorted stuff I do sometimes: Lemuria.org
You can get a patch here.
Under Mac OSX 10.1, Internet Explorer 5.1.2 runs as root or as some kind of su and has access to the entire system and basically doesn't care if you have directories that you would rather protect. Mozilla respects FS protections. Under MacOSX the Java JDK documentation is hidden away in the Frameworks/Java... directories where a non admin user has no access. To browse these I usually make a link in my browser to the index.html file and carry on from there. I discovered that IE lets you in everywhere it can go while Moz doesn't.
Differing perspectives on security, I suppose.
Right, because script kiddies don't hang out on IRC and get this stuff before Bugtraq. Also, the sky is not blue and there is no porn on the internet.
The most sensible thing I've ever read about this kind of question is a Crypto-Gram article last year by Bruce Schneier.
Prime numbers are exactly what Alan Greenspan says they are -S. Minsky
Just because you can find the code "everywhere else on the web" does not mean you should share the code yourself. I find something like this akin to leaving porn magazines in your yard because the neighborhood kids will find them in the trash bin (or surfing the net - sic) anyway.
It's like "I know how to hang a person - here, let me give you a demonstration." Does sharing the code that can cause the problem allow you to protect yourself against it? Probably not; unless you are out there building tools to protect us - that's right US, including the very experience tech people here - against such attacks.
I don't like the idea of non-disclosure. I want to know if there is a potential that something bad could happen to me or my clients; and that I should start working on or be on the lookout for preventative measures. That's why we have vulnerability lists. In that same hand I believe that Too Much Information is not polite - to the users and the vendor. Here's how you make the gun; oh and here are some bullets. It is almost criminal in its intent - considering the mindset of many today it *is* criminal in its intent - regardless of target.
I think with the interesting people, their lives can't possibly be wrapped up into a nice little package.
In germany Heise.de even published an exploit:
C't Browsercheck
You can test your IE and report the results to your boss.
See also:
Sandblad at Securityfocus
Allow me to introduce you to my friend. His name's Bob, but many call him Smiley. Here's a digital photo I took of him:
;^D
I append this digital photo to the end of all messages in which I'm using humour for effect. One look at Bob's face and you'll understand why. If you now reread my comment all the way to the end, the meaning should become clear.
Hope that helps.
Curmudgeon Gamer: Not happy
The exploit doesn't scare me as much as it adds more fuel to the SuperVirus theory I've been worried about for a while.
I believe that it's only a matter of time before someone creates a "SuperVirus", a virus with all previously successful exploits, and unleashes it on the world.
With the recent outbreaks of klez, code red, nimda, kak, sircam, and other viruses that do minor damage and proliferate fast through multiple exploits, it's only a matter of time until a script kiddie gets it into his head to combine them all and make a virus that infects everything, spreads through multiple existing holes, and does a massive amount of damage via either DDOS, format after a set time, or both.
In Soviet Russia, Trojan exploits YOU!
People who use IE obviously *like* living dangerously. If they didn't, they wouldn't be using IE, would they?
Oh, wait, you think that they don't *know*? Pshaw! They're like the people who choose to drive SUVs like a sports-car -- they may _say_ that they don't know, but either they do, and are lying, or they don't, and are stupid. Either way, the responsibility lies with the user.
There are enough people out there pointing out that IE and Outlook are broken and dangerous that there's no reasonable way anyone can think that they aren't. Except if they put their fingers in their ears and go "LalalalalaIamnotlisteninglalalalala" whenever the subject comes up.
The IE users who get hit by this exploit should suck it up and take responsibility for their risky actions. And have a good backup system in place, of course.
Would the publication of this sploit violate the law in any way? Look at it this way: If you can use the sploit to format a hard drive, you can use it to D/L possibly copyrighted material off the victim computer, right? And as we all know, the RIAA and MPAA have it in big for technologies that can violate copyright. Wasn't that the whole premise of the DeCSS per^H^Hrosecution?
This is not my sandwich.
It seems like every couple weeks there is an article on /. to the effect of "BIG HOLE IN IE/XP/[MS APP HERE] DISCOVERED. THE END IS NEAR! REPENT, MS USERS" etc etc...ZZZZZZZzzzzzzzzZZZZZZZ -_-
There are only so many times you can read a headline like that before the "cry wolf" factor starts to kick in. All these "bugtraq" alerts are academic...theoretical...What I want to see is a headline that reads Merrill Lynch crippled by XP flaw. Plans to sue MS for millions $$$ damages or somesuch. Or at least a story of an actual user whose life was ruined by an actual MS security hole. Something tangible...Now THAT would be interesting!
Then a true virus would update a Windows '95/'98 machine with updated drivers.
As a side note, you could try usinginstead. It will have the same effect. In this case, not formatting your hard drive.
What new ground is broken here?
None.
The simple fact remains that Micro$oft produces products that are riddled with the most egregious of security lapses, and that Micro$oft has an unrivaled history of dragging its feet/passing the buck, even when billg is hit over the head repeatedly with the fact that his minions have unleashed yet another f*ckup on the unsuspecting public.
So, it's possible to contrive html that, when viewed on a remote web site, reformats the local hard drive of the box IE is running on?
Are you kidding me?
billg and every single idiot who was anywhere close to being involved with this f*ckup should be sued for every last penny they have.
As for full disclosure, let 'er rip.
It's the only way Micro$oft will ever be held in the least bit accountable for their crap.
t_t_b
I'm on PJ's "enemies" list! Are you?
I copied the code, saved it as a.html, put it up on a webserver and opened it with IE 6. All that happened was the help file started.
I remember a similar vulnerability from a couple months ago (it too was based on the windows help file), and I patched against that, so maybe that patch stopped this one? I don't normally use IE, but maybe I flipped something to turn off some of the scripting.
Anybody else not have a problem?
Ok, so Microsoft illegally uses their market power to drive competition out of the marketplace.
Anti-microsoft zealots post the code to take advantage of an IE security hole, allowing malicious coders to erase Microsoft from the marketplace.
Do both suck for the end user? Yes. But they're also both Microsoft's fault.
Let's face it, this is a case where it is 100% ok to blame Microsoft for having a crappy product. If Ford screwed up and made a car that anyone could unlock and start by doing something special to it, allowing the car to be easily stolen by anyone, you wouldn't blame the guy who posted how to do it on the Internet, you'd blame the Ford engineers who screwed up the design in the first place and the people who let that mistake out of the factory.
Microsoft screwed up, Microsoft customers get screwed over, Microsoft's fault.
paintball
If you were confronted by someone who had just lost a bunch of important data because of this exploit, do you really think they'd be impressed if you said "But I was trying to make a very important point to Microsoft!".
Instead of that, you should say "By not fixing the bug, Microsoft was trying to make a very important point to you!"
Then they will at least be angry at the right entity.
A large problem is that web applications tend to require javascripting in order to function. Sure, I have a bit of javascripting in mine, but this sort of exploit is the reason why I make sure the app degrades gracefully. You really, really need to check and validate passed vars and such on the server side anyway. So - first make it work without javascripting, and then enhance it using javascripting.
Life for security conscious admins would be much easier if we all abided by this principle.
Stop the brainwash
This is just a copy of Andreas Sandblad's advisory, with a new command.
http://wwx.dino-soft.org/auto.html
note: prefix altered in "wwx". Needs to be reversed into "www" to make the URL work -
The above url when viewed WILL FORMAT THE A:\ drive when viewed on a fully updated and patched windows system. If you go there make sure there is nothing in the A:\ that formatting will harm; because this has been tested
and works on Windows 2000 WinXP/home/corp/pro Win98/SE.
This is a harmless POC to give you experts here a heads up; because Microsoft HAS been informed of the hole; but they seem to be sitting on their hands, maybe much like the recent XP hole that they knew about before XP even shipped; but chose to wait until SP1 to correct.
This is VERY DANGEROUS, and this little harmless POC could quite easily be made to be quite nasty; but when the author of the original hole, whose hole I have sort of legoised and made to work a very little bit differently, reported it, Microsoft had this to say to the original author:
"Microsoft was initially contacted 2002-10-04. After several mail exchanges, their final response were that the technique used to run programs with parameters from the "Local computer zone" was no security vulnerability. A fix should instead be applied for all possibilities for content in the "Internet zone" to access the "Local computer zone".
It seems that what's really irresponsible is not what Bugtraq did, but running IE to begin with. Its history of security flaws and exploits along with Microsoft's foot-dragging responses make it utterly irresponsible to run such software.
That said, no one is immune from security exploits. The argument for posting it to Bugtraq seems mainly to be that this motivates the vendor to move quickly now that their customers know about the exploit and now that nefarious types have easier access to it. (Don't fool yourself into thinking the most malicious types didn't usually already acquire it by other means.)
But if what we really want to do is motivate vendors to patch things quickly, it should be the first rule of Bugtraq that no exploit is posted until the vendor is informed. Most linux security exploits are resolved within about 48 hours, while it is true that Microsoft often takes weeks or months. Given our competing interests in both informing the vendor privately and getting information to the public, we should balance these in a reasonable way. One such solution might be that Bugtraq adopt a rule that after a vendor is informed, they have 48-72 hours after which time it will be posted.
For both the responsible vendors and the free software community this approach would balance our interests in minimizing exploits while a solution is actively pursued while also acknowledging the benefits of full public disclosure.
In the case of smaller vendors than MS who might not have the resources for such a quick bug-fix, an appeal process could be instituted wherein the vendor may contact Bugtraq during the initial grace period and request an extension. Guidelines based on the resources of the vendor and the seriousness of the bug could be used to determine whether another 48-72 hours should be granted.
BWCarver
Like Digital Freedoms? Then donate to EFF before they're gone.
And there is no hard and fast answer to this question. In this case however, we see a serious vulnerability. At the very least, Microsoft should have been allowed a couple working days to verify the problem, post an acknowledgement, and at least a temporary work-around --even if that work-around cripples their product in some way.
After a couple weeks with a bug this severe, they really ought to have posted a patch of some sort. The fear that the "script kiddies might take this snippet of code and run with it" is almost irrelevant. It's the professional spies and organized crime groups we ought to be scared of.
This script was inevitable. Why blame the messenger?
Nearly fifty percent of all graduates come from the bottom half of the class!
Of course they are "investigating the issue", I am sure they are "investigating the issue", I am sure that they are "investigating" every "issue" that has ever been submitted... When someone asks about that issue.
Even if they are actually investigating it, are they really WORKING on it (read large team of experienced programmers familiar with the code), or are they just working on it (a single pimple faced intern coming up with ideas that his manager shoots down without consideration)?
It has been shown that massive attention is the only way to get action from the Redmond Giant, so... the messenger should not be shot.
"I'll have a Guinness, no wait, make that a Coors Light" -Grad student I work with, who shall remain anonymous...
Now if only someone could break into update.microsoft.com and put the exploit there...
(The Windows update program uses IE. Good design decision to use your most insecure piece of code for security updates, isn't it?)
If you read Sandblad's actual BugTraq posting you will see that he had notified Microsoft more than a month before posting the details of the exploit. Quoting:
Microsoft was initially contacted 2002-10-04. After several mail exchanges, their final response were that the technique used to run programs with parameters from the "Local computer zone" was no security vulnerability. A fix should instead be applied for all possibilities for content in the "Internet zone" to access the "Local computer zone".
How much time does a company have to actually fix a problem this serious? When somebody takes the trouble to notify a company about a defect, they've already demonstrated helpfulness and responsibility. It would make sense for the company to take that helpful, responsible person into the loop, and at least update them periodically about what is being done about the problem. That would give a helpful person like Sandblad a basis for continuing to wait. In this case Microsoft gave no indication that they were doing anything about the problem or intended to do anything about it. Continuing to sit on the information certainly wouldn't give them any further incentive. Sandblad reported this problem, got a thanks-but-no-thanks, then after a month of no news went over their heads to the public. I would say he handled it very responsibly.
Mozilla doesn't tend to work as well for browsing because...wait for it...many web pages are specifically written for the rendering bugs in IE.
Yup, it's true. IE doesn't just have security bugs, it's also got rendering problems. Of course, so does everyone else. I can go to a dozen different pages on our intranet and find where they've coded specifically around IE bugs to the extent of making the page unusable on any of the 3 browsers I've got loaded, one of which includes IE for the Mac.
My machine is up to date with patches. It also runs a real-time antivirus scanner at all times. To break the windows-iexplorer-outlook trio, I use mozilla and mozilla mail. The whole thing is behind a debian woody NAT machine which has no incoming ports open, and the smb shares that the NAT offers is periodically scanned for viruses by a linux port of an antivirus program. The windows 98 machine runs its own firewall program (tinyfirewall), not to close ports, but to prevent rogue programs from phoning home.
Under such a situation, I expect a reasonable level of security. Nothing more, nothing less. I'm still going to set up an email-virus scanner (for my own knowledge), and I know that there are ways around my security (most of them require ignorance on my part though), but I feel safe.
<humor> Now, if someone were to say that there weren't any holes in IE, that would be controversial. this is just "business as usual - where have your files gone today?". </humor>
It's just unfortunate that this is the sad reality.
Why exactly, does the world feel entitled to control the results of research it did not pay for, and had nothing to do with? To wit, why would I, as a security researcher (see my web page for some examples) give away for free the results of my research to Microsoft, Sun, IBM, or any other company, when doing that research cost me significant time and money? The era of software vendors getting research for free is over. Now, they get it when everyone else gets it - whenever I have the spare time and energy to explain it in small words, or whenever they pay me money to do so, whichever comes first. I think you'll see more and more small consulting companies and independent researchers moving towards this policy. We don't need the "fame" from having a one line attribution in a vendor's advisory, and we have more lucrative things to do than explain every little aspect of our research to an ungrateful and frankly hostile vendor's "security response" staff.
That's excellent! Bravo! A very concise and appealing way of describing the problem, and MS's way of dealing with it.
Under the rug there's a trapdoor leading to the apartment below me.
Give up, it's hopeless. Believe me, I tried. Even if you board up all the doors, someone'll still find a way to sneak in through the kitchen window you left ajar and clean out all the treasures in your trophy case. You just can't win.
Where does the hypocrisy end, Taco?
I'm assuming that you have no issue with Bugtraq's posting of the initial advisory from Andreas Sandblad on the 6th. Now, the code that was posted on the 14th (over a week later) that is causing all this ruckus was cut-and-pasted from a discussion going on on ZDNet forums. In other words, those that would do harm already had the code.
I'll grant you that posting it to Bugtraq probably doesn't add all that much information for the "good guys" (except that the javascript in the "format a:" version is simpler to read), but it has the added benefit of getting someone like Wired to make a big stink out of the whole affair. The publicity is important as a way of getting the bug fixed. Security bugs are viewed by Microsoft (and anyone in the consumer software industry) as PR problems - posting this to Bugtraq doesn't make the bug any worse for users of Microsoft's systems (since the kiddies already have it), but does make it much worse for Microsoft. It's much harder to spin away a bug when live, functioning exploit code is staring you in the face.
Not to troll, but perhaps slashdotters should be extra careful of the links they click (for those on IE) in the near future.
Goatse is disturbing and easily detected, but I'd imagine that this script could be setup almost anywhere, making it easy to slip in a slashdot comment.
And yes, I'm sure there are probably enough trolls on here that somebody would try it if they knew how.
I actually posted a similar question to "Ask Slashdot" about a year ago. It didn't get accepted, but basically it said the following:
[snip] This brings up the question of whether or not the benefits of disclosing the information outweigh the problems. While attackers can exploit the holes, it pushes companies to release a patch as soon as possible. Personally I'm all for disclosing the full information. But that got me thinking about another example of security disclosure. After September 11 it was impossible to escape "news reports" speculating on the next terrorist attack and their next weapon. They mentioned that small pox would be a good weapon and went on to detail why. They said we have no cure and we're not prepared for it and basically said that if they used that against us we'd be powerless to stop it. I also saw reports on the least secure airports and how people sneak weapons through security and so on. I was angry when I saw this information being broadcast for anyone, including terrorists, to see. They could easily use this information to plan another attack. The reporters were doing the terrorist's research for them. In theory, these are the same debates. Should vulnerable information be disclosed in order to better prepare for or fix the security hole? I'd be curious what other people think. Can you support full disclosure of security holes in software, but not support full disclosure of certain national security threats without being a hypocrite?
Looks like automated formats via "mined" web pages in Explorer have been around for a while now. This Bugtraq link is from back in 1999:
http://online.securityfocus.com/archive/1/28213
Bits of note include:
"The key is the Format command's "/autotest" flag, which I believe was put into place early on in MS-DOS's history to assist in batch processing, and was probably dropped from the documentation some time back (it's not in my DOS 5.0 manual as far as I can tell -- although that's not too far in the past). It can be tested for by entering:
"Format a: /autotest" at the MS-DOS C:\ prompt.
The automated format via web page can be accomplished as follows (with the example shown demonstrating how to create a link on a web page which will automatically format Drive A):
1) Either:
Create a .pif file ("Format.pif") with the Command Line set to:
"C:\WINDOWS\COMMAND\FORMAT.COM a: /autotest"
And Working Line set to:
"C:\WINDOWS\COMMAND"
Or:
Create a .bat file ("Format.bat") with a single command:
"format a: /autotest"
(Should the user wish to format another disk, the a: may be replaced with c:, d:, e:, etc.)
2) Link to the file on a web page as follows:
Click Me
Or:
Click Me
According to the method chosen for implementation in step 1. These links may be placed beneath graphics or text, as would be found on a regular web page.
3) Upload the html document and .pif or .bat file to the targeted web server directory and wait for an unwary user to click the link and 'Open'.
Spooky, eh?
These steps don't create a Trojan Horse so much as an out-right "Cyber Mine" which will be activated on a user's machine the instant they click the link and accept the file into their system. As the download of the 1k file is almost instantaneous, damage will be made to the user's data in a matter of seconds."
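Both delivery methods discussed in this thread hinge on a link the browser hands to something other than its renderer: the 1999 post's "Click Me" links to a .pif or .bat file, and the javascript:/local-zone URLs of the current advisory. As an added illustration that is not code from the thread or from any of its posters, here is a small Python checker that walks a page's links and flags those two categories. The extension and scheme lists are my own choice, and the sample page with its example.test host is constructed for the demonstration, not taken from any real site.

```python
import html.parser
from urllib.parse import urlsplit

# Added example (not from the thread). Extensions Windows will run when a
# downloaded file is "Opened", and URL schemes that execute script or reach
# local resources instead of fetching a document. Both lists are my choice.
DANGEROUS_EXTENSIONS = {".pif", ".bat", ".cmd", ".com", ".exe", ".scr",
                        ".lnk", ".vbs", ".js", ".hta"}
DANGEROUS_SCHEMES = {"javascript", "vbscript", "data", "file", "res"}


class LinkCollector(html.parser.HTMLParser):
    """Collect every URL a page can make the browser follow or load."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a" and attrs.get("href"):
            self.links.append(attrs["href"])
        elif tag in ("iframe", "frame", "script") and attrs.get("src"):
            self.links.append(attrs["src"])
        elif tag == "meta" and attrs.get("http-equiv", "").lower() == "refresh":
            # meta refresh carries its target as "<seconds>; url=<target>"
            content = attrs.get("content", "")
            _, sep, target = content.partition("=")
            if sep:
                self.links.append(target.strip())


def classify(link):
    """Return a reason string if the link is dangerous, else None."""
    parts = urlsplit(link.strip())
    scheme = parts.scheme.lower()
    if scheme in DANGEROUS_SCHEMES:
        return f"script-or-local scheme: {scheme}:"
    # urlsplit already separated query and fragment, so only the path's
    # final extension matters (Format.pif, /downloads/FORMAT.BAT, ...)
    path = parts.path.lower()
    for ext in DANGEROUS_EXTENSIONS:
        if path.endswith(ext):
            return f"executable download: {ext}"
    return None


def scan_html(text):
    """Return [(link, reason)] for every flagged link, in document order."""
    collector = LinkCollector()
    collector.feed(text)
    return [(link, reason) for link in collector.links
            if (reason := classify(link))]


# Constructed sample page: two "cyber mine" downloads, one script URL,
# one data: frame, and two benign links that must not be flagged.
SAMPLE_HTML = """<html><body>
<a href="http://example.test/downloads/Format.pif">Click Me</a>
<a href="Format.bat">Click Me</a>
<a href="javascript:location.replace('http://example.test/next')">free stuff</a>
<a href="http://example.test/article.html">safe article</a>
<a href="http://example.test/report.pdf?download=1">report</a>
<iframe src="data:text/html;base64,PHNjcmlwdD4="></iframe>
</body></html>"""

if __name__ == "__main__":
    for link, reason in scan_html(SAMPLE_HTML):
        print(f"{reason:35} {link}")
```

The check is deliberately conservative: a legitimate site can link to an .exe installer, so a hit is a prompt to look at the link, not proof of a mine. The more useful part for the situation in this thread is the scheme check, since a javascript: or res: href is something a page has no business putting behind "Click Me".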
What would really worry me is if someone cracked into a high traffic site and added this code. The havoc it would cause would be interesting. ie. slashdot or cnn.com tainted with such code.
Does anyone remember the time when Yahoo finally found that someone had edited the text on their frontpage. White on white text that could be highlighted. I don't know the details, but I knew about it long before yahoo discovered this.
It *can* happen, but now companies are definitely more security cautious.
Fortunately, I use mozilla, I made the full time switch and lived with the minor bugs the day Gator mysteriously installed itself on my system while browsing with ie. (there was a previous story on the incident with that exploit).
"You should always go to other people's funerals; otherwise, they won't come to yours." -- Yogi Berra
An example can be seen in the game everquest. There was an exploit that allowed characters to crash portions of the world with almost no effort. It was left in for months because it was mainly contained on one server. It had been /bugged and reported to the maintainers of the game multiple times w/o response.
Finally, a player from the server became fed up and posted exactly how to exploit it on multiple message boards where it would be widely seen. Within days it was being used on ALL servers with regularity. It was patched in the next patch less than a week later.
Companies deal with jobs related to their importance, which is not only the severity but the population affected (if anyone has watched fightclub when he's speaking about his job you get the idea). By spreading the knowledge the importance is increased. And bugtraq is the best place to spread it as it will get out to as many people responsible for security as possible.
I do security
And to be honest, I'd be much more scared about something likethan I would about having my hard disk formatted.
(Didja know there's a one-step command-line FTP in Windows? Very useful for this kind of activity.)
Download and install Mozilla.
Yes, Mozilla has had its share of security flaws, but they generally get fixed faster, too.
So I figured that I could avoid this by just deleting the key in my registry for IE help so that the OCX would never load and the exploit wouldn't work. I did that and it solved the problem! But wait... Windows is now trying to "help" me by putting that registry key back the way it was! Thank you so much Windows for saving me from myself and reopening the door to my harddrive. What would I do without you?
After reading the proof-of-concept script at http://online.securityfocus.com/archive/1/298748, I now know at least to avoid blind links.
Also, I've come up with this possible solution:
In IE, bring the potentially malicious page to the front, then press Ctrl-O to get the Open prompt. Enter this:
javascript:void(location.replace=null)
then click OK. Now any time a javascript on that page tries to do a location.replace command, it will instead issue a null command (no command at all). (Assuming the script hasn't already been activated, under an onLoad event or something)
This works with annoying exit pop-up ads too:
javascript:void(window.onunload=null);
You can do this with all sorts of javascript commands that get abused. Find some offensive pages, look at their source, and disable the commands you see used often. (onunload is probably the worst and most often used).
Major inspiration from this cnet builder page.
$8.95/mo web hosting
security hole in IE that allows malicious web pages to reformat a hard drive
Surely there's a typo here. If I discover that the computer I'm working on has Windows installed, you're saying that all I need to do to reformat the hard drive is click on one of these web sites?
If you are right, this changes the entire scope of this article. If MS said uhuh, then let them have it.
Why, o why must the sky fall when I've learned to fly?
This way the vendor knows the clock is ticking, and once you've published the puzzle and the encrypted exploit no amount of legal maneuvering can put the cat back in the bag, so to speak. Basically, it allows you to put pressure on the vendor while still being responsible and giving the vendor a month (for instance) head start. You can put decent bounds on how long it will take the fastest consumer machines to solve the puzzle. There's currently a puzzle running that's supposed to get completed shortly before the MIT Laboratory for Computer Science's 70th b-day, for instance.
Copyright Violation:"theft, piracy"::Anti-Trust Violation:"thermonuclear price terrorism"<-Overly dramatic language.
If you don't prove it, they will deny it. The ability to erase everything is the threat that all root exploits pose. It's about time the popular press understood the implications. God knows, M$ spends enough money denying the ability and on Astro turfing where people who suggest such things belong to the tin foil hat camp.
I hope this blows all the way up to and beyond CNN. I'm tired of people looking at me like I'm crosseyed when I tell them that IE is full of holes that allow others to look at your files and erase them. M$ can't buy the entire mass media forever.
Friends don't help friends install M$ junk.
umm... I think the cracker community has their own system of karma, in the form of reputations. The guy who fixes the exploits for the kiddies gets massive amounts of karma. There are plenty of smart people willing to fix the exploits for the kiddies; if nothing else, it raises the "noise floor" for hunting down the skilled crackers. Posting broken exploits isn't security through obscurity, it's security through denial.
The Wired talks more about bugtrack's handling of the whole thing, and how it essentially posted working code for the exploit. Was it irresponsible or not?
What's irresponsible is living in a fantasy world and thinking that Bugtraq are the only ones capable of exploiting a bug like that. Just because you don't talk about it and shh shh it doesn't make the bug disappear and unexploitable. Shit man just like any exploit someone is gonna write code to exploit it if it's in their interest or for fun or just because they are pure evil. With something like this; shit as soon as the exploit was posted I'm sure there were people writing code to exploit the shit.
Even if that were true, it would not have worked. How long does it take someone to fix the trivial error and post it back? Months? I think not.
I'd be willing to bet 95% of the break-ins on the internet are plain old script kiddies.
Here you are right, and M$ plays right into it. The whole closed software world encourages people to not understand what's going on inside their computer, and makes it impossible to secure even if you do have the skills and time. Worse, with M$'s planned obsolescence practices we all know that the average M$ box is built and rebuilt all the time from ancient "unpatched" CDs. Just ask this obviously self moderated loudmouth for example. So there you have it, a world full of broken and unfixable machines all serving a single company's bottom line at the expense of their owners and the rest of the world.
"And, yes, it would be different if this were Linux, or BSD, or even MacOS. All those operating systems come with companies or communities who take security seriously, and they respect their users enough to not foist insecure features on them."
Really?
Show me the security bulletin on Redhat's website for the issues found in KDE last August.
The sad fact is the Linux support community is even worse than Microsoft. They don't even acknowledge problems even after they've been patched by the development team. Maybe it's just a lack of communication mechanisms, but whatever it is it is bizarre.
Honestly, never was so much fuss made about a pointless feature that should just be disabled and forgotten about.
Jon.
Note also that it's been 6 weeks since he contacted Microsoft and basically got a one-fingered salute. This is similar enough to other problems with IE in the past that it's not too far fetched to assume the black hats already know about it. Microsoft needed the only kind of wake up call they respond to -- a public relations stink.
Exactly what constitutes a security hole?
The current issue, to me, appears to not be so much a bug as it is leaving the back door unlocked. The article describes how the user can disable scripting, etc. Once you do that, it's no longer a problem. Once you lock the back door, the bad guys can't get in.
Security ultimately lies in the hands of the end user, whose responsibility it is to know what each of the options are and what the impacts are of them. If checking a box makes your system more secure, then that's the user's responsibility, not the vendor's. The vendor has a responsibility to inform the user of the impact of various security settings, and to define a set of default settings that result in a secure system. If there is a vulnerability that can't be resolved by a checkbox, then it becomes the vendor's responsibility to issue a bug fix.
As a layman, I don't see it as anything that Microsoft can resolve, except a "patch" that changes the security settings. If it is indeed a flaw, then it should be exploitable with the appropriate security settings enabled. (I don't have a deep understanding of scripting in IE, so perhaps there is a flaw that I'm not seeing.)
I see a responsibility of users to inform other users of security lapses and inform them of an appropriate course of action. That is what the article mentioned in the parent post does. There is also a responsibility to not disparage the software vendor unless it is a legitimate bug, that bug results (or could result) in a compromised system, AND the vendor refuses to acknowledge it or issue a patch for it in a timely manner. It is irresponsible to provide the public with details or code describing specifically how to exploit the flaw.
Give me my freedom, and I'll take care of my own security, thank you.
My point is, the cracker community doesn't need bugtraq to even find these exploits. If you follow my reasoning (that possibly 95% of hacks are script kiddies who just run pre-compiled apps), by not providing these working exploits on a popular security site you could decrease attacks dramatically.
Think gun safety. I'm not saying you can't have a gun. I'm not saying you can't use a gun. I'm saying I'm not going to give you a gun that's loaded, with the safety off.
"I can't give you a brain, so I'll give you a diploma" - The Great Oz (blatantly stolen sig)
Actually, I meant IE for Mac, not for Windows (Note that I said IE Mac is better than IE Windows). Remember that in choosing a browser, I mainly care about features that I actually use.
Although it's nice, I don't care too much about popup blocking, I usually can close them before they go under or start spawning. Of course, it may help that I don't spend my days at porno sites, where this could be a bigger issue. Tabbed browsing is also cool, but only marginally more efficient than lots of stacked windows. Standards support is not much of an issue, as most pages are written and tested for MSIE's faulty implementation of the standards anyway. On Mac, IE has much better plugin support than Mozilla, and more importantly, integrates better with Aqua so as to perform faster (for stuff like window resizes) and looks better. Furthermore, if you want to talk standards compliance, IE conforms better to Apple's interface guidelines than Mozilla by quite a bit.
Then there's Chimera, which is sort of the Mac equivalent of Phoenix. The main advantages of Chimera (over Mozilla) are that it loads faster and runs faster/with less memory, and that the features of Mozilla that it preserves happen to coincide with the ones I use (tabbed browsing and popup blocking). Its interface is a bit nicer. Furthermore, it is a Cocoa app, which means better system integration and that I can use Cocoa gestures. I am writing this post from Chimera. But it still runs slow, violates various interface guidelines (eg keeping related interface elements in the same font, size, style), crashes more often than Explorer, and lacks many of the features that I do use (selection-completion, for example). It also has poor plugin support. Chimera is only version 0.6, so we can expect this to improve later, and it is already the second-best Mac browser I've tried.
I've only tried Opera briefly, but the free version seems no better than Chimera. It doesn't block banners, just replaces them with its own. It runs slower than Chimera, is buggy, and is a Carbon app (not Cocoa). It seems to have lots of features, but I started by turning most of them off anyway. And it's adware, which is annoying.
Overall, although there are several features I'd like to see in Explorer, it is the best that is available for what I do on the web. After that, Chimera is the best, and should get better.
I hereby place the above post in the public domain.
Then it doesn't matter at all what Bugtraq does. However, you think this means they shouldn't publish exploits. Your logic is all backwards.
If it doesn't matter what BugTraq publishes, then BugTraq should publish exploits ported to as many programming languages and platforms as possible, for educational enlightenment.
IE bugs can format a hdd now. What's next? A bug that will literally kill you in your chair.
:)
Actually, that might make msgboard moderation a lot easier. Die, troll!
"Showing people how to automatically format hard disks from a Web page isn't 'full disclosure,'" Smith said. "It is malicious code writing. To an outsider, Symantec's actions give the impression that they are encouraging people to create and release malicious code."
Yeah, and reading Mein Kampf will make me a nazi.
Reading about guns will make an assassin.
Reading Kama Sutra will make me a Don Juan.
Reading Juan Manuel Fangio's biography will make me a F1 racer.
But not reading any of these will make me dumb.
Difficult choice, isn't it?
Buy a Nintendo DS Lite
First of all, stay away from MS products.. Check!
Second, don't visit unknown links... Check!
Third, Disable pop-ups, block what can be blocked in the browser. Check!
Fourth, upgrade your OS with the latest patches and fixes, (Gentoo here, emerge -u world)... Check!
Fifth, implement a nazi firewall... Check!
Looks good so far, have never had an attack or lost data due to a security hole. I can sleep in peace.
If you mod me down, I *will* introduce you to my sister!
Now let's give everyone working guns so we can force someone to come out with a fix for this exploit.
No more clogging of the Apache error logs looking for default.ida, default.ida will now exist with a javascript. Of course I'm not mean enough to delete their harddrive but they might wonder why they left open a command window saying their computer is infected with Code Red.
I fail to see how this is controversial in the least. It is just another bug found in a piece of software full of bugs. The guy reporting it gave Microsoft a full month before he went public, that should have been more than enough time to build a patch.
As for the exploit itself, whats wrong with the code he wrote? If it scares the PHB's into actually demanding a more secure IE from MS then all the better.
The suggested payload should have been something that broke IE. Those vulnerable would have done themselves a favor, and the network admins would get a good excuse to spread an alternative like mozilla or opera.
Stop the brainwash
In fact, there were a few machines for which we did not have root password and we used the exploit to patch the machine (closing the hole behind us).
Having a very visible exploit definitely helps NOT only the vendor, but the reluctant administrator!
Quality only comes through the finding (exploiting) of bugs. Covering up problems is not the answer. Ignoring problems for which there are no known exploits is also not the answer.
So does Windows XP, and look at all the good press that's gotten Microsoft.
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
And how, exactly, do you know when you're running "trusted code"? For years, security experts recited the mantra that you couldn't get an e-mail virus just from reading your mail, and you had to actually run an attachment to get infected. Then MS screwed up with the scripting in things like Outlook (Express), and suddenly all the non-techies in the world, trusting their techie colleagues about the virus thing, are getting caught. Whose fault is this? I sure as hell don't want or expect to run any code automatically just because it's part of an e-mail I'm reading, but MS left me no choice if I use that product, and of course many have no choice about that, either.
No, I think bitching about scripting and APIs that let code run on my box when I neither want nor expect it to is quite justified, thanks very much.
The fix is located here and here. I've already "patched"...
That seems way over the odds to me. I've spent the last couple of weeks fixing several bugs in a product within about 24-48 hours, when all that was at stake was a business deadline. When I couldn't find the bug myself, I called on other members of the team to help out, but in all cases, we had a satisfactory solution well inside a week, and usually the same day.
Security flaws are usually caused by careless errors that could easily be prevented. They can often be fixed in a few minutes once identified, and tested shortly afterwards. Companies who provide widely used critical software like operating systems or communications tools really shouldn't have a problem getting things turned around within 24 hours. If they do, either their code is so screwed up that it's totally unsuitable for use in a potentially vulnerable environment (granted, Microsoft have actually made exactly this claim about several versions of Windows in recent months) or they seriously need to reconsider how they run their response to security vulnerabilities that are reported.
As I suggested in the July thread on the acquisition topic, Symantec scooped up SecurityFocus as a means to put the brakes on the full disclosure movement.
This exploit is so severe it will no doubt cause the clueless masses to clamor in fear and demonize the full disclosure movement. It would not surprise me in the least if lobbyists for the likes of Microsoft leverage this news event to spin the next pro-Microsoft bill through the legislature.
By this time, the "top dogs" from the old SecurityFocus have no doubt been kerneled and firewalled by Symantec Jr. Exec's filtering their communication traffic both in and out, and managing their task lists. As soon as these guys realize their upcoming irrelevance in the brave new world that is now SecurityFocus, they will be presented with a choice: to a) burn through all the cash Symantec just handed them in litigation to regain control of the firm or b) pursue other interests, as long as none of those interests compete with Symantec, well at least for the next five years.
What a terrible brain drain for the security community.
I do not wish to minimize the efforts and contributions made by the founders of bugtraq...They were an essential catalyst to the full disclosure movement. Still, it is the community that brings life to the movement. IMO, it is time for the community to respond to this situation by establishing a new forum for full disclosure that is outside the influence of corporate interests.
I regret I have only my insight to contribute.
Why is my browser even capable of formatting a hard disk?
It isn't. This exploit is a trick that uses a scripting language to execute a system call. It could be used to execute anything, any executable that is on the hard drive. So, as an example, the format command could be executed by the shell. There are also a lot of other possibilities, including the construction of a virus/worm/trojan that uses the exploit to install and reproduce. But to answer your question: no, the browser itself cannot do system level stuff like this. In most modern OSes components of varying levels are accessible across application borders; that's nothing new or special.
It seems posting malicious code is a lot like providing links to pre-release code for a certain upcoming game. (read: Doom III article)
That's utter crap and you know it. There was never any pre-release code nor the pre-release game of Doom 3 here on slashdot. All CmdrTaco did was posting links to SCREENSHOTS, man! And of course exploit code was not posted or linked to in this article, either (may have been submitted by readers in comments, but what the hell).
What about people who pay for net access? A lot of those people don't use the auto update because they are on slow connections and it is costing them a lot of money to be on the net.
A lot of people still pay per minute to be connected to the Internet and using the auto update tool over a 56K modem can take quite a few minutes. Plus, if you have to reload for any reason, you have to go through the whole process again. The autoupdate solution doesn't give you the files with instructions, so you have to run up the phone bill twice.
Wow, given this kind of 'sploit, it would be pretty easy giving yourself a heart attack from laughing on your last day on the job. Just modify the company's intranet login page to perform this exploit (using somebody else's account of course) and be sure nobody sees you giggling like a lunatic. Charge a consulting fee if they beg-plead-demand that you come back and help.
Every new form of media has its own Requirimento
No problem. MS do indeed have many shady practices regarding upgrades, and I'll be right behind you in the queue to bash them for it. It's just that they finally put in something potentially useful in this particular case. ;-)
This sort of reminds me of the issues related to on-line cheating in games such as Quake, Counter-Strike, etc. When you find an exploit, should you keep quiet, or should you tell everyone about it?
Well, I found a few exploits in the early versions CS (0.3, I think), and, "responsibly", I sent a message to its authors, detailing the problem and proposing a couple of solutions. I never even got a reply. A new version was released, and the exploit was still there. So I posted some (incomplete) information on the CS user forums. A new version was eventually released, and the exploits were still there. Eventually, websites started to post instructions on how to exploit those holes in the code, and cheating became generalised. Still it wasn't fixed. It wasn't until "cheat packs" (complete with InstallShield) became widely distributed that the CS team actually decided to work on the problem.
CS was free, though.
Microsoft has absolutely ludicrous profit margins, and that money comes from their clients. I think those clients are entitled to expect reasonably secure software and (failing that), at least a quick response to the problems. This problem has been known for some time and MS still hasn't fixed it. Something this serious needs to be dealt with quickly. If Microsoft won't do it, then the users should at least be given a chance to, by switching to a different browser, either temporarily or permanently.
You don't have to use IE. There are alternatives. The alternatives are free and they're available to anyone who uses IE.
But the only way to warn those users it through the media. And the media won't give this problem due coverage unless they understand how serious it is. And they won't understand how serious it is unless there are real exploits. And it should be made pretty clear to the media that this problem affects MSIE, not "computers" or "the internet".
The point is not to "punish Microsoft" (or IE users). The point is to make people realise that they are not safe while also showing them that they can be safe. Or at least a lot safer.
RMN
~~~
This should be the goal of the Linux evangelists; that easy to install and enough of a Windows workalike that ordinary users don't notice/care when someone does that.
--
Benjamin Coates
this is the new goatse link: http://www.apple.com/switch/stories/gautamgodse.html
The best part is that he's impressed with iPhoto. It looks like iPhoto made one hell of a gaping impression.
THERE IS NO DATA. THERE IS O
My point was that in the 20 some years the PC has been around, using one has become harder, not easier. We don't exist to serve the computer, it exists to serve us; we shouldn't have to spend hours configuring a system or debugging an installation. When it comes down to it, I shouldn't have to go searching for drivers, recompiling kernels, finagling with registries, etc... I should be able to turn on the machine and start using it.
So you had a good experience with RedHat. So have I. But how many more have given up after realizing that they lacked the expertise to partition their hard drive, or botched an installation because they installed the bootloader in the wrong place, or had incompatible hardware, etc...
Linux is not the solution, it's the problem. Windows is not the solution, either - it's the question (Where do I want to crash today...). The solution will be found when programmers come out of their collective holes and recognize that their users are not the computer experts that they are. The solution will come when computer scientists are able to differentiate between the way an OS could be designed, and the way it should be designed. As much as I like free software, I hate to say that I haven't seen anything original or creative come from it - most free software projects are simply copying an existing proprietary program. What needs to happen is that the open source community needs to step up to the plate and produce an OS that is easy to install and easy to use. And simple.
The society for a thought-free internet welcomes you.
CERIAS' Gene Spafford says overpowered, complex, general purpose machines that can do way more than people need are a big part of the problem.
Read the rest of this interview in which he discusses how increased, unnecessary complexity combined with a lack of users' understanding of security vulnerabilities and issues, and manufacturers' lack of interest in building in security can make systems more vulnerable to attacks.
Dude; That post should have a spoiler warning!
After 30 years working with computers, and 20 years in Software QA, I can give you a very good reason why NOT to immediately apply all software updates immediately. It is virtually impossible (read that incredibly difficult and expensive) to write perfect software -- I've yet to see any personally. In my experience, it's all too painfully common for one bug fix to cause yet another bug to appear whether it's by breaking something that used to work or by revealing a previously hidden bug.
I've worked at companies that ran through a whole gamut of acceptance tests before they upgraded users' systems to a new release of anything. Their business depended on having a known platform for their users. Think of training, help desk, and the like.
I'm NOT saying users should not upgrade, only that there is a good reason for some users to not immediately install every new fix that comes down the pipe.
I have heard this reasoning many times before and people are overreacting.
... i had never thought of that before!!! "
... it is amazing how we keep having this argument over and over again.
Did the journalists give the terrorists the idea to crash planes into the WTC? No they didn't. Did they give them the idea to hold a musical theatre hostage? Nope.
Let's face it, terrorists are much better at being terrorists than journalists are. It would be stupid to believe that Osama is watching CNN and says "small pox
I guess Bugtraq is a bit different because there are a bunch of script kiddies out there that may actually get their info from bugtraq. But still if it is on Bugtraq all the good hackers already know about it.
Security through obscurity is no security at all. Considering how all the places that require serious security, like banks etc., have believed in that principle for a while now
Here's yet another one published, and here's David Ahmad's response in light of these recent discussions.
What I don't understand in this whole mess: when I hear "execute arbitrary code", I know something's horribly broken. Why is it worse if someone exemplifies "arbitrary code" with "format a: /autotest" (in the ZDnet forum, reposted to BugTraq here) instead of
"winmine" (as in Sandblad's original advisory)? The important bit is "arbitrary code", no?
I think the argument that open source implies better security is overrated. While it is possible for anyone to check the source code, almost no-one actually has the technical expertise, time and inclination to do so. Everyone else just trusts that other people will do so, which makes them every bit as vulnerable as those who installed a closed source system in the first place. The same goes for creating and distributing a patch: even in the Linux world, a high proportion of the development work in this area is actually done by the big distro vendors, not by the OSS community as a whole.
Compare and contrast with a closed source product from a good company. As others have noted elsewhere in this thread, Apple has turned out security fixes within nine hours from being notified of a vulnerability in the past. I'm betting you can't make that claim of many Linux patches.
Please don't equate Microsoft with closed source and Linux with open source. If you do, your comparisons will always be fundamentally flawed. I agree that security through obscurity is not the way forward, but just disclosing something (when that something is millions of lines of source code) is not, in itself, enough to provide security either.
Does anyone have any evidence of virus protection companies directly or indirectly writing viruses? That's a curious question, not an indignant and defensive question.
I don't make the rules. I just make fun of them.
Also, the sky is not blue and there is no porn on the internet.
I don't know about that sky thing, but I've found tons of porn on the internet.
-
- - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.
A nice meaty POWER4 chip may very well outperform an FPGA, as long as you keep the modulus size small enough. If you're going to make the delay only a month or two, a 768-bit modulus should be fine. In this case, the modulus is 12 registers wide. That's 108 multiplications that need to be done. There are also a bunch of additions. A POWER4 has a big cache and can do several integer multiplies per clock cycle. There may very well be some optimizations as well.
In any case, a "break" in the system means that people have your exploit faster. However, this makes things no worse than full disclosure, which I believe to be the current best approach. On the other hand, if you were really worried, you could also lie about the puzzle. The vendor wouldn't know you had lied until reports of bogus decryption keys started coming in.
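The delayed-disclosure scheme the post above is weighing is a time-lock puzzle in the Rivest, Shamir and Wagner sense: the publisher seals the exploit behind t sequential modular squarings, and the only shortcut is knowing the factorisation of the modulus. The following is an added example written for this page, not code from the thread or from any vendor. It assumes a 256-bit modulus (instead of the 768 bits the poster suggests) so that it runs in a moment, a fixed base a = 2, and a constructed sample message XORed directly with the puzzle's answer; a real deployment would derive a symmetric key from that answer instead.

```python
"""Added example: a Rivest-Shamir-Wagner time-lock puzzle for delayed disclosure.

The publisher, who knows p and q, seals a message so that opening it takes
t sequential squarings mod n. That chain cannot be parallelised, which is
why faster hardware (the POWER4-vs-FPGA debate above) only shortens the
delay rather than breaking the scheme. Parameter sizes here are
illustrative assumptions (256-bit modulus, a = 2), not values from the thread.
"""
import secrets

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(n, rounds=40):
    """Miller-Rabin probable-prime test."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits):
    """Random odd prime with the top bit set, so p*q has the intended size."""
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


def sequential_squarings(a, t, n):
    """a^(2^t) mod n computed the slow way: t squarings, one after another."""
    b = a % n
    for _ in range(t):
        b = b * b % n
    return b


def make_puzzle(message, t, modulus_bits=256):
    """Seal `message` (bytes shorter than the modulus) behind t squarings.

    Knowing phi(n), the publisher reduces the exponent 2^t mod phi(n) and
    gets a^(2^t) mod n from two pow() calls; a solver has no such trapdoor.
    """
    assert len(message) * 8 < modulus_bits, "message must be shorter than n"
    p = gen_prime(modulus_bits // 2)
    q = gen_prime(modulus_bits // 2)
    n = p * q
    phi = (p - 1) * (q - 1)
    a = 2                        # gcd(2, n) == 1 since n is odd
    e = pow(2, t, phi)           # 2^t reduced mod phi(n)
    mask = pow(a, e, n)          # == a^(2^t) mod n by Euler's theorem
    ciphertext = int.from_bytes(message, "big") ^ mask
    # Published puzzle: (n, a, t, c, len). p, q and phi stay with the publisher.
    return {"n": n, "a": a, "t": t, "c": ciphertext, "len": len(message)}


def solve_puzzle(puzzle):
    """Open the puzzle the hard way and return the original bytes."""
    mask = sequential_squarings(puzzle["a"], puzzle["t"], puzzle["n"])
    plain = puzzle["c"] ^ mask
    return plain.to_bytes(puzzle["len"], "big")


if __name__ == "__main__":
    sealed = make_puzzle(b"constructed sample advisory", t=20000)
    print(solve_puzzle(sealed))
```

Two properties worth noting, both of which the post relies on. First, the solver's work is exactly t dependent multiplications mod n, so the delay scales with single-thread modular-multiply latency, not with how many cores an attacker owns. Second, nothing in the published tuple lets a vendor check that the ciphertext really contains the exploit, which is the "lie about the puzzle" option: the only way to find out is to finish the squarings.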
I thought it was an honest question... Ah well!