Slashdot Mirror
Controversy Surrounds Huge IE Hole
Suchetha wrote in with a Wired News bit talking about
security hole
in IE that allows malicious web pages to reformat a hard drive. The Wired
talks
more about bugtrack's handling of the whole thing, and how it essentially posted working
code for the exploit. Was it irresponsible or not?
If they cared about preserving security for users, or getting the defect fixed, they'd have given the working code exclusively to the defect owner. Posting working malicious code to the general population serves NO BENEFIT to anyone other than those with malicious intentions. You can properly describe 99.99% of bugs without giving people the tools to take advantage of it.
The Wired talks more about bugtrack's handling of the whole thing...
Dude; since when did Lain start writing technical articles?
It might be my sadistic side, but I prefer for working exploits to be posted by the security sites... It gives you a way of checking to see if you are vulnerable.
In the case of M$ bugs, it also puts more pressure on the company to come up with a fix for the problem quickly.
The article states that the code wasn't new, and was taken from public forums etc. So I don't really think that this is irresponsible..
Thanks for not posting a link to that page.
http://dtum.livejournal.com
What may be MORE irresponsible is /. posting a link to Wired posting a link to the exploit for all the l33t script kiddies here.
No, wait... there's no script kiddies here. Only hax0rz with K-rad XP boxen.
-- El Sacarino tiene gusto de la chocha
I cannot help but notice that in almost all cases, the security problems in both IE and Mozilla have been in the realm of active content - Javascript, Flash, and ActiveX.
Hence why I as a matter of course disable them.
How about encouraging webmasters and web designers to avoid requiring them unless absolutely necessary?
www.eFax.com are spammers
Ok, so they acknowledge that microsoft has known about the problen since November. But the messenger is still the one that should be shot. And not microsoft since they are "investigating the issue".
...
The article is just stupid
Yes I'd be pissed off, and I would be mad that they posted an exploit.
However I'd also be quite upset at my vendor for letting this happen.
Those who think, "We should give MS a couple months to find an appropriate patch" are sadly misguided. Do you think a script kiddie or hacker is going to wait? Do you think they're going to say "Oh, I shouldn't do this because microsoft is a big company." Wake up people, the only way a company is going to put their top programmers on the job to fix the bug is when the threat moves from "possible" to "real". As much as I wish companies too exploits more seriously, the reality is they don't until it is percieved as a "real immediate threat."
The criticism has a bit of a different skew:
"Symantec's actions give the impression that they are encouraging people to create and release malicious code. Given that Symantec also sells security and antivirus software, I think there is a terrible conflict of interest here."
I have to admit I wonder about this myself from time to time.
Posting as Anon since I don't need the Karma:
n ee ring/issues/ie.shtml#opt
----------
Serious Internet Explorer Defect
This is a developing issue and the information presented here is preliminary in nature and subject to frequent changes. Last significant update - 11/08/02-1830
SUMMARY
A simple way to exploit an unfixed defect in Internet Explorer has been discovered that allows malicious web sites, and possibly malicious email messages read with Outlook or Outlook Express, to take control of a computer. All you would need to do is click a web link and the owner of the web site could take almost any action they desired on your computer.
Simple, working exploit software was recently published to a public mailing list.
There is no patch to fix the problem. Anti-virus and personal firewall software will not prevent an exploit. It is hoped that Microsoft will provide a patch to fix this defect in the near future.
It is impossible to predict how, when, or even if someone will take advantage of this but due to the ease with which bad things can be accomplished it was decided to post an announcement. Nothing at all may happen. Or someone could write a virus or put up a malicious web site to take advantage of the situation at any time. The last time a defect exploit with similar characteristics was published, it was quickly incorporated into many email viruses making it unnecessary to click an attachment to get infected.
The following practices are recommended for users of Internet Explorer, Outlook, and Outlook Express until more information becomes available:
1. Users of Outlook and Outlook Express should perform the following simple, unobtrusive procedure to disable scripts from executing in email messages:
Click the Tools menu item and select Options
Click the Security tab
In Outlook Express, make sure the Virus Protection security zone is set to Restricted site zone as shown in the window below:
In Outlook, make sure the Secure Content Zone is set to Restricted Sites as shown in the window below:
These are the default settings for Outlook 2002 and Outlook Express 6. Users of earlier versions should change the setting to Restricted.
2. Indiscriminate browsing of untrusted or questionable web sites should be avoided or scripting should be disabled as described in the additional security measures below. Note that hyper links sometimes appear in email or instant messages. If these messages are from malicious individuals, they could lead you to a malicious web site.
3. Indiscriminate clicking of hyper links in unexpected or suspect email messages, instant messages, and peer sharing resources should be avoided or scripting should be disabled in Internet Explorer as described in the additional security measures below.
ADDITIONAL SECURITY MEASURES AND INFORMATION
There is only one technical defense against an exploit at the present time and that is to disable scripting in Internet Explorer, Outlook, and Outlook Express. Instructions for disabling scripting in the mail clients were included in the recommendations above and should have little or no effect on day to day use.
Unfortunately, disabling scripting in Internet Explorer will adversely affect the operation of many web sites including E-campus and the Windows Update Site. There is, however, a way to specify trusted web sites that are are allowed to use scripting and disable it for all others. Users desiring to decrease risk may follow the instructions at the following web site under the section titled "Optional Internet Explorer Security Measures":
http://www.jmu.edu/computing/info-security/engi
Risk associated with this exploit and most others can be somewhat reduced by using a non-Administrative Windows account when browsing the web, reading email, and other day to day computer use.
The defect has been verified in Internet Explorer 5.5 and 6 SP1 running on Windows 98 and XP SP1 respectively. It is likely all varieties of 5.5 and 6 are vulnerable. A quick attempt on a Windows 95 computer running IE 5.0 was unsuccessful but not enough research was done to know why.
A possible symptom of an exploit is a Window similar to the one below suddenly appearing on your screen after clicking a hyperlink or opening an email message. The exact appearance of the Window may vary depending upon the version of Internet Explorer and operating system. Note that this window will appear if you click Help and under that circumstance the window appearance is not an indication of an exploit. If you are affiliated with James Madison University and see this window unexpectedly appear after clicking a web hyperlink or reading an email message, please contact Gary Flynn at x82364 ASAP. People affiliated with James Madison University can find my home number in the local directory and are encouraged to call me at home if such an event takes place after normal working hours.
If I don't know what the malicious code is, how am I supposed to avoid it?
Informed security is way better than uninformed security.
Anyone who wants to use this exploit will find out how. The exploit-users already know how to use it and will tell their friends, so we may as well know also.
$8.95/mo web hosting
a.) Run Microsoft exclusively (only want to see Microsoft bugs)
b.) Run Microsoft exclusively (don't want to see Microsoft bugs)
c.) Want to find any reason to bash Microsoft... (only want to see Microsoft bugs
d.) Don't run Microsoft at all (don't care about Microsoft bugs)
Too many companies (software vendors, security consultants) are financially vested in how bad the security blackeye looks in the marketplace and it colors their policies regarding security notification.
As far as I'm concerned, the interests of the software users should be the primary concern.
"Provided by the management for your protection."
BugTraq is a mailing list dedicated to full disclosure. Before I get modded down for being redundant, let me explain how/why this is relevant. In a list dedicated to full disclosure, it becomes up to the person who drafts the advisory to be responsible for it's content. Many companies believe that vendor notification before releases is standard procedure, and yet there are others (ISS) who seem to believe that having one non-vulnerable version (bind 9) means that they can release an advisory that affects other versions that currently have no patches (bind 8, 4).
On the other hand, there are "independents" such as GOBBLES and other security goons who believe that posting the advisory with full exploit code the second they discover it is a good idea. I'm not going to disagree with that, because without such wake-up calls, many people would never update their systems, remaining vulnerable for days/months/years. It's pretty ridiculous how many people do.
It's not really up to BugTraq to decide which is the better course of action, it's up to the analysts and the community. If the community chooses to ostracize a member for using such tactics, they can do so. I'm sure that a commercial security vendor would encounter exactly that for releasing an advisory with exploit code and no vendor notification.
Though, in all fairness, most people have known about this IE exploit for months, and I can be reasonably sure that among "most people" "Microsoft" is included. Microsoft doesn't exactly have the worlds best track record working with people to resolve security issues, or even releasing timely patches.
In short, BugTraq good, security good, black hats bad.
If there is a God, you are an authorized representative. - Kurt Vonnegut Jr.
Basically this is the same as another exploit posted to the list earlier, but with a new command. And for that matter, jelmer has been posting a new IE local zone exploit like every week... Any of them could have been used to make something like this, it's just no one has tried to do a format. True the jelmer posts didn't include the "run a program with arguments" thing that was posted this week, but they did show how to read/write arbitrary files and execute them. So batch file somewhere and here comes a HD format.
So the only reason we haven't seen this I think is because like always, virus creators want their program to spread, and the quickest way to stop the spread is to kill your host, so instead we get mass mailers, trojans, etc. It was going to happen eventually.
Free Online Woodworking Resources Directory
This argument that because 100% security isn't possible, we should just give up on the whole idea is specious. Companies are responsible for doing their best to provide a product that's not full of holes. Their moral liability is determined by what constitutes a good-faith effort to that end. Their legal liability depends on the legal fiction you clicked "I agree" for.
My deviantArt site
Now all we need is a way to embed an ISO image of a Linux system into the web page and use the same exploit to install an alternative operating system. Just think of the banner ads! "Click here to Install Linux!" and "Get That Windows Monkey Off Your Back! Hit the Monkey to Try!" and "Eliminate Windows Instabilities Forever. Click Now!". Then it won't be malicious. It'll be setting all those people FREE!
Curmudgeon Gamer: Not happy
Since outlook express formats html code that is sent automatically, and I assume uses the saem engine explorer does, could it be possible to send a spam email that will re-format the hard drives on all IE windows systems? scary.
Secondly, I'd rather *know* what an exploit looks like, and thus be able to create a filter to prevent exploit packets incoming rather than just hoping that an exploit doesn't exist (because if it does, the black hats will have it, and the script kiddies will get hold of it).
Thirdly, I have enough knowledge to help join in the effort to fix the bug; I'm not the only person with that sort of knowledge. In the situation you describe, I can attempt to tackle bugs that affect me; I'm not dependant on someone else doing it for me. Even if I was dependant on other people, I'd still prefer them to have the extra visibility into the problem that an exploit provides. I've had to debug similar errors before, and while the debugging is the hardest part, the second hardest is creating a useful test case; in your situation, I have a test case already.
I appear to have a blog. Odd.
is why on my computer, IE doesn't even have permission to get through ZoneAlarm
Technoli
I just tried using the exploit code on my Mac OS X box running Internet Explorer and it didn't work. My hard disk was not formatted. I am disappointed. Why is Microsoft treating Mac users different than Windows users? Its not often that Mac OS X users get to use those nice 'Recovery CDs' that get shipped with Macs. We pay top dollar for our computers, we might as get to use everything that comes with them. Thanks a lot Microsoft! Just for leaving me out, I'm switching to Mozilla where are all the security problems and bugs are cross platform!
Strange women lying in ponds distributing swords is no basis for a system of government.
I...uh...want to see if they are...are as numerically diverse as mine! Yeah..that's it!
Neither this incident nor the wired story adds anything new to the debate.
It's really gotten quite tiresome. Neither side of the "full-disclosure" flame war will ever convince the other, so I imagine it will continue forever.
Keep in mind that bugtraq was specifically created to be a full-disclosure list. It's a central element of their charter. The moderator is therefore highly motivated not to block something on the grounds that it reveals too much information.
If you think that's irresponsible, there's no need to vent about it here. You can read hundreds of megabytes of archived debate on the subject. I'm quite sure whatever argument you want to present will be in there somewhere.
This isn't even a particularly good example to use, since the exploit was already public.
So if you're using a Windows box, I've got to assume one of three things is happening:
And, yes, it would be different if this were Linux, or BSD, or even MacOS. All those operating systems come with companies or communities who take security seriously, and they respect their users enough to not foist insecure features on them. You can have the reasonable expectation that running any of those OSes let you worry about security a lot less than running a Windoze variant.
If you had a nice apartment in the middle of New York, and you constantly left the front door unlocked, and then one day somebody walked in stole your stereo, I'd feel bad for you. But, you know, not too bad.
Do domain names matter?
ssh into your box, su to root, then fsck your harddrive
I wouldn't be so pissed as long as the attacker did this often. It's such a hassle to wait for my system to do a monthly e2fsck when the partitions have readched their maximal mount count.
Withdrawal before climax is very ineffective and those who try this are usually called "parents."
Here's some more info... click this link it's ok.. you can trust it... go on.. you know you want to.
Nothing to fear. Just a link.
And possibly -1 RTFE (Exploit).
The advisory quoted only points out how it is possible to combine already well-known OTHER exploits into a way to run commands with parameters in the local context.
Also, last time I checked, you could not format a hard drive just by typing "Format C:". You also have to type "yes" two or three times, quote the volume label back to the FORMAT program, and a couple of other safeguards. Saying that "Web sides format your harddrive" is sensationalism. Yes, they can run programs on your hard disk. (We've seen these kinds of sploits before. They're bad, yes, but not new.) But can it format your hard drive? Not so.
It should also be noted that the exploit paper points out that the author has discovered another way to achieve the same effect, but that details will not be disclosed until the vendor (MS) has patched the problem.
I don't think it is irresponsible (at least not of the magnitude suggested) to quote others' works and say that the vulnerabilities still exist.
There was already working code posted that exploited the vulnerability but did not format your drive. There was no need to add that payload to the exploit. It's like handing out a vaccine that you have modified to have worse side effects than the original disease.
--
E_NOSIG
I'm not sure about the details of the current case, but there is a very good reason for publishing full technical details about an exploit before patches come out. That is that it may be possible in many circumstances for aware and knowledgeable system administrators to prevent the exploit from affecting machines within their control either at a central point, like a firewall or proxy, or by disabling software features until a patch is available.
For example a web proxy might be able to scan for the presence of the malicious code in question, but if that code is not available to the sysadmins, then how can they make appropriate filters? Also being aware of the ways in which these exploits work could allow sysadmins to make more general security policy decisions in terms of what users / processes are allowed to access what areas, etc. I'm not saying that it could be done in this case, but could in many others.
This could save a company a lot of time and money, and is therefore a good thing. It is not true to say that only the party responsible for producing a patch needs to see the actual code for security reasons.
There are a thousand forms of subversion, but few can equal the convenience and immediacy of a cream pie -Noel Godin
The article is stupid and wrong.
The sploit paper says that MS was contacted about the combined exploit October 4, which is not in November, and that they have closed the issue with a "will not be patched because XYZ" statement, which is not to be investigating the issue.
Two critical wrongs in fact out of two possible. I just felt a sudden urge to trust the rest of the article so much more...
Microsoft is sending some of their people here tonight to give a talk about how cool they are and how fun it would be to work for them (recruitment meeting). I think I'll mention this exploit to them and see what their response is.
The joke they always make is "For those of you who want to work in software testing... Yes, we do test our products (wait for laugh)"
There are only 10 kinds of people in this world... those who understand binary and those who don't
Microsoft(TM) intrudes^w introduces an incredible new PR nightmare^w^w way to work(TM)!
Trojaned@Home(TM) - work on any problem you want(TM)! Set millions of CPUs working at a moment's notice(TM)! Every copy of Windows(TM) has this glaring security hole(TM)^w^w^w feature(TM) built in!
Trojaned@Home(TM) is super fast, due to Microsoft(TM)'s secret Code Hider^w Layering(TM) technology, which ensures that it's always on(TM), and ready to work for you(TM)!
See the power of the internet(TM) multiplied by millions(TM) of smart Windows(TM) users today!
Use Trojaned@Home(TM)!
Ha! You already are(TM)!
While I agree with you in principal, and I'm sure we share the bond of 360k floppies with zipped copies of viruses, I have to disagree with the details.
I remember a time when the source code for some vulnerabilities was disclosed, but with errors. If you didn't know how to fix the error, you couldn't use the vulnerability. This way, it was kept OUT of the hands of script kiddies, but put INTO the hands of those with a clue on how to fix the problem.
I'd be willing to bet 95% of the break-ins on the internet are plain old script kiddies. IMHO, there isn't any more port scanning going on, there isn't any more social engineering of the average joe's desktop pc. That sort of work is left to the 'expert' black hats, trying to get into the 'treasure chest'. The rest are lamers just running what they found.
IMHO, if BugTraq is going to post vulns, they need to be non-working, and the user has to have the knowledge to fix them. Especially on closed platforms, it does less good release exploits for code you can't fix, because you're not fixing the problem, you're just working around it.
"I can't give you a brain, so I'll give you a diploma" - The Great Oz (blatently stolen sig)
Only people who need that information should be allowed to it.
Of course. That is why from now on we have instituted a simple procedure that must be followed any time you want to buy a book or read one in a library.
Just submit to the nearest government office the Request For Information Access form (RFIA-1984) together with all the necessary documentation proving that you need the information. In due time the form will be returned to you, stamped "approved" or "rejected". If it has been approved, take this form to your book dealer or library and you will be granted access.
Please be aware that having multiple requests rejected can adversly affect your future.
Have a pleasant day.
Kaa
Kaa's Law: In any sufficiently large group of people most are idiots.
Found the code, made a web page and verified the exploit with ie5 win200...
Tried it on WINE using CrossOver Office.
and was very disappointed to find that WINE once again did not live up to it goal of being bug for bug compatible with windows.
All i got was HTML help and a script error. No files written to my "C:" and no exploit.
*sigh* Guess WINE still needs some work.
...which a friend and I posted to bugtraq. It turned out to be a previously undiscovered variant of the semisoft virus, which we'd dubbed "net.666" for a few reasons (just so you can check my story).
We made a web site that showed how to clean an infected system and had downloadable infected files for virus researchers. At the request of some of the researchers, we took off the files and gave an email address for researcher requests instead.
Surprisingly, we got emails from script kiddies (some posing as researchers, some not) trying to get copies of the virus.
But, by the end of that week, there were separate executables from a few companies implementing our cleaning methods, and the next round of signatures could detect it.
I think it would have been a better idea for these guys to just post the solutions and keep the exploit code itself as secret as possible. MS will prettymuch HAVE to deal with this one. It's the kind of exploit you hear about in hoax emails, but I don't think it's going to make their lives much easier knowing that this exploit is so widely available, not to mention the people who get hit by it.
vk.
vk.
Not the whole full-disclosure discussion again. The topic has been discussed to death on pretty much every security-related mailing list, newsgroup, whatever for the past years.
And frankly, if you surf with IE, which has known security holes that have been unpatched for well over a year, you simply deserve whatever you get.
Assorted stuff I do sometimes: Lemuria.org
You can get a patch here.
Under Mac OSX 10.1, Internet Explorer 5.1.2 runs as root or as some kind of su and has access to the entire system and basically doesn't care if you have directories ath you would rather protect. Mozilla respects FS protections. Under MacOSX the Java JDK documentation is hidden away in the the Frameworks/Java... directories where a non admin user has no access. To browse these I usually make a link in my browser to the index.html file and carry on from there. I discovered that IE lets you in everywhere it can go while Moz doesn't.
Differing perspectives on security, I suppose.
Right, because script kiddies don't hang out on IRC and get this stuff before Bugtraq. Also, the sky is not blue and there is no porn on the internet.
The most sensible thing I've ever read about this kind of question is crptogram article last year by Bruce Schneier.
Prime numbers are exactly what Alan Greenspan says they are -S. Minsky
Just because you can find the code "everywhere else on the web" does not mean you should share the code yourself. I find something like this akin to leaving porn magazines in your yard because the neighborhood kids will find them in the trash bin (or surfing the net - sic) anyway.
It's like "I know how to hang a person - here, let me give you a demonstration." Does sharing the code that can cause the problem allow you to protect yourself against it? Probably not; unless you are out there building tools to protect us - that's right US, including the very experience tech people here - against such attacks.
I don't like the idea of non-disclosure. I want to know if there is a potential that something bad could happen to me or my clients; and that I should start working on or be on the lookout for preventative measures. That's why we have vulnerability lists. In that same hand I believe that Too Much Information is not polite - to the users and the vendor. Here's how you make the gun; oh and here are some bullets. It is almost criminal in its intent - considering the mindset of many today it *is* criminal in its intent - regardless of target.
I think with the interesting people, their lives can't possibly be wrapped up into a nice little package.
The exploit doesn't scare me as much as it adds more fuel to the SuperVirus theory I've been worried about for awile.
I believe that it's only a matter of time before someone creates a "SuperVirus", A Virus with all previously successful exploits, and unleases it on the world.
With the recent outbreaks of klez, code red, nimda, kak, sircam, and other viruses that do minor damage and proliferate fast through multiple exploits its only a matter of time until a script kiddie gets it into his head to combine them all and make a virus that infects everything, spreads though multiple existing holes, and does a massive amount of damage via either DDOS, Format after a set time, or Both.
In Soviet Russia, Trojan exploits YOU!
"Symantec's actions give the impression that they are encouraging people to create and release malicious code. Given that Symantec also sells security and antivirus software, I think there is a terrible conflict of interest here."
I have to admit I wonder about this myself from time to time.
On one hand, I agree. This can be viewed as attempt by Symantec to increase market share / profits by exploiting someone else's mistakes, and can certainly be viewed as inapropriate, a conflict of interest etc.
On the other hand, though... we have a software company with a not-so-stellar track record regarding security in their browsers and/or email clients, not to mention other avenues like operating systems. Moreover, a company that apparently refuses to learn from their mistakes, frequently brushes vulnerability reports aside as "unimportant", "insignificant", and essentially creates a market for companies like Symantec.
Business practices / exploit-with-no-patch-disclosing aside, what's wrong with Symantec developing security / antivirus software while exploring the operating system their software was made for and finding / reporting bugs?
If there was a certain home builder who notoriously installed windows (pun not intended) that could easily be opened from outside by anyone (e.g. a thief), and if I came up with a way to secure such windows (like, custom made-to-fit window bars that go perfectly with your house), why wouldn't you want me to 1) manufacture and advertise my security device, and 2) advertise the fact that the builder refuses to fix / replace the windows with a better model? Would you prefer that your home were insecure and you not know about it? Or would you rather know that there's an easy way into your home that anyone can access with a $5 tool? Wouldn't you rather be protected?
As I said, aside from the way that Symantec approached this particular problem, I don't necessarily think there's a whole lot of a conflict of interest here.
Have EVDO, will travel.
It seems like every couple weeks there is an article on /. to the effect of "BIG HOLE IN IE/XP/[MS APP HERE] DISCOVERED. THE END IS NEAR! REPENT, MS USERS" etc etc...ZZZZZZZzzzzzzzzZZZZZZZ -_-
There are only so many times you can read a headline like that before the "cry wolf" factor starts to kick in. All these "bugtraq" alerts are academic...theoretical...What I want to see is a headline that reads Merrill Lynch crippled by XP flaw. Plans to sue MS for millions $$$ damages or somesuch. Or at least a story of an actual user whose life was ruined by an actual MS security hole. Something tangible...Now THAT would be interesting!
If Linux had an exploit that allowed someone to ssh into your box, su to root, then fsck your harddrive, and a patch wasn't released yet, would you be pissed off that bugtraq posted the code to exploit the bug?
No, and here's why; if I have working code that roots my box, I can start looking for ways to prevent it from running. Know yourself. Know your enemy. The easiest way to beat something is to study it.
Now, that isn't an option in the case of IE, but I don't run it anyway. Still, there is at least some value in being shown how to exploit a vulnerability; it proves that it is real. I could send out an email tomorrow saying "Mozilla has a huge security bug that allows arbitrary execution of malicious VBScript," but unless I show you how, most (technical) people will assume I am blowing smoke. If I put up some code that demonstrates it, though, most (technical) people will say "crap, better 1. stop using Mozilla, or 2. get to hacking out a fix."
Thomas Galvin
What new ground is broken here?
None.
The simple fact remains that Micro$oft produces products that are riddled with the most egregious of security lapses, and that Micro$oft has an unrivaled history of dragging it's feet/passing the buck, even when billg is hit over the head repeatedly with the fact that his minions have unleashed yet another f*ckup on the unsuspecting public.
So, it's possible to contrive html that, when viewed on a remote web site, reformats the local hard drive of the box IE is running on?
Are you kidding me?
billg and every single idiot who was anywhere close to being involved with this f*ckup should be sued for every last penny they have.
As for full disclosure, let 'er rip.
It's the only way Micro$oft will ever be held in the least bit accountable for their crap.
t_t_b
I'm on PJ's "enemies" list! Are you?
MS has only had a week or two with the knowledge of this bug (article mentions that MS learned in November aka this month some time). For such a huge exploit, I'd suspect it'll take a week to pinpoint the code error, a week to fix the code, and two to four weeks of testing it.
That's about a month/month-and-a-half. Don't you think they deserve a good solid two months before posting the exploit?
Good quote, too many chars. Seriously, the slashdot 120 char limit sucks!
Ok, so Microsoft illegally uses their market power to drive competition out of the marketplace.
Anti-microsoft zealots post the code to take advantage of an IE security hole, allowing malicious coders to erase Microsoft from the marketplace.
Do both suck for the end user? Yes. But they're also both Microsoft's fault.
Let's face it, this is a case where it is 100% ok to blame Microsoft for having a crappy product. If Ford screwed up and made a car that anyone could unlock and start by doing something special to it, allowing the car to be easily stolen by anyone, you wouldn't blame the guy who posted how to do it on the Internet, you'd blame the Ford engineers who screwed up the design in the first place and the people who let that mistake out of the factory.
Microsoft screwed up, Microsoft customers get screwed over, Microsoft's fault.
paintball
If you were confronted by someone who had just lost a bunch of important data because of this exploit, do you really think they'd be impressed if you said "But I was trying to make a very important point to Microsoft!".
Instead of that, you should say "By not fixing the bug, Microsoft was trying to make a very important point to you!"
Then they will at least be angry at the right entity.
This is just a copy of Andreas Sandblads advisory, with a new command.
http://wwx.dino-soft.org/auto.html
note: prefix altered in "wwx". Needs to be reversed into "www" to make the URL work -
The above url when viewed WILL FORMAT THE A:\ drive when viewed on a fully updated and patched windows system. If you go there make sure there is nothing in the A:\ that formating will harm; because this has been tested
and works on Windows 2000 WinXP/home/corp/pro Win98/SE.
This is a harmless POC to give you experts here a heads up; because Microsoft HAS been informed of the hole; but they seem to be sitting on there hands maybe much like the recent XP hole that they knew about before XP even shipped; but chose to wait until SP1 to correct.
This is VERY DANGEROUS, and this little harmless POC could quite easy be made to be quite nasty; but when the author of the original hole who's hole I have sort of legoised and made to work a very little bit differently Microsoft had this to say to the original author:
"Microsoft was initially contacted 2002-10-04. After several mail exchanges, their final response were that the technique used to run programs with parameters from the "Local computer zone" was no security vulnerability. A fix should instead be applied for all possibilities for content in the "Internet zone" to access the "Local computer zone".
It seems that what's really irresponsible is not what Bugtraq did, but running IE to begin with. It's history of security flaws and exploits along with Microsoft's foot-dragging responses make it utterly irresponsible to run such software.
That said, no one is immune from security exploits. The argument for posting it to Bugtraq seems mainly to be that this motivates the vendor to move quickly now that their customers know about the exploit and now that nefarious types have easier access to it. (Don't fool yourself into thinking the most malicious types didn't usually already acquire it by other means.)
But if what we really want to do is motivate vendors to patch things quickly, it should be the first rule of Bugtraq that no exploit is posted until the vendor is informed. Most linux security exploits are resolved within about 48 hours, while it is true that Microsoft often takes weeks or months. Given our competing interests in both informing the vendor privately and getting information to the public, we should balance these in a reasonable way. One such solution might be that Bugtraq adopt a rule that after a vendor is informed, they have 48-72 hours after which time it will be posted.
For both the responsible vendors and the free software community this approach would balance our interests in minimizing exploits while a solution is actively pursued while also acknowledging the benefits of full public disclosure.
In the case of smaller vendors than MS who might not have the resources for such a quick bug-fix, an appeal process could be instituted wherein the vendor may contact Bugtraq during the initial grace period and request an extension. Guidelines based on the resources of the vendor and the seriousness of the bug could be used to determine whether another 48-72 hours should be granted.
BWCarver
Like Digital Freedoms? Then donate to EFF before they're gone.
Now if only someone could break into update.microsoft.com and put the exploit there...
(The windos update program uses IE. Good design decision to use your most insecure piece of code for security updates, isn't it?)
Assorted stuff I do sometimes: Lemuria.org
If you read Sandblad's actual BugTraq posting you will see that he had notified Microsoft more than a month before posting the details of the exploit. Quoting:
Microsoft was initially contacted 2002-10-04. After several mail exchanges, their final response were that the technique used to run programs with parameters from the "Local computer zone" was no security vulnerability. A fix should instead be applied for all possibilities for content in the "Internet zone" to access the "Local computer zone".
How much time does a company have to actually fix a problem this serious? When somebody takes the trouble to notify a company about a defect, they've already demonstrated helpfulness and responsibility. It would make sense for the company to take that helpful, responsible person into the loop, and at least update them periodically about what is being done about the problem. That would give a helpful person like Sandblad a basis for continuing to wait. In this case Microsoft gave no indication that they were doing anything about the problem or intended to do anything about it. Continuing to sit on the information certainly wouldn't give them any further incentive. Sandblad reported this problem, got a thanks-but-no-thanks, then after a month of no news went over their heads to the public. I would say he handled it very responsibly.
<humor> Now, if someone were to say that there weren't any holes in IE, that would be controversial. this is just "business as usual - where have your files gone today?". </humor>
It's just unfortunate that this is the sad reality.
Under the rug there's a trapdoor leading to the apartment below me.
Give up, it's hopeless. Believe me, I tried. Even if you board up all the doors, someone'll still find a way to sneak in through the kitchen window you left ajar and clean out all the treasures in you trophy case. You just can't win.
I'm assuming that you have no issue with Bugtraq's posting of the initial advisory from Andreas Sandblad on the 6th. Now, the code that was posted on the 14th (over a week later) that is causing all this ruckus was cut-and-pasted from a discussion going on on ZDNet forums. In other words, those that would do harm already had the code.
I'll grant you that posting it to Bugtraq probably doesn't add all that much information for the "good guys" (except that the javascript in the "format a:" version is simpler to read), but it has the added benefit of getting someone like Wired to make a big stink out of the whole affair. The publicity is important as a way of getting the bug fixed. Security bugs are viewed by Microsoft (and anyone in the consumer software industry) as PR problems - posting this to Bugtraq doesn't make the bug any worse for users of Microsoft's systems (since the kiddies already have it), but does make it much worse for Microsoft. It's much harder to spin away a bug when live, functioning exploit code is staring you in the face.
Are you kidding? If someone wants to fsck my drive for me, that's fine with me. It'll cut down on my boot time.
There is no sig, there is only Zuul.
Not to troll, but perhaps slashdotters should be extra careful of the links they click (for those on IE) in the near future.
Goatse is disturbing and easily detected, but I'd imagine that this script could be setup almost anywhere, making it easy to slip in a slashdot comment.
And yes, I'm sure there are probably enough trolls on here that somebody would try it if they knew how.
I actually posted a similar question to "Ask Slashdot" about a year ago. It didn't get accepted, but basically it said the following:
[snip] This brings up the question of whether or not the benefits of disclosing the information out weigh the problems. While attackers can exploit the holes, it pushes companies to release a patch as soon as possible. Personally I'm all for disclosing the full information. But that got me thinking about another example of security disclosure. After September 11 it was impossible to escape "news reports" speculating on the next terrorist attack and their next weapon. They mentioned that small pox would be a good weapon and went on to detail why. They said we have no cure and we're not prepared for it and basically said that if they used that against us we'd be powerless to stop it. I also saw reports on the least secure airports and how people sneak weapons through security and so on. I was angry when I saw this information being broadcast for anyone, including terrorists, to see. They could easily use this information to plan another attack. The reporters were doing the terrorist's research for them. In theory, these are the same debates. Should vulnerable information be disclosed in order to better prepare for or fix the security hole? I'd be curious what other people think. Can you support full disclosure of security holes in software, but not support full disclosure of certain national security threats without being a hypocrite?
RomikQ asks:
Do you find information on how to build a nuclear device in your library?
I do! Its in a section called 'physics'. Another section called 'history' details the Manhatten project. Still another section called 'chemistry' gives me more knowledge on how to refine it. (The chemistry section is helpful for building explosives as well.) Yet another section called 'metalurgy and metalworking' helps me with the manufacturing skills.
Since you say 'nuclear device', I believe a nuclear pile or dirty bomb would fit in that definition, and the knowledge to build one of those is found in any local library. A true fission bomb needs some information that is not available at the library, but the library gives me one heck of a headstart on a project. For a vehicle bomb with conventional explosives, the library gives more then enough knowledge.
Ignore the anarchist cookbook, its full of half truths and downright lies. Go to the local university and grab copies of all their science textboks, its a lot more dangerous.
Just my $.02
Looks like automated formats via "mined" web pages in Explorer have been around for a while now. This Bugtraq link is from back in 1999:
/ 20 02-09-30/2002-10-06/0
/autotest" at the MS-DOS C:\ prompt.
.pif file ("Format.pif") with the Command Line set to:
/autotest"
.bat file ("Format.bat") with a single command:
/autotest"
.pif or .bat file to the targetted web
http://online.securityfocus.com/archive/1/28213
Bits of note include:
"The key is the Format command's "/autotest" flag, which I believe was
put into place early on in MS-DOS's history to assist in batch
processing, and was probably dropped from the documentation some time
back (it's not in my DOS 5.0 manual as far as I can tell -- although
that's not too far in the past). It can be tested for by entering:
"Format a:
The automated format via web page can be accomplished as follows (with
the example shown demonstrating how to create a link on a web page which
will automatically format Drive A):
1) Either:
Create a
"C:\WINDOWS\COMMAND\FORMAT.COM a:
And Working Line set to:
"C:\WINDOWS\COMMAND"
Or:
Create a
"format a:
(Should the user wish to format another disk, the a: may be
replaced with c:, d:, e:, etc.)
2) Link to the file on a web page as follows:
Click Me
Or:
Click Me
According to the method chosen for implementation in step 1. These
links may be placed beneath graphics or text, as would be found on a
regular web page.
3) Upload the html document and
server directory and wait for an unwary user to click the link and
'Open'.
Spooky, eh?
These steps don't create a Trojan Horse so much as an out-right "Cyber Mine" which will be activated on a user's machine the instant they click the link and accept the file into their system. As the download of the 1k file is almost instantaneous, damage will be made to the user's data in a matter of seconds. "
What would really worry me is if someone cracked into a high traffic sight and added this code. The havoc it would cause would be interesting. ie. slashdot or cnn.com tainted with such code.
Does anyone remember the time when Yahoo finally found that someone had edited the text on their frontpage. White on white text that could be highlighted. I don't know the details, but I knew about it long before yahoo discovered this.
It *can* happen, but now companies are definately more security cautious.
Fortunately, I use mozilla, I made the full time switch and lived with the minor bugs the day Gator mysteriously installed itself on my system while browsing with ie. (there was a previous story on the incident with that exploit).
"You should always go to other people's funerals; otherwise, they won't come to yours." -- Yogi Berra
An example can be seen in the game everquest. There was an exploit that allowed characters to crash portions of the world with almost no effort. It was left in for months because it was mainly contained on one server. It had been /bugged and reported to the maintainers of the game multiple times w/o response.
Finally, a player from the server became fed up and posted exactly how to exploit it on multiple message boards where it would be widely seen. Within days it was being used on ALL servers with regularity. It was patched in the next patch less than a week later.
Companies deal with jobs related to their importance which is not only the serverity but the population effected, (if anyone has watched fightclub when he's speaking about his job you get the idea). By spreading the knowledge the importance is increased. And the bugtraq is the best place to spread it as it will get out to as many people responsible for security as possible.
I do security
And to be honest, I'd be much more scared about something likethan I would about having my hard disk formatted.
(Didja know there's a one-step command-line FTP in Windows? Very useful for this kind of activity.)
Download and install Mozilla.
Yes, Mozilla has had its share of security flaws, but they generally get fixed faster, too.
Not that it affects me. I'm MS free.
If at first you don't succeed, skydiving is not for you
So I figured that I could avoid this by just deleting the key in my registry for IE help so that the OCX would never load and the exploit wouldn't work. I did that and it solved the problem! But wait... Windows is now trying to "help" me by putting that registry key back the way it was! Thank you so much Windows for saving me from myself and reopening the door to my harddrive. What would I do without you?
After reading the proof-of-concept script at http://online.securityfocus.com/archive/1/298748, I now know at least to avoid blind links.
Also, I've come up with this possible solution:
In IE, bring the potentially malicious page to the front, then press Ctrl-O to get the Open prompt. Enter this:
javascript:void(location.replace=null)
then click OK. Now anytime that a javascript on that page tries to do a location.replace command will now instead issue a null command (no command at all). (Assuming the script hasn't already been activated, under an onLoad event or something)
This works with annoying exit pop-up ads too:
javascript:void(window.onunload=null);
You can do this with all sorts of javascript commands that get abused. Find some offensive pages, look at their source, and disable the commands you see used often. (onunload is probably the worst and most often used).
Major inspiration from this cnet builder page.
$8.95/mo web hosting
security hole in IE that allows malicious web pages to reformat a hard drive
Surely there's a typo here. If I discover that the computer I'm working on has Windows installed, you're saying that all I need to do to reformat the hard drive is click on one of these web sites?
This way the vendor knows the clock is ticking, and ance you've published the puzzle and the encrypted exploit no ammount of legal manuvering can put the cat back in the bag, so to speak. Basically, it allows you to put pressure on the vendor while still being responsible and giving the vendor a month (for instance) head start. You can put decent bounds on how long it will take the fastest consumer machines to solve the puzzle. There's currently a puzzle running that's supposed to get completed shortly before the MIT Laboratory for Computer Science's 70th b-day, for instance.
Copyright Violation:"theft, piracy"::Anti-Trust Violation:"thermonuclear price terrorism"<-Overly dramatic language.
If you don't prove it, they will deny it. The ability to erase everything is the threat that all root exploits pose. It's about time the popular press understood the implications. God knows, M$ spends enough money denying the ability and on Astro turfing where people who suggest such things belong to the tin foil hat camp.
I hope this blows all the way up to and beyond CNN. I'm tired of people looking at me like I'm crosseyed when I tell them that IE is full of holes that alow others to look at your files and erase them. M$ can'nt buy the entire mass media forever.
Friends don't help friends install M$ junk.
umm... I think the cracker community has thier own system of karma, in the form of reputations. The guy who fixes the exploits for the kiddies gets massive ammounts of karma. There are plenty of smart people willing to fix the exploits for the kiddes, if nothing else, it raises the "noise floor" for hunting down the skilled crackers. Posting broken exploits isn't security though obscurity, it's security though denial.
Copyright Violation:"theft, piracy"::Anti-Trust Violation:"thermonuclear price terrorism"<-Overly dramatic language.
The Wired talks more about bugtrack's handling of the whole thing, and how it essentially posted working code for the exploit. Was it irresponsible or not?
What's irresponsible is living in a fantasy world and thinking that Bugtraq are the only ones capable of exploiting a bug like that. Just because you don't talk about it and shh shh it doesn't make the bug disappear and unexploitable. Shit man just like any exploit someone is gonna write code to exploit it if it's in their interest or for fun or just because they are pure evil. With something like this; shit as soon as the exploit was posted I'm sure there were people writing code to exploit the shit.
"And, yes, it would be different if this were Linux, or BSD, or even MacOS. All those operating systems come with companies or communities who take security seriously, and they respect their users enough to not foist insecure features on them."
Really?
Show me the security bulletin on Redhat's website for the issues found in KDE last August.
The sad fact is the Linux support community is even worse than Microsoft. They don't even acknowledge problems even after they've been patched by the development team. Maybe it's just a lack of communication mechanisms, but whatever it is it is bizarre.
Then switch to ext3 and tune2fs those counts away (disable them by setting them to 0). No more waiting. Oh, and upgrading from ext2 to ext3 is painless.
Then it doesn't matter at all what Bugtraq does. However, you think this means they shouldn't publish exploits. Your logic is all backwards.
If it doesn't matter what BugTraq publishes, then BugTraq should publish exploits ported to as many programming languages and platforms as pssible, for educational enlightenment.
Copyright Violation:"theft, piracy"::Anti-Trust Violation:"thermonuclear price terrorism"<-Overly dramatic language.
Showing people how to automatically format hard disks from a Web page isn't 'full disclosure,'" Smith said. "It is malicious code writing. To an outsider, Symantec's actions give the impression that they are encouraging people to create and release malicious code.
Yeah, and reading Mein Kampf will make me a nazi.
Reading about guns will make an assassin.
Reading Kama Sutra will make me a Don Juan.
Reading Juan Manuel Fangio's biography will make me a F1 racer.
But not reading any of these will make me dumb.
Difficult choice, isn't?
Buy a Nintendo DS Lite
Your case seems awfully hypothetical. Let's go with something more concrete. Your web site, Marotti.com, is vulnerable to this exploit and has been for weeks. All someone who doesn't like you would have to do is just download the exploit and request the appropriate URL, and all your passwords would be overwritten. I mean ANYBODY who reads packetstorm could have done this to you for weeks.
Don't be silly. Full disclosure is part of the process.
If guns kill people, then CmdrTaco's keyboard misspells words.
I fail to see how this is controversial in the least. It is just another bug found in a piece of software full of bugs. The guy reporting it gave Microsoft a full month before he went public, that should have been more than enough time to build a patch.
As for the exploit itself, whats wrong with the code he wrote? If it scares the PHB's into actually demanding a more secure IE from MS then all the better.