Another Critical Microsoft Hole

gmuslera writes "Not was enough that recent vulnerability in IE that can run any program in an unpatched windows system. Now there is another related to an ActiveX control that can make IE and IIS to run any code in the system. The Microsoft solution? kill the related ActiveX control and replace it with a safe one. The Microsoft problem? As this control is Microsoft signed, any site can require it, upload it and replace the "good" one with the vulnerable one. The final recomendation from Microsoft? Don't trust/run ActiveX controls signed by Microsoft." Gimble points to the appropriate locations on Microsoft's website: "Another buffer overrun (that allows arbitrary code to be run) has been admitted to by MS, and it affects IIS and IE on clients (but not on XP), and they have a patch available here Security Hotfix for Q329414. The kicker is that a patched system can be rendered vulnerable again by a hostile web site or HTML email. The 'solution' from MS in Microsoft Security Bulletin MS02-065 recommends that you remove MS from the list of Trusted Publishers."

Microsoft ActiveX Controls?

[og_sh0x]

Hey, good thing that little bird told me to never check the box that says "Always trust content by Microsoft Corporation"

This bodes well

[evilpenguin]

Doesn't this just make you excited for the prospect of Palladium and a world where all code is digitally signed? I'm tingling all over.

I'm all for code signing for authenticity, but not for code signing as execution control. Code signing should be purely an audit mechanism.

More Bias

[OpCode42]

Can we please stop all this MS bashing? Every piece of software has security alerts and patches issued. Why, in a week where we have alerts for Samba, php, kde (libs and network) and apache, do we have to hear about IE yet again? Yes, we know thats its not a secure bit of software. It just makes us look like insecure teenagers if we keep bashing it like this.

*flame retardent jacket on*

That is all.

Re:More Bias

[Seahawk]

Well - I see your point, an I am oppesed to needless MS bashing as well! The difference between the OSS vulnaribilities and this IE is that the OSS vulnaribilities is fixed rather easy, and Microsofts solution to the problem(Dont trust MS activex controls) just wont help the average user as he has no idea how to not trust Microsoft

As you say - there are bugs in ALL software - but there are great differences in how quickly those bugs are fixed!

Re:More Bias

[keyne9]

Well, in my household, I will generally only update the secondary computers every month, give or take. More critical patches, I'll update immediately. I do not really consider these updates as bashing, per se, but rather a boon for me.

I seem to remember a poll that indicated that a significant portion of the /. crowd used or otherwise had installed Windows on at least one machine. I can't see how this woudl be totally irrelevant.

I can, however, see that the updates are quite one-sided. Is it, perhaps, that less people submit the linux related bugs? or that the editors choose to publish more Microsoft-related ones? I think only they know for sure. Either way, people benefit.

Re:More Bias

[platypus]

Why, in a week where we have alerts for Samba, php, kde (libs and network) and apache, do we have to hear about IE yet again?

Because samba et.al. use a completely different security philosophy. This shows and proves something that many people have said before, namely that MS' security philosophy based on "trust us, we know better what to do" is flawed. In the light of this news you can only laugh about popups like "Always trust content from microsoft corp.".

This is also not very encouraging for MS' auto-update feature in XP, and their whole fucking ideas of stuff in their OS's downloading components from the net without asking the user.

Note that the above is also true for other software publishers, but MS takes the spotlight for various reasons, like their omnipresence and their bullheadedness concerning these problems.

Re:More Bias

[platypus]

This begs the question why they did implement this trust "feature" in the first place.

Re:More Bias

[Blkdeath]

Can we please stop all this MS bashing? Every piece of software has security alerts and patches issued. Why, in a week where we have alerts for Samba, php, kde (libs and network) and apache, do we have to hear about IE yet again?

Yes, Slashdot announced a recent KDE vulnerability, and security holes affecting a popular open-source RAW TCP stream library as well as recent BIND 4 and 8 security vulnerabilities, and the trojan'ing of a Sendmail distribution, not to mention the privacy leak in the poster-boy browser for OSS - Mozilla, and how could we forget the Linux Worm that created an "attack network"?

Slashdot reports security vulnerabilities that affect large portions of the userbase. All of the above affect large portions of the OSS world, and IE vulnerabilities affect the vast majority of the workstation userbase (globally!). The difference between OSS and Microsoft security bulletins, however, tends to be that the OSS bulletins are generally followed-up shortly after release with "... and get the patch here, here, and here, and download [updated|backported] versions from your vendor here, here, and here". Only too often do we see updates to Microsoft bulletins that read along the lines of "... and Microsoft is stonewalling [me|us] ... " or "... Microsoft has officially denounced this as invalid ... " or "... Microsoft has accepted the bug report and is working on a solution ... " (which doesn't arrive for six weeks, and does so very silently with little more than yet-another-MS-bulletin and another item in the Windows Update listing).

The reason Slashdotters 'bash' Microsoft, especially in the face of "yet another IE/IIS critical security vulnerability" is that they're so recurring. The fact that this one happens to be digitally signed by Microsoft themselves, and that the only way to get around the vulnerability is to literally stop trusting Microsoft makes it more than hilarious; it's downright embarassing for them. When something embarasses one of the Open Source world's largest nemeses, and the very giant who has its sights set on Linux (primarily) and phasers set to kill, it gives us a warm tingly feeling, and human nature dictates that when this feeling is present, "I Told You So!" is a response that gives us imense amounts of pleasure.

Speaking of "I Told You So", I have to remember to show this one to our co-op student when he's next in. It'll make for a good practical demonstration of why I told him not to check "Always trust from ... " checkboxes within IE.

a solution...? I reckon.

[girl_geek_antinomy]

The 'solution' from MS in Microsoft Security Bulletin MS02-065 recommends that you remove MS from the list of Trusted Publishers."

Am I the only one who finds this uproariously funny...?

Micro$oft wants us not to trust it. Not that this will be a problem in many cases, but... Maybe if we applied this more generally the world would be a nicer and safer place?

Question

[zero-one]

Why can't IE run in a process with reduced privaliges? Why does IE need the privalages of the current user on NT/2000 when all it does is browse the web?

Re:Question

[pVoid]

The current user is a perfectly safe security context - unless, you are doing the same stupid thing 98% of bad users out there do: run as admin.

IIS needs to run as system for a couple of reasons that aren't worth detailing. The issue was the there was no distinction between Local-System, and Network-System as there is now in XP.

Re:Question

> Why can't Mozilla run in a process with reduced privaliges?

It can.

> Why does Mozilla need the privalages of the current user on Linux when all it does is browse the web?

It doesn't.

This is big

[ceswiedler]

Wow. Some heads must be rolling at Microsoft over this. Recommending that Microsoft be removed from the list of trusted signees? They're certainly not pulling punches on this one. It looks to me like they're placing a higher priority (with the treatment of this bug) on user security than company image. That's a first...

The reason they're in this mess is the whole "trusted computing" paradigm which they started with this signed-ActiveX stuff and are continuing with Palladium. Perhaps this will make them reconsider. Quis custodiet ipsos custodes: Who watches the watchers?

Re:This is big

[deanpole]

Removing Microsoft from the list is absurd. Microsoft should enhance the signature checking
code to also check an internal list of revoked
hashes.

Re:why?

Slashdot reports on pretty much anything security related. Besides this is not a little problem it's something that is pretty damn serious if you ask me.

So what..

[ybmug]

that can run any program in an unpatched windows system.

If my Linux box wasn't kept up to date, there would be quite a few remote root exploits similar to this.

Re:Typical slashdot crap

[compwizrd]

From the article:

What steps could I follow to prevent the control from being silently re-introduced onto my system?

The simplest way is to make sure you have no trusted publishers, including Microsoft.

Windows Update

[Peer]

The real pain is that people that have used Windows Update often will have checked "Always trust content from Microsoft", otherwise they will have RSI by now from clicking Yes.

why the kill bit does not work.

[leuk_he]

According to the MSTECH bulletin:
Why isn't it feasible to set the Kill Bit in this case?

The ActiveX control involved in these vulnerabilities is used in many applications and web pages to access data. Many applications, including third-party applications, contain hard-coded references to it; if the patch set the Kill Bit, the web pages would no longer function at all - even with the new, corrected version. As a result, the patch updates the control to remove the vulnerabilities, but does not provide a brand-new control and set the Kill Bit on the old one.


Conclusion:
-Microsoft refuses to kill itself.

how does this relate to: the story Microsoft on Security: We'll Break Your Apps

Hey... linus refused to change the behaviour of kill -9 -1 also

Re:why the kill bit does not work.

Wow, thanks Microsoft. You could fix a major vulnerability and result in some minor inconvenience breaking stupid websites that require ActiveX or you can allow any rogue website to run arbitrary code on your customers' systems. Way to go!

Re:why the kill bit does not work.

[de_rus]

Also according to the MSTECH bulletin: Will Microsoft eventually set the Kill Bit on this control?

Yes. Microsoft is developing a new technology that will enable it to set the Kill Bit on the vulnerable version of the control without forcing users to re-author web pages containing references to these controls. When the new technology is available, we will ensure that this fix uses it.

So.. Microsoft is developing technology that can/will deactivate controls a user has explicitly downloaded and trusted.
And -as it implies- replace it with a new one without the user knowing.

That's just great! It'll be a source for completely new virusses when (not if) this 'new technology' gets cracked.

WTF ?

[FauxPasIII]

How is it that they implemented a cryptographic signature system and don't provide for revocation? Surely somebody's missed something here...

Re:WTF ?

[dbarclay10]

They did. The reason why they refuse to revoke this control is that many sites hard-code the object ID, thus they would stop working.

While I commend them for suggesting a fairly complete solution (including not trusting Microsoft-signed controls any more), I piss on them for not being willing to revoke the old control simply because some sites would not work.

Were they to do this, there's no doubt that administrators and programmers everywhere would TRULY understand the issue, and fix their code to not use the hardcoded value. Instead, Microsoft is coddling them, and now we have another hundred thousand zombied machines in DDoS attack-networks.

Re:WTF ?

[Chazmyrr]

Q: why would you hard code the objectID of an MDAC component?

A: because your code has been tested against and works with that version. because you haven't completed testing against newer versions. because the newer version behaves differently and would require a significant rewrite that hasn't been completed. some or all the above. take your pick.

Why don't people use something else?

[Mr_Silver]

See this comment followed by my response.

People don't move to something because, firstly it's something different and many people are happy to stick with something comfortable. Secondly many people don't see the point in downloading something that they already have installed ("it works for me, why do I need anything else?" mentality) and finally, for many people they never experience the nasty possible ill-effects of these security alerts.

Sure, plenty of people were hit by Code Red but it never really affected them. Sure it affected their computer, but as far as their documents were concerned - there was no change.

Until we see a security alert that does cause damage to personal files and does roam rampant in the wild, the average Joe Blow user doesn't give a toss whether or not there 6 or 6000 security alerts.

Re:Typical slashdot crap

[evilpenguin]

The problem is that unless you remove Microsoft from the list of trusted publishers, a malicious web site or e-mail message can reinstall the vulnerable version without your knowledge or consent.

To me, this proves that digitally signed code, that is, "trusted systems" are absolutely no guarantee of security. Bad code can be signed.

Does no one realize its a TROJAN PR MOVE

[peculiarmethod]

Doesn't anyone consider this a mysterly convenient way to incourage the masses of windows users who won't drop them to move over to XP? All the news sources highlight that XP isn't vunerable.. yeah.. not with THIS flaw. I wondered how long it would be before they started admitting the really bad flaws in all the other versions to move everyone towards their .net mordern os. hmph

or maybe I'm just nervous 'cause my coffee just accidently cross bred with a poison-ivy staph-infection vaccine GE plant and was recalled after I drank it

pm

While it's fun to pile on his Majesty Satanic...

[smittyoneeach]

I'm interested in seeing any other browser that can provide robust, arbitrary plug-in support without a security compromise.
Security and utility are two contestants in a zero-sum game.
Which is not to say that <insert browser here> isn't a technically superior product...

Feeding this to port 25...

[KjetilK]

Oh well....

From MS02-065:

After emptying the Trusted Publishers list, if I do see a warning saying that a web site or an HTML mail wants to download a control, how can I decide whether to let it proceed?

The best criterion to use is whether you trust the web site or the sender of the HTML mail. If you don't trust the web site offering the control, cancel the download.

So, who want to bet that the e-mails we will soon see circulating will have something like:

From: billg@microsoft.com
Subject: You can safely trust me

<html><body> Please read this e-mail carefully and make sure you download the provided control.

Asking people to decide whether or not they trust somebody based on, uh, well, whatever, that's asking for disaster. People will do that based on what they see in the From-field, most likely...

Well, admittedly, I haven't touched a windows machine in a long time, so I might be totally off here... :-)

Not true...

[Ford+Fulkerson]

...you could run it on Solaris too.

Re:why?

[gosand]

Why are these things posted here? Is it because of the many /. users that use windows :-), or is it because we're always trying to make windows look bad?

1. Yes, a lot of Slashdotters use Windows. I am using it right now. I have to, because that is what is mandated where I work. I am sure that is the case for many other people. I am sure some of the admins have to administer Windows systems. Basically, we are stuck with Windows, so we need to know this information. At home, on the other hand, I only boot up the Windows machine if I need a Quake fix.

2. We don't have to make Windows look bad, it is doing a fine job of doing that itself, thank you very much. Slashdot didn't release this alert, Microsoft did. Would you rather not know about it?

Preaching to the Choir

[DeadSea]

I have seen several posts in the last few days questioning why the Slashdot editors are posting a particular story. The complaint usually runs along the lines, "Everybody on slashdot already knows this, post it somewhere that will do some good."

The folks that are out there converting people to free software are the people that read slashdot. Keeping the slashdot crowd informed of the latest security holes in Windows, Microsoft's most recent snafu, and the best new open source project allows Slashdot readers to spead the word more effectivly. New information and new arguments are key.

why remove *ALL* certificates?

[oktaya]

"The simplest way is to make sure you have no trusted publishers, including Microsoft."

So OK. If this signed certificates thing was a good idea to begin with, why are they suggesting people remove ALL trusted publishers?

It's only Microsoft's own certificate that can reintroduce the problem. Why would they advise removing all certificates?

Is it because they think their users are too stupid to remove Microsoft only? Are they trying to look less bad by making it look like the problem effects all publishers? Or are they simply admitting that this signed certificate thing isn't working?

Oh, if we can't run anything we want on your system, nobody else should either. pfft.

oktay

Re:Sound Advice

[Violet+Null]

"shouldn't be trusted" != "lies all the time"

Re:why?

[pwtrash]

This is not just a security breach. In their tech bulletin, MS advises users to completely eliminate downloadable ActiveX controls. If you recall, ActiveX was their strategy for dynamic web content. In other words, their suggested solution for dealing with this problem is to completely refute their own strategy. True, they have .NET as a replacement, but it is not quite cooked nor is it accepted publicly.

Were the public to follow their suggestion, this would be a big deal. They would basically have deprecated ActiveX controls as a dynamic content strategy (you can use what you have, but you won't get any more). You could argue that this has been done for them over the last year or so, but this is the first time I've seen them admit it.

However you look at it, having a bug that causes even a temporary strategy change is big news, regardless of how you feel about MS.

Re:I found it ammusing...

[Sycraft-fu]

Ummm, IE doesn't run in root mode. IE runs as whoever you are logged in as. If that's an administrator, well then it has near root powers (root would actually be more analogus to the Local System account) including things like formatting the harddrive. However if you user does not have permissions to do things like htat, neither does IE.

Most people just use their Windows systems as administrators, doesn't mean it has to be that way. You need administrator privledges to do things like install drivers and some software, but not to run what's already on there.

Re:Use separate certificates for each control?

[zbuffered]

I say they revoke the certificate anyway, and re-issue the other controls with new certificates. Inconvenient? Yes. But it would fix the problem, and that's job #1 for them. If, as others have said, heads are rolling over this one, I think revoking the certificate is the least they could do.

More design flaws

[SgtChaireBourne]

Actually, the bias seems to be pro-Microsoft. If any other project had the same severity and quantity of compromises as MSIE, it would be history.

What we have here is a clear case of people letting their ideology interfere with their business sense. Ideology / religion seems to be the only reason anyone would not go right over to better products like Opera or Mozilla. The only value MSIE can add, beside keeping the AV and security consultants in gravy, is vendor lock in.

Microsoft is falling further behind in technology every month. Rather than trying to catch up, they've been trying to hold everyone else back. It's time for them to get out of the way and stop hindering economic growth in the IT sector.

Re:Sound Advice

[dead+sun]

Trusted publishers list? That thing's empty. I don't trust anybody to decide what should be on my system besides me.

Re:So What's The Real Answer?

[jlanthripp]

How do I get a rich feature set to the web without running anything local (the most secure way)?

Depending on how you define "rich feature set" I would suggest PHP or perl or some other server-parsed scripting language. PHP in particular, when combined with MySQL, makes a *great* web development combination. Java code can be fairly secure to run, but it's run locally.

Re:I found it ammusing...

[Waffle+Iron]

Most people just use their Windows systems as administrators, doesn't mean it has to be that way. You need administrator privledges to do things like install drivers and some software, but not to run what's already on there.

At least as of Win2K, so many things break when you try to run as non-administrator, it's just not worth it for most people.

Re:FWIW: .NET may help this...

[0x0d0a]

allow only internal ActiveX publishers

Does anyone have any reason to allow ActiveX at all? It seems to pretty consistently be a low-benefit recipe for trouble...

Re:Want some cheese with that whine?

[JWW]

I've read that critique of Dilbert before and it is utter crap.

I've also read "The Dilbert Principle" by Scott Adams as well. It is an insightful and honest book about business.

What the author criticizing Dilbert does is say that by stating and exaggerating some of the bad things business does, he is condoning them. What a load of crap.

As for Microsoft, there are actions that they have taken that I do not like. But I have to use Microsoft products at work and have to know a lot about them. It doesn't mean that I can't also totally disagree with their licensing schemes. And while it may not seem like a big deal to you, my decision at work is whether to let users run Active X controls or not. There are big implications here, this story is absolutely not trivial and Microsoft made a major screw up in allowing this security hole to exist in this particular product in the first place.

Re:why?

[Archie+Steel]

It's not about anger, it's about vigilance and fairness. I may run Linux, but - like many here I imagine - I'm also the de facto Windows Support guy for family members and non-technical friends. So I want/need to stay informed of severe Microsoft vulnerabilities.

To tell you the truth, it's been a while since I've no longer needed stories such as these to convince me that Linux is more secure than Windows...there's no "anger" left (I don't thing there ever was - outrage and disdain, yes, but no anger), just a desire to be informed so that I can better protect my windows-using loved ones...

Re:Typical slashdot crap

[evilpenguin]

I'll feed the troll. The issue is for users of IE, not IIS admins. Every single person who runs Internet Explorer is vulnerable. How many of those do you suppose keep up with security advisories? Even if they use the Windows Update system, how many of them do you suppose will read advisories and clear their trusted providers list?

So many MS supporters think Slashdot readers are hostile to them. It never seems to occur to them that there might be valid reasons for the climate out there.

Re:I found it amusing...

[marauder404]

Reasonable for a home computer is to do nothing, actually. I'll probably get railed for saying this, but for most people, security isn't really that big of a deal. They pick shitty passwords, leave tons of security holes open, don't bother patching, and don't even know what they're doing is unsafe.

Granted, this vulnerability is considered critical, but few people will ever encounter it. Someone has to hit upon one of these malicious sites with IE after having trusted Microsoft by default and must have MDAC 2.7 (comes with Windows XP, I believe). The chances of this are very low.

You asked what you would do for your mother's PC and I would say do nothing. My dad browses all the time, but he pretty much sticks to the same big-name sites, reads the news, keeps up on a few messageboards, and sends email. I'm not going to give him a confusing list of things to worry about -- I'd be calling him every day for things to watch out for, trojans to be wary of, and websites to avoid. Most people won't encounter the problem, so I'm fairly comfortable with not having to panic about it and call everyone I know.

Re:Why MS bugs so publicised?...

[foniksonik]

Linux users know all about their bugs. They are the ones fixing them. Bugs in proprietary software are more interesting/important because they acknowledge commercial vendors inability to get working code out the door before profiting from it, a despicable but almost always necessary evil (if you're commercial and proprietary, that is).

1. Get an idea for useful softwaree
2. Write a lot of working but buggy code
3. ??????
4. Profit

Then later when you can rest assured that the investors or collectors are happy...

5. Fix bugs

And if you're a monopoly...

6. Release bug-free "Upgrade" and charge more money.

Re:I don't understand...

[Fizzlewhiff]

XP isn't vulnerable because XP uses a newer MDAC and you can't install an older MDAC on XP. Non XP users can download the newer MDAC and I'll refer you to the rest of the thread for the issues with that. I seriously doubt this is a conspiracy. If you are looking for conspiracies, try looking at why trojans occasionally slip into OSS releases.

Re:Hey great

[mangu]

Just because it says "Signed by Microsoft" on the pop up at the cracks site, are you going to go ahead and click Yes?

Wasn't that the rationale for the existence of "certification authorities"? If one must make one's decision about trusting a software or not based upon the site where it seems to be, then there is no need at all for security certificates. Speaking for myself, if it says "Signed by Microsoft", I don't trust it at all, no matter if it was in a cracks site or not.

Think Ahead to Palladium

[serutan]

Watcha gonna do when something like this happens, and the airtight MS security system is burned into your hardware?

Comforting thought, huh?

Good Gods NO!

have you not noticed that virtually _all_ of the Mac exploits ever published involve IE and/or Outlook?

I refuse to put Office X on my system, and only use IE to verify why a poorly coded page won't display in Mozilla or OmniWeb

Re:Don't trust Linux either...

[derF024]

Kind of a silly statement, since they're comparing every piece of software that runs on a linux platform to only microsoft applications. what would happen if you compared the "Linux security flaws" to flaws in every single piece of software that ever ran on Windows..

in addition, i think you'll find that since applications and libraries can be used by 3rd party applications more easily on open source systems, you have more code re-use. thus, 1 vulnerability, such as the one in OpenSSL, turns into 10 when you count in all the packages that use OpenSSL's SSL libraries. since MS closes the ssl libraries that they use with IIS, you'll find that there are probably 10 different ssl implementations on any one MS based system.

a third point is that this study counts advisories from each vendor regarding the same application as seprate advisories. so you have the following situation:

1 bug in OpenSSL affects 10 applications that use the OpenSSL libraries. advisories for those 10 applications are reported by 10 different Linux vendors. therefore, 1 bug in a piece of linux software generates 100 vulnerability reports. according to this logic, there are still roughly 100X more bugs in microsoft software alone then there are in every piece of software that is capable of running on Linux based OS's. that number is somewhat inflated, however my points are still valid, this study is turning 1 bug into many and comparing apples to oranges.