Slashdot Mirror

← Back to Stories (view on slashdot.org)

Another Critical Microsoft Hole

Posted by michael on from the your-daily-dose dept.

gmuslera writes "Not was enough that recent vulnerability in IE that can run any program in an unpatched windows system. Now there is another related to an ActiveX control that can make IE and IIS to run any code in the system. The Microsoft solution? kill the related ActiveX control and replace it with a safe one. The Microsoft problem? As this control is Microsoft signed, any site can require it, upload it and replace the "good" one with the vulnerable one. The final recomendation from Microsoft? Don't trust/run ActiveX controls signed by Microsoft." Gimble points to the appropriate locations on Microsoft's website: "Another buffer overrun (that allows arbitrary code to be run) has been admitted to by MS, and it affects IIS and IE on clients (but not on XP), and they have a patch available here Security Hotfix for Q329414. The kicker is that a patched system can be rendered vulnerable again by a hostile web site or HTML email. The 'solution' from MS in Microsoft Security Bulletin MS02-065 recommends that you remove MS from the list of Trusted Publishers."

12 of 597 comments (clear)

  1. Re:why? by NecroPuppy · · Score: 5, Interesting

    Because there are still quite a few of us
    who still use Windows...

    I've got half a dozen software packages that
    are currently only available for Windows or
    Mac, and as I don't like Macs, I'm stuck
    with Windows for the time being.

    This kind of story is "News for Nerds", and
    as such, is, IMO, much more valid a story than
    most that get posted here.

    And as far as the Open Source comment; yes,
    Open Source systems have bugs. However, I
    don't know of a single one that will have a
    website pop-up ask you to download a major
    security hole under the name of trusted
    computing.

    Do you?

    --
    I like you, Stuart. You're not like everyone else, here, at Slashdot.
  2. I found it ammusing... by oconnorcjo · · Score: 5, Interesting

    but I think Microsoft is doing the right thing here. They are in a pickle and they have given a good solution (and one that is embarrasing to them). Of course what they should really do is redesign IE to not run in "root" mode but that is another story. I wish the slashdot editors did not relish so much the foibles of Microsoft in their editorial comments.

    --
    I miss the Karma Whores.
  3. Use separate certificates for each control? by virtcert · · Score: 5, Interesting

    According to the MS release, the reason that they can't simply revoke the certificate for the control is that they signed other controls with the same certificate.

    Wouldn't it make sense for them to just sign every control with a DIFFERENT certificate, so when one is found to be flawed they can revoke the cert and only the new version will install easily?

    It's not like MS can't afford the cost of the individual certs, if they aren't a CA themselves already...

  4. MS buffer overrun theory by bfrog · · Score: 4, Interesting

    Here's a theory I've long held regarding the excessive number of buffer overrun security holes in MS software:

    The lack of an snprintf method in the DevStudio standard C lib causes MS developers to use the unbounded sprintf instead, potentially resulting in buffer overruns.
    What do you think?

  5. Re:So what.. by richie2000 · · Score: 5, Interesting
    If my Linux box wasn't kept up to date, there would be quite a few remote root exploits similar to this.

    Hang on, let me catch up here. Did Linus digitally sign a control in a subsystem designed to download code from any old webserver you might happen upon and run it as root while I was looking the other way? And did he, after it was discovered that such a system is not perfectly, 100%, safe *astonished look* issue a warning on the Linux kernel developer mailing list stating, in effect, that he's a jackass and people should stop trusting him with anything more dangerous than a moist sponge in a bathtub?

    I don't think so.

    --
    Money for nothing, pix for free
  6. I don't understand... by awptic · · Score: 4, Interesting

    If this doesn't affect XP, why can't Microsoft just issue a patch that installs the Windows XP components which aren't vulnerable? And also... why the hell isn't XP vulnerable? maybe they knew about this for a long time...

  7. Re:More Bias by SirSlud · · Score: 4, Interesting

    The day my bug-ridden OSS software starts silently self-installing across the web because my box was automagically set up to 'trust' the 1s and 0s, I'll stop making fun of MS.

    Until that day, I'll get my kicks from MS bashing. You've read and heard the things Baller & co have said about Linux (I particularly liked the "Linux is unamerican" comment, hehe) .. you can't honestly think that the Linux crowd is the only group of users that enjoy crass, glib jabs at the competition now, can you?

    So cease thy whining and either bash or don't. No need to pass judgement unless your prepared to accept that the whole world is guilty of the behaviour you are so desperate to eschew.

    --
    "Old man yells at systemd"
  8. I realize most /.ers use IE, but... by autopr0n · · Score: 5, Interesting

    Why all the focus on microsoft products, I submitted an exploit for opera a month or so ago, and it was rejected.

    --
    autopr0n is like, down and stuff.
  9. Don't trust Linux either... by Cpt_Corelli · · Score: 4, Interesting

    Aberdeen Research Group has this to say about open source and Linux security:

    Open Source and Linux: 2002 Poster Children for Security Problems

    November 12, 2002
    Open source software is now the major source of elevated security vulnerabilities for IT buyers. Security advisories from Cert for the first 10 months of 2002 show that open source and Linux software accounted for more than half of all advisories. The poster child for security glitches is no longer Microsoft; this label now belongs to open source and Linux software suppliers.

    Read more here

  10. .NET has similar design flaw by goombah99 · · Score: 4, Interesting
    From what I have read .NET has a similar design flaw. Where java uses rigorous theorem proving approach to making sure that code cannot exceed its authority, .NET once again trusts code that has been signed rather than attempting to check it. The reason for this apporach I believe is 1) the potential for speed by distirbuting compiled binary rather then VM code 2) the ability to take quick shortcuts, call undumented APIS and the litiny of other very handy but bad programming ideas that make MS what it is.

    So this is news because it blows the doors off the signed executable philosphy and makes the sandbox philosohy of the java VM look like the only viable approach. Notice that the JAVA approach would have avoided both problems. first it would have avoided the buffer overrun problem in the first place since that would be caught by the VM when it examined the code, and second there would be no signed app trustworthyness issue.

    --
    Some drink at the fountain of knowledge. Others just gargle.
  11. CNN by theonetruekeebler · · Score: 4, Interesting
    CNN's headline for the story is: Microsoft: Yet another security flaw. The story describes it at the 65th alert MS has issued this year and notes that MS has dumbed down its security alerts to the point that the people affected by them (e.g. darned near everybody) can read them.

    I really like that the mainstream press is using "yet another" here. Think about your neighborhood: if somebody down the street gets burglarized, it's a terrible thing, but it's an isolated incident, and in a couple of days, you'll unload the shotgun and soundly again. But when two houses a week get broken into, well, you're gonna start acting like there's a pattern here.

    What will happen when people start treating Microsoft's security lapses like the epidemic they are?

    --
    This is not my sandwich.
  12. Re:He's right about the fonts by mbogosian · · Score: 4, Interesting

    Actually, I think more realistically, this would mean that Windows Mozilla would become the next hot bugtraq item. Mozilla running on Windows is not the same as Mozilla running on any other OS. Mozilla is guilty of using Windows-specific stuff too (like the JavaScript interpreter).

    While that would be better for Mozilla (more bugs would be found faster, and there would be more incentive to become as homogenous across platforms as possible), I'm not sure it if would help Windows users all that much because by default Windows users are at or near the equivalent of root users. Windows is a security-week OS. Granted, integrating something like a web browser so tightly with the OS doesn't help, but the problem is still that regular Joe user is still allowed to do a lot of damage on his own with little or no checks and balances. Don't get me wrong. I don't like Windows, and I choose to run Linux on my desktop, but Microsoft-related security problems go a lot deaper than just IE.

    Personally, I'm not sure there's a way around this problem. Attackers are smart and well-informed. Not being fooled into running bad stuff requires knowledge, a healthy dose of skepticism, and vigilance. The problem with Microsoft software in general is that it makes it trivial for the ignorant user to run bad stuff. If all the buffer overflow and security wholes were fixed tomorrow, it still wouldn't stop companies from developing spyware, nor would it stop attackers from using social engineering to find ways into systems. This plagues even the non-MS world (look at the recent compromises in OpenSSL and sendmail).

    Here's an anology: Imagine that I was a "car cracker", and I devised a way to sneak into gas stations and replace their fuel with sugar water. NO ONE would notice until their cars stopped running and their engines siezed. Why? Who smells or tastes or tests gasoline from the pump before it goes into their car? The only real thing stopping someone from actually doing something like this is the logistics of cracking a gas station's fuel supply. As a result, people have a reasonable (and yes, in this case it is reasonable) amount of trust in what's coming out of the pump (even if it is gas-ohol).

    However, it's much easier in the world of easily-reproducable flying bits to do something very similar. There's a much smaller barrier there. Now users really should smell/taste/test their gasoline before they put it into their car. The only problem is, just like with the car analogy, there's little to no tools available to make that process available to the common consumer. What's worse is that even if they were, the common consumer is so lazy, they probably wouldn't take advantage of them unless they were forced to.

    No, I am not an advocate of DRM. I hate the stuff. If anyone ever tells me I can't use my computer the way I want, I'll kill 'em (metaphorically...I don't wish actual physical harm to befall anyone...it's not my place to judge and dispense punishment). My point is that Windows has a very long way to go before these types of problems will become manageable again, with or without Internet Explorer.

    In a lot of situations, installing software is less like putting gas in your car and more like buying 50 kilos of cocaine. In that scenario the buyer doesn't trust that the seller hasn't cut the dope. As a result he has the tools (guns and methods of determining drug purity) to help ensure the transaction goes smoothly.

    Okay, maybe that analogy doesn't work either, but I think you get my point.

    --

    moto411.com