Slashdot Mirror
Another Critical Microsoft Hole
gmuslera writes "Not was enough that recent vulnerability in IE that can run any program in an unpatched windows system. Now there is another
related to an ActiveX control that can make IE and IIS to run any code in the system. The Microsoft solution? kill the related ActiveX control and replace it with a safe one. The Microsoft problem? As this control is Microsoft signed, any site can require it, upload it and replace the "good" one with the vulnerable one. The final recomendation from Microsoft? Don't trust/run ActiveX controls signed by Microsoft." Gimble points to the appropriate locations on Microsoft's website: "Another buffer overrun (that allows arbitrary code to be run) has been admitted to by MS, and it affects IIS and IE on clients (but not on XP), and they have a patch available here Security Hotfix for Q329414. The kicker is that a patched system can be rendered vulnerable again by a hostile web site or HTML email. The 'solution' from MS in Microsoft Security Bulletin MS02-065 recommends that you remove MS from the list of Trusted Publishers."
"can make IE and IIS to run any code in the system"
Noooooo!
Minesweeper WON'T stop coming up!
--This girl at the library the other day
Why doesn't Microsoft wake up and just apply the "mozilla patch"? :^)
Slackware forever. Honestly, what else would you trust when it absolutely positively has to be stable, secure, and easy
Doesn't this just make you excited for the prospect of Palladium and a world where all code is digitally signed? I'm tingling all over.
I'm all for code signing for authenticity, but not for code signing as execution control. Code signing should be purely an audit mechanism.
Not was enough that recent vulnerability in IE that can run any program in an unpatched windows system.
Difficult to read this post is, hmmm?
This must be the most utterly humiliating admission I have ever read. The fact that it comes in the context of a security problem beggars belief.
Reality is defined by the maddest person in the room
Can we please stop all this MS bashing? Every piece of software has security alerts and patches issued. Why, in a week where we have alerts for Samba, php, kde (libs and network) and apache, do we have to hear about IE yet again? Yes, we know thats its not a secure bit of software. It just makes us look like insecure teenagers if we keep bashing it like this.
*flame retardent jacket on*
That is all.
Why can't IE run in a process with reduced privaliges? Why does IE need the privalages of the current user on NT/2000 when all it does is browse the web?
Wow. Some heads must be rolling at Microsoft over this. Recommending that Microsoft be removed from the list of trusted signees? They're certainly not pulling punches on this one. It looks to me like they're placing a higher priority (with the treatment of this bug) on user security than company image. That's a first...
The reason they're in this mess is the whole "trusted computing" paradigm which they started with this signed-ActiveX stuff and are continuing with Palladium. Perhaps this will make them reconsider. Quis custodiet ipsos custodes: Who watches the watchers?
I removed Microsoft from my "trusted publishers" list a long time ago ; )
All you linux freaks should pay attention - here is Microsoft issuing some very timely and correct advice.
"Don't trust us"
Once more unto the breach, dear friends, once more, Or close the wall up with our American dead!
Reproduced for your enjoyment:
What steps could I follow to prevent the control from being silently re-introduced onto my system?
The simplest way is to make sure you have no trusted publishers, including Microsoft. If you do that, any attempt by either a web page or an HTML mail to download an ActiveX control will generate a warning message. Here's how to empty the Trusted Publishers list:
1. In Internet Explorer, choose Tools, then Internet Options.
2. Select the Content tab. In the Certificates section of the page, click on Publishers.
3. In the Certificates dialog, click on the Trusted Publishers tab.
4. For each certificate in the list, click on the certificate and then select Remove. Confirm that you want to remove the entry.
5. When you've removed all entries from the list, select Close to close the Certificates dialog, then click on OK to close the Internet Options dialog.
Today the DOJ announced that they would no longer trust Microsoft and had removed Microsoft from the list of companies it would allow to police themselves. This was done on Microsoft's advice as they felt they could not be trusted not to screw around like they had before.
"Lets face it" said Bill Gates "asking us to police ourselves is like asking Dan Quayle to front a literacy program, its just not a good idea"
An Eye for an Eye will make the whole world blind - Gandhi
Because if you don't bring these problems out into the open, Microsoft won't fix them. There have been several cases in the past where security vulnerabilities were left unpatched until people started clamoring for a fix. Also, this hole is rather severe (if a similar hole was found in SSH or Apache Slashdot would announce it) and the fact that it is digitally signed makes it unusual and newsworthy.
I read the internet for the articles.
According to the MSTECH bulletin:
Why isn't it feasible to set the Kill Bit in this case?
The ActiveX control involved in these vulnerabilities is used in many applications and web pages to access data. Many applications, including third-party applications, contain hard-coded references to it; if the patch set the Kill Bit, the web pages would no longer function at all - even with the new, corrected version. As a result, the patch updates the control to remove the vulnerabilities, but does not provide a brand-new control and set the Kill Bit on the old one.
Conclusion:
-Microsoft refuses to kill itself.
how does this relate to: the story Microsoft on Security: We'll Break Your Apps
Hey... linus refused to change the behaviour of kill -9 -1 also
Because there are still quite a few of us
who still use Windows...
I've got half a dozen software packages that
are currently only available for Windows or
Mac, and as I don't like Macs, I'm stuck
with Windows for the time being.
This kind of story is "News for Nerds", and
as such, is, IMO, much more valid a story than
most that get posted here.
And as far as the Open Source comment; yes,
Open Source systems have bugs. However, I
don't know of a single one that will have a
website pop-up ask you to download a major
security hole under the name of trusted
computing.
Do you?
I like you, Stuart. You're not like everyone else, here, at Slashdot.
but I think Microsoft is doing the right thing here. They are in a pickle and they have given a good solution (and one that is embarrasing to them). Of course what they should really do is redesign IE to not run in "root" mode but that is another story. I wish the slashdot editors did not relish so much the foibles of Microsoft in their editorial comments.
I miss the Karma Whores.
...that the only safe place to run a Microsoft browser is on an Apple Computer operating system.
How is it that they implemented a cryptographic signature system and don't provide for revocation? Surely somebody's missed something here...
25% Funny, 25% Insightful, 25% Informative, 25% Troll
People don't move to something because, firstly it's something different and many people are happy to stick with something comfortable. Secondly many people don't see the point in downloading something that they already have installed ("it works for me, why do I need anything else?" mentality) and finally, for many people they never experience the nasty possible ill-effects of these security alerts.
Sure, plenty of people were hit by Code Red but it never really affected them. Sure it affected their computer, but as far as their documents were concerned - there was no change.
Until we see a security alert that does cause damage to personal files and does roam rampant in the wild, the average Joe Blow user doesn't give a toss whether or not there 6 or 6000 security alerts.
Avantslash - View Slashdot cleanly on your mobile phone.
I'm no M$ fan, but I deal with it at work so I make a point at figuring out how to deal with the problems. Frankly, this isn't a suprise. The most well secured enterprises I've seen allow only internal ActiveX publishers -- ActiveX is just too hard to make safe.
.NET Framework Security -- anyway, it seems like Microsoft is at least attempting to solve this particular problem. And, their approach isn't completely idiotic. Really.
.NET common language runtime (read: M$ JVM) is controlled by a fairly sophisticated access control system. The default policy in XPsp1 from M$ allows no code from the Internet to execute, at all. Not exactly what I want as a user, but its what I want as an admin...
.NET mobile code without also enabling ActiveX controls. Not sure what the issue there is, but I suspect the CLR loader is some sort of ActiveX control. Anyone know about that?
.NET: Enforce Code Access Rights... .NET Framework
Looking forward, I recently picked up
Mobile code that runs in the
Frustratingly, you can't run
Anyway... here's some additional links to M$ references on mobile code:
Security in
Security in the
"He wrested the world's whereabouts from the heavens And locked the secret in a pocketwatch." - Dava Sobel
The problem is that unless you remove Microsoft from the list of trusted publishers, a malicious web site or e-mail message can reinstall the vulnerable version without your knowledge or consent.
To me, this proves that digitally signed code, that is, "trusted systems" are absolutely no guarantee of security. Bad code can be signed.
Doesn't anyone consider this a mysterly convenient way to incourage the masses of windows users who won't drop them to move over to XP? All the news sources highlight that XP isn't vunerable.. yeah.. not with THIS flaw. I wondered how long it would be before they started admitting the really bad flaws in all the other versions to move everyone towards their .net mordern os. hmph
or maybe I'm just nervous 'cause my coffee just accidently cross bred with a poison-ivy staph-infection vaccine GE plant and was recalled after I drank it
pm
** "It's not my job to stand between the people talking to me, and the ones listening to me." -- Pego the Jerk
Here's a URL for you, even...
MDAC 2.7 Refresh
Keeping Windows secure is hard, but it's easier if you install the recent components...
According to the MS release, the reason that they can't simply revoke the certificate for the control is that they signed other controls with the same certificate.
Wouldn't it make sense for them to just sign every control with a DIFFERENT certificate, so when one is found to be flawed they can revoke the cert and only the new version will install easily?
It's not like MS can't afford the cost of the individual certs, if they aren't a CA themselves already...
So Microsoft says to not trust them. Ok, I will not trust. But then I don't believe in this request. So I should trust MS. Ok, I'll trust'em. But then the request is true, and I should not trust...
Prescriptive grammar:linguistics
While researching the article linked below, I developed the impression that Microsoft has for years allowed its programmers to submit sloppy code. Now bugs are not easily found or fixed because everything is a mess.
Windows XP Shows the Direction Microsoft is Going.
Well yes, but now you run in the horrible paradoxal loop !!
Suppose MS say that they shouldn't be trusted. Assume you think it's right, so you don't trust'em, so you believe THAT sentence is false ! Therefore MS should be trusted. So of course you must trust'em, and believe they shouldn't trusted... And so on & on !
Finally their claim is just another way to make your system / brain crash due to stack overflow...
Tsuyoikoto ha taisetsu da ne, dakedo namida mo hitsuyousa (Strength is an important thing, but tears too are necessary)
Here's a theory I've long held regarding the excessive number of buffer overrun security holes in MS software:
The lack of an snprintf method in the DevStudio standard C lib causes MS developers to use the unbounded sprintf instead, potentially resulting in buffer overruns.
What do you think?
I'm interested in seeing any other browser that can provide robust, arbitrary plug-in support without a security compromise.
Security and utility are two contestants in a zero-sum game.
Which is not to say that <insert browser here> isn't a technically superior product...
Get thee glass eyes, and, like a scurvy politician, seem to see things thou dost not.--King Lear
From MS02-065:
So, who want to bet that the e-mails we will soon see circulating will have something like:
From: billg@microsoft.com
Subject: You can safely trust me
<html><body> Please read this e-mail carefully and make sure you download the provided control.
Asking people to decide whether or not they trust somebody based on, uh, well, whatever, that's asking for disaster. People will do that based on what they see in the From-field, most likely...
Well, admittedly, I haven't touched a windows machine in a long time, so I might be totally off here... :-)
Employee of Inrupt, Project Release Manager and Community Manager for Solid
Hang on, let me catch up here. Did Linus digitally sign a control in a subsystem designed to download code from any old webserver you might happen upon and run it as root while I was looking the other way? And did he, after it was discovered that such a system is not perfectly, 100%, safe *astonished look* issue a warning on the Linux kernel developer mailing list stating, in effect, that he's a jackass and people should stop trusting him with anything more dangerous than a moist sponge in a bathtub?
I don't think so.
Money for nothing, pix for free
Why are these things posted here? Is it because of the many /. users that use windows :-), or is it because we're always trying to make windows look bad?
I guess the same reason that...
Security Vulnerabilities in KDE 2.1-3.0.4, 3.1 RC3
Trojan Found in libpcap and tcpdump
Bind 4 and 8 Vulnerabilities
and
Vulnerability In Linksys Cable/DSL Router
were posted?
i.e. this particular article would have been posted were it about windows, redhat, solaris or pretty much any other "widly used" system
1. Yes, a lot of Slashdotters use Windows. I am using it right now. I have to, because that is what is mandated where I work. I am sure that is the case for many other people. I am sure some of the admins have to administer Windows systems. Basically, we are stuck with Windows, so we need to know this information. At home, on the other hand, I only boot up the Windows machine if I need a Quake fix.
2. We don't have to make Windows look bad, it is doing a fine job of doing that itself, thank you very much. Slashdot didn't release this alert, Microsoft did. Would you rather not know about it?
My beliefs do not require that you agree with them.
Perhaps it's the same exploits mentioned in the linked Slashdot article, and in that case pardon my ignorance. If not, I haven't seen these nine security holes talked about at too many places. Why I don't know. They are certainly vicious.
However, I am getting a little tired at all the MS bashing on Slashdot. It has been said before, but do we really need to have a story posted each time an Outlook/Explorer security breach, no matter how insignificant, is made public?
"If you think education is expensive, try ignorance" - Derek Bok
If this doesn't affect XP, why can't Microsoft just issue a patch that installs the Windows XP components which aren't vulnerable? And also... why the hell isn't XP vulnerable? maybe they knew about this for a long time...
"The simplest way is to make sure you have no trusted publishers, including Microsoft."
So OK. If this signed certificates thing was a good idea to begin with, why are they suggesting people remove ALL trusted publishers?
It's only Microsoft's own certificate that can reintroduce the problem. Why would they advise removing all certificates?
Is it because they think their users are too stupid to remove Microsoft only? Are they trying to look less bad by making it look like the problem effects all publishers? Or are they simply admitting that this signed certificate thing isn't working?
Oh, if we can't run anything we want on your system, nobody else should either. pfft.
oktay
---------------
Founder of the The Free Linux CD Project
Because in a recent /. story there is reference to a recent /. poll which shows 47% of those who responded still use a Windows operating system.
/. users use Windows.
/.
Nearly half of
This would seem to validate the need to have stories about Microsoft software bugs, especially those as grevious as this, on
Hello, today when browsing the site, I found an error (probably typographical) on the site. I would appreciate it if you could correct this: The story "Another Critical Microsoft Hole" should be reposted under the "It's Funny. Laugh." category. Thank you for your time.
Were the public to follow their suggestion, this would be a big deal. They would basically have deprecated ActiveX controls as a dynamic content strategy (you can use what you have, but you won't get any more). You could argue that this has been done for them over the last year or so, but this is the first time I've seen them admit it.
However you look at it, having a bug that causes even a temporary strategy change is big news, regardless of how you feel about MS.
What we have here is a clear case of people letting their ideology interfere with their business sense. Ideology / religion seems to be the only reason anyone would not go right over to better products like Opera or Mozilla. The only value MSIE can add, beside keeping the AV and security consultants in gravy, is vendor lock in.
Microsoft is falling further behind in technology every month. Rather than trying to catch up, they've been trying to hold everyone else back. It's time for them to get out of the way and stop hindering economic growth in the IT sector.
Beta is broken and the link to classic doesn't work. Stop wasting our time or there won't be anybody left here.
Why all the focus on microsoft products, I submitted an exploit for opera a month or so ago, and it was rejected.
autopr0n is like, down and stuff.
Aberdeen Research Group has this to say about open source and Linux security:
Open Source and Linux: 2002 Poster Children for Security Problems
November 12, 2002
Open source software is now the major source of elevated security vulnerabilities for IT buyers. Security advisories from Cert for the first 10 months of 2002 show that open source and Linux software accounted for more than half of all advisories. The poster child for security glitches is no longer Microsoft; this label now belongs to open source and Linux software suppliers.
Read more here
beowulf cluster of yoda there are.
karmasuicide2k2
world was created 5 seconds before this post as it is.
Re enable the runas service (it's on by default). Now try right clicking an exe with the shift button held down. See that "Run As..." menu item? Click it, now the program will run with alternate use privledge. Welcome to NT... What I want to know is why 99% of the fscking setup programs need to run as admin to install simple little applets into my user context..
--note to self--
Consider buying stock in proposed Hades Ski and Ice Skating resort... it must be getting real cold down there about now, somewhere between slushy and completely frozen over.
...Open Source isn't the only answer -- but it's almost always a better value than the alternatives...
So, to fix this particular little problem needs a hardware replacement "upgrade" :-(
Microsoft has warned about a security hole in Notepad. While Microsoft prepares a fix, it advises that we all use EDLIN in the mean time.
I'll feed the troll. The issue is for users of IE, not IIS admins. Every single person who runs Internet Explorer is vulnerable. How many of those do you suppose keep up with security advisories? Even if they use the Windows Update system, how many of them do you suppose will read advisories and clear their trusted providers list?
So many MS supporters think Slashdot readers are hostile to them. It never seems to occur to them that there might be valid reasons for the climate out there.
(...)
"The simplest way is to make sure you have no
trusted publishers, including Microsoft. If you do
that, any attempt by either a web page or an HTML
mail to download an ActiveX control will generate a warning message."
(...)
We could use this idea also with SPAM. Why use Bayesian filters (that aren't still 100% safe)? We could open every single message and decide if it is SPAM or not. If it is SPAM we can then delete it... it's easy!!
This message doesn't need a signature
This message doesn't need a sig
From the MS Technet article:
Q: Why would an attacker be able to silently re-introduce the old version of the control? Shouldn't there be a warning message?
A: A warning message is generated anytime there's an error associated with a digital signature (e.g., a bad signature or expired certificate) or the signer isn't trusted. But in this case, the digital signature on the old version of the control is still valid, and the signer is Microsoft - which is a trusted publisher in many cases. Because of this, most users would not see a warning message of any kind if the old control was re-introduced.
Ha! Microsoft is now providing very well written ammunition to the Anti-DRM movement; this makes me very happy.
$8.95/mo web hosting
Ahh, It's all coming clear... Microsoft is using A.L.I.C.E. now!
:-)
Microsoft1: All things you need to trust are from Microsoft.
Microsoft2: But all things are not always me need to trust are from Microsoft.
Microsoft1: Umm. But all things are not always are not always you need to trust are from Microsoft.
Microsoft2: Interesting. But all things are not always are not always are not always me need to trust are from Microsoft.
Microsoft1: Interesting. But all things are not always are not always are not always are not always you need to trust are from Microsoft.
Microsoft2: Huh. But all things are not always are not always are not always are not always are not always me need to trust are from Microsoft.
Microsoft1: Huh. But all things are not always are not always are not always are not always are not always are not always you need to trust are from Microsoft.
Microsoft2: Umm. But all things are not always are not always are not always are not always are not always are not always are not always me need to trust are from Microsoft.
Microsoft1: And. But all things are not always are not always are not always are not always are not always are not always are not always are not always you need to trust are from Microsoft.
etc.
Linux users know all about their bugs. They are the ones fixing them. Bugs in proprietary software are more interesting/important because they acknowledge commercial vendors inability to get working code out the door before profiting from it, a despicable but almost always necessary evil (if you're commercial and proprietary, that is).
1. Get an idea for useful softwaree
2. Write a lot of working but buggy code
3. ??????
4. Profit
Then later when you can rest assured that the investors or collectors are happy...
5. Fix bugs
And if you're a monopoly...
6. Release bug-free "Upgrade" and charge more money.
A fool throws a stone into a well and a thousand sages can not remove it.
So this is news because it blows the doors off the signed executable philosphy and makes the sandbox philosohy of the java VM look like the only viable approach. Notice that the JAVA approach would have avoided both problems. first it would have avoided the buffer overrun problem in the first place since that would be caught by the VM when it examined the code, and second there would be no signed app trustworthyness issue.
Some drink at the fountain of knowledge. Others just gargle.
Wasn't that the rationale for the existence of "certification authorities"? If one must make one's decision about trusting a software or not based upon the site where it seems to be, then there is no need at all for security certificates. Speaking for myself, if it says "Signed by Microsoft", I don't trust it at all, no matter if it was in a cracks site or not.
I really like that the mainstream press is using "yet another" here. Think about your neighborhood: if somebody down the street gets burglarized, it's a terrible thing, but it's an isolated incident, and in a couple of days, you'll unload the shotgun and soundly again. But when two houses a week get broken into, well, you're gonna start acting like there's a pattern here.
What will happen when people start treating Microsoft's security lapses like the epidemic they are?
This is not my sandwich.
Actually, I think more realistically, this would mean that Windows Mozilla would become the next hot bugtraq item. Mozilla running on Windows is not the same as Mozilla running on any other OS. Mozilla is guilty of using Windows-specific stuff too (like the JavaScript interpreter).
While that would be better for Mozilla (more bugs would be found faster, and there would be more incentive to become as homogenous across platforms as possible), I'm not sure it if would help Windows users all that much because by default Windows users are at or near the equivalent of root users. Windows is a security-week OS. Granted, integrating something like a web browser so tightly with the OS doesn't help, but the problem is still that regular Joe user is still allowed to do a lot of damage on his own with little or no checks and balances. Don't get me wrong. I don't like Windows, and I choose to run Linux on my desktop, but Microsoft-related security problems go a lot deaper than just IE.
Personally, I'm not sure there's a way around this problem. Attackers are smart and well-informed. Not being fooled into running bad stuff requires knowledge, a healthy dose of skepticism, and vigilance. The problem with Microsoft software in general is that it makes it trivial for the ignorant user to run bad stuff. If all the buffer overflow and security wholes were fixed tomorrow, it still wouldn't stop companies from developing spyware, nor would it stop attackers from using social engineering to find ways into systems. This plagues even the non-MS world (look at the recent compromises in OpenSSL and sendmail).
Here's an anology: Imagine that I was a "car cracker", and I devised a way to sneak into gas stations and replace their fuel with sugar water. NO ONE would notice until their cars stopped running and their engines siezed. Why? Who smells or tastes or tests gasoline from the pump before it goes into their car? The only real thing stopping someone from actually doing something like this is the logistics of cracking a gas station's fuel supply. As a result, people have a reasonable (and yes, in this case it is reasonable) amount of trust in what's coming out of the pump (even if it is gas-ohol).
However, it's much easier in the world of easily-reproducable flying bits to do something very similar. There's a much smaller barrier there. Now users really should smell/taste/test their gasoline before they put it into their car. The only problem is, just like with the car analogy, there's little to no tools available to make that process available to the common consumer. What's worse is that even if they were, the common consumer is so lazy, they probably wouldn't take advantage of them unless they were forced to.
No, I am not an advocate of DRM. I hate the stuff. If anyone ever tells me I can't use my computer the way I want, I'll kill 'em (metaphorically...I don't wish actual physical harm to befall anyone...it's not my place to judge and dispense punishment). My point is that Windows has a very long way to go before these types of problems will become manageable again, with or without Internet Explorer.
In a lot of situations, installing software is less like putting gas in your car and more like buying 50 kilos of cocaine. In that scenario the buyer doesn't trust that the seller hasn't cut the dope. As a result he has the tools (guns and methods of determining drug purity) to help ensure the transaction goes smoothly.
Okay, maybe that analogy doesn't work either, but I think you get my point.
moto411.com