Slashdot Mirror


Microsoft Sits on Security Flaw for Six Months

pmf writes "Yet another critical vulnerability affecting Windows 2000/XP/2003 has just been announced by eEye. It is worth noting that it took Microsoft over 6 months to fix it. The bug affects the ASN.1 library and is remotely exploitable through authentication subsystems (Kerberos, NTLMv2) and applications that make use of SSL certificates." The AP has an overview.
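The story and several of the comments below attribute the flaw to the ASN.1 library, and ASN.1 decoders are a recurring source of memory-safety bugs because they read a length field from untrusted input and then trust it. The following is an added illustration, not code from the story, from eEye or from Microsoft, and it has no relation to the specific bug being discussed: a bounds-checked DER tag-length-value reader in C that shows the checks a decoder has to make before it may use a length. The X.690 DER rules it enforces (short/long length forms, no indefinite length, minimal encoding) are standard; the sample byte strings are constructed for the demo.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Parsed DER tag-length-value triple: pointers into the caller's buffer. */
struct der_tlv {
    uint8_t tag;
    const uint8_t *value;
    size_t length;
};

/*
 * Read one DER TLV starting at buf[*off] within a buffer of len bytes.
 * Returns 1 on success (and advances *off past the element), 0 on any
 * malformed or truncated input. The rules enforced are the ones decoders
 * most often get wrong: every read is bounded by len, the length field may
 * not exceed what remains, indefinite (0x80) and non-minimal length encodings
 * are rejected, and the length-of-length is capped so accumulation cannot
 * overflow.
 */
int der_read_tlv(const uint8_t *buf, size_t len, size_t *off, struct der_tlv *out)
{
    size_t i = *off;
    if (i >= len) return 0;                    /* no tag byte */
    uint8_t tag = buf[i++];
    if ((tag & 0x1f) == 0x1f) return 0;        /* multi-byte tags: not handled here */
    if (i >= len) return 0;                    /* no length byte */
    uint8_t first = buf[i++];
    size_t length;
    if (first < 0x80) {
        length = first;                        /* short form */
    } else {
        size_t nbytes = first & 0x7f;
        if (nbytes == 0) return 0;             /* indefinite length is BER, not DER */
        if (nbytes > sizeof(size_t)) return 0; /* would overflow size_t */
        if (nbytes > len - i) return 0;        /* the length bytes themselves are truncated */
        length = 0;
        for (size_t k = 0; k < nbytes; k++)
            length = (length << 8) | buf[i++];
        if (length < 0x80) return 0;           /* long form used for a short value: non-minimal */
        if (buf[i - nbytes] == 0) return 0;    /* leading zero length byte: non-minimal */
    }
    if (length > len - i) return 0;            /* value would run past the end of the buffer */
    out->tag = tag;
    out->value = buf + i;
    out->length = length;
    *off = i + length;
    return 1;
}

/* Walk the children of a constructed element; returns the number parsed,
 * or -1 if the content is malformed. */
int der_count_children(const struct der_tlv *parent)
{
    size_t off = 0;
    int n = 0;
    struct der_tlv child;
    while (off < parent->length) {
        if (!der_read_tlv(parent->value, parent->length, &off, &child)) return -1;
        n++;
    }
    return n;
}

/* Parse a whole buffer as one top-level SEQUENCE and return its number of
 * children, or -1 on malformed input (including trailing bytes). */
int parse_sequence(const uint8_t *buf, size_t len)
{
    size_t off = 0;
    struct der_tlv top;
    if (!der_read_tlv(buf, len, &off, &top)) return -1;
    if (off != len) return -1;                 /* trailing garbage */
    if (top.tag != 0x30) return -1;            /* expected SEQUENCE */
    return der_count_children(&top);
}

/* Constructed sample inputs (not taken from any real certificate or ticket). */
/* SEQUENCE { INTEGER 5, OCTET STRING "hi" } */
static const uint8_t good_seq[] = {0x30, 0x07, 0x02, 0x01, 0x05, 0x04, 0x02, 'h', 'i'};
/* Same SEQUENCE header but claiming 0x7fffffff bytes of content: the classic
 * "trust the length field" hazard. */
static const uint8_t bad_len[] = {0x30, 0x84, 0x7f, 0xff, 0xff, 0xff, 0x02, 0x01, 0x05};
/* BER indefinite length, which DER forbids. */
static const uint8_t indefinite[] = {0x30, 0x80, 0x02, 0x01, 0x05, 0x00, 0x00};

int main(void)
{
    printf("good_seq: %d children\n", parse_sequence(good_seq, sizeof good_seq));
    printf("bad_len: %d\n", parse_sequence(bad_len, sizeof bad_len));
    printf("indefinite: %d\n", parse_sequence(indefinite, sizeof indefinite));
    printf("truncated: %d\n", parse_sequence(good_seq, sizeof good_seq - 1));
    return 0;
}
```

Every check compares the claimed length against `len - i`, the bytes actually remaining, rather than against the claimed length of an enclosing element; that is the invariant that keeps a hostile length field from turning into an out-of-bounds read or copy.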

46 of 741 comments

  1. Wait a minute... by CajunArson · · Score: 4, Interesting

    Didn't openssl have a very similar bug that
    was disclosed & fixed just about 6 months ago?
    Anybody? Buehler?

    Looks like MS gets some slack that OSS just
    has to fix immediately.

    --
    AntiFA: An abbreviation for Anti First Amendment.
    1. Re:Wait a minute... by Florian Weimer · · Score: 2, Interesting

      Didn't openssl have a very similar bug that
      was disclosed & fixed just about 6 months ago?


      According to the reports I've read, the bugs aren't very similar.

      In both cases, the devastating results of the PROTOS SNMP test suite (which also incorporated ASN.1 tests) very likely provided the necessary incentive to look at ASN.1 parsers, but I doubt that the research or the actual code are related in any other way (as some have claimed).

      However, the impact of those bugs is comparable (at least on GNU/Linux systems), and it's nice that the free software community was able to provide a patch in a more reasonable timeframe. (The source code patch doesn't fix embedded systems with OpenSSL, of course, but that's another story.)

    2. Re:Wait a minute... by Anonymous Coward · · Score: 2, Interesting

      The file dates for this fix are all 23-Oct-2003. It looks like this was fixed a long time ago and it took 3.5 months for management to rubber stamp the release.

    3. Re:Wait a minute... by TheRealSlimShady · · Score: 2, Interesting

      Who's to say this didn't actually take six months to fix? I don't know if you bothered to read the advisory, but it goes very deep into the Windows authentication mechanisms, so this is the sort of thing you have to patch properly. A problem in the patch could cause worse damage to an organisation than a potential exploit.

    4. Re:Wait a minute... by KjetilK · · Score: 2, Interesting

      I know very little about it, but I looked up DSA-394 and links therein, and it seems it was just a DoS in the worst case on Debian, but it contains "Assigned (20030714)". Does that mean it was known on 14 July? In that case, it took three months?

      --
      Employee of Inrupt, Project Release Manager and Community Manager for Solid
    5. Re:Wait a minute... by AWhistler · · Score: 2, Interesting

      Actually, no they can't.

      I got laid off recently, most likely because I raised issues to management, was told to "just shut up" and didn't.

      Fortunately, I just got a new job, and a better offer at that.

  2. ASN.1: same issues as in OpenSSL by UnderAttack · · Score: 5, Interesting

    Didn't openssl have ASN.1 issues recently? Did MSFT copy some of the code ;-) ?

    BTW: Interesting timeline of more to come

    Better keep checking for updates.

    --
    ---- join dshield.org Distributed Intrusion Detec
  3. Windows NT / 2000? by peterprior · · Score: 4, Interesting

    Hang on.. If windows NT / 2000 are affected.. looks like M$ have been sitting on it for a _lot_ longer than 6 months.
    On the other hand, if they didn't know about it, I wonder how many systems could have been compromised. When was Windows NT released again?

  4. Well, of course by Medievalist · · Score: 5, Interesting

    Open Source software gets critical fixes within days or hours because anyone running the code can potentially fix the problem.

    As Micro$oft's ratio of programmers to supported lines of code decreases, their time to fix bugs will increase.

    To put it another way, bloat breeds torpor.

  5. in other flaws...I mean news...[semi-OT] by getling · · Score: 5, Interesting

    Looks like there is another worm out there spreading fast...it's spreading through AIM by sending out links to a site at wgutv.com that masquerades as being a news site proclaiming Osama has been captured. The site downloads an executable (which appears to be digitally signed with a cert issued by Thawte) which, at the least, starts propagating to other AIM buddies. Can't find anything on NAI or Symantec--anyone else seen this in the past 3 hours? (since about 2 PM EST)?

    --
    "Life is tough but we're tougher. You only get what you give, so give all that you've got." --Tony LaRussa
    1. Re:in other flaws...I mean news...[semi-OT] by getling · · Score: 2, Interesting

      Yeah we are trying to track this now...what other illegitimate links were you sent?

      --
      "Life is tough but we're tougher. You only get what you give, so give all that you've got." --Tony LaRussa
  6. My system's patched now by October_30th · · Score: 1, Interesting

    Ok, so maybe it was 6 months. So what?

    Is there any evidence that this "exploit" has been widely abused? It doesn't matter how long Microsoft sat on the exploit if there was no real harm done.

    Of course the "could've, would've, should've,..."-crowd will disagree, but keeping the exploit info in a limited (dare I say, compartmentalized) group of professionals for a limited time will always help to prevent widespread abuse.

    --
    The owls are not what they seem
  7. Does obscurity work? by BillyBlaze · · Score: 3, Interesting

    Well, does it?

    The article mentions that Microsoft is unaware of any computers hacked with this vulnerability. Assuming it wasn't ever used, then not disclosing it until a patch was made worked well in this situation.

    But not disclosing the problem has drawbacks, too. Your system is insecure, and you have to hope nobody else knows about the exploit either. And it's Microsoft's decision when to patch it. It will be interesting to hear why it took them six months. What if it was simply PR: do you feel safe knowing you're vulnerable so Microsoft gets good PR (until now)? Or perhaps it's just laziness. If customers don't know about an exploit, how can they apply pressure to counter it?

    1. Re:Does obscurity work? by pegr · · Score: 2, Interesting

      "The article mentions that Microsoft is unaware of any computers hacked with this vulnerability. Assuming it wasn't ever used, then not disclosing it until a patch was made worked well in this situation."

      OK, put on your tin-foil hat... Ready? I heard rumors in the white-hat underground almost a year ago on this issue. Apparently, government-types were sourcing ASN.1 experts for security work, but it was all very hush-hush. I didn't think much about it at the time, but it all came back to me today.

      With that said, are you ready to state that this vulnerability has not been used in the wild just because MS hasn't heard of it? You think various three-letter organizations haven't had this hack in their tool kit for at least a year? (MS probably wrote the exploit code! Or wait... Does spy hack code include Service Packs? ;) Or perhaps MS dragged their feet for six months so the cloak-and-dagger types could refocus on another, presently non-public, vulnerability in order to perform their "work".

      In security work, you have to work from the assumption that your enemy can defeat your controls so you can build redundancy into the system and minimize exposure.

  8. Critical power and water utilities by Risto · · Score: 5, Interesting

    Every time I see an airport or a power plant affected by Windows viruses and/or vulnerabilities I get a bit queasy. Will the general public ever realize that if what you are working on is of any importance, never mind critical importance, then Windows is not the right tool for the job? From the story: "This is one of the most serious Microsoft vulnerabilities ever released," said Marc Maiffret of eEye Digital Security Inc. of Aliso Viejo, Calif., which discovered the new Windows flaws. "The breadth of systems affected is probably the largest ever. This is something that will let you get into Internet servers, internal networks, pretty much any system." Maiffret said some computer systems that control critically important power or water utilities were vulnerable.

    1. Re:Critical power and water utilities by foidulus · · Score: 2, Interesting

      Though doesn't part of the user agreement state that you will not use this software as part of any critical systems such as power plants, air traffic control, medical systems etc.? Whether or not that actually stops them is another story. The only place I worked with critical systems was in a steel mill, but we used VMS.

    2. Re:Critical power and water utilities by Anonymous Coward · · Score: 1, Interesting

      Reply or moderate.. Reply or Moderate...
      What the hell..
      Speaking as someone who just last week was asked to recommend a firewall for a Win2K server (that runs the testing equipment) at a small water treatment plant, hooked up via a DSL Line to the 'net so the corporate parents can monitor the facility, I've got to disagree with you.

      There's a hell of a lot more "Utilities" directly hooked up than you seem to realize. While most of the larger facilities will have the correct controls and separation in place, many of the smaller facilities (like water treatment plants for smaller rural markets) do NOT, and simply don't believe they can afford proper security.

      I've not done a lot with power companies, but with regards to water treatment facilities (both sewage and drinking), I can name nearly half a dozen that do have one or more "critical" systems connected to the Internet via either direct connections (as in the case above) or via a non-segmented LAN.

      The reason btw, I was asked about another location was that I've had to deal with this in the past. Granted it's still a heck of a lot easier to simply contaminate the water supply than attack the equipment.

  9. I had just read about it by squarefish · · Score: 2, Interesting

    at cnn.com and was patching all the machines here at work. interesting article for a few reasons- looks like M$ is still making weekly updates...

    I'm so glad I switched to Linux and OS X for all my personal stuff; it makes me feel so much better.

    --
    Creationists are a lot like zombies. Slow, but powerful and numerous. And they all want to eat our brains.
  10. Laugh now, but maybe not in a few years by Junks Jerzey · · Score: 5, Interesting

    Windows is insecure. We know this. Partly it is the result of the operating system and partly it is the result of bad applications. And Microsoft knows it too.

    This is why Microsoft is making the bold move of promoting managed languages like C# and VB.net, and a fully managed runtime in the guise of .net. This is a huge, huge step toward eliminating buffer overruns and other trivial errors. Tens of thousands of developers are making the move right now. Any bookstore has at least 50 books on .net technologies.

    In short, laugh about it now, let it distract you from what's coming, let it lull you into thinking Linux will always have the security edge, go right ahead. It won't change anything.

  11. Re:Moderation? by pla · · Score: 5, Interesting

    Not every MS user updates once a year, you idiots.

    Assuming you didn't mean that as a joke...

    The entire point of this article centers on the very fact that no fix existed, despite MS knowing about the problem for over six months.

    So, even the most attentive network admin in the world, applying every fix within an hour of release, would not have had the ability to remove this vulnerability from his systems.


    Personally, I find it more interesting that MS has the same problem that OpenSSH had, dating from the same time period. Time for a few folks to start comparing the relevant libraries for similarity... Wouldn't that look just great for MS's PR, getting caught not only in a copyright infringement, but using that nasty GPL'd software they so hate...

  12. What about windows embedded? by PatrickThomson · · Score: 2, Interesting

    Yeah, subject says it all. What about systems with embedded windows, where patching (if possible) usually proceeds slowly, for example cash machines?

    --
    I am one of many. My idea is not unique, nor do I expect my voice alone to sway you. I speak in a chorus of opinion.
  13. Re:Unfortunate, but unlikely in the future. by neoThoth · · Score: 3, Interesting

    This seems all well and good but I call foul. This is NOT why it is unlikely that buffer overflows are going away in the future. Microsoft has realized that there is just too much code to deal with and, like it or not, humans (even with families to feed) make mistakes. And buffer overflows are notoriously difficult to spot with human eyes.

    The solution isn't to put more eyeballs on the problem. The solution is to build a better compiler. I don't have the documentation on hand but the newer compilers at Microsoft simply do away with the problem while building the opaque executables. The newer operating systems also operate with a "canary" in the memory system which listens for possible buffer overflows and handles the exception.

    Srividya, get over yourself. "I do not make security mistakes ever." You have and you will undoubtedly make more in the future. Coders in India are not that much more astute than American counterparts, they're just paid less.

  14. 6 months? How about 7 years... by truthsearch · · Score: 5, Interesting

    The Windows help system was exploitable for about 7 years. From the time of Windows NT 4.0's release (1996?) until June, 2003, an attacker could exploit the help system to run their own code. And that's just the help system!

    As of September, 2003, there were 31 known unpatched vulnerabilities in Microsoft Internet Explorer. Some of the most critical have not been fixed in well over a year. The original page listing them was removed at Microsoft's request, but I cached it.

    Microsoft was notified of significant issues with their implementation of the Java Virtual Machine (JVM) on September 2, 2002, and on April 9th, 2003, Microsoft issued an update to fix the problem. That took more than seven months.

    Shameless plug: more examples are available at my site.

  15. Re:Alert the media... by Liselle · · Score: 3, Interesting

    FYI, the morning after the Superbowl, I caught a story about the MyDoom virus (they referred to SCO as a "small software company") on the morning news. Granted, it's not Tom Brokaw, and they avoided technical details, but you get the point. There are presumably several people in major news organizations that are not brain-dead when it comes to tech news.

    --
    Auto-reply to ACs: "Truly, you have a dizzying intellect."
  16. when are they releasing this patch to consumers? by NotAnotherReboot · · Score: 3, Interesting

    I am looking at WindowsUpdate right now, and am not seeing this patch.

    I can go ahead and download it from the page in the story; my question is: why is this patch not up on WindowsUpdate immediately?

  17. Still Three REMOTE Exploits! by isn't my name · · Score: 4, Interesting

    Wow, eEye still knows of 3 different high severity remote exploits in MS systems, and MS has been sitting on two of them for over 3 months.

    Secure computing indeed.

  18. Re:And this is better than open source... how? by Musashi Miyamoto · · Score: 3, Interesting

    Just browse through Freshmeat. I'd say 1/8 of the projects there have not been updated since 2001.

    Or search Google for no longer under development. See how many hits are open source projects.

    Here is my list of apps that I want to see under development:

    Big Sister for Windows (this one is the one I want updated most of all)
    Slackware (well, its alive, but barely)
    NCSA Server

    In all cases I found that they were unsupported and had to switch to a different solution.

    And remember, just because YOU don't use it, doesn't mean there aren't a lot of other people that use it and depend on it.

  19. Re:MyDoom by Anonymous Coward · · Score: 1, Interesting

    Yea, the stupidity of basing the executable potential of a file in the filesystem on three letters at the end of its name.

    And THEN HIDING IT (the extension).

    File extension hiding is one of the most critical vulnerabilities in Windows and Microsoft won't do a thing to fix it.

  20. What other applications are affected? by bigberk · · Score: 2, Interesting

    Can anyone do us a favour and list some other applications that might be affected... for example, other Windows mail clients or web browsers that use SSL?

    BTW, my SSL mail client (jbmail) is not affected since it uses OpenSSL.

  21. The More Interesting Critical Update: by irn_bru · · Score: 1, Interesting

    Critical Update for Windows (KB833407)
    Download size: 309 KB, 1 minute
    This item updates the Bookshelf Symbol 7 font included in some Microsoft products. The font has been found to contain unacceptable symbols. After you install this item, you may have to restart your computer. Read more...

    A dingbat of Janet Jackson's nipple??? Just what do they mean by 'unacceptable'?

    1. Re:The More Interesting Critical Update: by psychosystem · · Score: 3, Interesting

      As far as I know, there were swastika wingdings in the package. Why MS would put a swastika in it to begin with is beyond me, but that is the case.

      The bigger question is why it is necessary to remove them. Although they are offensive to most people because of what they represent, they do have a place in history. There are probably legitimate reasons for using them in many documents. IE. A school report on WW2 or Nazi Germany.

      --
      This is my Sig.
  22. Re:6 months later, millions switch to Linux. by codeonezero · · Score: 2, Interesting

    Just wait for a couple of more viruses/worms to propagate on Windows and screw up people's computers and people will switch. People have switched over this, I can attest to that, not me of course but I talked to a lady over the weekend who is a writer and uses her computer for just that. Her Windows PC got infected by a virus, not sure which one, but she ended up being fed up. She dropped the PC off to be repaired and went to one of the Apple Stores to buy a Mac. Now, that's not to say Macs are virus proof, I explained that to her when she told me. She ended up getting a virus scanner just in case. But the possibility is there, it seems to me that people are looking at the Mac because of security concerns over Windows. Now if Linux gets a good Desktop that's easy for the end user to set up and use, I think we might just get people switching over just like that :-) I'd probably still use my Mac though, I like Linux but the Mac does what I need for now, and if not then I look at ports coming in from Linux or BSD :-)

    --

    ....
    int main (void) { ... }

  23. Re:The Rest of the Update - Remove Unacceptable Sy by Nom du Keyboard · · Score: 2, Interesting

    I notice that the Star of David was also removed as unacceptable.

    And some reports said there were two swastikas there.

    Truth is that there was not even one.

    --
    "It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
  24. Say it with me: TRUE COST OF MICROSOFT. by aphor · · Score: 2, Interesting

    This is not surprising. It is only controversial because some people desperately *want* to believe that Microsoft is good. This is a juvenile reaction to the bad-mouthing that Microsoft gets. This constant bashing is in bad taste, but whether it is fair or not will be borne out entirely by the facts that are unfolding before our very eyes.

    The problem with Microsoft and all of their drone customers is that the relationship is not mutually beneficial. It seems so, however, to the dupes who take the terms that the vendor pitches them. The problem with bashing the house-of-cards is all of the hurt feelings involved with people who realize it too late.

    So, try not to say anything bad about Microsoft. Just be compassionate towards the people who are suffering. Try to help people realise how much they are sharing the pain with others... no wait... you'll just end up saying the same things that piss off the Microsoft drones. On second thought, just keep a CDROM on hand with something better to install, and give it to the tortured drones with a smile and your head cocked slightly to one side (AOL style). Don't say a word. It isn't necessary or even helpful.

    --
    --- Nothing clever here: move along now...
  25. It takes time.. by Anonymous Coward · · Score: 1, Interesting

    Well
    The Norwegian Microsoft CEO Birger Steen said that making the patch is just a fragment of the whole job. Distributing/testing the patch takes much longer. Clients have also requested not to release patches every week, because that makes so much work for them.
    So, Microsoft waits a couple of weeks before releasing new patches.

    I guess they've fucked up the timing now

  26. Remember the trial? by niittyniemi · · Score: 2, Interesting

    > Microsoft was notified 6 months ago.
    > Either they didn't know about it before that
    > or they didn't disclose that they did.

    I think they knew about it before. There was the trial of Microsoft Corp v States of California & others with regard to the terms of settlement of DOJ v Microsoft Corp.

    During that trial I seem to remember an MS VP saying that they couldn't disclose their source because Windows contained a critical and deep-seated vulnerability and they didn't want every Tom, Dick & Harry seeing it and hence exploiting it.

    My guess is that we've probably just seen it fixed. If we haven't then perhaps they should say so.

    --
    The Machine stops.
  27. Did Microsoft copy some of the code? by Anonymous Coward · · Score: 1, Interesting

    You betcha!

    run strings against c:\WINNT\system32\ssleay32.dll

    You will find that it is OpenSSL v 0.9.6g
    (at least on our system...)
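The check this commenter describes, running `strings` over a DLL and looking for the OpenSSL version banner, is also a useful inventory step for defenders: a source patch to OpenSSL does nothing for copies statically linked or bundled inside other products, so knowing which binaries embed which version is what tells you what still needs patching. The following is an added example, not the commenter's procedure and not a Microsoft or OpenSSL tool: a small C scanner that does in-process what `strings | grep OpenSSL` does, pulling the version token out of a byte buffer that may contain NULs and other non-printable bytes. The sample blob is constructed for the demo; it only borrows the version number quoted above and is not a real DLL.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>
#include <ctype.h>

/*
 * Scan an arbitrary byte buffer for "OpenSSL " followed by a digit and copy
 * each distinct version token (e.g. "0.9.6g") into out. Returns the number of
 * distinct versions found (at most max_out). Nothing in the buffer is trusted
 * as a C string: every access is bounded by len and tokens are capped at 31
 * characters, so a hostile or corrupt binary cannot make the scanner overrun.
 */
int find_openssl_versions(const uint8_t *buf, size_t len, char out[][32], int max_out)
{
    static const char prefix[] = "OpenSSL ";
    const size_t plen = sizeof prefix - 1;
    int found = 0;
    for (size_t i = 0; i + plen < len; i++) {
        if (memcmp(buf + i, prefix, plen) != 0) continue;
        size_t s = i + plen;                       /* s < len is guaranteed by the loop bound */
        if (!isdigit(buf[s])) continue;            /* "OpenSSL Project" etc. is not a version */
        size_t e = s;
        while (e < len && e - s < 31 && (isalnum(buf[e]) || buf[e] == '.')) e++;
        char tok[32];
        memcpy(tok, buf + s, e - s);
        tok[e - s] = '\0';
        int dup = 0;                               /* the banner often appears more than once */
        for (int k = 0; k < found; k++)
            if (strcmp(out[k], tok) == 0) { dup = 1; break; }
        if (dup) { i = e - 1; continue; }
        if (found == max_out) break;
        strcpy(out[found++], tok);
        i = e - 1;                                 /* resume after the token */
    }
    return found;
}

/* Constructed sample: a fake PE-like header, the version banner twice, a
 * non-version "OpenSSL" string and some binary noise. Not a real DLL. */
static const uint8_t sample_blob[] =
    "MZ\x90\0\x03\0\0\0" "OpenSSL 0.9.6g\0" "OpenSSL Project\0"
    "\xff\xfe" "OpenSSL 0.9.6g\0" "other text";

/* Results of scanning the sample, kept in a static so the demo can show them. */
static char sample_versions[4][32];

/* Scan the constructed sample; returns the number of distinct versions found. */
int scan_sample_blob(void)
{
    /* sizeof - 1 drops the literal's trailing NUL; embedded NULs are part of the data */
    return find_openssl_versions(sample_blob, sizeof sample_blob - 1, sample_versions, 4);
}

int main(void)
{
    int n = scan_sample_blob();
    printf("%d distinct OpenSSL version(s) found\n", n);
    for (int k = 0; k < n; k++)
        printf("  OpenSSL %s\n", sample_versions[k]);
    return 0;
}
```

To use it on real files, read each candidate DLL or firmware image into memory and call `find_openssl_versions` on the bytes; the version list is what you compare against the advisory when deciding which products carry an unpatched copy.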

  28. Re:Alert the media... by gordgekko · · Score: 3, Interesting

    > You forget that the U.S. was founded by people who left Europe to find a level of self imposed repression not available to them in the old world.

    Those people left Europe to experience religious freedom -- and paradoxically denying it once they got to the U.S. -- which the U.S. then proceeded to eliminate from public discourse in the last 20 years.

    And for the record I'm an atheist.

    --
    You want to know who isn't running Firefox 2.x? They spell it "definately" and "rediculous".
  29. Re:Third Recent Hit from Same ASN.1 Problem by boots@work · · Score: 4, Interesting

    (Wow, great post.)

    One of the good parts of Eric Raymond's new book The Art of Unix Programming is the discussion of protocol design, and in particular the foolishness of trying to squeeze out every single bit.

    In particular, he points out that it's often better to just use a simple encoding, and then run a compressor like LZO or GZIP over the whole thing. This lets you design a simple protocol, and you get the benefit of compression over the whole thing rather than just the metadata. Complexity, of course, is the enemy of security. It is both simpler and gives better compression; and people with more network than CPU can turn compression off or down.

    Keith Packard has some similar papers looking at X11, where he concludes that clever tricks like Low Bandwidth X really don't help all that much compared to just using SSH compression.

    Latency is a different and harder problem, but one that's often better solved in the high-level design than by bit-banging.

  30. Effects of disclosure, paper at Oakland conference by Beryllium Sphere(tm) · · Score: 3, Interesting

    If I were at home, I'd give you the name of the researcher who gathered actual data on this very question.

    What he found after combing through tons of CERT data was that disclosure per se didn't do much to increase exploit rates.

    What did matter was the release of automated attack tools based on the disclosure.

    One reason for full disclosure is that it allows network owners and operators to get and install fixes. However, that also didn't make much difference over the time period he studied. Exploit rates stayed about the same after patch release. Apparently people who stay current on patches are such a small minority that they don't show in the statistics.

    All that leaves plenty of room for interesting arguments over disclosure policy.

  31. I had no idea that Microsoft owned Kerberos by geomon · · Score: 4, Interesting

    According to Ted Bridis of the Associated Press, Kerberos belongs to Microsoft in his recent article, Microsoft Warns on Windows Security Flaws.

    I wrote a letter to Mr. Bridis to offer a correction.

    Dear Mr. Bridis;

    You wrote:

    "Some of Microsoft's built-in security features - such as its Kerberos cryptography system - rely on the flawed software."

    This statement is factually incorrect. Your sentence should have read "... such as its implementation of the Kerberos cryptography system..."

    Kerberos is, in fact, a creation of the Massachusetts Institute of Technology:

    http://web.mit.edu/kerberos/www/#what_is

    Please respect the intellectual property rights of MIT in your future writings.

    Thanks.

    --
    "Rocky Rococo, at your cervix!"
  32. Re:No, you wait a minute... by Anonymous Coward · · Score: 1, Interesting

    If you contemplate it for a second, think about all the systems blindly updating their binaries from windows update. Imagine what one turd hotfix would wreak on the computing public. Kinda scary. Kind of goes against the old mantra if it ain't broke don't fix it. But then again mostly it's broke. Heh. I'm still waiting for the ol Windows Update Black Tuesday of '06

  33. Still one in since 1998 by Casandro · · Score: 2, Interesting

    Servus,

    6 months is not a long time for Microsoft to fix a serious security flaw. Being able to send batch commands since at least 1998. http://www.phrack.org/show.php?p=54&a=8
    ActiveX is still found in IE and Microsoft doesn't even think about removing that security hole by design.

    Servus
    Casandro

  34. Re:Note to crackers by Anonymous Coward · · Score: 1, Interesting

    My company just spent many thousands of dollars on licensing for Oracle on Redhat Linux.

  35. Re:Note to crackers by jsebrech · · Score: 2, Interesting

    The only people believing gimp is as good as photoshop are people who won't be doing professional graphics work anyway, and that's who photoshop targets.

    Remember, photoshop costs more than $500. If you're not using it professionally, you simply can't afford it. The mac is still the default graphics design platform, with windows coming in second due to its huge desktop marketshare. Linux and graphics artists are like bananas and car tires. They make no sense together.

  36. Re:Proof that publishing the fix enables crackers? by theLOUDroom · · Score: 2, Interesting

    Beyond say 10 days there is no reason to imagine that it's still secret, and so it's safer to let people know.

    This is exactly the kind of assumption that I think is silly. This bug had been in existence for YEARS. What the heck does the date you discovered it have to do with anything?

    Crackers have had YEARS to find and exploit this error, but someone decides to make the silly assumption to no one else could have ever found it before them.

    If the vuln is not being exploited then giving the vendor a few days or a week to make a release is probably OK.

    This is another assumption that I think is crazy. How do you know this vulnerability is not being exploited?
    You don't.

    Just because there hasn't been some giant worm that takes advantage of it doesn't mean that no one knows about it and is using it. A smart hacker/cracker can take advantage of it without running around waving a huge red flag going "Look I found a vulnerability!"
    The only way to really know if it's being exploited is to publicly disclose it, so that a large number of people can actually check to see if it is.

    Disclosures often do lead to attack tools, or at least more widespread use of them.

    But disclosures also lead to the problem being fixed. A public disclosure of the problem gives a system administrator 4 options:
    1. Move the system to a different software platform.
    2. Shut down the system.
    3. Fix it himself (if possible)
    4. Just hope he stays lucky until the patch comes out.

    By keeping the problem a secret, you're eliminating 3 of those options, and allowing companies to take security much less seriously.

    --
    Life is too short to proofread.