Exploit Based On Leaked Windows Code Released
mischief writes "A post to Bugtraq from SecurityTracker.com reports an Internet Explorer 5 exploit that has been released based on the Win2K code leak: 'It is reported that a remote user can create a specially crafted bitmap file that, when loaded by IE, will trigger an integer overflow and execute arbitrary code.' Only affects IE 5 apparently, but still - it didn't take long!"
Oops... we just gave MS a chance to say keeping the source secret keeps flaws like this secret as well. :)
Anyway, I took a look, and decided that Microsoft is GAYER THAN AIDS.
When you break the law and possibly expose thousands of users to a root exploit, at least you could be politically correct about it.
"GAYER THAN AIDS", what the hell?
I hope they sue him..
More proof that code whose source is open is less secure!
(trigger-fingered mods: that's a joke)
bug-fixes and patches???? When the full force of this hits, you ain't seen nothing yet!
to fix it...
"/Dread"
that the source was released? In a way it's good: bugs will be identified. In another it's bad: bugs will be exploited way faster.
A psychopath can't tell the difference between right and wrong. A sociopath knows the difference - he just doesn't care.
If you read the bugtraq article, notice how the poster claims:
Anyway, I took a look, and decided that Microsoft is GAYER THAN AIDS.
Of course the bitmap is of a penguin! More ammunition for the M$ FUD campaign.
-m
#
# Modus Ponens
#
What the fuck in a bitmap renderer could overflow and cause such problems?
Fuck MSFT it's called bounds checking. e.g.
1. load int from char array
2. check int against sizeof(yourbuffer)
3. reject if greater
Not exactly a challenging task. I guess they're too busy adding in all that crapware to actually code at least one thing right.
Tom
Someday, I'll have a real sig.
Wouldn't it be interesting to see the patch come out later today, from an anonymous source!
I really hate signatures, but go to my website.
So, what is this... like the 10,000th IE security hole reported in the last couple years. Why write another IE virus? Is there really any challenge left?
Evolution or ID?
Just to those that couldn't get access to the source code. Some people with access before may have known about this for a while. Not that we'll ever know.
Microsoft just needs to get a copy of the leaked code and look it over for potential exploits.
:^)
Oh wait.
My old sig was REALLY stoopid.
An exploit this quick? There's going to be some serious happenings going on at Microsoft. Also look for another Longhorn delay sometime due to everything that is found out.
I'm not sure what to think. I'm not happy that when I get back to work this summer, I'm going to spend way too much time fighting these problems/viruses and patching things up. I'm not happy businesses are losing money. I am, however, happy that Microsoft is forced to clean up their act even more, or they are going to lose market share.
Open source isn't 'communistic' -- it's capitalistic. Why? It increases competition.
We have an interesting 6 months ahead of us, folks.
Berto
Smells like bullshit....like the jpeg virus hoax a few years back. IMAGE FILES CANNOT RUN COMMANDS!!!!
Wishing I was a millionaire since 1969.
So I should be all set for the next 2 days until the next major security flaw is found.
Anyone? Come on, there's a million /. readers. Somebody must have thought this wasn't going to happen.
Maybe the once-a-month patching schedule's going to have to be revised though.
Haida Manga
...if the code was open from the start, how long would this flaw have lasted?
If your theory is different from practice, then your theory is wrong.
I guess all those advertising^W software engineering dollars that MS spent on their security initiative were not^W well spent.
And so it starts. How many of these exploits will be found based upon the source? Tons?
Just how bad is the source that a whole lot of exploits like these can be written? I wonder what this means for MSFT.
Can the same thing happen to linux? Or do exploit authors prefer windows?
'When the going gets weird, the weird turn pro.' -HST
Microsoft code must be so ridden with bugs to create an exploit in just a week.
Or maybe it is a ploy by microsoft to force users to upgrade to XP
I for one am truly alarmed and cannot wait for Microsoft to start the repairs; but then again this is good news for MS programmers looking for OT.
From the article:
Date: Sat, 14 Feb 2004 22:08:59 -0800
From:
Subject: [Full-Disclosure] GAYER THAN AIDS ADVISORY #01: IE 5 remote code execution
Someone should remark to Security Tracker to maybe have some discretion when posting their information.
I wonder how many flaws will be exposed in the next week? Over the next month? Kinda like a Pandora's Box.
"You can't take it back because it's already out there." - Harry, When Harry Met Sally
The real question is who is the bigger loser, Microsoft or Diebold?
"Who's the big winner here at the casino tonight? Mikey, that's who!" - Trent, Swingers
Or the public at large...
It was only 15% of the source code which leaked out, yet it will show MS in the weeks to come just how the Open Source community operates. I foresee them working overtime to provide updates to the numerous vulnerabilities which will arise due to the leaked code. This here is just one example. There were some what, 3 million lines of code in the leaked source. It is just a matter of time. Hopefully folks will report the vulnerabilities which they find, as opposed to exploiting them.
My Thoughts, Kyndig
all I can say is let the games begin..
who cares how/why it got it out..
it is out..
and every guy out there looking for the latest 'sploit' will be ogling the code to find just what happens in 'that one key segment' that has been slowing them down..
Soooo glad I am all linux..
anime+manga together at last.. in real time.
How can a virus be gay? Just shows it doesn't take a genius to find an integer overflow in source.
bigger than Linux, but there were a lot of people mirroring it and so
it didn't take long.
Anyway, I took a look, and decided that Microsoft is GAYER THAN AIDS
For example, in win2k/private/inet/mshtml/src/site/download/imgbm
offset. Now all we have to do is create a BMP with bfOffBits > 2^31,
and we're in. cbSkip goes negative and the Read call clobbers the
stack with our data.
See attached for proof of concept. index.html has [img src=1.bmp]
where 1.bmp contains bfOffBits=0xEEEEEEEE plus 4k of 0x44332211.
Bring it up in IE5 (tested successfully on Win98) and get
EIP=0x44332211.
IE6 is not vulnerable, so I guess I'll get back to work. My Warhol
worm will have to wait a bit...
PROPS TO the Fort and HAVE IT BE YOU.
If you were to embed myDoom after the overflow area in the bitmap then when outlook opened the file using ie's render could one have my doom that didn't even need to have the end user open the file? It would just execute, replicate, then piss people all to hell? For that matter could I include the windows equivalent of rm -rf / ?
There is nothing wrong with being gay. It's getting caught where the trouble lies.
"In short, there is nothing really surprising in this leak. Microsoft does not steal open-source code. Their older code is flaky, their modern code excellent. Their programmers are skilled and enthusiastic. Problems are generally due to a trade-off of current quality against vast hardware, software and backward compatibility."
But this IE exploit shows that the author was wrong on at least one account:
"The security risks from this code appear to be low. Microsoft do appear to be checking for buffer overruns in the obvious places. The amount of networking code here is small enough for Microsoft to easily check for any vulnerabilities that might be revealed: it's the big applications that pose more of a risk. This code is also nearly four years old: any obvious problems should be patched by now".
-------
Warning: Slashdot may contain traces of nuts.
You know what MS's solution to all these bugs will be - upgrade to XP...
I am one of many. My idea is not unique, nor do I expect my voice alone to sway you. I speak in a chorus of opinion.
So does that mean that all the users that use outlook could also fall prey to this? Send out spam with image and if the outlook user has auto preview on, which they probably do they now can be exploited by whatever code. That would be an interesting concept that would lead to a lot of trouble. Sure IE5 is old...but lots of people still use it.
If you are running Freenet's unstable branch, you can download it from here. It's about 200MB and will take a few hours to download (Freenet is averaging about 30k/sec these days). I grabbed it and it looks like the real thing.
a specially crafted bitmap file
Good thing all those Goatse pictures were in .jpeg .gif and .tiff
The More Knowledge you have the Luckier you Get- J.R. Ewing
No system is 100% secure be it Windows or Linux.
When people have access to the source they can more readily find exploitable mechanisms in your code. This is a GOOD thing because you want to know that your system is exploitable, how it is exploitable, and (which is the case in many open projects) how to prevent that exploit.
Any form of content (not just scripts and ActiveX controls) can be used to exploit a weakness in a system. A security strategy that involves simply filtering content is a weak one.
The open source community can be a powerful friend to any organization willing to take the chance on their code being available to others.
I'm a bit confused.
:p
I mean, I've been doing C for almost 20 years. One of the first lessons I learned --And not for 'security' so much as crash free programs-- was not to do such things.
I mean, holy crap, it's too damn simple to see the bug. What kind of idiots do they have working at MS?
"The Very Best Kind"
"...In your answer, ignore facts. Just go with what feels true..."
Whether it's finding exploits, bugs or whatever; anything that anyone does with it will eventually make Microsoft stronger. If it's a security problem they 'll fix it. Maybe Microsoft is trying to capture open source developers and their free services; I don't know.
What I don't want to see is Microsoft making improvements on their product based on this experience. I don't want to see as much as two adjacent assembler instructions from it end up in Linux.
If you want to do something constructive, run the 2.6 kernel and start making the supporting software more secure. Don't waste your time supporting losers like Microsoft who demand your money up front and then deliver whatever crap they feel like.
Just ignore it!
"Can there be a Klein bottle that is an efficient and effective beer pitcher?"
You laugh, but I won't be the least bit surprised when this very logic finds its way to the receptive ears of less-than-tech-savvy corporate officers...
"Linux? Good god no, man! Didn't you see what happened when just a bit of the Microsoft source code got leaked? I thought you were up on these things!"
Obliteracy: Words with explosions
1. Fake a source code leak of some of the shittiest code in your projects
2. Act surprised
3. Wait for people to look at code and publish found holes, getting free QA resulting in major savings
4. Create Patch before major damages
5. Sue person who found hole
6.
7. Double PROFIT!
</conspiracy theory>
[alk]
Is there any better way of Code Review by 'leaking' the source to the outside world. Seems MS likes this open-source model, but they need a back door to get to these benefits.
It would be a bit hard to admit:
"uhh, yes we do embrace open-source, but our business model is to protect our intellectual property", "recently our business model has been adapted to incorporate also the intellectual property of 3rd parties, also known as hackers", "the only way to do this legally is to put the FBI out on those folks what ensures that the code review can be reworded as 'theft' and will face the highest criminal punishment", "you know it's all terrorism and that kind of stuff", "It's terrorism on the American Capitalistic Marketing Model", "And we're going to nuke those hackers",
Probably without the approval of the United Nations
From Yahoo Financial: "For the six months ended 12/31/03, revenues rose 13% to $18.37 billion. Net income rose 7% to $4.16 billion. Results reflect increased demand for both desktop and server products, partially offset by a $1.48 billion stock option transfer charge."
Here's their financial statement.
You may dislike them. Pretending they're not successful is just ignorant. The source leak is a problem for them, but I doubt it'll have any serious repercussions much beyond this quarter.
-1 Knee jerk chicken little
I haven't looked at the code published in the exploit description. It is MS code and if I had looked all future work by me would be compromised. I will demonstrate in court that I closed my eyes just before looking at the code. I can't tell you what's in there, but there must be some M$ IP.
You haven't looked, have you?
Funny thing. I can easily envision people stamping out T-shirts with pieces of the MS Windows source in them. Would I be tainted if I incidentally stumbled across one in the street? Would that person be potentially held liable by all programmers or future programmers he/she meets?
Contrary to what a lot of people will be saying, the fact that there is already an exploit now that the code has leaked doesn't show that open source is a security risk. The opposite is true. It simply proves that the code being out in the open allows for risks to be found and fixed. So it's actually showing the benefits of open source.
Of course it is a totally different story if you are a hated monopoly and the main proponent of security by obscurity.
With their brain bank putting out these fires i don't see them completing any "innovations" for quite some time.
..that the "many eyes" tenet of open source really DOES work!
i wanted to post this in the first MS leak story, but oh well, here it is now.
$ grep -ir " don't care " /win2k/* | wc -l
332
check it yourself
Why hasn't something like this already happened with Mozilla?
Answer: Mozilla's code is higher-quality because of open-source peer-review.
Do you think that the hackers that have been trying to embarrass Microsoft into fixing their old vulnerabilities finally said
"screw it then, THIS will teach Microsoft" ?
I don't know the meaning of the word 'don't' - J
It also shows that ms does their job.
It's very true that bounds checking errors are very easy to prevent but if you say it's sloppy programming to have errors like this in your code you either work in java or .net or you don't program at all. It's the price you pay for native compiled code and the main reason people are turning their backs on it.
When microsoft declared security as their main goal ie5 was the current browser. ie6 has it fixed so they obviously went through their stuff to fix it.
Also known as: Was this fixed long before the fact? Does IE 5.5 contain this same vulnerability?
Sticking with Win2K for a moment, IE5.5 is part of SP4. Office 2K SR-1 or later needs IE5.5. Who is still running IE5 (not .5 or any of .5's service packs) that would be vulnerable to this, and are the folks who run 5.5 (sp1/sp2?) for some reason still vulnerable?
Use Evolution instead of Outlook? Bewa
Burn some Live CDs to hand out to friends, family, co-workers. Introduce them to Linux and warn them of the dangers of LOOKING AT IMAGES using Internet Explorer 5.0.
There are many good ones*. Personally I fell in love with the Knoppix 3.4 c't edition with the 2.6 kernel -- using it gave me my first experience of non-stuttering KDE with heavy loads, looping MP3s and lots of usable features (except detecting the Dell Inspiron 5150's on board WiFi -- not Centrino).
Pick several, spend a few bucks on good CD-R discs, make a nice label with "do exactly these steps" instructions on the label.
It's not about world domination, it's about stopping the thieving cracker spammers from gaining more zombie Windows boxes to do their bidding and ruin the Internet for the rest of us.
* start here:
http://www.google.com/search?q=live+cds+li
-- @rjamestaylor on Ello
a) The jpeg virus "hoax" was down to IE interpreting a jpeg as a VBS file. That's perfectly normal - if you name a shell script "harmless_image.jpeg", provided the shell sees the #!/usr/bin/shell line, then it's going to see a script and execute it as such.
b) You wouldn't think that an overly long PASS string sent to an ftp server would be able to execute commands - but it can. If you can overflow a buffer and force it to work its way back up the stack then you could convince mouse gestures to execute commands.
This is not a troll, I just tried the link and it appears authentic (well, it's a ~200Mb file anyway).
I see this is good news in that there is going to be an ongoing stream of exploits in Windows. This is good news. Think of all of the boxes that will be broken in the next few months. I should mention that I make a living fixing Windows boxes. I also fix Mac and Linux - but there isn't really much money in fixing them.
Stay tuned for new sig...
There seems to be an average of at least 1 attack a month on an enemy of open source so far (SCO/MyDoom, M$/source leak). So needless to say, who's next?
Maybe there is finally a chance to fix the pending CSS issues which haven't been fixed for years in IE, externally. Ah yes and PNG transparency might also be possible now :-)
Wow now we get a peek at the much coveted MS source code, that BSODS all day, has a new virus attacking it every week, and generally frustrates users.
I wonder who will be the first to incorporate this leaked source. Judging by the exploit found, it's no wonder they want to keep the code secret.
"Bill Gates can't guarantee Windows to work. How can you guarantee me that?" John Crichton
I am Bennett Haselton! I am Bennett Haselton!
I can't wait to read a whole thread of slashdot people saying "i told you so".
However, i feel bad for the "slashdot team" of the microsoft PR department. I doubt those guys will have presidents day off. They might even have to pay extra for an additional delivery of "bulk mod points".
MSFT used a signed int just like you did, and checked to see if it was too large.
Better luck next time.
i don't think the bitmap specification or process of rendering/displaying has been in flux for some time. one could take this as an indication that ms has done some proactive code auditing, noticed the problem, and corrected it.
That's all I was hoping to see. MS says that its response time for bugs is lower than OpenSource response time.
Now we have a released bug, and I want to see how long will it take until MS fixes this bug.
Somebody, please, monitor this bug (or teach me how to monitor it)
-=-=-=-=
I know life isn't fair, but why can't it ever be un-fair in MY favor!?
Did you hear about the image that kills your computer whenever you view it?
What do you really believe Bill is hetero?
I guess that should've been "Microsoft is teh ghey".
As a kernel developer I'm familiar with the number of people who audit stuff put into the Linux kernel. To get a patch approved, you usually need to convince 4 or 5 people that your patch is a good idea. You could get away with 1 (Linus), but the top people are unlikely to consider your patch if it hasn't been approved by their chain of command first. All of those people examine it for functionality, stability and security. The higher level ones usually won't look at it very closely, but I imagine core kernel code gets a lot more attention than device drivers.
You also post it to the LKML. That has a lot of eyeballs, but most of them aren't familiar with kernel internals and don't more than glance at patches. If you're lucky (although perhaps lucky isn't the word) you'll get twenty skilled eyeballs looking at and criticizing your code. Most times the number is only two or three, and it can be even fewer.
If you take an average of ten knowledgeable people examining your code, then I think you can agree that it is plausible that Microsoft has just as thorough a review as critical OSS projects like Linux. Four or five people looking at code before a commit would put it within a factor of two of Linux. The skill of the people doing the audit would be much more important at this stage.
Once you get a release of Windows code, no one examining it in the general community is knowledgeable about Windows specifics, but it may get a lot of attention from a lot of skilled people, just because of the novelty. I would think that parts of it will be subject to much more scrutiny than Windows or Linux source code usually ever is.
On the off-chance that you aren't kidding, that is how Freenet works - it creates a HTTP server on your computer and you use your web browser to talk to it.
Given that there are plenty of companies out there that can't afford the yearly MS upgrade train, I'd guess there are still lots of IE5 browsers out there. Then again I'm sure you'll recommend upgrading weekly and hiring expensive MS folks (like yourself) to keep companies to-date. But just think about that Total Cost of Ownership...
Why is it that Windows can be exploited so handily by exposing the source code and Linux is so hard to exploit despite its source code being 100% open to everyone on earth??
Just musing, but what if Microsoft wanted to speed the acceptance of their upcoming Palladium-based operating system? What's the best way to do that? Release the source, of course!
Maybe Mainsoft's just a scapegoat.
Big Daddy, Johnny, Burp, Aunt Zelda, Scott, Slurp, Big Momma
Being that the code leaked was Windows NT 4.0 and 2000 source codes, why are we seeing an issue with IE 5.0? Just goes to prove how close the browser was tied to the operating system.
On a cynical note, this only bolsters security through obscurity.
:) Didn't they originally claim they had fewer bugs than open source competition?
With some 10% code or more leaked, there is quite a bit more worry about their own peer-review process or should I say lack of.
Three million lines of source code leaked...
:) This should be a fun show!
It only takes a few to create a buffer overflow.
Hehe
~Dalcius
Rome wasn't burnt in a day.
FTE's who will likely be the ones writing the code to replace the bad code found will not get OT. Only the contractors get it, and then it has to be pre-approved (and guess what, if you're a contractor responsible for writing bad code, if they let you keep your job, you sure ain't getting OT for fixing your mistake).
:)
Also, those who code reviewed the offending code and let it through are likely to lose their jobs.
All in all, heads are going to be chopped on the main campus. Cutler will have to reshuffle his team, and there's a few FTE's sweating right now.
I wonder whether Microsoft will stick to their new policy of only releasing security updates once a month if there is a big flood of such full-disclosure bug reports. In a way it's the worst of all worlds. Enough of the source code is available for the black hats to give it a good going-over, but not enough that users can patch their system and recompile.
"'I pass the test,' she said. 'I will diminish, and go into the West, and remain Galadriel.'"
- JRR Tolkien.
You have 'contaminated' me.
I will no longer be able to code a buffer reading algorithm with an overflow bug without violating Microsoft's IP.
to send them a patch for it before they release one :)
if i had the time to fetch copy of the code, i'll do it myself...
I guess I shouldn't have lied about my certifications during the interview...
sudo eat my shorts
It's getting the same kind of security review - but none of the feedback. No white hat wants to admit to MS that they've seen the code, and black hats wouldn't anyway. All this may end up doing is increasing the number of "submarine" exploits out there that hackers use for their own benefit, rather than making super-viruses that make the exploit famous.
Last post!
I can't believe it.
...wow...
Please give me back some faith in you and mod the Grandparent or this AC comment up (even if that might require you to RTFA).
He (gta@hush.com) reported that exploit with the comment: "[...]GAYER THAN AIDS"
HE FAILED IT. COMPLETELY.
To move Taco's ass offshore.
Sure, but now people have a chance to protect themselves by filtering BMP-files on http proxies, etc. Who uses them in browsers anyway?
Well, except that maybe this vulnerability could now be combined with the previously disclosed filetype spoofing vulnerability to do some nasty damage.
zWhat would an EWOULDBLOCK block, if an EWOULDBLOCK could block would? -- me
By the way, does anyone know why the bitmap format is written upside down?
but what do i know, i'm just a model.
On the other hand, there are those of us that believe that all source code should be publically available, and that looking at someone else's code does not constitute "theft" in any way.
No one has yet posted a modified version of the goatscx photo that takes advantage of this security "hole".
Tuus crepidae innexilis sunt.
Then I won't have to force quite every fifth or sixth Explorer window.
--- Ban humanity.
if (!Read(abDummy, cbSkip))
    goto Cleanup;
My god... I thought this was one thing they taught us not to do in school. But here it is in Windows! My god, don't they screen for these things at the interview?
Is that what you meant to say? :) It's plain from this first exploit that basic coding security precautions are not being followed (or retroactively applied) at Microsoft.
I'm bracing for the coming flood of exploits. The OSS community may prove themselves honorable and pitch in to help, but it's the script kiddies, and those whose moral compass is broke, that I'm worried about.
Big Daddy, Johnny, Burp, Aunt Zelda, Scott, Slurp, Big Momma
Your pseudocode maps 1:1 to the exploitable code (seen at other places in this thread).
The exploitability came from the loaded int in your code being signed, and the sizeof equivalent being unsigned.
So maybe it isn't exactly a challenging task, but you more or less just showed you'd fail in the same way as MS engineers did.
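Added example, not code from the advisory, from this thread or from Microsoft: it puts the three-step bounds check proposed near the top of the thread (load the int, compare against the buffer size, reject if greater) next to the signed-versus-unsigned point made here. The "weak guard" is a reconstruction of the pattern the advisory describes, the 4096-byte scratch buffer and every function name are assumptions, and the headers are constructed test input rather than real images. The hardened version keeps the offset unsigned, requires it to lie inside the data actually held, and skips in chunks no larger than the scratch buffer, which is the check a proxy or image filter could also apply to reject such a file before it reaches a renderer.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* BITMAPFILEHEADER is 14 bytes, little-endian:
 * 'B' 'M' | bfSize u32 | bfReserved1 u16 | bfReserved2 u16 | bfOffBits u32 */
#define BMP_FILE_HEADER_SIZE 14u
#define SCRATCH_SIZE 4096u   /* stand-in for the advisory's abDummy; the size is an assumption */

static uint32_t rd_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void wr_le32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Build a constructed 14-byte file header with the given fields (test input, not a real image). */
void make_bmp_header(uint8_t out[BMP_FILE_HEADER_SIZE], uint32_t bfSize, uint32_t bfOffBits) {
    memset(out, 0, BMP_FILE_HEADER_SIZE);
    out[0] = 'B'; out[1] = 'M';
    wr_le32(out + 2, bfSize);
    wr_le32(out + 10, bfOffBits);
}

/* Weak pattern, reconstructed from the thread's description (hypothetical, not Microsoft's
 * code): the skip count lives in a signed int and the guard is a signed "too large" test.
 * For bfOffBits above 2^31 the count wraps negative (the uint32 -> int32 conversion is
 * implementation-defined; gcc and clang wrap modulo 2^32), the test is false, and the
 * count would reach Read() where it is treated as a huge unsigned length.
 * Returns 1 when the guard lets the header through, 0 when it rejects it. */
int weak_guard_accepts(const uint8_t *hdr) {
    int32_t bfOffBits = (int32_t)rd_le32(hdr + 10);            /* 0xEEEEEEEE -> negative */
    int32_t cbSkip = bfOffBits - (int32_t)BMP_FILE_HEADER_SIZE; /* still negative */
    if (cbSkip > (int32_t)SCRATCH_SIZE)
        return 0;                                               /* only catches positive overruns */
    return 1;                                                   /* a negative cbSkip passes */
}

/* Hardened version: unsigned offset, bounded by the data actually held, skipped in
 * scratch-sized chunks. 'data' is the whole in-memory file; a streaming renderer would
 * read from its input instead of memcpy'ing. Returns 0 and sets *consumed to the byte
 * position of the pixel data, or -1 for a malformed header. */
int safe_skip_to_pixels(const uint8_t *data, size_t len, size_t *consumed) {
    uint8_t scratch[SCRATCH_SIZE];
    if (len < BMP_FILE_HEADER_SIZE || data[0] != 'B' || data[1] != 'M')
        return -1;
    uint32_t bfOffBits = rd_le32(data + 10);
    if (bfOffBits < BMP_FILE_HEADER_SIZE || bfOffBits > len)
        return -1;                                   /* offset must point inside the file */
    size_t remaining = bfOffBits - BMP_FILE_HEADER_SIZE; /* unsigned: cannot go negative */
    size_t pos = BMP_FILE_HEADER_SIZE;
    while (remaining > 0) {
        size_t chunk = remaining < SCRATCH_SIZE ? remaining : SCRATCH_SIZE;
        memcpy(scratch, data + pos, chunk);          /* stands in for Read(abDummy, chunk) */
        pos += chunk;
        remaining -= chunk;
    }
    *consumed = pos;
    return 0;
}

int main(void) {
    uint8_t hdr[BMP_FILE_HEADER_SIZE];
    size_t consumed = 0;

    make_bmp_header(hdr, 0, 0xEEEEEEEEu);            /* the bfOffBits value quoted in the advisory */
    printf("weak guard accepts bfOffBits=0xEEEEEEEE: %d\n", weak_guard_accepts(hdr));
    printf("safe check on the same header: %d\n", safe_skip_to_pixels(hdr, sizeof hdr, &consumed));

    uint8_t file[14 + 40];                           /* constructed: header + 40-byte info header */
    make_bmp_header(file, (uint32_t)sizeof file, 54);
    memset(file + 14, 0, 40);
    printf("benign header, safe check: %d, pixel data at byte %zu\n",
           safe_skip_to_pixels(file, sizeof file, &consumed), consumed);
    return 0;
}
```

The weak guard fails open for exactly the value the advisory quotes: 0xEEEEEEEE minus the header size compares as a small negative number, so a "greater than the buffer" test never fires. The hardened check never converts the offset to a signed type, rejects any offset that does not land inside the bytes it holds, and bounds each Read by the scratch buffer rather than trusting the header at all.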
So there was some IE 5 code in there? Too bad it wasn't the IE 4 code, I hear you can summon demons by reading that out loud.
You do now. Secure your ports, nimrod.
check out http://www.dcs.ed.ac.uk/home/mxr/gfx/2d-hi.html lots of good info on 2d formats, tiff is a good read, bmp is a pretty shitty format anyway. As for why it's upside down, why not?
Well art is art isn't it, but then again water is water; and east is east; and west is west; and if you take cranberries
You didn't need the source code to find that problem. I found it because I was creating compressed .BMP files and accidentally created one that crashed Win2K every time.
If Microsoft doesn't read Slashdot, that's their problem.
There's a lot of fakes floating around, but if you want the source here's the one for w2k.
8 20 7|34BB9F3A3E8D3E0C4490A96EC30B9F3C|/
31,000 files of exploitable goodness!
ed2k://|file|windows_2000_source_code.zip|21374
What about the many PCs which cannot be upgraded? You can't get IE6 for Win95, and even if you could somehow manage to get Win98 running on some of the old tin (by analogy: opposite of big iron) around here, there's no way they could afford all those XP licenses. (MS won't sell you a 98 license.)
between Microsoft and the open source community. W/ open source the src is open, so we work together to improve it. However, when a proprietary company's greatest asset, their source code, is released or leaked unauthorized, some other individuals will use it to spite that very company, as they have what is most valuable to the company. Just my 2 cents ;-D
2000 is for me the only decent windows OS in many ways. ..And it is also partly crappy!! ;)
Consider this. MS leaks the code through a vendor of a previous version intentionally. There are two benefits:
1. proper QA is done right, as only open source can allow (they get the benefit of QA that only the dynamics of open source allows, all without acknowledging open source has a superior model in this aspect)
2. they can push XP as a superior OS, and get more users to upgrade to XP and drop 2000/NT
Does anybody else see this?
Warning: The article link (as well as the next comment) contains code from MS Windows.
I'm not sure it's illegal to read (IANAL btw) because it's just a small part of the code. But you probably want to make sure of that before reading.
The most important thing is that if you're an OSS developer you can be "contaminated" with proprietary code.
I didn't read the code on the article after I realized it was from MS Windows but it might have some "secret" inside that I'm not aware of.
And when will Microsoft start suing people for disclosing MS Windows code?
Before that I've read a lot of security people publicly talking about details of the code that could only be known if someone had downloaded the code themselves. And MS did nothing about it.
And after this I won't click anymore on slashdot articles related to the MS code, shame on you slashdot!
this source leak is very bad for MS, for it will get the worst part of both, closed source and open source, worlds
Great line - succinct and insightful. Perhaps the best way for MS to handle this is to offer amnesty to people who look at the code? Basically accept that this is a loss for them, and try to attenuate that as much as they can by allowing white-hats to see the code without fear of being attacked for it later?
Long shot, I know. I'm thinking in terms of what's best for MS here, not in terms of what's realistic.
Last post!
You're saying that we should help MS fix its code. Helping a commercial entity with no resultant reward, other than incidental (less idiots using buggy programs), is really dumb.
Use this to show the bugs, get more people to move onto more secure software (not necessarily OSS). What obligation do you have to MS?
I want to see MS sw improve. But I'll be damned if I actively help a corporation make money off me, without any benefits to me.
All bow to his Noodliness!! His Noodle Appendage has touched me!
It is called Firefox and can be downloaded at Mozilla.org!
Something to keep in mind
I don't know the meaning of the word 'don't' - J
1. load int from char array
2. check int against sizeof(yourbuffer)
3. ???
4. PROFIT!!
(yeah, ok, old joke)
Nobody knows how old the sourcecode actually is! Several people have used IE 5 and the exploit code does not work. The things in the code could have, and in this case, has, been fixed long ago!
..instead of making your own worm, go and hack the evil corp and steal all their code. That would be really ironic and fun :)
It's many uninformed programmers that force people to browse as Administrator in Windows XP. I have many older and current commercial programs that don't work unless the person has admin rights. All a programmer has to do is write to the CURRENT_USER registry area and current user file area - this would keep most programs from breaking.
The exploit has not been fixed, as there is no patch for the application in question. The "fix" present in IE6 could have been something as simple as a different person writing that portion of the code over again. The "no excuse for not upgrading it" argument holds little water in my opinion when you consider the catastrophic level of this exploit. MS would never dare risk their reputation by not fixing a problem of this sort if they were aware of it. In short, MS does not deserve any credit for having "fixed" this problem. The "fix" was accidental. The bad code was written, and it was not caught. So yes, the author was wrong on at least one account. MS did not detect this bug, and did not fix it.
Linux is based on unix which was designed to be secure. SE-Linux is very secure. Free/OpenBSD is very secure. Being open source simply allows the hackers to fix the code a bit faster, for faster updates and or patches. The security aspects of linux come after the open source code matures. Over a period of years eventually Linux becomes stable and secure enough through natural evolution of trial and error. Microsoft's code however never improves and stays static for 5 years, and we still are dealing with buffer overflow exploits even now. So in Linux there is no way someone would be hacked via a buffer overflow through a picture file in the browser, and it obviously does not work in Mozilla, or any other browser. Think about that.
People don't exist to serve systems, systems exist to serve people.
I wish that I would of thought have that.
:)
It could of been me that was modded insightful for of-ing no grammatical skills.
Well, you know the old saying... birds have a feather, etc.
Of a nice day!
Also, never look at:
.. this one's for you, MS!)
- patents (despite them being protected by patent law)
- sheet music from other musicians (despite them being protected by copyright)
- trademarks (despite them being protected by trademark law)
- software code (despite them being protected by copyright)
Remember kids, even though ALL of this information is protected by decades-old, and even centuries-old legal frameworks, if you look at it you will be stealing money! It's as simple as that!
Yes, I'm being sarcastic. The parent poster is a 'Yes Man' moron beyond my wildest dreams. Maybe one day he will sit down and actually learn about copyright/patent/trademark laws and realize that knowing how exactly your peers do things is what has led us to such an incredibly robust technologically and scientifically rich society.
Sharing your methods does not cost you shit, even to the point that patent law is designed to promote sharing of information in return for legal protection. Same with copyright law. MS doesn't want you to see their code not for security reasons, but because it helps you build interoperable products and thus become a competitor. And we all know how anti-capitalist competition is!
"Old man yells at systemd"
Maybe his intent was to piss off idiots like you. He did a pretty good job at it. You seem to be pretty insecure yourself.
Ah, but how many of them eyes are wearing white hats, and how many are wearing black hats?
In this case, the white hats working inside the Microsoft Compound had to turn a blind eye to these bugs in order to focus on their impossibly rushed deadlines. (Of course, now those same eyes are in panic mode since the leak.)
Meanwhile, the white hats outside the compound walls are powerless to fix the bugs, through fear of legal repercussions: The very existence of any fix suggested proves that they saw the source without paying the license tax and signing away their firstborns to an NDA.
The black hats, OTOH, shielded by anonymity and freed from the bonds of legal accountability and responsibility, they're free to see all the chaos, hate, and mayhem they can cause (and then go do it), secure in the knowledge that nobody can stop them.
Sure, some of them will be slowed, as patches trickle out after the fact. Sure, some of them will be caught, as their own idiocy gives them away. But nobody can stop them, because more of the eyes looking at the sources, with the power to change them, are wearing black hats than white.
This Windows disaster cannot afford to be called similar to the situation with Open Source Software. With the sources open, and the maintainers equally open, more of the eyes looking at the sources are wearing white hats than black. And thanks to the openness, the white hats are just as powerful, if not moreso, than the black hats.
Maybe the code was leaked on purpose. Think about it. They only leaked part of the OS; could anyone take that code and build a Windows clone... probably damn few.. and even if someone were to use the code, they would be using stolen code. So, Microsoft may have just done two things: 1. They achieved the open source effect, that is, they now have some smart hackers looking at it that are contributing back... and secondly, all those contributions they can put into the Windows code base and everything is still proprietary. Maybe they should "accidentally" leak some more code.... like Internet Information Server.
I don't see why everyone is going crazy over this exploit. I mean really... Microsoft actually has already done something about this... it's called get the NEW version of IE. Don't get me wrong, I am a big open source supporter, but seriously... OSS would have made no difference here. Basically people just have to keep up to date with IE and patches to get around this. Same as if someone, however unlikely, found such an exploit in a Mozilla product... or some other open source browser. The fact that it is open source and someone could find the bug faster means nothing if you don't keep your software up-to-date. And no, most casual Windows users don't. And no, getting them to switch to a 'nix OS wouldn't change that.
It's really more of an education problem than a software problem. Most computer users (not the /. crowd) have no idea what they are doing....
At least that's my 2 cents.
Matt
You have 1 Moderator Point! Use it or lose it! Is that a threat? -vapid
Bitmaps are not a particularly clever choice to use on the Internet. There are JPEGs, PNGs etc. that are much better suited for the web. But as a side smirk: it is highly amusing to see Microsoft products die trying to read Microsoft formats.
Really? You believe all source code should be publicly available? Are you trolling, or are you really that obtuse? I'm just curious--does your ideology extend to other types of information, such as books, newspapers, recipes, the PIN number on your ATM card?
Not to mention that it's completely stupid of you to argue that you're justified in looking at the source merely because you personally believe all source code should be public. Do you believe that all Doritos should be free (as in beer)? If you did hold such a belief, would you be justified in going to the chips aisle of your local supermarket, clearing the shelf of Doritos and walking out without paying?
No, of course not. Because that's utterly indefensible. And let me tell you, I'd be standing there cheering on the supermarket security guards as they chased you down and tackled your lard-filled fat ass to the cold, dark asphalt.
Jesus Christ, man. Grow a fucking brain.
Besides giving you a more secure feeling, Opera's features will show you that IE is an uninspired lump.
Part of obtaining Palm Certification for your software involves surviving the Gremlins. You can't use the Palm logo on your program without it. It's even built into their emulator right on the menu. And yes you find some weird shit.
Speak truth to power.
Give us more code, and we will strengthen the whole Windows system!
That is a little funny... Isn't a 'specially crafted image' the same 'exploit' that Geordi La Forge came up with for introducing a virus into the Borg collective? Remember the first episode with 'Hugh'?
-db
I think MS had a hand in leaking it. Why? Because this is W2K and WinNT4 code. So now admins and their bosses will run in a panic to upgrade to WindowsXP.
And the first hack published? Only works in IE 5. Gee. So the fix is to upgrade to IE 6. Another upgrade.
I'm upgrading to Linux.
Monkey Lives
It's a sad, sad world...
I agree!!!..who in their right mind would want to look at any source code produced by MS? Their products are not examples of well thought out concepts (eg: put OS code into DLLs etc) and the constant erratic (on purpose?) behaviour of their products towards other products (Netscape, DR-DOS, Lotus 123), and who knows, maybe there are hidden "bombs" and timers at work...a friend of mine's Win95 acts strange (buggy, slow) these days..(installed clean)...same with the weird behaviour of Win98SE as time goes by...you couldn't pay me enough to even look at that code for one second...not to mention there are millions of pages of it. It's just a (movie/hackers/macho) fantasy that looking at MS code is going to get you anywhere in life...best look at real code (open source), written by smart people who don't play marketing/world domination head games.
There is a goto in MS source code quoted for the exploit.
DON'T use goto or you will be infringing on their copyright/IP.
I hope no existing OSS use goto's because they're hosed. This probably means any project in Fortran is in big trouble!
Hurry convert to java where goto's don't compile!!
Yogurt Earl
You wait and see. This is just the first pebble in a huge landslide that's about to come crashing down.
Nobody was upgrading to XP (because it sucked and still continues to do so) so Microsoft arranged for source code to be leaked.
The internet will become intolerable for all M$ operating systems that are less than XP in version within 3 months.
Microsoft is going to HUGELY recover from that "No-Gain" Quarter they posted.
As soon as I heard the Windows source was out there, I knew it was only a matter of time before the tsunami reached the shores.
Well the good news is that now at least the Samba folks will finally be able to figure out how they bastardized SMB.
My logs show that 75% of the traffic to my website are from IE 5. The remaining 25% are IE 6.0 and Mozilla Gecko based browsers.
this, but how in the heck can you exploit a buffer overload to get full access to a system?! I've gone over it a million times in my head and can't think of a way to do anything but crash the program!
So, where's the .bmp I can link to my web site that makes IE5 remotely execute Mozilla Firefox installer?
Ask a silly person, get a silly answer.
No, it doesn't work that way. All the major Linux and BSD distros backport security fixes into older apps that they have released; they do not insist that you upgrade to the next major version. When someone (e.g. Red Hat) drops security coverage for older versions, multiple efforts (Progeny, Fedora Legacy) spring up to fill the gap.
I can see the ultimate virus now: you click an innocent-looking link, it takes you to a goatse bmp, and the exploit will lock your keyboard and mouse...leaving you utterly defenseless! Oh the horror!
IE6, which doesn't run on windows 95. This might not seem like a big deal, win95 is outdated... but when you've got a whole corporation with win95 and need new licenses in the thousands to replace it...
M$.com
^is and was fixed prior to the release of the bug...I think?
More info from the people that found the specifics
\/
eeye.com
Correct me if I am wrong...isn't that the same bug that is being exploited?
I mean really, who runs IE 5 anyway. I'm sure that most corporate network admins keep up with updating IE. Let me check on a random company machine...
Help-About Internet Explorer-.....Never mind my previous comment.
All that manpower, yet the most prominent face on this issue so far is an exploit.
Is this how the OSS community at large operates? Instead of releasing patches, they release exploits?
The issue as I see it now is: the OSS advocates with the big mouths tend to be the ones saying that ALL code should be open for public inspection, and that closed-source is bad for everyone. This new event however, seems to prove to the public at large that these "rogue" coders don't have the Public Good at heart at all.
OSS coders should stick to OSS - let the closed-source companies and coders be. Mixing OSS coders with closed-source is kinda like mixing Communism with Money.
i'm amazed that i survived - an airbag saved my life.
That kind of thinking explains the collapse of the British Empire completly.
Professional Politicians are not the solution, they ARE the problem.
You could always check out the google Zeitgeist.
:)
http://www.google.com/press/zeitgeist.html
Down in the middle of the page, it shows a graph that depicts MSIE 6.0 to be the dominant browser in nice clear red ink.
I am too busy at the moment, but the template to craft such a law, in reasonable terms, has already been done. Follow the outline of the classic argument against water. Just search Google for Dihydrogen Monoxide and you should get the gist; think how easy it would be to write a similar diatribe against software.
comp.risks ought to get you started.
This issue is a bit more complicated than you think.
Open source isn't 'communistic' -- it's capitalistic. Why? It increases competition.
I don't know if one can label Open Source either 'communistic' or 'capitalistic', but you certainly misunderstand capitalism. Why? Because encouraging competition isn't what is fundamentally required to qualify as 'capitalism'. Look at the name. It's not 'competitiveness'. It's 'capitalism'. Capitalism fundamentally requires private ownership of the means of production. This is what allows investors to put capital into a business idea or product or piece of land or factory so that they can own part of it and later sell it, if they so desire, at a gain or loss. Yes, competition can come as a result of capitalism, and capitalism does nothing fundamentally to restrict it, but it is not required and it's certainly not how capitalism starts. It starts by allowing individuals (corporations came later) to create, own, buy, and sell. Capitalism is about ownership. Without private ownership, capitalism cannot work.
There are a variety of static source code analyzers that will find potential buffer overflows and other types of security flaws. I like Flawfinder, but ITS4 is also good, though its licensing terms aren't as clear or free as I'd like. There's also Secure Software's RATS, which can analyze several languages in addition to C and C++. Each of these tools generates a large amount of output and you have to have some understanding of security to use them, but they can find potential security flaws that you would otherwise overlook.
Somebody, please, monitor this bug (or teach me how to monitor it)
1. Read Slashdot
2. Wait for announcement of fix
3. Attain Enlightenment
Want to improve your Karma? Instead of "Post Anonymously", try the "Post Humously" option.
quality? where? I must have missed something.
:)
I was a hard core windows person doing my best to backup MS until I was forced to learn linux at my job. I saw how it was 20 times easier to manage a linux box over a windows box. I started using Linux with X full time. I will NEVER go back to using windows full time.
I guess you can say I was freed from Microsoft's version of "The Matrix"
Microsoft, with a couple hundred million users they really wouldn't mind being compelled to buy their next O/S?
Or some surly hacker who doesn't care if he loses his job?
Fear is a powerful motivator against the latter... and Microsoft's greed, which has compelled them to illegal market-manipulating tactics in the past, seems the greater force. We haven't seen much response from Microsoft about the source leak, yet it may prove to be the 9/11 for the computer business, if virus writers get busy with it.
Big Daddy, Johnny, Burp, Aunt Zelda, Scott, Slurp, Big Momma
It has been mentioned that the leaked source code might reveal some long-suspected back doors... I wonder if these and other unknown vulnerabilities were secretly known to MS and others, and are in fact the back doors?
Would it be possible to exploit IE5 simply by being added to Favorites?
I can claim that I can infect your PC w/o mentioning that you need to be running an obsolete OS...?
___FutureShoks___
no it wont, because it's not +x
Point well taken. My response may have been a bit flippant.
As a thought experiment, imagine the following contest:
a) 1000 Linux developers are given (full) WinXP source code and locked in a room to find potential exploits.
b) In another room, 1000 WinXP developers are locked in a room with (insert distro here) source code to find potential exploits.
Which group finds more holes in a week? Which group finds more serious holes? Up until last week, this was purely a thought experiment, with OSS claiming the virtual victory. Last week, it became real.
(And don't you think that it's possible that Microsoft has been conducting contest (b) FOR YEARS trying to find holes to prove OSS insecurity?)
The cure for cancer is coming: Reovirus
where would you get free patches for Red Hat 7.3?
I think the point is that you can patch Red Hat 5.x for free by upgrading to a more recent version of Red^H^H^HFedora for no charge. IE 5 is the last version IE to run on Microsoft Windows 95, and Microsoft charges for newer versions of Windows.
I don't know about the original poster's ideology, but I certainly expect to get the "source code" to a book when I buy one, or even when I browse in the bookshop or library. I expect to get the "source code" to a newspaper when I buy one, or when I flick through it in the newsagents deciding whether it looks interesting enough to buy. I generally expect to be able to read recipes when people give them to me, and I *definitely* expect pre-processed foods to contain a list of ingredients when I buy them.
As for PIN numbers, I have never tried to sell my PIN to anyone, so I don't see what right anyone has to know what it is - but then you were just being flippant with that comment, weren't you?
flossie
Write now. Defend liberty
Slashdot limits subject lengths. Please don't count off for lossy compression of text required to fit it into 50 or so characters.
What exploited? I didn't post code. In fact the code I have posted [not here of course] properly uses unsigned types.
And in fact I never said "an int C-type". I said "int" as in short for "integer". And how do you know I didn't mean unsigned int?
Anyways, the fact I have an archive going back over a year of crypto code that uses unsigned over signed ints shows I know this "fact" already.
Tom
Someday, I'll have a real sig.
I see lots of posts here from people saying "Just upgrade to IE6.1." The problem is that there are lots of people out there that can't or won't.
(1) There are folks still running Win95 that are stuck. They've got an old Pentium 166, and have no legitimate way to upgrade to Win98. Have you seen upgrade copies available in the last couple of years? Sure they can find a copy on eBay, but lots of these folks would never think of that.
(2) There are folks with dial-up who didn't want to tie up their phone lines downloading the beast. These folks should definitely do it now, but they haven't had a really compelling reason.
(3) They may not know how. "Windows Update, what's that?"
I do lots of work for clueless users, and trust me, there are PLENTY of IE5 boxes out there.
------- Mark
The only way to get past the cbSkip > 1024 check is to make sure it's negative. But in that case, Read will attempt to read at least 2^31 bytes (because the parameter is an unsigned integer), and either return 0, because it reached the end of the file before being able to read that many bytes (d'oh), or cause an access violation because it overran the buffer so far that it actually overran the stack and tried to write outside the process' memory.
But when Read returns 0 before overrunning the stack completely (shouldn't be hard, just don't make the file too big), it can try to clean up, but it'll have to return sometime, and the stack is already corrupted. So in the end, I do think it's exploitable.
Next thing we will know, the enthusiasts will go through all Windows patches released up to date, and compare them with the leaked code. Moreover, EVERY new patch will be scrutinized to check whether the leaked code had the flaw which was fixed by the new patch. Then there will be debates on whether the leak helped to find the flaw...
In theory there is no difference between theory and practice. In practice there is. - Yogi Berra
They've found a bug in a version of IE that's TWO FUCKING YEARS OLD. Subsequent versions are not affected. Is this all this "many eyes" approach capable of?
http://www.cs.berkeley.edu/%7Eushankar/research/percents/index.html
I said that I didn't think this code release could hurt MS...And I've already been proven wrong. So ...
I apologize.
(I'm not about to think nice things about MS, though.)
I think we've pushed this "anyone can grow up to be president" thing too far.
You are allowed to use copyrighted information to some extent for certain purposes such as educational, parody, etc. You can use a small clip from a song, you can display a paragraph from a book, etc. I doubt anyone would consider showing 10 lines or so of source code out of millions a copyright violation. The grandparent post is obviously for education purposes only : )
I'm not sure where you're getting that information but I can tell you, you're wrong. Using other people's writings, music or even code (if you want to bring it that way) can be looked at as infringement. Even parodies. Ever notice how on songs they change the notes, pitch or key of a song so that it doesn't mirror exactly and prevents it from being recognised as the original (besides the lyrics obviously)? Professional journalists (and their companies) can't rebroadcast any news without permission by the owner, i.e. the AP or another news wire. This includes stories, articles and television and radio news broadcasts. The same goes for music. It's been said that even copying two notes is infringement.
Not that I'm in agreement with the two notes bit; this is an actual poster with factual information that counters the top 10 myths of copyrights in news.
I'll post back when I can find a link or give the exact name.
So that said, even posting 10-15 lines of someone else's code without proper permission (assuming you had legal access to the source) is still wrong.
Not that I like playing devil's advocate or anything, but even in academia these rules can apply and typically do. It prevents plagiarism and dishonesty.
I don't know why everyone is raving so much about the windows 2000 code. The NT4 code that leaked is much more interesting, containing a lot of the networking and security code that the 2000 leak misses out.
A couple of links are here:
ed2k://|file|windows_nt_4_source_code.zip|241131483|7a8b8624a5014a3f2c586c813568be09|
ed2k://|file|windows_nt_4_source_code.zip|241131483|afcb4b1fd05ed574e2ee77618222621d|
.rar|1357906140|dba2a19a3c822837ad6ade3b7f178862|
I have downloaded the first one. It contained a minor bit of corruption in the zip file. The second one may be more pure, but I don't know as I'm only 90% complete with that.
Though I have to say, the bugcodes.txt file in the windows 2000 archive was a fascinating read.
Also, I hear rumours that there is a longhorn source code leak out there. I noticed it was available on overnet, but with no sources available to me, I couldn't download any of it to check. Can anyone confirm?
ed2k://|file|windows longhorn build 4008 source code (partial)
So the old theory that keeping source code secret will help prevent security attacks has now proven to be invalid, for the reason that you can't be sure that the code will in fact reliably remain secret. When the code inevitably gets out you will have a shitstorm of problems.
Now open source has in reality been proven the best way.
And security by obscurity fails again.
Don't you mean boxen?
By any chance, did the program come up with the entire works of Shakespear?
Only when run in a very large cluster.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
That's so weird. Just last week I was thinking of crafting this very kind of exploit or one using a JPEG. It's interesting to consider how much blind acceptance of formatted data goes on... Perhaps a Word document could do such a thing as well, eh. A PDF? An MPEG? lol... don't worry, it's not like people run as administrator all the time. ;)
Hacking articles at http://www.geocities.com/chroo
Very insightful post.. and i just ran out of mod points a few minutes ago
If you cannot keep politics out of your moderation remove yourself from the Mod Lottery.. NOW!
Now that Nt4.0 and 2000 OS source is out for everyone to see and download, I bet Microsoft sales folks are pushing Window XP for the corporate world. Just imagine all the new license agreement for Window XP next 6 months.
Brilliant strategy from Microsoft Marketing.
I recommend reading Smashing the stack for fun and profit.
It's very informative.
Keep in mind that this comment is being posted by a non-programmer.
It's a sad state of affairs when a BITMAP picture can be used as a security exploit. What next, loading a specially crafted text file into Notepad? (err, I better be careful, that may have been done already...)
Government's idea of a balanced budget: take money from the right pocket to balance...oh who am I kidding?
it was called "Snow Crash"!
This is an exploit which affects users running a WEB BROWSER. Please tell me one single (however insignificant) thing a normal user who is running a web BROWSER could possibly give half a fuck about which requires administrator privileges.
Separate user accounts, securing the system itself, etc, that is _ONLY_ security-related when you are the administrator of a server and require your box be up 24/7 (or at least somewhat often).
Think about it for two seconds: You're a normal user, you're using your personal computer. Hell, you're using it to surf the web; this isn't any system which other people are dependent on having a high uptime or anything. You go to a webpage, and some arbitrary code gets executed.
What files could be affected? Well, you're running as a normal user, so luckily for you only the files which you give a shit about will be harmed, while the easily replaceable part of the system remains intact.
This whole "multiple accounts == security" line is pure bullshit extract. The files which a USER, not a System Administrator, cares about are files which that USER created, downloaded, edited, etc. Files which the user has access to.
If some malicious code executes as root/Admin, so what? Your important files are trashed and you need to spend an extra hour reconfiguring your system? That extra hour or two doesn't mean squat compared to the years it may take to restore the files which you created personally.
"You should keep backups anyway" is irrelevant, as that can just as easily be applied to root-accessible files. The point is that non-admin privs are just as bad as admin privs on a personal system.
And this exploit _is_ talking about a personal system, unless you're in the habit of running IE5 on a high-priority server instead of the laptop sitting next to it.
-- 'The' Lord and Master Bitman On High, Master Of All
Try this for a start.
10 x=1
20 x=x+1
25 if x mod 2 = 0 then 30, else 40
30 Print "Explorer has experienced a problem and must be shut down"
35 goto 10
40 Print "What can the butterfly do TO you?"
45 goto 10
Blackhats like the CIA, KGB, Chinese intelligence etc. have had access to this code for much longer, no doubt. Anybody think that MS delivering the code to China hasn't been propagated to their intelligence agency? This only shows that there is no security in hiding security mechanisms. A quick glance at the crypto industry should be pretty revealing to MS.
MS is in for a ride and it should be hammered around that most of these exploits would NOT be stopped by Palladium. Palladium is just a buzzword and does not stop errors in protocols or implementations of them. That's not going to stop MS from marketing Palladium as a tool to stop errors in their code.
HTTP/1.1 400
Google's traffic is overwhelmingly IE6. See the graph http://www.google.com/press/zeitgeist/jan04_browsers.gif ("Web Browsers Used To Access Google, March 2001 - January 2004") on the page http://www.google.com/press/zeitgeist.html
Only on Slashdot is it an issue that you have to download a newer version of something to fix a flaw. "Where can I download the patch for IE5?" It's called IE6.
Sorry about the busted links.
Click here for the Google Zeitgeist.
Click here just for the graph.
"Birds have a feather"? Wait, let me go look .... no, our birds have many feathers.
-russ
Don't piss off The Angry Economist
nice public service
#include
Please RTFA before flaming the poster.
A simple binary patch will fix it. Just change the jump instruction from a jge to jae (or jl to jb, as needed).
You are allowed to use copyrighted information to some extent for certain purposes such as...
preparing for and responding to security exploits that are based on the (now public domain amongst villains) leaked Microsoft code.
This shouldn't be a discussion about whether open source is inherently more stable (which it surely is). What the leak gives everyone is a chance to see into the coding practices of Redmond. That is what is interesting.
No one thought they were stellar; some already knew how bad things are; some figured, naturally, that if you could poke holes in their stuff like we've seen, something must be very, very wrong.
But now people are going to see with their own eyes - and that, I insist, is what is interesting here. So keep your eyes peeled (sorry, PJ).
Unlike Linux, which was born in the open and relies on inherently good code for security, MS went with the fallacy: security through obscurity. When I studied cryptography in university, I remember being told by many profs: "if your security relies heavily on people not figuring out the method, you get an F". Before RSA commercialized, the Americans and Russians used it for security --using the product of two large prime numbers as an exponent in a function that can encrypt/decrypt a message. The Americans know the Russians use it, and the Russians know the Americans use it. The method isn't a secret; the security lies in the difficulty of factoring large prime numbers. And (as one of my crypto texts explained) "If someone tried to create a database of all primes 512 bits or less in length, you couldn't do it, for if you could create a hard drive that could store 1 gigabyte of data on 1 gram, the list of primes (there are 10^151 of them) would require a hard drive whose weight would exceed the Chandrasekhar limit and collapse into a black hole (and unless you come up with a unique way of getting the data past the event horizon), you are hooped." Relying on the 5 year old 'I've got a secret' method of security works really well if you're 5 years old. A survey of 5 year olds agrees "Security through obscurity works". 6 year olds weren't so sure. 10 year olds refuted the study. Microsoft was unavailable for comment.
...of bytes so that it will overwrite the stack frame as needed, but not cause an access violation. Furthermore, a read past the end of a file does not cause the Read to terminate, but to read until EOF and then return the number of bytes it didn't get... (usually you store that result, and then do a select/poll loop to look for more data written to the end later on, until you get 0 back, which means you're done).
So yeah, it actually does exactly what you want. A Read with an unchecked buffer and a very large size parameter is a h4xx0r's wet dream.
THIS THING CAN TURN ON A DIME, MACROSSZERO STYLE ALSO FUCK BETA, ~NYORON
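The two posts above about the cbSkip > 1024 check (a negative value slips past a signed compare and then becomes a huge unsigned length for Read), and the earlier remark that a binary patch would only need to turn a jge into a jae, describe one bug pattern. The following C is an added illustration of that pattern, not the leaked code and not anyone's posted code; the function and constant names (MAX_SKIP, skip_request_vulnerable, skip_request_fixed, the k*Skip header bytes, simulated_read) are assumptions for this example, and the header bytes are constructed, not taken from a real file.

```c
#include <stdint.h>
#include <stdio.h>

/*
 * Added illustration: a skip/offset field is read from the file as a
 * 32-bit value, bounded with a signed compare, and then handed to a read
 * routine whose length parameter is unsigned. All names here are assumed.
 */

#define MAX_SKIP 1024   /* the "cbSkip > 1024" bound described in the thread */

/* Decode a little-endian 32-bit field as stored in the file. */
static uint32_t read_le32(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Stand-in for Read(buf, cb): reports the byte count it would be asked for
 * instead of touching any buffer, so the example is safe to run. */
static int64_t simulated_read(uint32_t cb)
{
    return (int64_t)cb;
}

/*
 * Vulnerable pattern: the bound is checked with a signed compare (jge).
 * A field of 0xFFFFFFFF is -1 as int32_t, passes "cbSkip > MAX_SKIP",
 * and becomes 4294967295 once converted to the unsigned length parameter.
 * Returns -1 if the header is rejected, otherwise the length Read would get.
 */
int64_t skip_request_vulnerable(const unsigned char hdr[4])
{
    int32_t cbSkip = (int32_t)read_le32(hdr);   /* signed view of the field */
    if (cbSkip > MAX_SKIP)
        return -1;                               /* only rejects large positives */
    return simulated_read((uint32_t)cbSkip);     /* -1 -> 0xFFFFFFFF */
}

/*
 * Fixed pattern: compare as unsigned (jae), so every value with the top
 * bit set is rejected together with anything above MAX_SKIP.
 */
int64_t skip_request_fixed(const unsigned char hdr[4])
{
    uint32_t cbSkip = read_le32(hdr);            /* unsigned view of the field */
    if (cbSkip > (uint32_t)MAX_SKIP)
        return -1;
    return simulated_read(cbSkip);
}

/* Constructed header fields for the demonstration (not from any real file). */
static const unsigned char kSmallSkip[4]    = {0x64, 0x00, 0x00, 0x00}; /* 100 */
static const unsigned char kTooLargeSkip[4] = {0xd0, 0x07, 0x00, 0x00}; /* 2000 */
static const unsigned char kNegativeSkip[4] = {0xff, 0xff, 0xff, 0xff}; /* -1 / 4294967295 */

int main(void)
{
    const unsigned char *cases[3] = {kSmallSkip, kTooLargeSkip, kNegativeSkip};
    const char *names[3] = {"small (100)", "too large (2000)", "negative (0xFFFFFFFF)"};
    for (int i = 0; i < 3; i++) {
        printf("%-22s vulnerable=%lld  fixed=%lld\n", names[i],
               (long long)skip_request_vulnerable(cases[i]),
               (long long)skip_request_fixed(cases[i]));
    }
    return 0;
}
```

The only difference between the two checks is the signedness of the compare, which is why a one-byte change of the conditional jump is enough to close it; any later bounds check in Read that trusts the caller's length inherits the problem.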
Win NT 4.0 Source:a sh=66a26447f563c3dc2336de74ae37dc14d11dd8b9
a sh=f03fc1e04869294d5644d3c8c5d0fb8f2d26aa59
http://torrent.spyderlake.com/download.php?info_h
Win 2000 Source:
http://torrent.spyderlake.com/download.php?info_h
That's why it takes sooooo long for Microsoft to make a new OS. A couple of months to actually make the code, and a couple of years to make some gov. holes into it :)
Never argue with an idiot. He/She'll just drag you down to his/her level, and beat you with experience.
Just change it in /etc/passwd and /etc/shadow /etc/security and /etc/pam.d
Also, look for instances of it in
(some scripts/PAM config stuff in those directories like to refer to "root" the username for stuff)
The basic difference is that the admin or root account is generally used to install, modify, and delete/uninstall executable programs. While this doesn't always work perfectly (e.g. PATH=~/bin, executables (including plug-ins) owned by the user, etc), this goes a long way to protecting not only users but yourself as well. So, if the admin account hasn't been compromised, you should feel fairly secure that when you run IE it doesn't have a virus infection, backdoor, etc.
I agree that user-created documents are generally more important to the user than some .ini file used by an input method, etc. However, that has very little to do with security. If the user wishes to secure those documents, then backing them up, etc, makes some sense, no? However, consider that very few worms/viruses actually trash systems these days. They'd rather be stealthy; stay hidden and exploit the user's computer. Restricting admin access will improve the security in that scenario.
Personally, I like how seamless Mac OS X has made it such that, when you do need admin access, it simply prompts you for the password in a dialog. It's easy and secure.
Hacking articles at http://www.geocities.com/chroo
Perhaps if some of Microsoft's code finds its way into Linux (accidentally), then Microsoft can sue the living daylights out of open source? They have the financial resources to do so. Imagine, the next killer app for Linux: Windows NT (code). It just may legally "kill" Linux in the same way SCO would like to. What can be done to ensure that this code is kept out of open source projects? That would be a mess.
User agent stats are approximately the following.
93-96% IE
Appx 3-4% Netscape.
Appx 1-2% Alternative browsers.
Of IE user agents, 78-80% is IE 6 and the rest (mostly) is IE 5.x
Thus, one in every five views is probably IE 5.x
These are the recent stats of sites that I have been privy to work on. These sites have a large audience as well so we (I) can assume it is an accurate poll.
__
Thou hast besquirted me, O leotarded one.
Wow. I haven't seen this much spin control since Al Gore invented rap.
We, the members of MSDA (Monkey Software Developers of America), are deeply offended by what you imply. We are much better developers than MS and smell better too.
Please change your browser because otherwise you will get rooted (i cannot explain why, please, please believe me).
Would you take this seriously? And what amount of time would it take to find an exploit for an explanation like this:
Found a serious buffer overflow in IE when loading a bitmap image...
This would result in exploits in a couple of hours and would give only the false impression that there are no exploits up to now...
The source code has been leaked since Friday and you don't gain anything by telling only Microsoft that this and that vulnerability exists. Till they fix it, it's too late. And without a proof of concept everyone could claim he found a serious bug.
Did you hear about the image that kills your collective whenever you view it?
Someone set us up the bomb, so shine we are!
I wonder if its been confirmed that the bug is in Microsoft produced code. I seem to recall that a (large?) portion of IE was originally NCSA Mosaic code. Wouldn't it be amusing if, after all the self-righteousness, it turned out to be (to some extent) not their fault...
...now whenever an IE5 user visits Slashdot, a proggie will be installed which will nag the user to install Linux every 20 minutes, until they proclaim their hard drive in the name of Tux!
Spoken like a true non-user of XP. Windows XP is, in fact, the best desktop operating system available for the PC today.
The following posts by StarManta are proof that he is a troll:
http://slashdot.org/comments.pl?sid=93042&cid=799
I am glad to see this happen and I hope that this allows not only a flood of bugs that need to be fixed, be fixed, but I also hope it encourages people to switch.
./revolution
It came up with Britney's last album.
Trolls are like broken clocks. They show the truth two times a day. The rest of the day they talk nonsense.
clarifying as hell
Yeah, no shit. He's backpedaling so far he can't keep up!
This is not an exploit, unless having the EIP register contain 0x44332211 does something more than just cause a crash. Now yes, that bitmap could be modified so that it's all NOPs followed by an actual exploit, but the one posted does no such thing.
Did you RTFA?
Dude, chill. Ride the /. comment wave. /Know/ that you are better; don't lower yourself.
*snigger* ints *snigger*
cheek.remove(tongue);
Rich
Offtopic my ass! Stupid fucking moderators!
When you find yourself in a hole, stop digging.
It's all from fucking ACs. I wish you could turn ACs off completely from /. that way I wouldn't have to see the nonsense of jackasses trying to give people a hard time over every little detail.
Well go fuck yourselves. You win. Here I'm giving up my /. account.
The password will be "ihateac" in about 20 seconds. Enjoy the account folks!
Tom
Someday, I'll have a real sig.
Note the last line which says "Revised 27 June 2006". Link is to a fiction piece.
-
- - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.
...a script that loads the Goatse.cx photo, makes it the wallpaper, sends it to everyone in your outlook express address book, and overwrites all your porn with tubgirl!! ...and then reboots the computer instantly everytime you try to load a floppy or cd or hit the internet....
Man, talk about evil....
Truth isn't Truth - Giuliani
Isn't anybody worried about exposing themselves to the wrath of M$? Anybody who has this code is doing something illegal. Is it really intelligent to state that you have it on a public board, or to post security flaws and the source code you used to find them?
What can M$ really do to people who have the code or spread the code farther?
I hate to think of the havoc someone could cause by putting some appropriately constructed images on Ebay.
But they can't argue that closed source as a strategy works. The source was leaked! Their strategy was unsuccessful, and may well be catastrophic for their customers as the thousands of unfixed bugs will now see the light of day.
It's rare that you're presented with a knob whose only two positions are Make History and Flee Your Glorious Destiny.
Wow. That is interesting. You must remember to waste more of my life with your unsubstantiated, and somewhat useless "facts." Quite interesting indeed.
My "website" logs show 72% MM 2.3 and 28% Web-n-Viewer 1.2
I want my time back
"My logs show that 75% of the traffic to my website are from IE 5. The remaining 25% are IE 6.0 and Mozilla Gecko based browsers." that was who i was aiming at, not the people that posted useful info afterwards :)
How can this code be stolen? Doesn't MS have the code anymore? If someone stole my car I wouldn't care much if I still had my car. This IP crap is soo boring. But this is somewhat a good thing, it proves that Windows* is based on crappy code.
From reading the notice it seems like the size of the bitmap has to be bigger than 2^31. That's over 2GB if my binary math is working right.
If so, I doubt you'll get many people walking into a trap it takes hours or days to download.
But maybe I misunderstand what the 2^31 means.
You do realize IE6 is a free download for 98/2000 and up, don't you?
If this were an OSS program, everyone on Slashdot would be falling over themselves posting to "upgrade to the latest version, it's fixed." But when it's Microsoft, suddenly there's some sort of unnamed hassle when it comes to just downloading a setup program and running it.
Linux fixes many problems but adds new ones, such as inability to talk to my Microtek 4850 scanner (unsupported in SANE CVS), inability to talk to my ATI Radeon 9000 video card in accelerated mode, inability to use Centrino winwifi chipsets, inability to talk to any of my relatives' dial-up providers (they're on AOL, MSN, and Juno), and several others that I'd have to dig up. Even printer drivers cost extra.
You of a keen wit.
You're the sort have guy I admire.
You could of noted the grammatical humor, but instead you chose to be have a cleverer sort.
Shame about the lead paint in your nursery.
The right combo of blinkenlights, color, speed, pattern etc can trigger a seizure in people even without epilepsy.
"Sic Semper Tyrannosaurus Rex."
The "source code" of a book is the knowledge and work--arguably a lifetime of each--it took to produce the book. The "source code" of a newspaper might be the raw newswire feeds, newsroom banter, property and physical plant, etc. And most tellingly, the "source code" of that box of Frosted Flakes is not just the ingredients list. It includes the manufacturing process, for instance--how did you think the Coca-Cola formula is a secret if the ingredients are printed on every bottle and can?
I hate analogies, anyway.
It's just ridiculous to expect to receive the source code to every application you buy off the shelf and expect it to be free as in speech. (Which I realize may not be your position, but that was the original poster's argument.)
This is completely off topic from the parent post. But THE LINKED ARTICLE CONTAINS SOURCE CODE FOR WINDOWS.
The Slashdot editors should remove the link immediately. It's really dangerous to have on the front page of this site.
Yes, but some Windows users (like me) would rather live in ignorance. It's better not to know what is in it. Seriously.
Maybe this should be an Ask /. question or a poll or something, but I've been wondering about this for some time. If MS suddenly became open source, allowing users to download source for all of their programs, would more people from this crowd support them? I'm not saying that MS should necessarily give out their code under the GPL, but just allow users access to it. I'm not even sure if any company uses a system like this, and I suppose the best way to think about it would be like a book. Everyone can read it if they wish, but it is still copyrighted and still illegal to reproduce it or to use portions of it.
SIGFAULT
1. load int from char array
2. check int against sizeof(yourbuffer)
3. reject if greater
Heh! I kept waiting for someone to deliver the punch lines, but they weren't coming. So here they are:
4. ???
5. PROFIT!!
http://slashdot.org/articles/02/06/04/228240.shtml?tid=109
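As an added illustration of steps 1-3 applied to a real header (this is not code from the Bugtraq post, from the leaked source, or from any browser), here is a BMP header parser with the naive 32-bit size calculation beside a checked version that does the arithmetic in 64 bits and bounds the result against the bytes actually present in the file; it also shows what the earlier "bigger than 2^31" remark amounts to when width and height are signed 32-bit fields. The header layout is the standard 14-byte file header plus 40-byte info header; the test input is constructed inline.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Fields from the 14-byte BITMAPFILEHEADER and 40-byte BITMAPINFOHEADER (little-endian). */
typedef struct {
    uint32_t file_size;    /* bfSize */
    uint32_t pixel_offset; /* bfOffBits: where the pixel rows begin */
    int32_t  width;        /* biWidth */
    int32_t  height;       /* biHeight; negative means top-down */
    uint16_t bpp;          /* biBitCount */
} bmp_hdr_t;

static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Step 1: pull the ints out of the byte buffer. Returns 0, or -1 if the buffer is too short
   to hold both headers or does not start with the "BM" magic. */
int bmp_parse_header(const uint8_t *buf, size_t len, bmp_hdr_t *h) {
    if (len < 54 || buf[0] != 'B' || buf[1] != 'M') return -1;
    h->file_size    = rd32(buf + 2);
    h->pixel_offset = rd32(buf + 10);
    h->width        = (int32_t)rd32(buf + 18);
    h->height       = (int32_t)rd32(buf + 22);
    h->bpp          = (uint16_t)(buf[28] | buf[29] << 8);
    return 0;
}

/* The failure mode: 32-bit arithmetic on header-controlled width/height wraps silently, so a
   header describing gigabytes of pixels can yield a tiny (even zero) buffer size. */
uint32_t bmp_pixel_bytes_naive(const bmp_hdr_t *h) {
    uint32_t row = ((uint32_t)h->width * h->bpp + 31) / 32 * 4; /* rows are padded to 4 bytes */
    return row * (uint32_t)h->height;
}

/* Steps 2 and 3: validate each field, do the size arithmetic in 64 bits, and reject anything
   that does not fit in the bytes actually present after the pixel offset. */
int bmp_pixel_bytes_checked(const bmp_hdr_t *h, size_t file_len, size_t *out) {
    if (h->width <= 0 || h->height == 0) return -1;
    if (h->bpp != 1 && h->bpp != 4 && h->bpp != 8 && h->bpp != 16 && h->bpp != 24 && h->bpp != 32)
        return -1;
    uint64_t abs_h = (uint64_t)(h->height < 0 ? -(int64_t)h->height : (int64_t)h->height);
    uint64_t row   = (((uint64_t)h->width * h->bpp + 31) / 32) * 4;
    uint64_t total = row * abs_h;   /* width < 2^31 and |height| <= 2^31 keep this below 2^64 */
    if (h->pixel_offset < 54 || h->pixel_offset > file_len) return -1;
    if (total > (uint64_t)(file_len - h->pixel_offset)) return -1;
    *out = (size_t)total;
    return 0;
}

/* Constructed test input (not a real file): a header claiming w x hgt pixels at bpp bits,
   in a buffer of file_len bytes, with pixel data starting right after the two headers. */
size_t bmp_make_header(uint8_t *buf, size_t file_len, int32_t w, int32_t hgt, uint16_t bpp) {
    memset(buf, 0, file_len);
    buf[0] = 'B'; buf[1] = 'M';
    wr32(buf + 2, (uint32_t)file_len);
    wr32(buf + 10, 54);
    wr32(buf + 14, 40);             /* biSize */
    wr32(buf + 18, (uint32_t)w);
    wr32(buf + 22, (uint32_t)hgt);
    buf[26] = 1;                    /* biPlanes */
    buf[28] = (uint8_t)bpp; buf[29] = (uint8_t)(bpp >> 8);
    return file_len;
}

int main(void) {
    uint8_t buf[70]; bmp_hdr_t h; size_t out;
    /* 65536 x 65536 at 32 bpp claims 16 GiB of pixels inside a 54-byte file. */
    size_t n = bmp_make_header(buf, 54, 0x10000, 0x10000, 32);
    bmp_parse_header(buf, n, &h);
    printf("naive size: %u bytes\n", (unsigned)bmp_pixel_bytes_naive(&h)); /* wraps to 0 */
    printf("checked: %s\n", bmp_pixel_bytes_checked(&h, n, &out) ? "rejected" : "accepted");
    return 0;
}
```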
. . . from a nonprogrammer, but does this vulnerability occur in the mac version of IE5 as well?
Never trust a physicist further than his DeBroglie wavelength.
resolve #defines before you search.
I wonder if any of the leaked source code includes the MS crypto system. If so, this could be very bad news for Microsoft seeing how people have already discovered a slew of critical vulnerabilities but are biting their tongues to wait for MS to fix the flaws. Now you have a bunch of crackers running their debuggers on actual source code... they are going to craft and use exploits before they're public knowledge or officially fixed.
Should feel confident that IE doesn't have some back door? Did you not read the summary? :)
Yeah, things aren't destructive as much anymore, but I think most people would prefer ~/finance/ stays more secure than /etc/shadow (which, seriously, who gives a fuck about?)
Remember that many worms will simply go away when the computer is rebooted. There is no need for Admin Rights/Installation if you can just post a message on a popular site with an image in your signature.
As for MacOSX, you may want to note that Microsoft did it first. That is, they made it an available option, and it's trivial to implement. Programs don't always use that option, of course, usually (in my experience) waiting until an install is half-completed before noticing that admin rights are required, then telling the user to do it by hand. The option is available to developers, though. They can all check their privs and display a password box up front if they get off their asses.
Of course, I wouldn't call such a thing "secure", since it then becomes trivial to distribute a program which prompts for the administrative password, then says "incorrect password" and goes on to display the real password box. Later asking for an e-mail address, coupled with people tending to use the same password everywhere- well, making things easy and making things secure is always going to be a trade-off somewhere.
-- 'The' Lord and Master Bitman On High, Master Of All
I decoded the BMP and loaded it into IE5.00.2314.1003 (the only IE version I consider worthy of disk space, if not safe to let run loose), completely forgetting that I had IE configured to use QuickViewPlus as the BMP viewer. IE dumped the file to QVP, which displayed it without incident. Hmm, well, so much for THAT test. :)
The problem is... does this affect *all* bitmapped images, or only for-really BMPs? because it's not terribly practical to send *every* image to an add-on viewer.
~REZ~ #43301. Who'd fake being me anyway?
Has anyone ever thought that the first few exploits based on this 'leak' that will be reported aren't just **** from people that figured it out back in the day and are now posting to get the credit for it? Or maybe just steal the credit from someone else who originally figured it out?
"Of course, I wouldn't call such a thing "secure", since it then becomes trivial to distribute a program which prompts for the administrative password, then says "incorrect password" and goes on to display the real password box. Later asking for an e-mail address, coupled with people tending to use the same password everywhere- well, making things easy and making things secure is always going to be a trade-off somewhere."
Hahah... you're keyed into one of the most serious security gaps in user habits: using the same password everywhere. This has really been compounded by the way so many websites require username/password. If joeblow/drowssap makes an account at mydumbsite.com and I can find anywhere else he has an account (e-mail, slashdot, ebay, paypal, ...) there is a reasonably good chance that the password will work. Of course, as you crack one thing you tend to learn more access; the webmail yields a power bill, etc.
:)
I personally believe in partitioning security into more than one level (analogous to guest/user/root) and then, of course, applying much stronger security (particularly encryption) up the chain. Of course, one of the things that helps with security the most is knowing what the heck the system is doing inside; there is a strong argument for having the source available right there. People who are blaming the author of the securityfocus submission are misplacing the responsibility for these security flaws. As I said, this very type of crack was something I was just thinking about last week; undoubtedly many people have experimented with tainted BMPs, etc.
We are fortunate to finally know about it, honestly!
You said:
There are also no exposed pointers in Java, thus no way to clobber the stack by writing to a negative array offset, as in this exploit. Reading or writing to a negative array offset in Java will result in a RuntimeException of some sort. Buffer overflows are also impossible in Java, since writing off the end of an array will result in a similar exception.
I say:
Yes, I agree completely. The next version of Windows should be written in Java.
Just download IE 6 from Microsoft's site and there you go. MS even proposes that you do so every time you visit their update site.
The exploit actually requires you to view a malformed bitmap. You won't find any such bitmaps on Microsoft's site, and you can't get hacked via some RPC port while you update.
I.e., here's the deal, lemming: just click on that big "Microsoft upgrade" entry in the "Start" menu, and accept the proposed downloads. That's _all_ you need to do to fix this exploit.
I.e., please spare me the stupidity of "what if I want to wait for a fix for an outdated version of IE instead of downloading the existing free upgrade?" You'd be just as vulnerable if you absolutely didn't want to upgrade from an ancient version of Mozilla. Which _did_ have a few exploits, in spite of being OSS.
Either way, guess what? Even with Mozilla it's the same deal. You get to download a newer version.
Or I can think of quite a bunch of equally critical fixes that a whole bunch of other OSS Linux programs needed, in every single distro I've used. Which, typically mean... guess what? That you have to get a newer version of that program.
Yes, you could personally fix every single bug in an ancient version of Sendmail, and Mozilla, and about 200 other ancient programs, if you really don't want to upgrade. But no one's going to do that. Why? Because reading and _understanding_ some 100 megabytes of source code, _and_ then fixing the bugs you've introduced while doing so, is _not_ going to be a $250 job. It's more likely going to keep a whole department busy making new bugs from now until kingdom come, and cost _millions_.
Plus, much as MS bashing is fashionable and cool on Slashdot, we're talking about the same crowd which absolutely must spend countless hours downloading and compiling every single new release of KDE and/or Gnome and/or XFree86 and/or the weekly kernel release, etc. So it's downright stupid to now hear about how inconvenient it is to download an IE update. An update that's half the size of the 2.6 kernel bz2, and doesn't require any compiling either.
A polar bear is a cartesian bear after a coordinate transform.
Say hello to my little friend Yum... http://linux.duke.edu/projects/yum/index.phtml
I can't afford a sig!
Of course you realize that it is absolutely pointless.
If MS is doing its work they will check the exploit's code and fix it in a timely fashion.
IANAL but write like a drunk one.
But just for the sake of argument, where would you get free patches for Red Hat 7.3?
In the same place where you would get your patches for Windows 3.1.
No wait, I could pay somebody to patch my RH system.
Who is going to fix this hypothetical of yours?
IANAL but write like a drunk one.
You either post the thing the way it is or you censor it because it is not PC. /. has to do a balancing act and in this case the decision is the correct one: this is worthwhile talking about, so the puerile attitude of the poster can be put aside (without condoning it) for the sake of analyzing the information that is really important (the exploit).
IANAL but write like a drunk one.
.... so maybe all is not that rosy after all?
IANAL but write like a drunk one.
Linux has been here for many years, we are waiting.
Oh wait, it is not that easy because the OS is of superior quality.
OK, that is the end of your conspiracy theory.
IANAL but write like a drunk one.
Now I want to read all those advocates of tightly integrating a user space application like IE with the OS's kernel.
For ages many people have tried to drive home in the MSofties' brains why this is a bad idea.
Hopefully (unlikely) they will get it now.
IANAL but write like a drunk one.
The open source project I used to work on had a "won't fix" category, as well as a "won't fix until the next major revision" category. The "won't fix" was for things that in our opinion weren't broken, and the "won't fix till later..." were for issues that required major structural changes to fix.
Any sufficiently advanced technology is indistinguishable from a rigged demo
--Andy Finkel (J. Klass?)
BitTorrent is not anonymous; from a legal perspective, you may as well just put it on your web server.
Not to mention [Mozilla is] not as mature as IE6.
Man, you've got a lot of guts posting something like that on Slashdot.
Next time don't forget to add the (/sarcasm) to the end of your post.
Scott
You are the dumbest person I've seen in a long time. From your inane and unfactual Mac zealotry to your racism against minority groups, the stupidity never stops!
What kind of dipshit thinks he can get away with posting pro-censorship opinions, get modded down to Terrible karma, and then thinks they can regain it?
I saw your attempt to mod up your own comments. Luckily, I contacted Slashdot and had this situation taken care of as this is blatant abuse of the system.
If you think you can get away with conning the readership here, you are insane beyond your own stupidity.
Give up! You're a moron! You have no clue or chance! You're like the little dipshit kid who wants to leech off of everyone in life and then cries when he doesn't get his way.
GO AWAY, LOSER.
If your company was dumb enough to build for a specific browser rather than following web standards, you can't always replace IE 5 with IE 6 and have your web sites still work.
For example, IE 6 removed support for some plugins, and now comes without support for Microsoft's broken Java 1.1.8 VM.
GCHQ Quantum Insert installed. If only our tongues were made of glass, how much more careful we would be when we speak
...but I don't know whether I'd rate that as funny, insightful, or a sad reflection on the industry I work in...
I know this is old but, hell ya! Mr. manic depressive is gone!