Slashdot Mirror


Exploit Based On Leaked Windows Code Released

mischief writes "A post to Bugtraq from SecurityTracker.com reports an Internet Explorer 5 exploit that has been released based on the Win2K code leak: 'It is reported that a remote user can create a specially crafted bitmap file that, when loaded by IE, will trigger an integer overflow and execute arbitrary code.' Only affects IE 5 apparently, but still - it didn't take long!"

72 of 952 comments

  1. See! by Anonymous Coward · · Score: 4, Funny

    More proof that code whose source is open is less secure!

    (trigger-fingered mods: that's a joke)

    1. Re:See! by Lumpy · · Score: 4, Funny

      Nahh...

      The virus writer used the links to the SECURITY_HOLE references in holes.bas module from the VB.NET code that IE is written in.

      --
      Do not look at laser with remaining good eye.
  2. so THATS why it was leaked by SlashDread · · Score: 5, Funny

    to fix it...

    "/Dread"

  3. Re:Open Source More Secure... maybe not by The+Unabageler · · Score: 5, Funny

    OTOH M$ should thank the code thieves for expediting their QA process :-)

    --
    perl -e '$_="\007/4`\cp%2,".chr(127);s/./"\"\\c$&\""/gees; print'
  4. The bitmap in question... by lacrymology.com · · Score: 4, Funny

    Of course the bitmap is of a penguin! More ammunition for the M$ FUD campaign.
    -m

    --

    #
    # Modus Ponens
    #
    1. Re:The bitmap in question... by p4ul13 · · Score: 4, Funny

      This seems to be what the BMP would look like.

      --
      Paul Lenhart writes words!
  5. What the fuck? by tomstdenis · · Score: 4, Funny

    What the fuck in a bitmap renderer could overflow and cause such problems?

    Fuck MSFT it's called bounds checking. e.g.

    1. load int from char array
    2. check int against sizeof(yourbuffer)
    3. reject if greater

    Not exactly a challenging task. I guess they're too busy adding in all that crapware to actually code at least one thing right.

    Tom

    --
    Someday, I'll have a real sig.
    1. Re:What the fuck? by vontrotsky · · Score: 5, Funny

      I think it went more like

      1. load int from char array
      2. check int against sizeof(yourbuffer)
      3. user=root if greater

    2. Re:What the fuck? by SlashDread · · Score: 5, Funny

      In the old days, when I was a young system admin, it was called "Monkey Testing".

      It went something like this:
      You position yourself behind a functional input screen, and start hammering viciously and blindly. The latter is important, the more blind the better, it invokes the Holy Random God. Repeat for 5 minutes. You repeat this for each input screen.
      If the screen showed anything similar to "ERROR: OTHER INPUT EXPECTED" it passed.
      If it showed anything similar to "OK, 98zxc3v4^DD^C^Z NEW CUSTOMERS ADDED" or failed to read at all due to overly blinkeyness or so, it failed.

      I understand MS needs more monkeys.

      "/Dread"

    3. Re:What the fuck? by tomstdenis · · Score: 2, Funny

      char whatoverflow[3];

      scanf("%s", whatoverflow);

      ;-)

      --
      Someday, I'll have a real sig.
    4. Re:What the fuck? by tomstdenis · · Score: 2, Funny

      MS optimized it [their innovative]

      1. Look at bitmap, get scared.
      2. user == root

      They also merged in a backdoor so the attacker wouldn't have to embed it in the bitmap

      3. open port 1234 as an rsh automatically logged in.

      Tom

      --
      Someday, I'll have a real sig.
    5. Re:What the fuck? by corbettw · · Score: 4, Funny

      By any chance, did the program come up with the entire works of Shakespeare?

      --
      God invented whiskey so the Irish would not rule the world.
    6. Re:What the fuck? by AstroDrabb · · Score: 4, Funny
      I understand MS needs more monkeys.
      It appears they have their fair share already
      --
      If Tyranny and Oppression come to this land,
      it will be in the guise of fighting a foreign enemy. -James Madison
    7. Re:What the fuck? by Walterk · · Score: 4, Funny

      I bet some MS exec misinterpreted it and used the monkeys for the coding, and not testing.

  6. No Problem by Jedi1USA · · Score: 5, Funny

    Microsoft just needs to get a copy of the leaked code and look it over for potential exploits.

    Oh wait. :^)

    --
    My old sig was REALLY stoopid.
  7. Smells by first.last · · Score: 0, Funny

    Smells like bullshit....like the jpeg virus hoax a few years back. IMAGE FILES CANNOT RUN COMMANDS!!!!

    --
    Wishing I was a millionaire since 1969.
  8. Well I got IE6 by superpulpsicle · · Score: 5, Funny

    So I should be all set for the next 2 days until the next major security flaw is found.

  9. Anyone surprised? by LearnToSpell · · Score: 3, Funny

    Anyone? Come on, there's a million /. readers. Somebody must have thought this wasn't going to happen.

    Maybe the once-a-month patching schedule's going to have to be revised though.

  10. Re:You thought Microsoft were tardy with by lacrymology.com · · Score: 4, Funny

    "It's called IE6"

    Weird... I would have sworn that it was called Windows XP.
    -m

    --

    #
    # Modus Ponens
    #
  11. Re:Funny comment by the bugtraq submitter by Anonymous Coward · · Score: 5, Funny

    This means that the exploit is so obvious that even a 14 year old can figure it out.

  12. Boogle... by mark_space2001 · · Score: 2, Funny
    I guess I should have expected that someone would start posting bug fixes to Windows when I heard that the code got released, but I'm still surprised that they are finding actual exploits in the code.

    I guess all those advertising^W software engineering dollars that MS spent on their security initiative were not^W well spent.

  13. Re:You thought Microsoft were tardy with by cgranade · · Score: 5, Funny

    And here I was thinking it was called Mozilla.

    --

    #define DRM chmod 000

  14. Re:You thought Microsoft were tardy with by Lifewish · · Score: 5, Funny

    Mine's called "Linux". Seems to fix a whole host of problems.

    --
    For the love of God, please learn to spell "ridiculous"!!!
  15. Re:Open Source More Secure... maybe not by 1010011010 · · Score: 5, Funny

    Finally, Microsoft's "Trustworthy Computing" exercise begins in earnest.

    Hehe

    --
    Napster-to-go says "Fill and refill your compatible MP3 player", which is a lie. It's not MP3. It's WMA with DRM.
  16. Gone.. But Never Forgotten by halo8 · · Score: 5, Funny

    a specially crafted bitmap file

    Good thing all those Goatse pictures were in .jpeg, .gif and .tiff

    --
    The More Knowledge you have the Luckier you Get- J.R. Ewing
  17. Business plan by loconet · · Score: 3, Funny


    1. Fake a source code leak of some of the shittiest code in your projects
    2. Act surprised
    3. Wait for people to look at code and publish found holes, getting free QA resulting in major savings
    4. Create Patch before major damages
    5. Sue person who found hole
    6. ...??
    7. Double PROFIT!
    </conspiracy theory>

    --
    [alk]
  18. occurrences of " Don't Care " in MS code by Anonymous Coward · · Score: 5, Funny

    I wanted to post this in the first MS leak story, but oh well, here it is now.

    $ grep -ir " don't care " /win2k/* | wc -l
    332

    check it yourself

  19. This is not BAD news by IamGarageGuy+2 · · Score: 4, Funny

    I see this is good news in that there is going to be an ongoing stream of exploits in Windows. This is good news. Think of all of the boxes that will be broken in the next few months. I should mention that I make a living fixing Windows boxes. I also fix Mac and Linux - but there isn't really much money in fixing them.

    --
    Stay tuned for new sig...
  20. Re:I'll be first to say it by lacrymology.com · · Score: 5, Funny

    "We have an interesting 6 months ahead of us, folks."

    I can see the headlines now;

    "New exploit found in IE5"
    "Yet another exploit found in IE5"
    "Exploit found in Minesweeper"
    "Exploit found in Notepad"
    "Yet another exploit found in Minesweeper"
    "Yet another exploit found in Notepad"
    "New exploit found in IE5"
    "God damn! Another exploit found in Minesweeper"
    .
    .
    .
    "Exploit found in taskbar"
    "Exploit found in Times New Roman"
    "Exploit found in bootstrap"
    "Exploit found in Wingdings"
    "Exploit found in ...."

    Sounds pretty redundant and boring to me. ;)

    -m

    --

    #
    # Modus Ponens
    #
  21. Re:And awaaayyy we go! by bshroyer · · Score: 2, Funny

    Can the same thing happen to linux?

    Yeah, let's hope that the source code for Konqueror or Mozilla never gets leaked... No telling what kinds of exploits might pop up then.

    --
    The cure for cancer is coming: Reovirus
  22. Re:Text of advisory by myowntrueself · · Score: 1, Funny

    So now the /. servers are going to be raided by DMCA police? Time to move offshore, guys! ;)

    --
    In the free world the media isn't government run; the government is media run.
  23. I can't wait by Edmund+Blackadder · · Score: 4, Funny

    I can't wait to read a whole thread of slashdot people saying "I told you so".

    However, I feel bad for the "slashdot team" of the microsoft PR department. I doubt those guys will have Presidents' Day off. They might even have to pay extra for an additional delivery of "bulk mod points".

  24. Time to MS proof what it says by famazza · · Score: 3, Funny

    That's all I was hoping to see. MS says that its response time for bugs is lower than Open Source response time.

    Now we have a released bug, and I want to see how long it will take until MS fixes this bug.

    Somebody, please, monitor this bug (or teach me how to monitor it)

    --

    -=-=-=-=
    I know life isn't fair, but why can't it ever be un-fair in MY favor!?
  25. Re:Get the source code from Freenet by Anonymous Coward · · Score: 5, Funny

    You bastard! That's my IP address!!!

  26. This reminds me of "The Ring" by MetaMarty · · Score: 5, Funny

    Did you hear about the image that kills your computer whenever you view it?

  27. Re:But the question is... by Apiakun · · Score: 3, Funny

    And the other question: How long would Microsoft have lasted?

  28. Contaminated! by esnible · · Score: 4, Funny

    You have 'contaminated' me.

    I will no longer be able to code a buffer reading algorithm with an overflow bug without violating Microsoft's IP.

  29. Re:Text of advisory by grub · · Score: 5, Funny


    I doubt anyone would consider showing 10 lines or so of source code out of millions a copyright violation

    SCO does. :)

    --
    Trolling is a art,
  30. I wrote that code by AragornSonOfArathorn · · Score: 4, Funny

    I guess I shouldn't have lied about my certifications during the interview...

    --
    sudo eat my shorts
  31. I'm disappointed by Greedo · · Score: 4, Funny

    No one has yet posted a modified version of the goatscx photo that takes advantage of this security "hole".

    --
    Tuus crepidae innexilis sunt.
  32. Re:Ha Ha Only Serious by CodeRx · · Score: 2, Funny

    "Linux? Good god no, man! Didn't you see what happened when just a bit of the Microsoft source code got leaked? I thought you were up on these things!"

    Ha, that reminds me of a recent article on devx. This guy demonstrates how being a little stupid and misinformed can lead you down all kinds of wrong paths.

    His argument is that some crazed open source hacker is going to put a back door in an open source program. Further he presents this as a disadvantage of open source when compared to closed software. Because, of course, it is so much easier to hide backdoors in programs that EVERYONE HAS THE SOURCE CODE TO. No one could even hide a backdoor in a program that nobody except the developers have seen the code for. That is unpossible. Right.

  33. IE code by Anonymous Coward · · Score: 3, Funny

    So there was some IE 5 code in there? Too bad it wasn't the IE 4 code, I hear you can summon demons by reading that out loud.

  34. Re:off topic, but orthogonal kind of prompted this by orthogonal · · Score: 5, Funny

    By the way, does anyone know why the bitmap formap [sic] is writte [soc] upside down?

    It's an obscurity that provides extra security against exploits like buffer overflows. ;)

  35. Re:huh by tverbeek · · Score: 5, Funny
    a well-seasoned older programmer who has the social skills of a 13 year old?

    You say that as if it were unusual. ;)

    --
    http://alternatives.rzero.com/
  36. Re:Text of advisory by prockcore · · Score: 3, Funny

    Oh my god! I read the source! Now I'm tainted! All future code written by me will inadvertently contain MS's copyrighted and patented signed int overflow techniques!

  37. Re:Text of advisory by Anonymous Coward · · Score: 1, Funny

    Thanks to Microsoft AutoParody Wizard!

  38. Re:Source Code by Maserati · · Score: 2, Funny

    I don't do spelling flames often, but I will for a Farscape quote in a .sig.

    "guarantee"

    --
    Veteran, Bermuda Triangle Expeditionary Force, 1992-1951
  39. Patch is already released!!! by iamwahoo2 · · Score: 2, Funny

    It is called Firefox and can be downloaded at Mozilla.org!

  40. Re:Open Source More Secure... maybe not by OsCarJ · · Score: 5, Funny

    It's like seeing your sister naked. Ack!

    I don't know. I always thought your sister was pretty hot.

  41. Re:off topic, but orthogonal kind of prompted this by Anonymous Coward · · Score: 0, Funny

    writte [soc] [sic]

  42. Find a serious unpatched bug and... by Anonymous Coward · · Score: 1, Funny

    ..instead of making your own worm, go and hack the evil corp and steal all their code. That would be really ironic and fun :)

  43. Re: of been by Anonymous Coward · · Score: 5, Funny

    I wish that I would of thought have that.

    It could of been me that was modded insightful for of-ing no grammatical skills.

    Well, you know the old saying... birds have a feather, etc.

    Of a nice day! :)

  44. Re:Open Source More Secure... maybe not by fetus · · Score: 3, Funny

    The patch is called "IE 6"

  45. why BMP? by Anonymous Coward · · Score: 1, Funny

    Bitmaps are not a particularly clever choice to use on the Internet. There are JPEGs, PNGs etc. that are much better suited for the web. But as a side smirk - it is highly amusing to see Microsoft products die trying to read Microsoft formats

  46. Re:huh by poot_rootbeer · · Score: 4, Funny

    Who browses as root? Oh, yes, that's right, Windows users.

    I'm a safety-conscious Windows user! I never login as "root"! I just use the "Administrator" account instead!

  47. Re:Open Source More Secure... maybe not by ostrich2 · · Score: 1, Funny

    I think you misunderstand: he's talking about your sister.

  48. 'Specially Crafted Image' by bokmann · · Score: 3, Funny

    That is a little funny... Isn't a 'specially crafted image' the same 'exploit' that Geordi La Forge came up with for introducing a virus into the Borg collective? Remember the first episode with 'Hugh'?

    -db

  49. Re:And counting by Viadd · · Score: 2, Funny
    Sure, sooner or later hotmail will stop showing bmps in messages and issue a warning like "if you get a message, do not open it, but delete immediately"

    According to the comp.basilisk faq about Basilisks (images that cause system crashes in wetware):
    10. Is it true that Microsoft uses basilisk booby-traps to protect Windows 2005 from disassembly and pirating?
    We could not possibly comment.
  50. use it for change! by tau_ · · Score: 5, Funny

    So, where's the .bmp I can link to my web site that makes IE5 remotely execute Mozilla Firefox installer?

    --
    Ask a silly person, get a silly answer.
  51. Hmm.. by Anonymous Coward · · Score: 4, Funny

    I can see the ultimate virus now: you click an innocent-looking link, it takes you to a goatse bmp, and the exploit will lock your keyboard and mouse...leaving you utterly defenseless! Oh the horror!

  52. Who Runs IE 5 anyway? by vwjeff · · Score: 5, Funny

    I mean really, who runs IE 5 anyway. I'm sure that most corporate network admins keep up with updating IE. Let me check on a random company machine...

    Help-About Internet Explorer-.....Never mind my previous comment.

  53. Re:Text of advisory by Anonymous Coward · · Score: 2, Funny

    worse than that, it contains a "goto" statement... *shudder*

  54. Re:stop knocking Microsoft by BCW2 · · Score: 2, Funny

    That kind of thinking explains the collapse of the British Empire completely.

    --
    Professional Politicians are not the solution, they ARE the problem.
  55. Re:well, the source is out there by gnu-generation-one · · Score: 2, Funny

    "Wouldn't it be interesting to see the patch come out later today, from an anonymous source!"

    Line 3: replace "int" with "unsigned int"

    Do I need to be anonymous for this to work?

  56. Re:Open Source More Secure... maybe not by 1010011010 · · Score: 5, Funny

    60% Funny
    20% Troll
    10% Insightful

    Welcome, Microsofties!

    --
    Napster-to-go says "Fill and refill your compatible MP3 player", which is a lie. It's not MP3. It's WMA with DRM.
  57. Re:Open Source More Secure... maybe not by bach37 · · Score: 4, Funny

    Where can I download the patch for IE5?

    The Patch.

    Scott
    (Come on, you knew this answer was coming!)

  58. Take That Back! by Anonymous Coward · · Score: 1, Funny

    We, the members of MSDA (Monkey Software Developers of America), are deeply offended by what you imply. We are much better developers than MS and smell better too.

  59. Re:Exposing Your Identity by gooman · · Score: 2, Funny

    You tell 'em. Someone called the cops the last time I exposed myself.

    --
    "Kittens give Morbo gas!"
  60. Re: of been by Anonymous Coward · · Score: 2, Funny

    You of a keen wit.

    You're the sort have guy I admire.

    You could of noted the grammatical humor, but instead you chose to be have a cleverer sort.

    Shame about the lead paint in your nursery.

  61. Re:Open Source More Secure... maybe not by Rysc · · Score: 2, Funny

    Yes, but you didn't post the uptimes.

    --
    I want my Cowboyneal
  62. I like it by scribblej · · Score: 2, Funny

    You said:
    There are also no exposed pointers in Java, thus no way to clobber the stack by writing to a negative array offset, as in this exploit. Reading or writing to a negative array offset in Java will result in a RuntimeException of some sort. Buffer overflows are also impossible in Java, since writing off the end of an array will result in a similar exception.

    I say:
    Yes, I agree completely. The next version of Windows should be written in Java.
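
Several posts in this thread circle the same point: comment 5 gives the three-step recipe (load the int from the byte array, check it against the size of your buffer, reject if greater), comment 55 suggests "replace int with unsigned int", and comment 62 notes that a negative array offset is what clobbers memory. The following C program is an added illustration and is not code from any poster, from the advisory, or from the leaked source. It parses a constructed BMP file header (the 14-byte file header plus the 40-byte info header) twice: once with a naive signed-int comparison that a header with bit 31 set slips past as a negative offset, and once with unsigned, overflow-checked validation that also handles the legitimately negative height field BMP uses for top-down images (the "upside down" format comment 34 asks about). The sample headers are constructed by `make_bmp` for the demonstration; field offsets follow the public BMP layout.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* BMP headers are little-endian on disk regardless of host byte order. */
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static void put32(uint8_t *p, uint32_t v) { p[0] = v & 0xff; p[1] = (v >> 8) & 0xff; p[2] = (v >> 16) & 0xff; p[3] = v >> 24; }
static void put16(uint8_t *p, uint16_t v) { p[0] = v & 0xff; p[1] = v >> 8; }

enum { BMP_HDR_LEN = 54 };   /* BITMAPFILEHEADER (14) + BITMAPINFOHEADER (40) */

/* The naive check: the pixel-data offset (bfOffBits) is loaded as a signed int and compared
 * against a signed file size. A header with bit 31 set reads as a large negative number,
 * passes "offset < size", and would then be used as an index before the buffer start.
 * Returns 1 if this check would accept the file. (uint32 -> int conversion of values above
 * INT_MAX is implementation-defined; mainstream compilers give the two's-complement value.) */
int naive_accepts(const uint8_t *buf, size_t len)
{
    if (len < BMP_HDR_LEN) return 0;
    int offset = (int)rd32(buf + 10);
    int size = (int)len;
    return offset < size;
}

/* Hardened validation: every header field is read as unsigned, checked against the real
 * buffer length before it is used as an index, and all size arithmetic is done in 64 bits
 * so width*bpp*height cannot wrap. Returns 0 on success, a negative code on rejection. */
int validate_bmp(const uint8_t *buf, size_t len, size_t *pixel_bytes_out)
{
    if (len < BMP_HDR_LEN) return -1;                 /* not even a full header */
    if (buf[0] != 'B' || buf[1] != 'M') return -2;    /* magic */
    uint32_t file_size   = rd32(buf + 2);
    uint32_t off_bits    = rd32(buf + 10);
    uint32_t info_size   = rd32(buf + 14);
    int32_t  width       = (int32_t)rd32(buf + 18);
    int32_t  height      = (int32_t)rd32(buf + 22);  /* negative means top-down rows */
    uint16_t planes      = rd16(buf + 26);
    uint16_t bpp         = rd16(buf + 28);
    uint32_t compression = rd32(buf + 30);

    if (file_size > len) return -3;                   /* header claims bytes we do not have */
    if (info_size < 40) return -4;
    if (off_bits < BMP_HDR_LEN || off_bits > len) return -5;  /* unsigned: no "negative" escape */
    if (planes != 1 || compression != 0) return -6;   /* only uncompressed RGB handled here */
    if (bpp != 24 && bpp != 32) return -7;
    if (width <= 0) return -8;
    if (height == 0 || height == INT32_MIN) return -9; /* INT32_MIN has no positive magnitude */
    uint32_t abs_h = height < 0 ? (uint32_t)(-(int64_t)height) : (uint32_t)height;

    /* Row stride is padded to 4 bytes: ((width*bpp + 31) / 32) * 4, computed in 64 bits. */
    uint64_t stride = (((uint64_t)width * bpp + 31) / 32) * 4;
    uint64_t need   = stride * abs_h;
    if (need > (uint64_t)(len - off_bits)) return -10; /* pixel data would run past the buffer */
    if (pixel_bytes_out) *pixel_bytes_out = (size_t)need;
    return 0;
}

/* Constructed test input: writes a header plus a zeroed pixel area into out.
 * Returns the total length, or 0 if cap is too small. */
size_t make_bmp(uint8_t *out, size_t cap, uint32_t off_bits, int32_t w, int32_t h,
                uint16_t bpp, size_t pixel_bytes)
{
    size_t total = BMP_HDR_LEN + pixel_bytes;
    if (cap < total) return 0;
    memset(out, 0, total);
    out[0] = 'B'; out[1] = 'M';
    put32(out + 2, (uint32_t)total);
    put32(out + 10, off_bits);
    put32(out + 14, 40);
    put32(out + 18, (uint32_t)w);
    put32(out + 22, (uint32_t)h);
    put16(out + 26, 1);
    put16(out + 28, bpp);
    put32(out + 30, 0);
    return total;
}

int main(void)
{
    uint8_t b[128]; size_t n, px = 0;
    n = make_bmp(b, sizeof b, BMP_HDR_LEN, 2, 2, 24, 16);        /* honest 2x2 24-bit image */
    printf("valid file:      naive=%d hardened=%d (%zu pixel bytes)\n", naive_accepts(b, n), validate_bmp(b, n, &px), px);
    n = make_bmp(b, sizeof b, 0x80000036u, 2, 2, 24, 16);        /* offset with bit 31 set */
    printf("bit-31 offset:   naive=%d hardened=%d\n", naive_accepts(b, n), validate_bmp(b, n, &px));
    n = make_bmp(b, sizeof b, BMP_HDR_LEN, INT32_MAX, 1, 24, 16); /* width that wraps 32-bit math */
    printf("huge width:      naive=%d hardened=%d\n", naive_accepts(b, n), validate_bmp(b, n, &px));
    return 0;
}
```

The naive check accepts both the honest file and the bit-31 offset because, as comment 62 describes, the offset has become a negative array index; the hardened path rejects it at the unsigned range check (-5) and rejects the oversized width at the 64-bit pixel-count check (-10) rather than letting the stride computation wrap.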

  63. FUCKING TROLLS! by jotaeleemeese · · Score: 2, Funny

    Of course you realize that it is absolutely pointless.

    If MS is doing its work they will check the exploit's code and fix it in a timely fashion.

    --
    IANAL but write like a drunk one.