Slashdot Mirror


Exploit Based On Leaked Windows Code Released

mischief writes "A post to Bugtraq from SecurityTracker.com reports an Internet Explorer 5 exploit that has been released based on the Win2K code leak: 'It is reported that a remote user can create a specially crafted bitmap file that, when loaded by IE, will trigger an integer overflow and execute arbitrary code.' Only affects IE 5 apparently, but still - it didn't take long!"

66 of 952 comments

  1. Open Source More Secure... maybe not by LostCluster · · Score: 5, Insightful

    Oops... we just gave MS a chance to say keeping the source secret keeps flaws like this secret as well. :)

    1. Re:Open Source More Secure... maybe not by Anonymous Coward · · Score: 5, Insightful

      > Oops... we just gave MS a chance to say keeping the source secret keeps flaws
      > like this secret as well. :)

      Yeah, but if Windows were truly open source then there's no chance it'll just be sat on for six months...

    2. Re:Open Source More Secure... maybe not by aborchers · · Score: 5, Insightful

      Funny, yes, but in the interest of full disclosure it's worth noting for the credulous that this code was perhaps only vulnerable because it had not been open for audit before.

      In other words, had the source code for IE been OSS from day one, then the bug might very well have been found and fixed before the application was widely distributed.

      --
      Trouble making decisions? Just flip for it.
    3. Re:Open Source More Secure... maybe not by Anonymous Coward · · Score: 4, Insightful

      "Oops... we just gave MS a chance to say keeping the source secret keeps flaws like this secret as well. :)"

      Who says it was secret? For all you know, it could have been the cause of that "mysterious intrusion" a few years ago...

    4. Re:Open Source More Secure... maybe not by LostCluster · · Score: 4, Insightful

      On the other hand, this bug existed in IE5 all along, but was not discovered until the code was leaked. Now, IE6, which is not at risk, has far surpassed the at-risk version in usage.

    5. Re:Open Source More Secure... maybe not by Anonymous Coward · · Score: 5, Insightful

      Open-source security doesn't come from having the source available. It comes from lots of people actively working on the source. Tell me, how many random hackers do you think will work on the Windows codebase?

      This is one of the reasons why "open source" is more than "source available".

    6. Re:Open Source More Secure... maybe not by aborchers · · Score: 5, Insightful

      A valid observation, but how many exploits were found without access to the source? If that number were low, the security-through-source-obscurity would be valid, but unfortunately for MS's credibility, it isn't low.

      It just turns out this one was extra easy to find because the code could be read. It would have been equally easy to fix as to exploit (had non-assholes been reading the source, but fear of contamination is keeping most credible OSS engineers from touching that stuff with a 10-ft debugger), bringing us right back around to the superior security of open-source position.

      --
      Trouble making decisions? Just flip for it.
    7. Re:Open Source More Secure... maybe not by Anonymous Coward · · Score: 4, Insightful

      You have to remember that this exploit has already been fixed. As:-

      > Only affects IE 5 apparently

      shows.

    8. Re:Open Source More Secure... maybe not by Short+Circuit · · Score: 5, Insightful

      It seems so obvious to someone who's been using OSS for years.

      Linux source code has been around for how long? And how many exploits have been released for it?

    9. Re:Open Source More Secure... maybe not by yamla · · Score: 5, Insightful

      What evidence do you have that this bug was not found until the code was leaked? It is entirely possible that some people did indeed know about this bug and had used it to exploit Windows systems for quite some time. Of course, I have no evidence of this either but as I'm not a black-hat (or indeed a hacker at all), I wouldn't expect to hear about it.

      --

      Oceania has always been at war with Eastasia.
    10. Re:Open Source More Secure... maybe not by diersing · · Score: 4, Insightful
      Where can I download the patch for IE5?

      Just because it doesn't occur in future releases, doesn't mean it's been fixed. Unless you're arguing that staying current is the only way to avoid exploits, then you're making a strong argument that the TCO of Open Source should be sung from the mountain top.

    11. Re:Open Source More Secure... maybe not by tedgyz · · Score: 4, Insightful

      Your last point is particularly poignant. I followed the link, started reading, and then saw there was source code in it. I quickly x'ed the tab to avoid even glancing at the code.

      The editors should add an update warning that some source code is in the article. It's like seeing your sister naked. Ack!

      Obligatory Monty Python reference:
      GOD: ...What are you doing now!?
      ARTHUR: I'm averting my eyes, oh Lord.
      GOD: Well, don't. It's like those miserable Psalms -- they're so depressing. Now knock it off!

      --
      "No matter where you go, there you are." -- Buckaroo Banzai
    12. Re:Open Source More Secure... maybe not by slipandfall · · Score: 4, Insightful

      > That's exactly the point -- it's impossible to keep source code secret, as this proves.

      Ummm. You need to go back to logic class. This doesn't prove that it's impossible to keep source code secret at all. That would be like saying that the fact that I got a ticket on my way to work this morning proves that it's impossible to speed without getting a ticket. It doesn't follow.

    13. Re:Open Source More Secure... maybe not by GlassHeart · · Score: 5, Insightful
      > Just because it doesn't occur in future releases, doesn't mean it's been fixed. Unless you're arguing that staying current is the only way to avoid exploits, then you're making a strong argument that the TCO of Open Source should be sung from the mountain top.

      You're right, but open source software don't all conveniently provide security updates for old versions, either. It is definitely better, because if nobody else (package maintainer) does it for you, you can do it yourself. However, let's not sing from the mountaintops, because the TCO for insisting on running Red Hat 5.0 today is probably considerable.

      Both forms of development obey the same equation: cost versus benefit. The difference is that the cost in commercial software is entirely calculated based on the perspective of the source code owner. While open source is better, it can still be "too expensive" to fix relative to just upgrading.

    14. Re:Open Source More Secure... maybe not by Vargasan · · Score: 4, Insightful

      "TCO for insisting on running Red Hat 5.0 today is probably considerable."

      Hmm, Windows 2000 comes with IE 5.0. My Windows 2000 with slipstreamed SP3 still has IE 5.0. Not to mention, I still have IE 5.0 installed, because I don't use IE.

      How many places do you know still have Windows 2000 compared to places with Red Hat 5.0?
      Exactly.

      Maybe you should compare it to a relatively new Red Hat version, like 7.3 or say 8.0.

      --
      Putting the romance back into necromancer.
    15. Re:Open Source More Secure... maybe not by ajs · · Score: 5, Insightful

      Let's make this clear: the value of open source to security is not that there is this passive pool of eyes waiting to look at all code, but rather that when you have the eyes, they already have the code.

      How is this practical? Look at Linux, and more specifically Red Hat. There was a period of a year or two where Red Hat was finding a TON of bugs and fixing them. Why? Because they paid an external auditing firm to find them.

      This seems like business as usual until you think about the SuSE user... he gets a security update to openssh and sendmail even though HIS vendor didn't do the audit. This idea that everyone benefits whenever ANYONE in the community does the right thing means that the right thing gets done far more often. It's not that Linux vendors are more security conscious, it's that there are more of them.

      When Microsoft gets around to doing a security audit that's great, but they don't benefit when Red Hat does one or when FreeBSD does, etc., and that's hurting them and their reputation.

    16. Re:Open Source More Secure... maybe not by dbkluck · · Score: 4, Insightful

      What's more secure, secret flaws or no flaws at all? I don't see how MS has a leg to stand on. This bug has been there--presumably unnoticed--for literally years. Within a matter of days of the source code's being "released," it has been identified, and if the MS developers were anything like OSS developers (i.e. didn't have some ridiculous "200 day" fix policy) it would be fixed in a matter of a few more days. I can't see how this is anything other than a vindication of the OSS model.

    17. Re:Open Source More Secure... maybe not by G.+W.+Bush+Junior · · Score: 5, Insightful

      > I know plenty of projects that get far fewer eyes and have TONS of bugs.

      It's a pretty moot point.

      The impact of a bug is probably inversely proportional to the amount of people auditing the code in an open source project...
      Sure, there are a lot of small projects that nobody really uses, so there aren't that many eyes for auditing the code... but so what?

      The projects are unpopular, so if somebody found a security bug it wouldn't affect that many people (and is it really worthwhile spending the time making an exploit that will affect 1000 users worldwide?)

      As long as the popular projects are safe then I don't really care.

      --
      "I don't know that Atheists should be considered as citizens, nor should they be considered patriots." -George H.W. Bush
    18. Re:Open Source More Secure... maybe not by Paleomacus · · Score: 5, Insightful

      My company has one of these lists as well. I'd bet most companies do.

      Just because someone claims something is a bug doesn't mean that it _is_ and must be fixed.

      A lot of our bug reports are just user preference/pickiness.

    19. Re:Open Source More Secure... maybe not by Eric+Savage · · Score: 5, Insightful

      And that's just Linux. There have been gobs of them for the various popular software packages out there (Apache, Samba, PHP, etc.). I try to stress to other developers that OSS isn't necessarily more secure, it's more prone to security, a fine line that can be very significant. I am hugely in favor of OSS, but the idea that opening crappy source means other people will fix your bugs is as false as the idea that opening unfinished source means other people will finish it.

      --

      This is not the greatest sig in the world, this is just a tribute.
    20. Re:Open Source More Secure... maybe not by mdpye · · Score: 4, Insightful

      Yes, look at open source bugzillas, they have them as well. That category is for bug reports which aren't really bugs in the eyes of the maintainer.

      I'm not saying that MS might not throw a lot of remote root vulnerabilities in that category too, I don't have access to their bug db!

      MP

    21. Re:Open Source More Secure... maybe not by arkanes · · Score: 4, Insightful

      You're correct. The proper way of phrasing this would be "As this proves, it's irresponsible to assume that the source will always be secret".

    22. Re:Open Source More Secure... maybe not by sterno · · Score: 4, Insightful

      > Not to say your point isn't valid, just that the real question is how do you get more intelligent eyes reading the code looking for this stuff. OSS isn't necessarily better, it's just that highly popular projects have lots of eyes. I know plenty of projects that get far fewer eyes and have TONS of bugs. Now that MS is being forced to be secure they are having lots of eyes so we will see in Longhorn if this improved anything.

      Open source scales well. A small project that few people take an interest in has few users and lots of bugs. It's not a big problem if the bug is exploited because only a handful of people are even using it.

      As more people use it and more people get involved more people see the code. As more people see the code, more bugs are eliminated and the code becomes better. Thus the risk of serious bugs declines as more people use the software.

      In the case of a closed source product though, the scrutiny does not scale at all. The scrutiny is a fixed value based on the company's internal policies. Given that most companies are far more concerned about time to market and profit margins, extensive security audits are seen as unneeded costs. As the product becomes larger and more complex, the likelihood of bugs developing increases, but the likelihood of a thorough review remains constant or even declines.

      --
      This sig has been temporarily disconnected or is no longer in service
    23. Re:Open Source More Secure... maybe not by vondo · · Score: 4, Insightful
      I think the point is that the fix for the bug may not have been applied, but the exploit may not work (or a different exploit would be needed) because the whole binary might have changed a little.

      When an exploit is found for, say, the Red Hat 7.3 kernel, it may not work on Red Hat 8.0 let alone Debian for just this reason. That's not to say the bug isn't present in all three.

    24. Re:Open Source More Secure... maybe not by WNight · · Score: 4, Insightful

      Part of the reason old systems don't get new OSes is that they don't need them enough to justify the cost.

      You can download RedHat 9 (10?) and upgrade some or all of your ailing RedHat 5.0 box. Either upgrade the whole thing (RH9 would do slim installs suitable for old machines) or just upgrade the old service.

      Call Microsoft and ask them if they allow free upgrades to WinXP from older OSes to fix security problems. Ask if they mind if you grab some WinXP DLLs from a friend and use them on your WinNT machine. That is, if they would work. Services in RedHat would probably work on an older machine, though they may require a parallel install of some libraries.

      Then there's the issue that even for outdated versions of software that aren't patched directly, a moderately skilled coder (perl - barely any C - like many junior unix admins) can usually adapt the fix for an older version, or use the information provided to script some firewall rules to avoid it.

      Then there's simply the fact that it's available. Even if you can't do it internally, you can pay a coder for a day of work ($250 tops - about the cost of a trouble call with big software companies) who can go grab all the source code (no NDAs required) and do the fix for you.

      If this IE5.0 fix was critical for you to have, how could you go about getting it before Microsoft got around to fixing it? Turn off images?

  2. It may not have been a secret to everyone by Anonymous Coward · · Score: 5, Insightful

    Just to those that couldn't get access to the source code. Some people with access before may have known about this for a while. Not that we'll ever know.

  3. But the question is... by Xeth · · Score: 4, Insightful

    ...if the code was open from the start, how long would this flaw have lasted?

    --
    If your theory is different from practice, then your theory is wrong.
    1. Re:But the question is... by lintux · · Score: 5, Insightful

      Yeah, but I don't expect the Microsoft PR-team to talk about that in their anti-OSS campaigns...

  4. Bugs by Agent_Number_4 · · Score: 5, Insightful
    This is just the tip of the iceberg, just imagine what could be done if the whole code was released, and included source for XP.

    I for one am truly alarmed and cannot wait for Microsoft to start the repairs; but then again this is good news for MS programmers looking for OT.

  5. Leak a good thing for MS by kyndig · · Score: 5, Insightful

    It was only 15% of the source code which leaked out, yet it will show MS in the weeks to come just how the Open Source community operates. I foresee them working overtime to provide updates to the numerous vulnerabilities which will arise due to the leaked code. This here is just one example. There were, what, some 3 million lines of code in the leaked source. It is just a matter of time. Hopefully folks will report the vulnerabilities which they find, as opposed to exploiting them.

    --
    My Thoughts, Kyndig
    1. Re:Leak a good thing for MS by Savant · · Score: 5, Insightful

      And yet those who contact Microsoft with patches for the leaked code are marking themselves as individuals who've read that code. As such, they are now fair game for Microsoft should they ever work on a piece of open source or commercial software that duplicates in some way functionality present in Windows.

      I'm staying away from the code, and if I were ever tempted to look at it and did discover a vulnerability, I certainly wouldn't release a patch with my name attached.

  6. Re:I'll be first to say it by KingOfBLASH · · Score: 5, Insightful

    > IF this is true, the release of the source is the nail in the coffin for Microsoft.

    Actually I think that, if Microsoft doesn't lose its customer base to all the exploits found, it's going to make Microsoft stronger. Think about it, right now Microsoft is receiving the same kind of security review that makes OpenSource products so strong in the first place. Granted, it's coming at a very high cost, but their source code will have much fewer bugs when this is over.

  7. Re:Smells by Xeth · · Score: 5, Insightful

    They can if the tool you use to open them is ridiculously poorly designed and permits buffer overflow (i.e. IE).

    --
    If your theory is different from practice, then your theory is wrong.
  8. Re:What the fuck? by millahtime · · Score: 4, Insightful

    > 1. load int from char array
    > 2. check int against sizeof(yourbuffer)
    > 3. reject if greater
    >
    > Not exactly a challenging task


    It all goes to the quality of the coder. This is just plain bad code. I learned how to write something to check these kinds of things in middle school.
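    The three-step check quoted above is necessary but, in a bitmap loader, not sufficient on its own: the integer overflow the story describes happens in the arithmetic that produces the size before any comparison is made. The C below is an example added here, not code from the thread or from IE; it contrasts the wrapped computation with a checked one on a constructed header, and the 12-byte header layout, the MAX_PIXELS cap and all function names are assumptions for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed 12-byte header used in this example: width, height and
 * bits-per-pixel as little-endian uint32 (not the real BITMAPINFOHEADER). */
typedef struct {
    uint32_t width;
    uint32_t height;
    uint32_t bits_per_pixel;
} bmp_hdr_t;

/* Assumed decoder policy: refuse images with more than 64M pixels. */
#define MAX_PIXELS (64u * 1024u * 1024u)

static uint32_t rd32le(const unsigned char *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Parse the constructed header; returns 1 on success, 0 if too short. */
int parse_header(const unsigned char *buf, size_t len, bmp_hdr_t *hdr) {
    if (buf == NULL || hdr == NULL || len < 12) return 0;
    hdr->width = rd32le(buf);
    hdr->height = rd32le(buf + 4);
    hdr->bits_per_pixel = rd32le(buf + 8);
    return 1;
}

/* The naive arithmetic: 32-bit unsigned multiplication wraps silently, so a
 * huge image can report a tiny (even zero) byte count. */
uint32_t naive_image_bytes(uint32_t w, uint32_t h, uint32_t bpp) {
    return w * h * (bpp / 8);
}

/* Vulnerable pattern: the "check int against sizeof(buffer)" step is present,
 * but it compares the already-wrapped value, so the check passes and a decoder
 * would later write w*h pixels into a buffer sized for far fewer. */
int unsafe_admit(const unsigned char *buf, size_t len, size_t budget) {
    bmp_hdr_t h;
    if (!parse_header(buf, len, &h)) return 0;
    uint32_t need = naive_image_bytes(h.width, h.height, h.bits_per_pixel);
    return need <= budget;            /* passes for the wrapped value 0 */
}

/* Hardened computation: validate the fields, multiply in 64 bits, and cap the
 * pixel count before the size is ever used. Returns 0 to reject. */
size_t checked_image_bytes(uint32_t w, uint32_t h, uint32_t bpp) {
    if (w == 0 || h == 0) return 0;
    if (bpp != 8 && bpp != 24 && bpp != 32) return 0;
    uint64_t pixels = (uint64_t)w * h;     /* cannot wrap: both operands < 2^32 */
    if (pixels > MAX_PIXELS) return 0;
    /* pixels <= 64M and bpp/8 <= 4, so the product fits any size_t. */
    return (size_t)(pixels * (bpp / 8));
}

int admit_image(const unsigned char *buf, size_t len, size_t budget) {
    bmp_hdr_t h;
    if (!parse_header(buf, len, &h)) return 0;
    size_t need = checked_image_bytes(h.width, h.height, h.bits_per_pixel);
    return need != 0 && need <= budget;
}

/* Constructed sample headers (little-endian): 65536 x 65536 x 32 bpp, whose
 * byte count wraps to exactly 0 in 32-bit arithmetic, and a benign 16 x 16 x 24. */
const unsigned char OVERSIZED_HDR[12] = {
    0x00, 0x00, 0x01, 0x00,  0x00, 0x00, 0x01, 0x00,  0x20, 0x00, 0x00, 0x00 };
const unsigned char SMALL_HDR[12] = {
    0x10, 0x00, 0x00, 0x00,  0x10, 0x00, 0x00, 0x00,  0x18, 0x00, 0x00, 0x00 };

int main(void) {
    size_t budget = 1024;   /* pretend the decoder has a 1 KiB pixel buffer */
    printf("oversized header: naive admits=%d, checked admits=%d\n",
           unsafe_admit(OVERSIZED_HDR, sizeof OVERSIZED_HDR, budget),
           admit_image(OVERSIZED_HDR, sizeof OVERSIZED_HDR, budget));
    printf("small header: naive admits=%d, checked admits=%d (needs %zu bytes)\n",
           unsafe_admit(SMALL_HDR, sizeof SMALL_HDR, budget),
           admit_image(SMALL_HDR, sizeof SMALL_HDR, budget),
           checked_image_bytes(16, 16, 24));
    return 0;
}
```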

  9. Outbreak and email renderer by secondsun · · Score: 4, Insightful

    If you were to embed MyDoom after the overflow area in the bitmap then when Outlook opened the file using IE's renderer, could one have MyDoom that didn't even need to have the end user open the file? It would just execute, replicate, then piss people all to hell? For that matter could I include the Windows equivalent of rm -rf / ?

    --
    There is nothing wrong with being gay. It's getting caught where the trouble lies.
    1. Re:Outbreak and email renderer by Phillup · · Score: 5, Insightful

      Congrats... you are the first post I've seen that gets one of the very important points.

      I've seen everyone say that IE 6 isn't vulnerable... and all I keep thinking is: Not to this particular instance of the exploit. That doesn't mean it is free of problems from this class of exploits.

      But, you can bet that the person that wrote this one little bit of code wrote a lot of other code. So, what you have in front of you is a class of problem that can be tried over the entire binary code base. You now know that one image handling routine is susceptible to this flaw... and now you can start targeting them all. Without needing access to the source code for that part of the software.

      Know how many times Windows (a graphical user interface) handles bitmapped files? Every one of those is a possible point of failure that you don't need the source code to find... simply start feeding something like this bmp to each of them.

      Automated testing at its finest.

      --

      --Phillip

      Can you say BIRTH TAX
  10. Re:Is it good or bad by Lifewish · · Score: 4, Insightful

    My feeling is that, in the context of preventing attacks, it's bad. With Linux, discovery almost immediately leads to a fix cos it's the same volunteer community that does the finding and the fixing, but Microsoft doesn't let the Bugtraqs of this world help. It's going to buckle under the strain of too many bugs at once.

    Of course, from the point of view of converting everyone to Linux, this can only be a good thing :)

    --
    For the love of God, please learn to spell "ridiculous"!!!
  11. Re:I'll be first to say it by HardCase · · Score: 4, Insightful
    > IF this is true, the release of the source is the nail in the coffin for Microsoft.


    Please...you might as well say that BSD is dead. Nobody is happy about all the ruckus that the whole affair is going to raise, but it's a little early to pronounce Microsoft dead.


    -h-

  12. Outlook by eth00 · · Score: 5, Insightful

    So does that mean that all the users that use Outlook could also fall prey to this? Send out spam with an image and if the Outlook user has auto preview on, which they probably do, they now can be exploited by whatever code. That would be an interesting concept that would lead to a lot of trouble. Sure IE5 is old...but lots of people still use it.

  13. The lessons learned by PierceLabs · · Score: 5, Insightful

    No system is 100% secure be it Windows or Linux.

    When people have access to the source they can more readily find exploitable mechanisms in your code. This is a GOOD thing because you want to know that your system is exploitable, how it is exploitable, and (which is the case in many open projects) how to prevent that exploit.

    Any form of content (not just scripts and ActiveX controls) can be used to exploit a weakness in a system. A security strategy that involves simply filtering content is a weak one.

    The open source community can be a powerful friend to any organization willing to take the chance on their code being available to others.

  14. Ignore it! by stuffduff · · Score: 4, Insightful
    I think the best thing we can do is to just ignore the code. That's right, I said IGNORE IT!

    Whether it's finding exploits, bugs or whatever; anything that anyone does with it will eventually make Microsoft stronger. If it's a security problem they'll fix it. Maybe Microsoft is trying to capture open source developers and their free services; I don't know.

    What I don't want to see is Microsoft making improvements on their product based on this experience. I don't want to see as much as two adjacent assembler instructions from it end up in Linux.

    If you want to do something constructive, run the 2.6 kernel and start making the supporting software more secure. Don't waste your time supporting losers like Microsoft who demand your money up front and then deliver whatever crap they feel like.

    Just ignore it!

    --
    "Can there be a Klein bottle that is an efficient and effective beer pitcher?"
    1. Re:Ignore it! by dreamchaser · · Score: 5, Insightful

      You're absolutely right that it should be ignored, but for the wrong reasons other than the fact that we shouldn't give MS free labor/programming services.

      Why don't you want to see MS software improve? My guess is that you think of your OS choice as a religion or a political statement, which makes you just as bad as pro-MS zealots.

      If MS code gets stronger and less buggy, everyone benefits. Remember how many worms have caused major Internet congestion problems? How many spammers now use trojans/worms to create relays for themselves? I don't think I'm the only advocate of Open Source who thinks that it would be a good thing to see more quality come from Microsoft.

      I'm not a fan of MS, but I am a fan of quality software. If MS can improve the stability and security of their products then it's a Good Thing(tm) for everyone, even those who don't use said products.

      The real reason to ignore the code is so that MS can't try to pull a SCO and claim that OSS projects are stealing their code.

  15. Re:huh by Dalcius · · Score: 5, Insightful

    You really are going to try and blame this guy for "possibly [exposing] thousands of users to a root exploit"?

    There are certainly other ways to go about reporting bugs (not that Microsoft will listen to any of them), but blaming the messenger for pointing out that the castle wall is full of holes is a bit misdirected if you ask me.

    Cheers

    --
    ~Dalcius
    Rome wasn't burnt in a day.
  16. Ha Ha Only Serious by American+AC+in+Paris · · Score: 5, Insightful
    More proof that code whose source is open is less secure!

    You laugh, but I won't be the least bit surprised when this very logic finds its way to the receptive ears of less-than-tech-savvy corporate officers...

    "Linux? Good god no, man! Didn't you see what happened when just a bit of the Microsoft source code got leaked? I thought you were up on these things!"

    --

    Obliteracy: Words with explosions

  17. Re:huh by iso · · Score: 5, Insightful

    That was interesting to read. It made me wonder who the people are who come up with these exploits. This person is obviously very immature, but also very knowledgeable about programming to spot something so quickly in so much code. The question is, is this a ridiculously knowledgeable 13 year old, or a well-seasoned older programmer who has the social skills of a 13 year old?

  18. Well sucks but by Tobias+Luetke · · Score: 5, Insightful

    It also shows that MS does their job.

    When Microsoft declared security as their main goal IE5 was the current browser. IE6 has it fixed so they obviously went through their stuff to fix it.

    It's very true that bounds checking errors are very easy to prevent but if you say it's sloppy programming to have errors like this in your code you either work in Java or .NET or you don't program at all. It's the price you pay for native compiled code and the main reason people are turning their backs on it.

    1. Re:Well sucks but by Nynaeve · · Score: 4, Insightful

      It doesn't mean MS found and fixed it. That particular piece of code may not be present in IE6 for a completely different reason.
      If they knew it was a security risk, they'd have fixed it in both IE5 and IE6.
      Since they didn't, you may safely conclude that MS doesn't "do their job."

  19. Re:And counting by RomikQ · · Score: 5, Insightful

    Even for an IE hole, this is pretty severe - now worms just have to send html emails with an img tag that points to a specific bitmap and voila: anyone who uses an mshtml based email client (including webmail) and hasn't updated for a while gets infected just by opening the message.

    Sure, sooner or later hotmail will stop showing bmps in messages and issue a warning like "if you get a message, do not open it, but delete immediately", but hey, I bet the amount of worm emails in my Junk mailbox will increase drastically in the next couple of weeks.

    --
    Join the elite! Post at score:2! Ghostwheel is online.
  20. Now is a good time to Burn CDs by rjamestaylor · · Score: 5, Insightful

    Burn some Live CDs to hand out to friends, family, co-workers. Introduce them to Linux and warn them of the dangers of LOOKING AT IMAGES using Internet Explorer 5.0.

    There are many good ones*. Personally I fell in love with the Knoppix 3.4 c't edition with the 2.6 kernel -- using it gave me my first experience of non-stuttering KDE with heavy loads, looping MP3s and lots of usable features (except detecting the Dell Inspiron 5150's on board WiFi -- not Centrino).

    Pick several, spend a few bucks on good CD-R discs, make a nice label with "do exactly these steps" instructions on the label.

    It's not about world domination, it's about stopping the thieving cracker spammers from gaining more zombie Windows boxes to do their bidding and ruin the Internet for the rest of us.

    * start here:
    http://www.google.com/search?q=live+cds+linux

    --
    -- @rjamestaylor on Ello
  21. Re:I'll be first to say it by bmwm3nut · · Score: 4, Insightful

    yes, but that's assuming that everyone who finds a simple exploit like this one actually reports it. i can imagine that there'd be a number of black hats that will find and use these kinds of exploits and not tell anyone how they did it.

    but i am happy that this leak happened. it just shows that the code should be out for peer review from day one. security-by-obscurity is second only to security-by-telling-people-what-not-to-do. (e.g.: "don't open that door, there's valuable stuff in that room")

  22. Re:huh by j-turkey · · Score: 5, Insightful
    > There are certainly other ways to go about reporting bugs (not that Microsoft will listen to any of them), but blaming the messenger for pointing out that the castle wall is full of holes is a bit misdirected if you ask me.

    Maybe there's something that I'm misunderstanding here. You're suggesting that he's just a messenger -- nothing more? I completely disagree. This person posted an exploit. I'm not sure how it is where you're from, but from where I sit, posting an exploit is on an entirely different level from simply telling someone that their software is full of holes (including how and where).

    To use your analogy, rather than being a messenger telling the king that his castle walls are full of holes, this is a little more like designing a weapon to destroy your castle walls, and posting the plans in every neighboring town (which somehow manage to automatically build the weapon, provided you have the right tools). All the recipients have to do is tell the device to build itself, point, and fire.

    The point is that this guy was downright irresponsible and should be treated as such. Any sane king would have beheaded this person in a royal heartbeat.

    --

    -Turkey

  23. Two Interesting Notes by Slavinski · · Score: 4, Insightful

    Being that the code leaked was Windows NT 4.0 and 2000 source codes, why are we seeing an issue with IE 5.0? Just goes to prove how close the browser was tied to the operating system.

    On a cynical note, this only bolsters security through obscurity. :) Didn't they originally claim they had fewer bugs than open source competition? With some 10% code or more leaked, there is quite a bit more worry about their own peer-review process or should I say lack of.

  24. Except... by DahGhostfacedFiddlah · · Score: 4, Insightful

    It's getting the same kind of security review - but none of the feedback. No white hat wants to admit to MS that they've seen the code, and black hats wouldn't anyway. All this may end up doing is increasing the number of "submarine" exploits out there that hackers use for their own benefit, rather than making super-viruses that make the exploit famous.

  25. Re:I'll be first to say it by Anonymous Coward · · Score: 5, Insightful

    > Granted, it's coming at a very high cost, but their source code will have much fewer bugs when this is over.

    There is only one problem: the source code is illegal.

    Most people who find and report bugs will probably never see this code, and if they do see it, they'll deny it. This means that most people looking at the source code for bugs are doing so for their own benefit.

    It'd be very naive to believe that these black hats will release information about the bugs they found. In the case of this IE5 bug we can say that the guy who found it is probably a young fellow looking for m4d pr0pz.

    IMO, this source leak is very bad for MS, for it will get the worst part of both, closed source and open source, worlds. On one hand, every bad guy out there can, and will, see the code; on the other hand every white hat is legally and ethically forbidden to look at the source.

    Unless MS is trying to pull an SCO, I can't imagine a worst scenario.

  26. Re:A quick look at the source code by W2k · · Score: 5, Insightful

    But this IE exploit shows that the author was wrong on at least one account.

    Wrong. He was right. This particular IE exploit has been fixed; it only affects an old version of IE. And IE is free, so there's no real excuse for not upgrading it. If I found a bug in an older version of an open-source app, and filed a bug report on it despite the fact that it had been fixed AGES ago in a newer version, I think I would be told to shut the fuck up and upgrade with little or no delay.

    --
    Quality, performance, value; you get only two, and you don't always get to pick.
  27. Re:Tad Sad. by Boing · · Score: 5, Insightful
    I mean, holy crap, it's too damn simple to see the bug. What kind of idiots do they have working at MS?

    Well let me ask you this... look at this brick wall. Now tell me which one of the bricks is actually a rusty piece of metal that just looks like a brick.

    It's pretty simple to see this bug now that we're looking right at it. And it obviously was not too hard to find when specifically looking for index-checking bugs. But it's even easier to let something like this slip when you're a tired microserf adding code at 4am trying to meet a deadline. And with the limited resources at Microsoft (huge as it is), that have to be divided into all the different parts of all the different software projects, it's really a hard sell to convince someone to look through all the gazillions of lines of code that have "Just Worked" in the past.

    It's easy to judge, but since we really don't know the environment in which this particular bug was introduced, I think we should cut the original programmer a little slack. (not completely, though. Some culpability is appropriate seeing as Microsoft took our money and should be somewhat responsible for the damages caused by the vulnerability of their faulty products)

  28. I posted that vulnerability on August 13, 2000 by Animats · · Score: 4, Insightful
    In this Slashdot article back in 2000, I reported that vulnerability: So this has been publicly known for years.
    • The ... decompressor for RLE-compressed .BMP files is in the kernel, and contains a buffer overflow.

    You didn't need the source code to find that problem. I found it because I was creating compressed .BMP files and accidentally created one that crashed Win2K every time.

    If Microsoft doesn't read Slashdot, that's their problem.

  29. Re:What the fuck? by prockcore · · Score: 5, Insightful


    Fuck MSFT it's called bounds checking. e.g.

    1. load int from char array
    2. check int against sizeof(yourbuffer)
    3. reject if greater


    AHahahaha, you know you just made the exact mistake MS did. You're using ints, not unsigned ints. Reject if greater does nothing if it's less than 0, which would still cause an overflow.

  30. Re:huh by SloppyElvis · · Score: 5, Insightful

    It isn't all that difficult to narrow the search when looking for exploits like this. It's surprising (or maybe it isn't) that M$ never looked for them. At our shop, it's common practice to detect dangerous code.

    Just search for all stack arrays in the source...

    $ egrep "\[[[:digit:]]+\]" ...

    ...then inspect the code for ways to read/write past the bounds. That narrows the search field quite a bit (ok, you'd miss arrays defined with #define symbols, but you'd catch the sloppy ones, which is what you want in the first place).

    Combine a search as above with one for calls to strcpy(), strcmp(), sprintf(), [or any other C runtime/misc. function that fails to check input], and you have an even smaller lump of code to inspect.

    So, the 13 year old wouldn't need extensive knowledge, just what you could glean from reading an article or two on buffer overflows. Still, I'd bet it's a seasoned socially backward individual.

    Anyway, good question to ponder.

  31. Just one little thing... by gexen · · Score: 5, Insightful

    Nobody knows how old the sourcecode actually is! Several people have used IE 5 and the exploit code does not work. The things in the code could have, and in this case, has, been fixed long ago!

  32. Re:they use GOTO? by pclminion · · Score: 4, Insightful
    My god... I thought this was one thing they taught us not to do in school. But here it is in Windows! My god, don't they screen for these things at the interview?

    You're seeing an example of one of the very few instances where goto is considered "acceptable" to use. Sometimes you code a function which winds up a lot of complicated state, and a failure halfway through requires that you "unwind" the partially constructed state. This is most easily accomplished by having a "bailout ladder" which can be jumped into (via goto) from various points in the code above.

    The only other solution involves lots of code duplication, or very bizarre function calls such as CleanupMyState(&context, 6) which just ends up using a Duff's Device in a switch() statement to simulate the use of goto in precisely such a manner, anyway.

    When you find that the cleanest way to do something is goto, then the solution is goto. What is the point in contorting your code just to follow a piece of dogma that was only meant as a guideline anyway? Remember, the point is clarity, not adherence to dogma.
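
    An added example of the "bailout ladder" the parent describes (not code from the original post or from any leaked source): a hypothetical three-step decoder setup where each label releases what the steps above it acquired. The fail_step parameter and the live-allocation counter are constructed so the unwind can be checked.

```c
#include <stdlib.h>
#include <string.h>

/* Live-allocation counter, added so the unwind can be verified. */
static int live_allocs = 0;

static void *track_alloc(size_t n) { void *p = malloc(n); if (p) live_allocs++; return p; }
static void track_free(void *p)    { if (p) { free(p); live_allocs--; } }

/* Hypothetical decoder state, built up in three steps. */
struct decoder { unsigned char *header, *palette, *pixels; };

/* fail_step 1..3 injects a failure at that step (0 = succeed), standing in
   for a bad header, palette or pixel block. Returns 0 on success, -1 after
   every partially built piece has been released. */
int decoder_init(struct decoder *d, int fail_step) {
    memset(d, 0, sizeof *d);
    d->header = track_alloc(54);
    if (!d->header || fail_step == 1) goto fail_header;
    d->palette = track_alloc(1024);
    if (!d->palette || fail_step == 2) goto fail_palette;
    d->pixels = track_alloc(4096);
    if (!d->pixels || fail_step == 3) goto fail_pixels;
    return 0;

    /* Bailout ladder: each rung releases what the step above it acquired
       and falls through to the next, so a later failure unwinds more. */
fail_pixels:
    track_free(d->pixels);  d->pixels = NULL;
fail_palette:
    track_free(d->palette); d->palette = NULL;
fail_header:
    track_free(d->header);  d->header = NULL;
    return -1;
}

void decoder_free(struct decoder *d) {
    track_free(d->pixels); track_free(d->palette); track_free(d->header);
}

/* Run one init (freeing on success). Returns the init result (0 or -1) if
   nothing leaked and no dangling pointer was left; 98/99 flag a bug. */
int init_then_count(int fail_step) {
    struct decoder d;
    int rc = decoder_init(&d, fail_step);
    if (rc == 0) decoder_free(&d);
    else if (d.header || d.palette || d.pixels) return 98;  /* pointer left dangling */
    return live_allocs != 0 ? 99 : rc;                      /* 99 = leaked allocation */
}
```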

  33. eh... its not really an IE problem... by MattyCobb · · Score: 5, Insightful

    I don't see why everyone is going crazy over this exploit. I mean really... Microsoft actually has already done something about this... it's called get the NEW version of IE. Don't get me wrong, I am a big open source supporter, but seriously... OSS would have made no difference here. Basically people just have to keep up to date with IE and patches to get around this. Same as if someone, however unlikely, found such an exploit in a Mozilla product... or some other open source browser. The fact that it is open source and someone could find the bug faster means nothing if you don't keep your software up-to-date. And no, most casual Windows users don't. And no, getting them to switch to a 'nix OS wouldn't change that.

    It's really more of an education problem than a software problem. Most computer users (not the /. crowd) have no idea what they are doing....

    At least that's my 2 cents.

    --

    Matt
    You have 1 Moderator Point! Use it or lose it! Is that a threat? -vapid
  34. Re:huh by j-turkey · · Score: 4, Insightful
    I think you are full of it. The poster has done a lot of folks a HUGE favor. If he had sat on this, and allowed MS to sit on this, possibly millions of unsuspecting IE users put their computers at risk, waiting for someone else with the knowledge to find this exploit who would use it in the wrong way.

    I think you might have your terminology backwards. Posting the vulnerability is a favor to people. Posting an exploit is a different story altogether. Since you have a hard time differentiating, let me try to help you out:

    Vulnerability: "Hey, look -- I've found this hole in IE. Here it is, fix it. Everyone else -- this software sucks. Use something else."

    Exploit: "Hey, everyone (script kiddies included) -- here's some code that I put together that exploits vulnerable boxes. You don't have to know a damn thing to root a vulnerable box. You can use this for anything, spamming, DDoS attacks, mining for credit card numbers -- it doesn't matter -- crack away, oh 31337 ones."

    Now can you tell me which is more constructive? The exploit or the vulnerability? Now remember that nobody finds an exploit -- they're all written. Vulnerabilities are found. I completely agree that vulnerabilities should be made public -- but as far as exploits -- you're dead wrong.

    Now, if you didn't have your terminology backwards, your logic is just irresponsible. How is an exploit any more helpful than a vulnerability report to bugtraq? How could it possibly benefit anyone other than the script kiddies who will eventually get their hands on this code? People need another exploit in the wild like they need another hole in the head. You will still have an opportunity to tell your friends and family about your discovery -- only you'll have time to tell them to update their browser...not that they've probably been rooted.

    PS -- next time, if you're less confrontational in your replies -- you will likely receive more friendly responses...ass.

    --

    -Turkey

  35. Re:What the fuck? by spectecjr · · Score: 4, Insightful

    Fuck MSFT it's called bounds checking. e.g.

    1. load int from char array
    2. check int against sizeof(yourbuffer)
    3. reject if greater

    Not exactly a challenging task. I guess they're too busy adding in all that crapware to actually code at least one thing right.


    I guess you missed the original article, brainiac, but your code is flawed.

    "Reject if greater" will fail if int is negative.

    But hey, thanks for proving that you're as dumb as a box of rocks.

    --
    Coming soon - pyrogyra
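
    An added example for the point made here and in comment 29 above (not code from the original article or from any leaked source): the same length check written with a signed int, which lets a negative length through, beside a version that uses an unsigned length and also bounds it by the bytes actually present. The [4-byte length][payload] record layout and the sample records are constructed for the example, not the real .BMP format.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define BUF_SIZE 64   /* fixed-size destination buffer */

/* Little-endian 32-bit read. The record layout assumed here,
   [4-byte length][payload], is constructed for this example. */
static uint32_t le32(const unsigned char *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* The check as the parent comment describes it: length in a signed int,
   "reject if greater". Returns 1 if the record would be copied, 0 if
   rejected. No copy is performed: an accepted negative length would be
   converted to a huge size_t and overrun the buffer. */
int flawed_check(const unsigned char *rec, size_t rec_len) {
    int len;
    if (rec_len < 4) return 0;
    len = (int)le32(rec);          /* 0xFFFFFFFF becomes -1 on two's-complement hosts */
    if (len > BUF_SIZE) return 0;  /* -1 > 64 is false, so the record is accepted */
    return 1;
}

/* Hardened version: unsigned length, bounded by the destination size and
   by the bytes actually present. Returns bytes copied, or -1 on rejection. */
long checked_copy(const unsigned char *rec, size_t rec_len, unsigned char *dst) {
    uint32_t len;
    if (rec_len < 4) return -1;
    len = le32(rec);
    if (len > BUF_SIZE) return -1;     /* would not fit the destination */
    if (len > rec_len - 4) return -1;  /* declared length exceeds payload present */
    memcpy(dst, rec + 4, len);
    return (long)len;
}

/* Constructed sample records. */
const unsigned char kGoodRec[] = { 8, 0, 0, 0, 'a','b','c','d','e','f','g','h' };
const unsigned char kNegRec[]  = { 0xFF, 0xFF, 0xFF, 0xFF };   /* length -1 as int, 4294967295 unsigned */
const unsigned char kBigRec[]  = { 0x00, 0x01, 0, 0 };         /* length 256, no payload */
unsigned char scratch[BUF_SIZE];
```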
  36. Re:Open Source Coders by Vegeta99 · · Score: 4, Insightful

    Doing ANYTHING with the code, good or bad is illegal. So if we DID make a patch, we couldn't claim we did.

  37. Re: Not running as Admin or Root != safe by Lord+Bitman · · Score: 4, Insightful

    This is an exploit which affects Users, running a WEB BROWSER. Please tell me one single (however insignificant) thing a Normal User who is running a web BROWSER could possibly give half a fuck about which requires administrator privileges.

    Separate user accounts, securing the system itself, etc, that is _ONLY_ security-related when you are the administrator of a server and require your box be up 24/7 (or at least somewhat often)

    Think about it for two seconds: You're a normal user, you're using your personal computer. Hell, you're using it to surf the web, this isn't any system which other people are dependent on having a high uptime or anything. You go to a webpage, and some arbitrary code gets executed.
    What files could be affected? Well, you're running as a normal user, so luckily for you only the files which you give a shit about will be harmed, while the easily replaceable part of the system remains intact.

    This whole "multiple accounts == security" line is pure bullshit extract. The files which a USER, not a System Administrator, cares about, are files which that USER created, downloaded, edited, etc. Files which the User has access to.
    If some malicious code executes as root/Admin, so what? Your important files are trashed and you need to spend an extra hour reconfiguring your system? That extra hour or two doesn't mean squat compared to the years it may take to restore the files which you created personally.

    "You Should Keep Backups anyway" is Irrelevant. As that can just as easily be applied to root-accessible files, the point is that non-admin privs are just as bad as admin privs on a personal system.
    And this exploit _is_ talking about a personal system, unless you're in the habit of running IE5 on a high-priority server instead of the laptop sitting next to it.

    --
    -- 'The' Lord and Master Bitman On High, Master Of All