Exploit Based On Leaked Windows Code Released
mischief writes "A post to Bugtraq from SecurityTracker.com reports an Internet Explorer 5 exploit that has been released based on the Win2K code leak: 'It is reported that a remote user can create a specially crafted bitmap file that, when loaded by IE, will trigger an integer overflow and execute arbitrary code.' Only affects IE 5 apparently, but still - it didn't take long!"
Oops... we just gave MS a chance to say keeping the source secret keeps flaws like this secret as well. :)
Just to those that couldn't get access to the source code. Some people with access before may have known about this for a while. Not that we'll ever know.
I for one am truly alarmed and cannot wait for Microsoft to start the repairs; but then again this is good news for MS programmers looking for OT.
It was only 15% of the source code which leaked out, yet it will show MS in the weeks to come just how the Open Source community operates. I forsee them working over time to provide updates to the numerious vulnerabilities which will arise due to the leaked code. This here is just one example. There were some what, 3 million lines of code in the leaked source. It is just a matter of time. Hopefully folks will report the vulnerabilities which they find, opposed to exploiting them.
My Thoughts, Kyndig
Actually I think that, if Microsoft doesn't lose it's customer base to all the exploits found, it's going to make Microsoft stronger. Think about it, right now Microsoft is receiving the same kind of security review that makes OpenSource products so strong in the first place. Granted, it's coming at a very high cost, but their source code will have much fewer bugs when this is over.
They can if the tool you use to open them is ridiculously poorly designed and permits buffer overflow (i.e. IE).
If your theory is different from practice, then your theory is wrong.
So does that mean that all the users that use outlook could also fall prey to this? Send out spam with image and if the outlook user has auto preview on, which they probably do they now can be exploited by whatever code. That would be an interesting concept that would lead to alot of trouble. Sure IE5 is old...but lots of people still use it.
No system is 100% secure be it Windows or Linux.
When people have access to the source they can more readily find exploitable mechanisms in your code. This is a GOOD thing because you want to know that your system is exploitable, how it is exploitable, and (which is the case in many open projects) how to prevent that exploit.
Any form of content (not just scripts and ActiveX controls) can be used to exploit a weakness in a system. A security strategy that involves simply filtering content is a weak one.
The open source community can be a powerful friend to any organization willing to take the chance on their code being available to others.
You really are going to try and blame this guy for "possibly [exposing] thousands of users to a root exploit"?
There are certainly other ways to go about reporting bugs (not that Microsoft will listen to any of them), but blaming the messenger for pointing out that the castle wall is full of holes is a bit misdirected if you ask me.
Cheers
~Dalcius
Rome wasn't burnt in a day.
You laugh, but I won't be the least bit surprised when this very logic finds its way to the receptive ears of less-than-tech-saavy corporate officers...
"Linux? Good god no, man! Didn't you see what happened when just a bit of the Microsoft source code got leaked? I thought you were up on these things!"
Obliteracy: Words with explosions
That was interesting to read. It made me wonder who the people are who come up with these exploits. This person is obviously very immature, but also very knowlegable about programming to spot something so quickly in so much code. The question is, is this a ridiculously knowledgable 13 year old, or a well-seasoned older programmer who has the social skills of a 13 year old?
It also shows that ms does their job.
.net or you don't programm at all. Its the price you pay for native compiled code and the main reason people are turning their backs on it.
When microsoft declared security as their main goal ie5 was the current browser. ie6 has it fixed so they obviously wen't trough their stuff to fix it.
Its very true that bounds checking errors are very easy to prevent but if you say its sloppy programming to have errors like this in your code you either work in java or
Even, for an IE hole, this is pretty severe - now worms just have to send html emails with an img tag that points to a specific bitmap and voila: anyone who uses an mshtml based email client(including webmail) and hasn't updated for a while gets infected just by opening the message.
Sure, sooner or later hotmail will stop showing bmps in messages and issue a warning like "if you get a message, do not open it, but delete immediatly", but hey, I bet the amount of worm emails in my Junk mailbox will increase drastically in the next couple of weeks.
Join the elite! Post at score:2! Ghostwheel is online.
Burn some Live CDs to hand out to friends,
n ux
family, co-workers. Introduce them to Linux and
warn them of the dangers of LOOKING AT IMAGES
using Internet Explorer 5.0.
There are many good ones*. Personally I fell in
love with the Knoppix 3.4 c't edition with the
2.6 kernel -- using it gave me my first
experience of non-stuttering KDE with heavy
loads, looping MP3s and lots of useable features
(except detecting the Dell Inspiron 5150's on
board WiFi -- not Centrino).
Pick several, spend a few bucks on good CD-R
discs, make a nice label with "do exactly these
steps" instructions on the label.
It's not about world domination, it's about
stopping the theiving cracker spammers from
gaining more zombie Windows boxes to do their
bidding and ruin the Internet for the rest of us.
* start here:
http://www.google.com/search?q=live+cds+li
-- @rjamestaylor on Ello
Yeah, but I don't expect the Microsoft PR-team to talk about that in their anti-OSS campaigns...
Maybe there's something that I'm misunderstanding here. You're suggesting that he's just a messenger -- nothing more? I completely disagree. This person posted an exploit. I'm not sure how it is where you're from, but from where I sit, posting an exploit is on an entirely different level from simply telling someone that their software is full of holes (including how and where).
To use your analogy, rather than being a messenger telling the king that his castle walls are full of holes, this is a little more like designing a weapon to destroy your castle walls, and posting the plans in every neighboring town (which somehow manage to automatically build the weapon, provided you have the right tools). All the recipients have to do is tell the device to build itself, point, and fire.
The point is that this guy was downright irresponsible and should be treated as such. Any sane king would have beheaded this person in a royal heartbeat.
-Turkey
You're absolutely right that it should be ignored, but for the wrong reasons other than the fact that we shouldn't give MS free labor/programming services.
Why don't you want to see MS software improve? My guess is that you think of your OS choice as a religion or a political statement, which makes you just as bad as pro-MS zealots.
If MS code gets stronger and less buggy, everyone benefits. Remember how many worms have caused major Internet congestion problems? How many spammers now use trojan's/worms to create relays for themselves? I don't think I'm the only advocate of Open Source who thinks that it would be a good thing to see more quality come from Microsoft.
I'm not fan of MS, but I am a fan of quality software. If MS can improve the stability and security of their products then it's a Good Thing(tm) for everyone, even those who don't use said products.
The real reason to ignore the code is so that MS can't try to pull a SCO and claim that OSS projects are steaing their code.
Granted, it's coming at a very high cost, but their source code will have much fewer bugs when this is over.
There is only one problem: the source code is ilegal.
Most people who find and report bugs will probably never see this code, and if they do see it, they'll deny it. This means that most people looking at the source code for bugs are doing so for their own benefit.
It'd be very naive to believe that these black hats will release information about the bugs they found. In the case of this IE5 bug we can say that the guy who found it is probably a young fellow looking for m4d pr0pz.
IMO, this source leak is very bad for MS, for it will get the worst part of both, closed source and open source, worlds. In one hand, every bad guy out there can, and will, see the code, in the other hand every white hat is legally and ethically forbidden to look at the source.
Unless MS is trying to pull an SCO, I can't imagine a worst scenario.
But this IE exploit shows that the author was wrong on at least one account.
Wrong. He was right. This particular IE exploit has been fixed; it only affects an old version of IE. And IE is free, so there's no real excuse for not upgrading it. If I found a bug in an older version of an open-source app, and filed a bug report on it despite the fact that it had been fixed AGES ago in a newer version, I think I would be told to shut the fuck up and upgrade with little or no delay.
Quality, performance, value; you get only two, and you don't always get to pick.
Congrats... you are the first post I've seen that gets one of the very important points.
I've seen everyone say that IE 6 isn't vulnerable... and all I keep thinking is: Not to this particular instance of the exploit. That doesn't mean it is free of problems from this class of exploits.
But, you can bet that the person that wrote this one little bit of code wrote a lot of other code. So, what you have in front of you is a class of problem that can be tried over the entire binary code base. You now know that one image handling routine is succeptible to this flaw... and now you can start targeting them all. Without needing access to the source code for that part of the software.
Know how many times Windows (a graphical user interface) handles bitmapped files? Every one of those is a possible point of failure that you don't need the source code to find... simply start feeding something like this bmp to each of them.
Automated testing at it's finest.
--Phillip
Can you say BIRTH TAX
Well let me ask you this... look at this brick wall. Now tell me which one of the bricks is actually a rusty piece of metal that just looks like a brick.
It's pretty simple to see this bug now that we're looking right at it. And it obviously was not too hard to find when specifically looking for index-checking bugs. But it's even easier to let something like this slip when you're a tired microserf adding code at 4am trying to meet a deadline. And with the limited resources at Microsoft (huge as it is), that have to be divided into all the different parts of all the different software projects, it's really a hard sell to convince someone to look through all the gazillions of lines of code that have "Just Worked" in the past.
It's easy to judge, but since we really don't know the environment in which this particular bug was introduced, I think we should cut the original programmer a little slack. (not completely, though. Some culpability is appropriate seeing as Microsoft took our money and should be somewhat responsible for the damages caused by the vulnerability of their faulty products)
Fuck MSFT it's called bounds checking. e.g.
1. load int from char array
2. check int against sizeof(yourbuffer)
3. reject if greater
AHahahaha, you know you just made the exact mistake MS did. You're using ints, not unsigned ints. Reject if greater does nothing if it's less than 0, which would still cause an overflow.
It isn't all that difficult to narrow the search when looking for exploits like this. Its surprising (or maybe it isn't) that M$ never looked for them. At our shop, its common practice to detect dangerous code.
...
...then inspect the code for ways to read/write past the bounds. That narrows the search field quite a bit (ok, you'd miss arrays defined with #define symbols, but you'd catch the sloppy ones, which is what you want in the first place).
Just search for all stack arrays in the source...
$ egrep "\[[:digit:]+\]"
Combine a search as above with one for calls to strcpy(), strcmp(), sprintf(), [or any other C runtime/misc. function that fails to check input], and you have an even smaller lump of code to inspect.
So, the 13 year old wouldn't need extensive knowledge, just what you could glean from reading an article or two on buffer overflows. Still, I'd bet its a seasoned socially backward individual.
Anyway, good question to ponder.
Nobody knows how old the sourcecode actually is! Several people have used IE 5 and the exploit code does not work. The things in the code could have, and in this case, has, been fixed long ago!
i dont see why everone is going crazy over this exploit. i mean really... microsoft actually has already done something about this... its called get the NEW version of IE. Don't get me wrong, I am a big open source supporter, but seriously... oss would have made no difference here. Basically people just have to keep up to date with IE and patches to get around this. Same as if someone, however unlikely, found such a exploit in a mozilla product... or some other open source browser. the fact that it is open source and someone could find the bug faster means nothing if you dont keep your software up-to-date. And no, most casual Windows users don't. and no getting them to switch to a 'nix OS wouldn't change that.
/. crowd have no idea what they are doing....
its really more of an education problem than a software problem. most computer users (not the
at least thats my 2 cents.
Matt
You have 1 Moderator Point! Use it or lose it! Is that a threat? -vapid