Exploit Based On Leaked Windows Code Released
mischief writes "A post to Bugtraq from SecurityTracker.com reports an Internet Explorer 5 exploit that has been released based on the Win2K code leak: 'It is reported that a remote user can create a specially crafted bitmap file that, when loaded by IE, will trigger an integer overflow and execute arbitrary code.' Only affects IE 5 apparently, but still - it didn't take long!"
that the source was released? In a way it's good: bugs will be identified. In another it's bad: bugs will be exploited way faster.
A psychopath can't tell the difference between right and wrong. A sociopath knows the difference - he just doesn't care.
Wouldn't it be interesting to see the patch come out later today, from an anonymous source!
I really hate signatures, but go to my website.
So, what is this... like the 10,000th IE security hole reported in the last couple of years. Why write another IE virus? Is there really any challenge left?
Evolution or ID?
An exploit this quick? There's going to be some serious happenings going on at Microsoft. Also look for another Longhorn delay sometime due to everything that is found out.
I'm not sure what to think. I'm not happy that when I get back to work this summer, I'm going to spend way too much time fighting these problems/viruses and patching things up. I'm not happy businesses are losing money. I am, however, happy that Microsoft is forced to clean up their act even more, or they are going to lose market share.
Open source isn't 'communistic' -- it's capitalistic. Why? It increases competition.
We have an interesting 6 months ahead of us, folks.
Berto
"In short, there is nothing really surprising in this leak. Microsoft does not steal open-source code. Their older code is flaky, their modern code excellent. Their programmers are skilled and enthusiastic. Problems are generally due to a trade-off of current quality against vast hardware, software and backward compatibility."
But this IE exploit shows that the author was wrong on at least one account:
"The security risks from this code appear to be low. Microsoft do appear to be checking for buffer overruns in the obvious places. The amount of networking code here is small enough for Microsoft to easily check for any vulnerabilities that might be revealed: it's the big applications that pose more of a risk. This code is also nearly four years old: any obvious problems should be patched by now".
-------
Warning: Slashdot may contain traces of nuts.
exactly, it almost seems they intentionally released it so that the crackers can take a crack at finding new exploits so MS can fix them... they seem to understand the benefits of open source, but want to take advantage of it while still keeping things closed.
or, one of the offshore programmers was stuck trying to fix a bug and posted a question to a board somewhere and put the code up so people could help fix it.
nyeh.
If you are running Freenet's unstable branch, you can download it from here. Its about 200MB and will take a few hours to download (Freenet is averaging about 30k/sec these days). I grabbed it and it looks like the real thing.
According to my logs 20 - 30%* of the people browsing with IE are still using 5.x.
I know, UAs get faked all the time...
* Depends on which site you look at.
I'm a bit confused.
:p
I mean, I've been doing C for almost 20 years. One of the first lessons I learned --And not for 'security' so much as crash free programs-- was not to do such things.
I mean, holy crap, it's too damn simple to see the bug. What kind of idiots do they have working at MS?
"The Very Best Kind"
"...In your answer, ignore facts. Just go with what feels true..."
That's exactly the point -- it's impossible to keep source code secret, as this proves.
Oops... we just gave MS a chance to say keeping the source secret keeps flaws like this secret as well. :)
And you guys moderated this post of mine funny.
Bwah-hahah-ha!
Yeah, Ok, I was trying to be funny, but I guess I underestimated the truly innovative quality of Microsoft's incompetence.
Opinions on the Twiddler2 hand-held keyboard?
I haven't looked at the code published in the exploit description. It is MS code and if I had looked all future work by me would be compromised. I will demonstrate in court that I closed my eyes just before looking at the code. I can't tell you what's in there, but there must be some M$ IP.
You haven't looked, have you?
Funny thing. I can easily envision people stamping out T-shirts with pieces of the MS Windows source on them. Would I be tainted if I incidentally stumbled across one in the street? Would that person be potentially held liable by all programmers or future programmers he/she meets?
dumbasses..... but doesn't posting that source code there make slashdot liable to microsoft's evil wrath?
Bigbowser.
..that the "many eyes" tenet of open source really DOES work!
Also known as: Was this fixed long before the fact? Does IE 5.5 contain this same vulnerability?
Sticking with Win2K for a moment, IE5.5 is part of SP4. Office 2K SR-1 or later needs IE5.5. Who is still running IE5 (not .5 or any of .5's service packs) that would be vulnerable to this, and are the folks who run 5.5 (sp1/sp2?) for some reason still vulnerable?
Use Evolution instead of Outlook? Bewa
IMHO exploit authors prefer windows simply because they want to maximize their impact. Why spend all those hours writing a virus when it will only cause problems for a few percent of the computers out there. I would think they get much more satisfaction when they see "500 million" machines infected on CNN.
I think you'll find that the more 'serious' crackers who aren't interested in harvesting boxes for DDoS purposes will be going after servers. And looking at how many servers run *NIX, Linux is going to be a very popular target, especially since many services are shared.
With high quality crackers going after Linux boxes, I think either A) somehow nobody outside of the cracker community hears about exploits and companies are keeping quiet when they get hit, or B) OSS really does have an edge.
I'm more inclined to believe the latter.
Cheers
~Dalcius
Rome wasn't burnt in a day.
The counterargument(s) to that point is...
- Since the Linux kernel got started it was open, and it had a lot LESS flaws than Windows during the same time period.
- With code open to everybody, the credibility of the writers depends on the quality at which they were assessed, and so they must write good code.
- Windows, being closed in nature, can hide their flaws to an extent, until they were opened like so. Still, when it was closed it didn't stop hackers from finding holes.
Please direct all bug reports to
There seems to be an average of at least 1 attack a month on an enemy of open source so far (SCO/MyDoom, M$/source leak). So needless to say, who's next?
Wow, now we get a peek at the much coveted MS source code, that BSODs all day, has a new virus attacking it every week, and generally frustrates users.
I wonder who will be the first to incorporate this leaked source. Judging by the exploit found, it's no wonder they want to keep the code secret.
"Bill Gates can't guarantee Windows to work. How can you guarantee me that?" John Crichton
I am Bennett Haselton! I am Bennett Haselton!
This is moderated as funny... but it's true. You can even get software to automate the process. It just sends random keypresses and mouseclicks to the application under test, very very fast. You leave it running overnight. If your application is still stable the next day, it passed.
It's scary how many bugs a simple test like this can throw up...
The image file ISN'T running a command. I'm not claiming that I understand the code or what specifically triggers the problem [negative offsets or something], but there is something special about the bitmap image that causes the rendering program to break in such a way that data in the image can be copied into memory and then executed.
Images are just data and everyone agrees with that, but you can display source code [C, perl whatever] as a bitmap file if you really want to, in numerous ways. Won't look like much, but you can't deny that the code is now a picture. Why can't a picture be formatted in such a way as to be interpreted as code.
The problem here is the renderer [have I mentioned that already], not the picture.
As a kernel developer I'm familiar with the number of people who audit stuff put into the Linux kernel. To get a patch approved, you usually need to convince 4 or 5 people that your patch is a good idea. You could get away with 1 (Linus), but the top people are unlikely to consider your patch if it hasn't been approved by their chain of command first. All of those people examine it for functionality, stability and security. The higher level ones usually won't look at it very closely, but I imagine core kernel code gets a lot more attention than device drivers.
You also post it to the LKML. That has a lot of eyeballs, but most of them aren't familiar with kernel internals and don't more than glance at patches. If you're lucky (although perhaps lucky isn't the word) you'll get twenty skilled eyeballs looking at and criticizing your code. Most times the number is only two or three, and it can be even fewer.
If you take an average of ten knowledgeable people examining your code, then I think you can agree that it is plausible that Microsoft has just as thorough a review as critical OSS projects like Linux. Four or five people looking at code before a commit would put it within a factor of two of Linux. The skill of the people doing the audit would be much more important at this stage.
Once you get a release of Windows code, no one examining it in the general community is knowledgeable about Windows specifics, but it may get a lot of attention from a lot of skilled people, just because of the novelty. I would think that parts of it will be subject to much more scrutiny than Windows or Linux source code usually ever is.
Why is it that Windows can be exploited so handily by exposing the source code and Linux is so hard to exploit despite its source code being 100% open to everyone on earth??
Think about it, the conspiracy theorists are right - the leak was on purpose. Call it Phantom Open Sourcing: pretend to leak your buggy source code, lots of programmers look it over and find all sorts of problems for free! All their developers continue working on new products and a few are assigned to make the new updates compliments of the leak. This will be hailed as the most brilliant management cost cutting strategy in history.
As long as RedHat and SuSe? Sure, they might not have a stranglehold on the market like they do now, but they'd likely turn a profit.
If your theory is different from practice, then your theory is wrong.
You are allowed to use copyrighted information to some extent for certain purposes such as education, parody, etc. You can use a small clip from a song, you can display a paragraph from a book, etc. I doubt anyone would consider showing 10 lines or so of source code out of millions a copyright violation. The grandparent post is obviously for education purposes only : )
If Tyranny and Oppression come to this land,
it will be in the guise of fighting a foreign enemy. -James Madison
FTE's who will likely be the ones writing the code to replace the bad code found will not get OT. Only the contractors get it, and then it has to be pre-approved (and guess what, if you're a contractor responsible for writing bad code, if they let you keep your job, you sure ain't getting OT for fixing your mistake).
:)
Also, those who code reviewed the offending code and let it through are likely to lose their jobs.
All in all, heads are going to be chopped on the main campus. Cutler will have to reshuffle his team, and there's a few FTE's sweating right now.
Which is why you load unsigned values. By "int" I meant "an integer".
For example, from my LibTomCrypt, a macro to load a variable length mp_int [mycrypt_pk.h INPUT_BIGNUM]; the logic works as follows
1. inlen == sizeof input
2. y = 0, current offset
for all bignums
1. if y + 4 > inlen return error
2. load 32-bit unsigned into x, advance by 4
3. if x+y > inlen return error
4. load x byte mpint
5. check if mpint loads correctly.
[I'm in the middle of doing massive updates to my PK code though...;-)]
But that's the gist of it. Really simple, and since I use macros I only have to work out/code the logic once.
Tom
Someday, I'll have a real sig.
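The five-step loader described above, written out as an added example (this is not LibTomCrypt's own macro; the bignum_view type and the well-formedness check stand in for mp_int and its decode routine, and both bounds checks are written as subtractions so that a huge length field cannot wrap the comparison on a 32-bit build):

```c
#include <stddef.h>
#include <stdint.h>

/* A loaded big-number field: a view into the input buffer. Hypothetical
 * stand-in for LibTomCrypt's mp_int so the example needs no library. */
typedef struct {
    const unsigned char *data;
    uint32_t len;
} bignum_view;

enum { LOAD_OK = 0, LOAD_ERR_TRUNCATED = -1, LOAD_ERR_BAD_VALUE = -2 };

/* Read a 32-bit big-endian unsigned length. Unsigned on purpose: a signed
 * load would let a crafted 0x80000000 become negative and pass a "> inlen"
 * test while still addressing a huge copy. */
static uint32_t load_u32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Stand-in for "check if mpint loads correctly": nonempty, no leading zero. */
static int bignum_well_formed(const bignum_view *b)
{
    return b->len > 0 && b->data[0] != 0;
}

/* Load `count` length-prefixed big numbers from input[0..inlen).
 * y is the current offset; y <= inlen is a loop invariant. */
int load_bignums(const unsigned char *input, size_t inlen,
                 bignum_view *out, size_t count)
{
    size_t y = 0;
    for (size_t i = 0; i < count; i++) {
        /* Step 1: need 4 bytes for the length. inlen - y cannot underflow. */
        if (inlen - y < 4)
            return LOAD_ERR_TRUNCATED;
        /* Step 2: load the 32-bit unsigned length, advance by 4. */
        uint32_t x = load_u32(input + y);
        y += 4;
        /* Step 3: payload must fit in what remains. Written as x > inlen - y
         * rather than x + y > inlen, since the sum can wrap on 32-bit size_t. */
        if (x > inlen - y)
            return LOAD_ERR_TRUNCATED;
        /* Step 4: take the x-byte payload as a view (no copy needed). */
        out[i].data = input + y;
        out[i].len = x;
        y += x;
        /* Step 5: make sure the number itself decodes. */
        if (!bignum_well_formed(&out[i]))
            return LOAD_ERR_BAD_VALUE;
    }
    return LOAD_OK;
}

/* Constructed sample inputs for demonstration. */
static const unsigned char good_blob[] = {
    0,0,0,2, 0x12,0x34,        /* bignum #1: 2 bytes */
    0,0,0,1, 0x07              /* bignum #2: 1 byte  */
};
static const unsigned char huge_len_blob[] = {
    0xFF,0xFF,0xFF,0xFE, 0xAA  /* claims ~4 GiB, only 1 byte follows */
};
static const unsigned char short_blob[] = { 0,0,0,5, 0x01,0x02 }; /* 5 claimed, 2 present */
static const unsigned char zero_lead_blob[] = { 0,0,0,2, 0x00,0x09 };

int demo_good(void)      { bignum_view v[2]; return load_bignums(good_blob, sizeof good_blob, v, 2); }
int demo_huge(void)      { bignum_view v[1]; return load_bignums(huge_len_blob, sizeof huge_len_blob, v, 1); }
int demo_short(void)     { bignum_view v[1]; return load_bignums(short_blob, sizeof short_blob, v, 1); }
int demo_zero_lead(void) { bignum_view v[1]; return load_bignums(zero_lead_blob, sizeof zero_lead_blob, v, 1); }
```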
How many people haven't tried writing their own image file readers/writers, got a few conditionals wrong and written out a dodgy image file that crashes their own applications, the PC, let alone the desktop?
Given Windows XP's ability to display thumbnail views of JPGs, TIFs and MPGs (even though it can display the first frame of MPG-2, but not actually play the movie), there could be some serious fun to be had there...
if (!Read(abDummy, cbSkip))
goto Cleanup;
My god... I thought this was one thing they taught us not to do in school. But here it is in Windows! My god, don't they screen for these things at the interview?
Is that what you meant to say? :) It's plain from this first exploit that basic coding security precautions are not being followed (or retroactively applied) at Microsoft.
I'm bracing for the coming flood of exploits. The OSS community may prove themselves honorable and pitch in to help, but it's the script kiddies, and those whose moral compass is broken, that I'm worried about.
Big Daddy, Johnny, Burp, Aunt Zelda, Scott, Slurp, Big Momma
Or, you can say that it's impossible to keep the source closed up in today's world of outsourcing, irate employees and whatnot. So the best way to adapt is to keep it open so there are no surprises. ;)
2 years and no mod points. Join reddit. Because openness is good.
Ah, OK. Is there any well-defined point at which it ceases to be a trade secret (on account of everyone and his dog having a copy[0])?
Also, is it slashdot, the comment poster, or both, who is screwed?
[0] Note: I don't have a copy.
"'I pass the test,' she said. 'I will diminish, and go into the West, and remain Galadriel.'"
- JRR Tolkien.
Now, IE6, which is not at risk, has far surpassed the at-risk version in usage.
References, please. I know of some companies that will NOT move to IE 6.0 because of increased vulnerabilities that do not exist in 5.0 or 5.5. I myself have had bad experiences with IE 6.0. Where did you get your facts?
These "easy to find" bugs were probably fixed in the huge code audit that MS did as part of their security initiative that happened AFTER the date of the leaked code.
Not to say your point isn't valid, just that the real question is how do you get more intelligent eyes reading the code looking for this stuff. OSS isn't necessarily better, it's just that highly popular projects have lots of eyes. I know plenty of projects that get far fewer eyes and have TONS of bugs. Now that MS is being forced to be secure they are having lots of eyes, so we will see in longhorn if this improved anything.
I will say this, it's easier to trust something that you can look through yourself; it may not be safer but you like it better because if you wanted you could see what was wrong. It's like driving a car vs riding with someone. You are often more at ease when you are behind the wheel because you can see/make/correct the mistakes, whereas with another person driving you just have to trust. It has nothing to do with which driver is better.
I will say that linux and apache are just great projects with hordes of great developers. It's a testament to the possibilities of the open source model, but it's not proof that the model is better. There are plenty of OSS projects that just suck, and those don't show me that the model is broken.
Finally I will say there isn't the same incentive to make perfect code in a corporation that there is in the OSS community. The corporation is only going to do enough to get the money rolling in because the money is the reward. The OSS programmer is going to write to the very best of his ability because the code itself is the reward. Still doesn't make one model necessarily better than the other. The way we will make microsoft improve its products is quit upgrading until they can prove they have a superior product. It seems from the press releases that the pressure of Linux may actually be forcing MS to improve.
"You can now flame me, I am full of love,"
check out http://www.dcs.ed.ac.uk/home/mxr/gfx/2d-hi.html lots of good info on 2d formats, tiff is a good read, bmp is a pretty shitty format anyway. As for why it's upside down, why not?
Well art is art isn't it, but then again water is water; and east is east; and west is west; and if you take cranberries
Or, you can say that keeping the source locked down is impossible these days given irate employees and outsourcing.
2 years and no mod points. Join reddit. Because openness is good.
My guess is they would say "We don't support IE5 anymore. Upgrade to IE6SP1". Followed by legal action against you for disclosing M$ trade secrets.
"Freedom means freedom for everybody" -- Dick Cheney
Consider this. MS leaks the code through a vendor of a previous version intentionally. There are two benefits:
1. proper QA is done right, as only open source can allow (they get the benefit of QA that only the dynamics of open source allows, all without acknowledging open source has a superior model in this aspect)
2. they can push XP as a superior OS, and get more users to upgrade to XP and drop 2000/NT
Does anybody else see this?
It's got to be interesting to run over the whole thing with something like valgrind. Not that I'm going to try, nor do I want a copy of their code anywhere near me.
C|N>K
There are also no exposed pointers in Java, thus no way to clobber the stack by writing to a negative array offset, as in this exploit. Reading or writing to a negative array offset in Java will result in a RuntimeException of some sort. Buffer overflows are also impossible in Java, since writing off the end of an array will result in a similar exception.
Both parties are irresponsible. Microsoft is notorious for doing nothing about security holes which are pointed out to them. Their inaction leads to people bypassing Microsoft altogether and just posting exploits in an attempt to force the matter. DOJ is supposed to go after Microsoft when they sit on their ass instead of fixing security holes, but we've all seen how well that has worked out.
The "good citizen" thing to do would be to contact Microsoft, inform them of the security hole, the sample exploit and a patch. But, since this is taken from illegally obtained source code I doubt the author wants to risk it. In the end, this is just the result of Microsoft treating security problems as PR problems.
My bet is that if they do anything at all about this, Microsoft will simply bitch. As is typical with Microsoft, a security hole is just another PR issue -- in this case an opportunity to spread Open Source FUD. It will still take Microsoft forever to patch this, despite having exploit code, identification of the hole and an obvious means to correct the problem.
Part of obtaining Palm Certification for your software involves surviving the Gremlins. You can't use the Palm logo on your program without it. It's even built into their emulator right on the menu. And yes you find some weird shit.
I worked at MS once (hated it, quit) and the bug tracking system had a category of "won't fix" bugs - bugs they knew about but had no intention of fixing.
No electrons were harmed creating this post, though some may have been subjected to electrical and/or magnetic fields.
This is really easy. Back in the good old days, when developers measured memory in kilobytes rather than megabytes, and cpu speeds were expressed in single digit mhz rather than single digit ghz, performance was a BIG issue. The layout of the data inside a bitmap was set up to mimic the memory layout of a video card, so that you could literally just copy the data with no transforms.
Over time, video memory layouts changed, computers got faster, and now have more on-cpu cache than they used to have memory. The rage in software development has come full circle. Instead of trying to optimize things to see how efficiently they can be written, it seems to be a goal to see how much overhead one can put into a given application before it actually starts to do something useful. Some things though seem to be trapped in their legacy heritage, and the format of a bitmap is one of them.
But I think the point is that it was leaked. That nobody can keep an eye on their code if it is used this widely. If the code had been under public scrutiny since day one, more flaws would be found, but the overall code would be stronger, not weaker. This is why everyone can complain about tons of holes in linux, but miss the fact that just as many (if not more) exist in windows, and it's just a matter of time before they get found out. With Linux, you have to take the attitude, the sooner, the better.
Monkey Lives
/me whistles innocently...
[cramer:ttyp1]dominion:~/[1:38pm]:uname -a
Linux dominion 2.3.42-SMP #11 SMP Sun Feb 6 20:06:02 EST 2000 i686
[cramer:ttyp1]dominion:~/[1:38pm]:cat /etc/redhat-release
release 4.1 (Vanderbilt)
[ttyp0]foobar:~/[2:46pm]:uname -a
Linux foobar 2.3.18-SMP #10 SMP Mon Sep 20 17:27:00 EDT 1999 i686 unknown
[ttyp0]foobar:~/[2:46pm]:cat /etc/redhat-release
release 5.1 (Manhattan)
[jfbeam:pts/0]chickenboo:~/[2:11pm]:uname -a
Linux chickenboo 2.4.2-SMP #1 SMP Tue Feb 27 17:04:47 EST 2001 i686 unknown
[jfbeam:pts/0]chickenboo:~/[2:11pm]:cat /etc/redhat-release
Red Hat Linux release 6.2 (Zoot)
(And no, they are not publicly accessible machines.)
My logs show that 75% of the traffic to my website are from IE 5. The remaining 25% are IE 6.0 and Mozilla Gecko based browsers.
Microsoft, with a couple hundred million users who really wouldn't mind being compelled to buy their next O/S
Or some surly hacker who doesn't care if he loses his job?
Fear is a powerful motivator against the latter... and Microsoft's greed, which has compelled them to illegal market-manipulating tactics in the past, seems the greater force. We haven't seen much response from Microsoft about the source leak, yet it may prove to be the 9/11 for the computer business, if virus writers get busy with it.
Big Daddy, Johnny, Burp, Aunt Zelda, Scott, Slurp, Big Momma
It has been mentioned that the leaked source code might reveal some long-suspected back doors... I wonder if these and other unknown vulnerabilities were secretly known to MS and others, and are in fact the back doors?
___FutureShoks___
"These "easy to find" bugs were probably fixed in the huge code audit that MS did as part of their security initiative that happened AFTER the date of the leaked code."
This is just speculation. Besides, if they found a security hole in IE5 it would be their responsibility to publish the fact rather than leave IE5 users out there vulnerable.
In fact I helped code part of this functionality when I interned at Palm, on the Pose project. There was already a Gremlins functionality (along with GremlinHordes, which were Gremlins with different seed conditions) that would send bits of Shakespeare to text entry boxes, click randomly (weighted for actual button locations) and generally wreak havoc for a predetermined number of events. What I helped add was a logging, playback-from-log and minimization routine that would find the minimal subset of the events that would crash the Palm app being tested at the time. Fun stuff, that was. Since Pose/Poser is open source, you can now see my handiwork in file EmMinimize.cpp (or was it EmMinimization.cpp?) in the source distribution. http://www.palmos.com/dev/tools/emulator/#source
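The "find the minimal subset of the events that would crash the app" step, written out as an added example; this is not Pose's EmMinimize code but the delta-debugging (ddmin) reduction run against a constructed, hypothetical crash model in which a tap-OK event after a delete, with no refresh in between, crashes the app:

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Predicate: replay the event sequence and report whether it crashes. */
typedef int (*crash_fn)(const int *events, size_t n);

/* ddmin: repeatedly try to drop a chunk of the sequence, keeping any shorter
 * sequence that still crashes. Shrinks `events` in place, returns new length.
 * The result is 1-minimal: removing any single remaining event stops the crash. */
size_t minimize_events(int *events, size_t n, crash_fn crashes)
{
    size_t granularity = 2;
    int *trial = malloc(n * sizeof *trial);
    if (!trial)
        return n;
    while (n >= 2) {
        size_t chunk = (n + granularity - 1) / granularity;   /* ceil(n/g) */
        int reduced = 0;
        for (size_t start = 0; start < n; start += chunk) {
            size_t end = start + chunk < n ? start + chunk : n;
            /* Candidate: events with [start, end) removed. */
            size_t m = 0;
            for (size_t i = 0; i < n; i++)
                if (i < start || i >= end)
                    trial[m++] = events[i];
            if (m < n && crashes(trial, m)) {
                memcpy(events, trial, m * sizeof *events);
                n = m;
                granularity = granularity > 2 ? granularity - 1 : 2;
                reduced = 1;
                break;                  /* restart over the shorter sequence */
            }
        }
        if (!reduced) {
            if (granularity >= n)       /* already tried single events: done */
                break;
            granularity = granularity * 2 < n ? granularity * 2 : n;
        }
    }
    free(trial);
    return n;
}

/* Constructed event vocabulary and crash model (hypothetical, for demo). */
enum { EV_TAP_LIST = 1, EV_SCROLL = 2, EV_DELETE = 3, EV_TYPE_TEXT = 4,
       EV_REFRESH = 5, EV_TAP_OK = 7 };

static int demo_app_crashes(const int *ev, size_t n)
{
    int armed = 0;                      /* a delete is pending */
    for (size_t i = 0; i < n; i++) {
        if (ev[i] == EV_DELETE)        armed = 1;
        else if (ev[i] == EV_REFRESH)  armed = 0;
        else if (ev[i] == EV_TAP_OK && armed) return 1;
    }
    return 0;
}

/* Constructed overnight log that crashed; the minimal reproducer is {3, 7}. */
static const int demo_log[] = { 1, 2, 3, 4, 7, 1, 5, 2 };
int demo_minimized[sizeof demo_log / sizeof demo_log[0]];

size_t demo_minimize(void)
{
    memcpy(demo_minimized, demo_log, sizeof demo_log);
    return minimize_events(demo_minimized, sizeof demo_log / sizeof demo_log[0],
                           demo_app_crashes);
}
```

The reduced log replays in two events instead of eight, which is what makes a crash found by random input practical to debug.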
So the old theory that keeping source code secret will help prevent security attacks has now proven to be invalid, for the reason that you can't be sure that the code will in fact reliably remain secret. When the code inevitably gets out you will have a shitstorm of problems.
Now open source has in reality been proven the best way.
And security by obscurity fails again.
This shouldn't be a discussion about whether open source is inherently more stable (which it surely is). What the leak gives everyone is a chance to see into the coding practices of Redmond. That is what is interesting.
No one thought they were stellar; some already knew how bad things are; some figured, naturally, that if you could poke holes in their stuff like we've seen, something must be very, very wrong.
But now people are going to see with their own eyes - and that, I insist, is what is interesting here. So keep your eyes peeled (sorry, PJ).
The nature of open source software makes actually verifying the existence or non-existence of code very easy. Microsoft wouldn't even need to contact anyone to tell them they thought they were including Microsoft code in their product. They could just download it and check. As could everyone else.
The main problem is, and this is why I think MS has not actually gone to court against major oss projects yet, is that doing so would force them to show the offending lines of code in order for it to be compared to the oss source. If this incident has shown anything it is that revealing source is not something Microsoft wants to ever do -- even for products that are near or at/past EOL.
That said, I think that project managers REALLY are going to need to be vigilant in monitoring contributions to their projects, especially when programmers claim to be introducing Microsoft compatibility with the code. Chances will be good that some unethical programmers will try to slip some Microsoft owned code into a project. I can actually see some pro MS people joining oss projects just to try to do this then notify MS so they can take legal action. But, if a project manager is doing their job, this should be an easy problem to fix.
Anthony Papillion
Advanced Data Concepts, Inc.
"Quality Custom Software and IT Services"
This is really easy. Back in the good old days, when developers measured memory in kilobytes rather than megabytes, and cpu speeds were expressed in single digit mhz rather than single digit ghz, performance was a BIG issue. The layout of the data inside a bitmap was set up to mimic the memory layout of a video card, so that you could literally just copy the data with no transforms.
Which is actually not as good an idea as it sounds. When you refresh the screen (or a large window) upside down, CRT refreshes, which always go from top to bottom, become much more obtrusive. The system looks and feels slower due to more screen-tearing, even though it's technically 1% or so faster.
This is why display systems that put (0,0) at the lower-left corner are a pet peeve of mine. Upside-down rendering = a slightly more elegant mathematical model that yields significantly worse-looking results in real life.
Dahlmann tightly grips the knife, which he may have no idea how to use, and steps out into the plain.
The right combo of blinkenlights, color, speed, pattern etc can trigger a seizure in people even without epilepsy.
"Sic Semper Tyrannosaurus Rex."
The company I used to work for still ran Windows 95 machines... IE 5 was prominent on all of their Win95 and Win98 machines.
It would be unethical to disclose who that major manufacturing company is. Hehe.
I wonder if any of the leaked source code includes the MS crypto system. If so, this could be very bad news for Microsoft seeing how people have already discovered a slew of critical vulnerabilities but are biting their tongues to wait for MS to fix the flaws. Now you have a bunch of crackers running their debuggers on actual source code... they are going to craft and use exploits before they're public knowledge or officially fixed.