Exploit Based On Leaked Windows Code Released
mischief writes "A post to Bugtraq from SecurityTracker.com reports an Internet Explorer 5 exploit that has been released based on the Win2K code leak: 'It is reported that a remote user can create a specially crafted bitmap file that, when loaded by IE, will trigger an integer overflow and execute arbitrary code.' Only affects IE 5 apparently, but still - it didn't take long!"
Wouldn't it be interesting to see the patch come out later today, from an anonymous source!
I really hate signatures, but go to my website.
So, what is this... like the 10,000th IE security hole reported in the last couple years. Why write another IE virus? Is there really any challenge left?
Evolution or ID?
An exploit this quick? There's going to be some serious happenings going on at Microsoft. Also look for another Longhorn delay sometime due to everything that is found out.
I'm not sure what to think. I'm not happy that when I get back to work this summer, I'm going to spend way too much time fighting these problems/viruses and patching things up. I'm not happy businesses are losing money. I am, however, happy that Microsoft is forced to clean up their act even more, or they are going to lose market share.
Open source isn't 'communistic' -- it's capitalistic. Why? It increases competition.
We have an interesting 6 months ahead of us, folks.
Berto
"In short, there is nothing really surprising in this leak. Microsoft does not steal open-source code. Their older code is flaky, their modern code excellent. Their programmers are skilled and enthusiastic. Problems are generally due to a trade-off of current quality against vast hardware, software and backward compatibility."
But this IE exploit shows that the author was wrong on at least one account:
"The security risks from this code appear to be low. Microsoft do appear to be checking for buffer overruns in the obvious places. The amount of networking code here is small enough for Microsoft to easily check for any vulnerabilities that might be revealed: it's the big applications that pose more of a risk. This code is also nearly four years old: any obvious problems should be patched by now".
-------
Warning: Slashdot may contain traces of nuts.
According to my logs 20 - 30%* of the people browsing with IE are still using 5.x.
I know, UAs get faked all the time...
* Depends on which site you look at.
I'm a bit confused.
:p
I mean, I've been doing C for almost 20 years. One of the first lessons I learned -- and not for 'security' so much as for crash-free programs -- was not to do such things.
I mean, holy crap, it's too damn simple to see the bug. What kind of idiots do they have working at MS?
"The Very Best Kind"
"...In your answer, ignore facts. Just go with what feels true..."
That's exactly the point -- it's impossible to keep source code secret, as this proves.
Dumbasses... but doesn't posting that source code there make Slashdot liable to Microsoft's evil wrath?
Bigbowser.
..that the "many eyes" tenet of open source really DOES work!
The counterargument(s) to that point is...
- Since the Linux kernel got started it was open, and it had a lot LESS flaws than Windows during the same time period.
- With code open to everybody, the credibility of the writers depends on the quality they were assessed on, and so they must write good code.
- Windows, being closed in nature, can hide their flaws to an extent, until they were opened like so. Still, when it was closed it didn't stop hackers from finding holes.
Please direct all bug reports to
This is moderated as funny... but it's true. You can even get software to automate the process. It just sends random keypresses and mouse clicks to the application under test, very very fast. You leave it running overnight. If your application is still stable the next day, it passed.
It's scary how many bugs a simple test like this can throw up...
As a kernel developer I'm familiar with the number of people who audit stuff put into the Linux kernel. To get a patch approved, you usually need to convince 4 or 5 people that your patch is a good idea. You could get away with 1 (Linus), but the top people are unlikely to consider your patch if it hasn't been approved by their chain of command first. All of those people examine it for functionality, stability and security. The higher level ones usually won't look at it very closely, but I imagine core kernel code gets a lot more attention than device drivers.
You also post it to the LKML. That has a lot of eyeballs, but most of them aren't familiar with kernel internals and don't more than glance at patches. If you're lucky (although perhaps lucky isn't the word) you'll get twenty skilled eyeballs looking at and criticizing your code. Most times the number is only two or three, and it can be even fewer.
If you take an average of ten knowledgeable people examining your code, then I think you can agree that it is plausible that Microsoft has just as thorough a review as critical OSS projects like Linux. Four or five people looking at code before a commit would put it within a factor of two of Linux. The skill of the people doing the audit would be much more important at this stage.
Once you get a release of Windows code, no one examining it in the general community is knowledgeable about Windows specifics, but it may get a lot of attention from a lot of skilled people, just because of the novelty. I would think that parts of it will be subject to much more scrutiny than Windows or Linux source code usually ever is.
Think about it, the conspiracy theorists are right - the leak was on purpose. Call it Phantom Open Sourcing: pretend to leak your buggy source code, lots of programmers look it over and find all sorts of problems for free! All their developers continue working on new products and a few are assigned to make the new updates compliments of the leak. This will be hailed as the most brilliant management cost cutting strategy in history.
As long as RedHat and SuSe? Sure, they might not have a stranglehold on the market like they do now, but they'd likely turn a profit.
If your theory is different from practice, then your theory is wrong.
You are allowed to use copyrighted information to some extent for certain purposes such as education, parody, etc. You can use a small clip from a song, you can display a paragraph from a book, etc. I doubt anyone would consider showing 10 lines or so of source code out of millions a copyright violation. The grandparent post is obviously for education purposes only : )
If Tyranny and Oppression come to this land,
it will be in the guise of fighting a foreign enemy. -James Madison
FTEs who will likely be the ones writing the code to replace the bad code found will not get OT. Only the contractors get it, and then it has to be pre-approved (and guess what, if you're a contractor responsible for writing bad code, if they let you keep your job, you sure ain't getting OT for fixing your mistake).
:)
Also, those who code reviewed the offending code and let it through are likely to lose their jobs.
All in all, heads are going to be chopped on the main campus. Cutler will have to reshuffle his team, and there's a few FTEs sweating right now.
Ah, OK. Is there any well-defined point at which it ceases to be a trade secret (on account of everyone and his dog having a copy[0])?
Also, is it slashdot, the comment poster, or both, who is screwed?
[0] Note: I don't have a copy.
"'I pass the test,' she said. 'I will diminish, and go into the West, and remain Galadriel.'"
- JRR Tolkien.
Now, IE6, which is not at risk, has far surpassed the at-risk version in usage.
References, please. I know of some companies that will NOT move to IE 6.0 because of increased vulnerabilities that do not exist in 5.0 or 5.5. I myself have had bad experiences with IE 6.0. Where did you get your facts?
These "easy to find" bugs were probably fixed in the huge code audit that MS did as part of their security initiative that happened AFTER the date of the leaked code.
Not to say your point isn't valid, just that the real question is how do you get more intelligent eyes reading the code looking for this stuff. OSS isn't necessarily better, it's just that highly popular projects have lots of eyes. I know plenty of projects that get far fewer eyes and have TONS of bugs. Now that MS is being forced to be secure they are having lots of eyes, so we will see in Longhorn if this improved anything.
I will say this, it's easier to trust something that you can look through yourself. It may not be safer, but you like it better because if you wanted you could see what was wrong. It's like driving a car vs. riding with someone. You are often more at ease when you are behind the wheel because you can see/make/correct the mistakes, whereas with another person driving you just have to trust. It has nothing to do with which driver is better.
I will say that Linux and Apache are just great projects with hordes of great developers. It's a testament to the possibilities of the open source model, but it's not proof that the model is better. There are plenty of OSS projects that just suck, and those don't show me that the model is broken.
Finally I will say there isn't the same incentive to make perfect code in a corporation that there is in the OSS community. The corporation is only going to do enough to get the money rolling in because the money is the reward. The OSS programmer is going to write to the very best of his ability because the code itself is the reward. Still doesn't make one model necessarily better than the other. The way we will make Microsoft improve its products is to quit upgrading until they can prove they have a superior product. It seems from the press releases that the pressure of Linux may actually be forcing MS to improve.
"You can now flame me, I am full of love,"
My guess is they would say "We don't support IE5 anymore. Upgrade to IE6SP1". Followed by legal action against you for disclosing M$ trade secrets.
"Freedom means freedom for everybody" -- Dick Cheney
There are also no exposed pointers in Java, thus no way to clobber the stack by writing to a negative array offset, as in this exploit. Reading or writing to a negative array offset in Java will result in a RuntimeException of some sort. Buffer overflows are also impossible in Java, since writing off the end of an array will result in a similar exception.
I worked at MS once (hated it, quit) and the bug tracking system had a category of "won't fix" bugs - bugs they knew about but had no intention of fixing.
No electrons were harmed creating this post, though some may have been subjected to electrical and/or magnetic fields.
This is really easy. Back in the good old days, when developers measured memory in kilobytes rather than megabytes, and CPU speeds were expressed in single-digit MHz rather than single-digit GHz, performance was a BIG issue. The layout of the data inside a bitmap was set up to mimic the memory layout of a video card, so that you could literally just copy the data with no transforms.
Over time, video memory layouts changed, computers got faster, and now have more on-CPU cache than they used to have memory. The rage in software development has come full circle. Instead of trying to optimize things to see how efficiently they can be written, it seems to be a goal to see how much overhead one can put into a given application before it actually starts to do something useful. Some things, though, seem to be trapped in their legacy heritage, and the format of a bitmap is one of them.
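The story's bug class (a bitmap whose dimensions make a 32-bit size computation wrap) and the BMP layout discussed above, as an added example that is not code from any poster or from the leaked source: a constructed 54-byte BMP header is parsed, the naive width * height * bpp / 8 computation is shown beside a checked version that validates signs, uses 64-bit math, pads rows to 4 bytes as the format does, and rejects anything over an assumed 256 MiB cap.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Upper bound for a decoded pixel buffer: an assumed policy for this demo, not a format rule. */
#define BMP_MAX_PIXEL_BYTES (256u * 1024u * 1024u)

typedef struct { int32_t width, height; uint16_t bpp; } bmp_dims;

static uint32_t rd32(const uint8_t *p) { return p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24; }
static void wr32(uint8_t *p, uint32_t v) { p[0] = v; p[1] = v >> 8; p[2] = v >> 16; p[3] = v >> 24; }

/* Build a constructed BMP header: 14-byte file header + 40-byte BITMAPINFOHEADER. */
void bmp_make_header(uint8_t out[54], int32_t w, int32_t h, uint16_t bpp) {
    memset(out, 0, 54);
    out[0] = 'B'; out[1] = 'M';
    wr32(out + 10, 54);                        /* bfOffBits: pixel data follows the header */
    wr32(out + 14, 40);                        /* biSize */
    wr32(out + 18, (uint32_t)w);               /* biWidth */
    wr32(out + 22, (uint32_t)h);               /* biHeight (negative means top-down rows) */
    out[26] = 1;                               /* biPlanes */
    out[28] = bpp & 0xff; out[29] = bpp >> 8;  /* biBitCount */
}

/* Extract width/height/bpp; -1 if the buffer is short or lacks the "BM" magic. */
int bmp_parse_header(const uint8_t *buf, size_t len, bmp_dims *d) {
    if (len < 54 || buf[0] != 'B' || buf[1] != 'M') return -1;
    d->width  = (int32_t)rd32(buf + 18);
    d->height = (int32_t)rd32(buf + 22);
    d->bpp    = (uint16_t)(buf[28] | buf[29] << 8);
    return 0;
}

/* The overflow-prone pattern: the product wraps silently in 32-bit arithmetic, so an allocator
 * fed this value can hand back a buffer far smaller than the pixel data copied into it. */
uint32_t bmp_size_naive(const bmp_dims *d) {
    return (uint32_t)d->width * (uint32_t)d->height * d->bpp / 8;
}

/* Checked version: rejects non-positive width, zero height and odd bit depths, computes the
 * 4-byte-padded stride in 64 bits, and refuses anything that exceeds the cap. -1 on failure. */
int bmp_size_checked(const bmp_dims *d, size_t *out) {
    if (d->width <= 0 || d->height == 0) return -1;
    if (d->bpp != 1 && d->bpp != 4 && d->bpp != 8 && d->bpp != 16 && d->bpp != 24 && d->bpp != 32) return -1;
    uint64_t rows   = d->height < 0 ? (uint64_t)(-(int64_t)d->height) : (uint64_t)d->height;
    uint64_t stride = (((uint64_t)d->width * d->bpp + 31) / 32) * 4;  /* at most 2^36, cannot wrap */
    if (stride > BMP_MAX_PIXEL_BYTES / rows) return -1;               /* would exceed the cap */
    *out = (size_t)(stride * rows);
    return 0;
}
```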
But I think the point is that it was leaked. That nobody can keep an eye on their code if it is used this widely. If the code had been under public scrutiny since day one, more flaws would be found, but the overall code would be stronger, not weaker. This is why everyone can complain about tons of holes in Linux, but miss the fact that just as many (if not more) exist in Windows, and it's just a matter of time before they get found out. With Linux, you have to take the attitude, the sooner, the better.
/me whistles innocently...
[cramer:ttyp1]dominion:~/[1:38pm]:uname -a
Linux dominion 2.3.42-SMP #11 SMP Sun Feb 6 20:06:02 EST 2000 i686
[cramer:ttyp1]dominion:~/[1:38pm]:cat /etc/redhat-release
release 4.1 (Vanderbilt)
[ttyp0]foobar:~/[2:46pm]:uname -a
Linux foobar 2.3.18-SMP #10 SMP Mon Sep 20 17:27:00 EDT 1999 i686 unknown
[ttyp0]foobar:~/[2:46pm]:cat /etc/redhat-release
release 5.1 (Manhattan)
[jfbeam:pts/0]chickenboo:~/[2:11pm]:uname -a
Linux chickenboo 2.4.2-SMP #1 SMP Tue Feb 27 17:04:47 EST 2001 i686 unknown
[jfbeam:pts/0]chickenboo:~/[2:11pm]:cat /etc/redhat-release
Red Hat Linux release 6.2 (Zoot)
(And no, they are not publicly accessible machines.)
___FutureShoks___
Honestly, I think any programming course should start out using goto for all loops and iterations, because it shows much more closely what the CPU actually sees in compiled code. An executable does not have "while" loops, "do while" loops, or "for" loops; it runs a series of instructions, and sometimes one of these instructions will cause it to go to another part of the code if a particular condition is met. goto is the only "loop" a processor understands; all other loops are built from that concept.
Snowden and Manning are heroes.
So the old theory that keeping source code secret will help prevent security attacks has now proven to be invalid, for the reason that you can't be sure that the code will in fact reliably remain secret. When the code inevitably gets out you will have a shitstorm of problems.
Now open source has in reality been proven the best way.
And security by obscurity fails again.
The nature of open source software makes actually verifying the existence or non-existence of code very easy. Microsoft wouldn't even need to contact anyone to tell them they thought they were including Microsoft code in their product. They could just download it and check. As could everyone else.
The main problem, and this is why I think MS has not actually gone to court against major OSS projects yet, is that doing so would force them to show the offending lines of code in order for it to be compared to the OSS source. If this incident has shown anything, it is that revealing source is not something Microsoft wants to ever do -- even for products that are near or at/past EOL.
That said, I think that project managers REALLY are going to need to be vigilant in monitoring contributions to their projects, especially when programmers claim to be introducing Microsoft compatibility with the code. Chances will be good that some unethical programmers will try to slip some Microsoft-owned code into a project. I can actually see some pro-MS people joining OSS projects just to try to do this, then notify MS so they can take legal action. But, if a project manager is doing their job, this should be an easy problem to fix.
Anthony Papillion
Advanced Data Concepts, Inc.
"Quality Custom Software and IT Services"