Slashdot Mirror


Exploit Based On Leaked Windows Code Released

mischief writes "A post to Bugtraq from SecurityTracker.com reports an Internet Explorer 5 exploit that has been released based on the Win2K code leak: 'It is reported that a remote user can create a specially crafted bitmap file that, when loaded by IE, will trigger an integer overflow and execute arbitrary code.' Only affects IE 5 apparently, but still - it didn't take long!"

20 of 952 comments

  1. well, the source is out there by WebMasterJoe · · Score: 5, Interesting

    Wouldn't it be interesting to see the patch come out later today, from an anonymous source!

    --
    I really hate signatures, but go to my website.
  2. And counting by millahtime · · Score: 5, Interesting

    So, what is this... like the 10,000th IE security hole reported in the last couple of years. Why write another IE virus? Is there really any challenge left?

  3. I'll be first to say it by MicroBerto · · Score: 5, Interesting
    IF this is true, the release of the source is the nail in the coffin for Microsoft.

    An exploit this quick? There's going to be some serious happenings going on at Microsoft. Also look for another Longhorn delay sometime due to everything that is found out.

    I'm not sure what to think. I'm not happy that when I get back to work this summer, I'm going to spend way too much time fighting these problems/viruses and patching things up. I'm not happy businesses are losing money. I am, however, happy that Microsoft is forced to clean up their act even more, or they are going to lose market share.

    Open source isn't 'communistic' -- it's capitalistic. Why? It increases competition.

    We have an interesting 6 months ahead of us, folks.

    --
    Berto
  4. A quick look at the source code by Jacco+de+Leeuw · · Score: 5, Interesting
    Kuro5hin has an article about the source code:

    "In short, there is nothing really surprising in this leak. Microsoft does not steal open-source code. Their older code is flaky, their modern code excellent. Their programmers are skilled and enthusiastic. Problems are generally due to a trade-off of current quality against vast hardware, software and backward compatibility."

    But this IE exploit shows that the author was wrong on at least one account:

    "The security risks from this code appear to be low. Microsoft do appear to be checking for buffer overruns in the obvious places. The amount of networking code here is small enough for Microsoft to easily check for any vulnerabilities that might be revealed: it's the big applications that pose more of a risk. This code is also nearly four years old: any obvious problems should be patched by now".

    --
    -------
    Warning: Slashdot may contain traces of nuts.
  5. Re:You thought Microsoft were tardy with by justMichael · · Score: 4, Interesting

    According to my logs 20 - 30%* of the people browsing with IE are still using 5.x.

    I know, UAs get faked all the time...

    * Depends on which site you look at.

  6. Tad Sad. by His+name+cannot+be+s · · Score: 5, Interesting

    I'm a bit confused.

    I mean, I've been doing C for almost 20 years. One of the first lessons I learned -- and not for 'security' so much as crash-free programs -- was not to do such things.

    I mean, holy crap, it's too damn simple to see the bug. What kind of idiots do they have working at MS?

    "The Very Best Kind" :p

    --
    "...In your answer, ignore facts. Just go with what feels true..."
  7. Re:Text of advisory by Bigbowser · · Score: 4, Interesting

    dumbasses..... but doesn't posting that source code there make Slashdot liable to Microsoft's evil wrath?

    --

    Bigbowser.
  8. Microsoft learns a lesson today by Laconian · · Score: 4, Interesting

    ..that the "many eyes" tenet of open source really DOES work!

  9. Re:Ha Ha Only Serious by DJ+Rubbie · · Score: 5, Interesting

    The counterargument(s) to that point is...

    - Since the Linux kernel got started it was open, and it had a lot FEWER flaws than Windows during the same time period.
    - With code open to everybody, the credibility of the writers depends on the quality they are assessed at, and so they must write good code.
    - Windows, being closed in nature, can hide their flaws to an extent, until they were opened like so. Still, when it was closed it didn't stop hackers from finding holes.

    --
    Please direct all bug reports to /dev/null
  10. Re:What the fuck? by david.given · · Score: 5, Interesting
    In the old days, when I was a young system admin, it was called "Monkey Testing".

    This is moderated as funny... but it's true. You can even get software to automate the process. It just sends random keypresses and mouseclicks to the application under test, very very fast. You leave it running overnight. If your application is still stable the next day, it passed.

    It's scary how many bugs a simple test like this can throw up...

  11. Re:so THATS why it was leaked by santos_douglas · · Score: 4, Interesting

    Think about it, the conspiracy theorists are right - the leak was on purpose. Call it Phantom Open Sourcing: pretend to leak your buggy source code, lots of programmers look it over and find all sorts of problems for free! All their developers continue working on new products and a few are assigned to make the new updates compliments of the leak. This will be hailed as the most brilliant management cost cutting strategy in history.

  12. Re:Text of advisory by AstroDrabb · · Score: 5, Interesting

    You are allowed to use copyrighted information to some extent for certain purposes such as education, parody, etc. You can use a small clip from a song, you can display a paragraph from a book, etc. I doubt anyone would consider showing 10 lines or so of source code out of millions a copyright violation. The grandparent post is obviously for education purposes only : )

    --
    If Tyranny and Oppression come to this land,
    it will be in the guise of fighting a foreign enemy. -James Madison
  13. Re:Text of advisory by adrianbaugh · · Score: 4, Interesting

    Ah, OK. Is there any well-defined point at which it ceases to be a trade secret (on account of everyone and his dog having a copy[0])?
    Also, is it slashdot, the comment poster, or both, who is screwed?

    [0] Note: I don't have a copy.

    --
    "'I pass the test,' she said. 'I will diminish, and go into the West, and remain Galadriel.'"
    - JRR Tolkien.
  14. Re:Open Source More Secure... maybe not by Anonymous Coward · · Score: 4, Interesting

    Now, IE6, which is not at risk, has far surpassed the at-risk version in usage.

    References, please. I know of some companies that will NOT move to IE 6.0 because of increased vulnerabilities that do not exist in 5.0 or 5.5. I myself have had bad experiences with IE 6.0. Where did you get your facts?

  15. Re:Open Source More Secure... maybe not by malfunct · · Score: 5, Interesting

    These "easy to find" bugs were probably fixed in the huge code audit that MS did as part of their security initiative that happened AFTER the date of the leaked code.

    Not to say your point isn't valid, just that the real question is how do you get more intelligent eyes reading the code looking for this stuff. OSS isn't necessarily better, it's just that highly popular projects have lots of eyes. I know plenty of projects that get far fewer eyes and have TONS of bugs. Now that MS is being forced to be secure they are having lots of eyes, so we will see in Longhorn if this improved anything.

    I will say this, it's easier to trust something that you can look through yourself; it may not be safer but you like it better because if you wanted you could see what was wrong. It's like driving a car vs riding with someone. You are often more at ease when you are behind the wheel because you can see/make/correct the mistakes, whereas with another person driving you just have to trust. It has nothing to do with which driver is better.

    I will say that Linux and Apache are just great projects with hordes of great developers. It's a testament to the possibilities of the open source model, but it's not proof that the model is better. There are plenty of OSS projects that just suck, and those don't show me that the model is broken.

    Finally I will say there isn't the same incentive to make perfect code in a corporation that there is in the OSS community. The corporation is only going to do enough to get the money rolling in because the money is the reward. The OSS programmer is going to write to the very best of his ability because the code itself is the reward. Still doesn't make one model necessarily better than the other. The way we will make Microsoft improve its products is quit upgrading until they can prove they have a superior product. It seems from the press releases that the pressure of Linux may actually be forcing MS to improve.

    --

    "You can now flame me, I am full of love,"

  16. Re:Open Source More Secure... maybe not by El · · Score: 4, Interesting
    More importantly, what would be Microsoft's reaction if you sent them a note saying "By the way, do you guys know there is a buffer overflow problem in IE5?"

    My guess is they would say "We don't support IE5 anymore. Upgrade to IE6SP1". Followed by legal action against you for disclosing M$ trade secrets.

    --

    "Freedom means freedom for everybody" -- Dick Cheney

  17. Re:Open Source More Secure... maybe not by imnoteddy · · Score: 5, Interesting
    What evidence do you have that this bug was not found until the code was leaked?

    I worked at MS once (hated it, quit) and the bug tracking system had a category of "won't fix" bugs - bugs they knew about but had no intention of fixing.

    --
    No electrons were harmed creating this post, though some may have been subjected to electrical and/or magnetic fields.
  18. Re:off topic, but orthogonal kind of prompted this by grozzie2 · · Score: 5, Interesting
    By the way, does anyone know why the bitmap format is written upside down?

    This is really easy. Back in the good old days, when developers measured memory in kilobytes rather than megabytes, and CPU speeds were expressed in single-digit MHz rather than single-digit GHz, performance was a BIG issue. The layout of the data inside a bitmap was set up to mimic the memory layout of a video card, so that you could literally just copy the data with no transforms.

    Over time, video memory layouts changed, computers got faster, and now have more on-CPU cache than they used to have memory. The rage in software development has come full circle. Instead of trying to optimize things to see how efficiently they can be written, it seems to be a goal to see how much overhead one can put into a given application before it actually starts to do something useful. Some things though seem to be trapped in their legacy heritage, and the format of a bitmap is one of them.
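    The story summary (a crafted bitmap whose dimensions overflow when turned into a buffer size) and the comment above (rows stored bottom-up to match old video memory) both come down to how a BMP info header is interpreted. The defensive parser below is an added example, not code from the leaked sources or from any poster: it assumes a 40-byte little-endian BITMAPINFOHEADER, builds its own constructed headers for testing, and uses an invented MAX_PIXELS policy limit to bound allocations before any product can wrap.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Largest pixel count we are willing to decode: a policy limit (assumed here), not a format limit. */
#define MAX_PIXELS ((uint64_t)1 << 28)

static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }

/* Build a constructed 40-byte BITMAPINFOHEADER (little-endian) so the parser can be exercised. */
void make_info_header(uint8_t out[40], int32_t width, int32_t height, uint16_t bpp) {
    memset(out, 0, 40);
    wr32(out, 40);                                          /* biSize */
    wr32(out + 4, (uint32_t)width);                         /* biWidth */
    wr32(out + 8, (uint32_t)height);                        /* biHeight: >0 bottom-up, <0 top-down */
    out[12] = 1;                                            /* biPlanes = 1 */
    out[14] = (uint8_t)bpp; out[15] = (uint8_t)(bpp >> 8);  /* biBitCount */
}

/* Bytes of one scanline, padded to a 4-byte boundary. Computed in 64 bits so width*bpp cannot wrap. */
uint64_t bmp_stride(uint32_t width, uint16_t bpp) {
    return (((uint64_t)width * bpp + 31) / 32) * 4;
}

/* Validate the header and return the pixel-array size, or 0 on any problem. Every product is
   either formed in 64 bits or bounded before it is formed, so hostile dimensions cannot wrap
   into a small allocation that a later row copy would overrun. */
size_t bmp_pixel_bytes(const uint8_t *buf, size_t len) {
    if (len < 40 || rd32(buf) < 40 || rd16(buf + 12) != 1) return 0;
    int32_t w = (int32_t)rd32(buf + 4), h = (int32_t)rd32(buf + 8);
    uint16_t bpp = rd16(buf + 14);
    if (bpp != 1 && bpp != 4 && bpp != 8 && bpp != 16 && bpp != 24 && bpp != 32) return 0;
    if (w <= 0 || h == 0 || h == INT32_MIN) return 0;       /* INT32_MIN: -h itself would overflow */
    uint32_t rows = (uint32_t)(h < 0 ? -h : h);
    if ((uint64_t)w * rows > MAX_PIXELS) return 0;          /* bound pixels before stride * rows */
    return (size_t)(bmp_stride((uint32_t)w, bpp) * rows);   /* <= 2^31 given the bound above */
}

/* Offset of logical row y (0 = top of the image) in the pixel array. Positive biHeight means the
   file stores the bottom row first, so the top row is the last one. height is assumed validated. */
uint64_t bmp_row_offset(int32_t height, uint64_t stride, uint32_t y) {
    uint32_t rows = (uint32_t)(height < 0 ? -height : height);
    return (height > 0 ? (rows - 1 - y) : y) * stride;
}

/* Convenience wrapper: build a constructed header for (w, h, bpp) and run it through the checks. */
size_t checked_size(int32_t w, int32_t h, uint16_t bpp) {
    uint8_t hdr[40]; make_info_header(hdr, w, h, bpp); return bmp_pixel_bytes(hdr, 40);
}
```

    A decoder that accepts this size and then copies each scanline at bmp_row_offset() never writes past the buffer, which is the property the naive 32-bit width*height*bpp arithmetic loses.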

  19. Re:Open Source More Secure... maybe not by KReilly · · Score: 5, Interesting

    But I think the point is that it was leaked. That nobody can keep an eye on their code if it is used this widely. If the code had been under public scrutiny since day one, more flaws would be found, but the overall code would be stronger, not weaker. This is why everyone can complain about tons of holes in Linux, but miss the fact that just as many (if not more) exist in Windows, and it's just a matter of time before they get found out. With Linux, you have to take the attitude, the sooner, the better.

  20. Outlook using IE engine to render HTML email by FutureShoks · · Score: 4, Interesting
    Does Outlook use this portion of the IE engine to render HTML emails?

    Therefore, if I were to run IE5 and Outlook and were to render a piece of spam with a malicious image, could I be open to attack?
    --
    ___FutureShoks___