GDI Vulnerabilities: An Open Letter to Microsoft

UnderAttack writes "Tom Liston, the guy that brought us the LaBrea Tarpit, wrote an open letter to Microsoft regarding the GDI JPEG vulnerability, and Microsoft's scanning tool for this vulnerability, which he calls 'worse then useless'. Tom, who wrote his own scanning tool, ends his letter with 'Please stop treating your customers like idiots and give us information; information that we can use.' Like Tom explains, the official Microsoft scanning tool misses a lot of vulnerable DLL's installed by third parties, and Microsoft fails to explain if these libraries are a problem or not."

er,

[LurkerXXX]

Sooooo, how exactly is MS responsible for all 3rd party DLLs?

Re:er,

[White+Roses]

Because it's not a 3rd party DLL? Because it's a MS DLL distributed by a 3rd party? It's still MS's code. RTFA.

Re:er,

[LurkerXXX]

So, is Linus going to put out an advisory that there may be some random explit in the Gimp that allows user level access to hackers? I know there must be some random buffer overflow in the Gimp somewhere. Linus should point this out according to your logic, shouldn't he?

Kinda silly eh?

Of course 3rd party apps might have exploits. It's up to those 3rd party vendors to supply patches. Even if the code is originally based on MS code, the 3rd party vendor may have modified it in any variety of ways and MS has no idea if those will be dangerous versions or not. MS has identified the bad code, the 3rd party vendors have been notified about it. It's up to them to tell you if their version is bad or not, and patch their software.

Re:er,

[julesh]

So, is Linus going to put out an advisory that there may be some random explit in the Gimp that allows user level access to hackers? I know there must be some random buffer overflow in the Gimp somewhere. Linus should point this out according to your logic, shouldn't he?

If Linus wrote the code, and told the application authors that they were only allowed to use it by accessing a .so file (installed into a special directory for each application that uses it, for no good reason that anyone could gather, and Linus insists that they aren't allowed to modify it in any way), and there was then an update to that .so file, I would expect the update that Linus issued to fix all copies of it, yes.

Of course, nobody behaves like this in the Linux world. Shared libraries are installed to /lib or /usr/lib and you only have one copy of each of them. An update would ensure that the single copy you depended on had the vulnerability eliminated.

Re:er,

[pjrc]

Of course, nobody behaves like this in the Linux world.

I believe you missed the zlib buffer overflow, which turned out to be staticly linked into many applications, as well as in the shared library.

Yeah, not quite the same, since static linking is different (perhaps worse) than having lots of copies of the DLL in different directories, as far as updating is concerned. Also, a different situation because developers had the option to link the way they wanted.

But to say this sort of thing never happens in the "linux world" and that all library security bugs are easily cured for all apps by updating the shared libs neglects some really unfortunate occurances like the zlib buffer overflow.

It's actually a tough job even on Linux

[shoppa]

Scanning your own systems for vulnerabilities, especially when you have third-party stuff on it, is a tough job.

You don't even need third-party stuff or an application to make it hard under Linux. Typical cycle is: kernel version x comes out in March. It's in a Red Hat release in July. Vulnerability found in September, with an immediate release of version x+1 on kernel.org (which also has a lot of changed/evolved drivers etc.) Red Hat back-patches the fix to version x and makes a new funny version number to signify this. They might include a couple other things from x+1 in the back-patch to version x. Except that the funny redhat version number doesn't signify much to anyone on the surface.

Similar things happen for Red Hat (and other branded linux binary distributions) of Apache, SSL, etc., things that are all quite critical and you'd hope would be crystal-clear as to which patches your version has or doesn't have.

Now finding whether version X of a library or application has a vulnerability patched usually isn't too hard. And Red Hat does a pretty good job of keeping on top, way better than say Microsoft.

Disclaimer: I'm no fan of Microsoft, but I'm not a big fan of Red Hat (or, as I prefer, Head Rat) either (or any binary linux/gnu toolchain/popular application distro for that matter).

Re:It's actually a tough job even on Linux

[sEEKz]

I don't think so!

It's a complete different world...

Normally you can see on security lists like bugtraq what kind of vulnerabilities are discovered, or patches which are available.

Now you have different options.
1. fix it yourself (you have the source)
2. wait for maintainer of the program or library to release a patched version
3. wait for your linux distro to release a patched version

What I mean to say is, in Linux or other Open Source projects, it's pretty obvious what to fix or where the problem itself exists.
Worst case scenario, you can fix it yourself.

In case of Microsoft or other closed sources, you have to wait for the main distributer to get a fix of the program or library. And even then you're not 100% sure if the problem is fixed.

Like We're Not Idiots?

[MankyD]

Most users ARE idiots. It seems completely appropriate that they should be treated this way. I very much mean this.

Yes, the slashdot crowd and others might do well to receive more information regarding vulnerabilities and fixes for them, but the average user would be overwhelmed.

I once mentioned to a gentleman that the standard encryption on an 802.11b WAP wasn't entirely secure and he panicked. He asked if hackers would steal his credit card and social security numbers. I asked if he ever shopped online or transmitted those numbers across the internet to which he replied emphatically no (he didn't even store them on his computer for that matter). He still did not understand that a "hacker" can not steal his information from a WAP if it was never there in the first place. He promptly switched to using a ethernet based network.

Most people are too stupid to be told even the fisrt thing about security. Better a patch is provided that works and they use it. Seeing as how the patch was not complete in this case, that'd differenty, yet the users should still be treated like morons.

Re:Like We're Not Idiots?

[ConceptJunkie]

And all this approach does is scare the idiot users, because the typical computer-phobe will assume his machine's been infected with a virus.

So really, the tool doesn't serve anyone well.

Re:Like We're Not Idiots?

"...Most users ARE idiots. It seems completely appropriate that they should be treated this way...."

That's a little harsh especially considering your example. You can, of course, be a very smart person and not know much about wireless networking. That "gentleman" could be, for example, the lead scientist in a bio research project and if he asked you a question about something he had detailed knowledge of and you didn't know the answer he, too, could conclude most people are idiots.

The world is full of technology that no one person can, or has the time, to absorb it all.

Re:Like We're Not Idiots?

[maxpublic]

Most users ARE idiots.

Everyone's an idiot in a field they know little or nothing about. Computer users want their machines to work; they don't want to know how they work, and why should they? You regularly use devices, or the products of devices, that you can't even begin to describe the manner in which they function, yet I don't see engineers or factory workers or mechanics standing up and calling you an idiot for not knowing how these things work, or for not wanting to learn how these things work.

Computers don't get a special exemption to this rule. They're just tools like any other tool, nothing more.

Max

Other ways

[globring]

Any valid points the author has about the uselessness of the tool, or the general state of affairs with security at Microsoft, are dimished by his pompous attitude and snide remarks.

Why not write a technically detailed letter about the code you find (since he read it so many times) and perhaps offer some constructive alternatives to improve it?

Not only would it be more interesting to read, but they might actually be more willing to consider it.

Re:Other ways

[slipstick]

As a way of getting Microsoft's direct attention the letter admittedly sucks.

However, I would argue that the guys point wasn't to garner browny points with geeks as much as to get the frustration off his chest AND get geeks to recognize once again the flaws in MS's security protocols.

Furthermore it isn't a "cheap pot-shot". He's venting, he's not bootlicking. He's saying "for crying out loud, you guys have Billions of dollars, resources up the wazoo and you can't get it right, damn I'm mad and I'm going to vent(but I'm going to be humorous in doing so)!" Haven't you EVER felt that way. The beauty of the web is that he can post that and hopefully feel better about it.

So, your right, this isn't for MS, it's for the masses, including the press and geeks who might read it, giggle a bit, and maybe as a group hold MS's feet to the fire on this.

Re:Hate to quote a quote but...

[LittleGuy]

which he calls 'worse then useless'
So it gets worse, _then_ it is useless? :)

With 40+ subvariants of the patch, just saying "there's a vunerability on this here machine" without giving the source of the vunerability and the solution to patch said vunerability is dangerous, bordering on the criminally neglient concerning network security.

I second that "information we can use" point

[Asprin]

I spent about 45 minutes reading docs at MSDN/MSKB trying to find an explicit statement that IE6SP1 on Win98 is vulnerable, and I swear that they don't actually state that fact (explicitly) anywhere! I eventually was able to read between the lines and conclude that Win98 isn't vulnerable, but Win98 + IE6 is, so you should run Windows Update to DL the patch.

Am I certain? No. Like I said, it's very difficult to find answers to very simple questions in their docs sometimes. I especially hate reading their security bulletins because it's like they were written by very technical lawyers who are trying to maintain the illusion of releasing information without actually doing so. As often as is possible, I try wait a day or two for the DHS CERT to issue their bulletins because they do a slightly better job of relaying useful information.

Re:Yes, Microsoft can fix everybody's code!

[BeerCat]

Actually, according to TFA, your analogy should be:

"My home-built kit car has a Ford engine. There's a problem with the engine. Ford needs to fix it"

Re:Yes, Microsoft can fix everybody's code!

[AceCaseOR]

Funny, but irelevant. Microsoft wrote the DLL's in question, but distributed them through third parties (as has been mentioned by other posters).

For a better analogy, Microsoft is refusing to pay Child Support for its bastard child.

Re:No Warranty Implied

[gl4ss]

would you give warranty for something you give for free?
i don't think so.

well, maybe he'll give you your money back!

In "How not to write an open letter 101"...

[strAtEdgE]

... first class on day one, they would cover off not including some pointless story about your childhood home which comprises half of the letter and has absolutely no relivence to the point of the letter, other than to say that windows users are "in the dark".

Don't get me wrong, the letter itself was justified, and the author is right about the tool by microsoft I'm sure. But why is that story in there, to make sure that someone at Microsoft doesn't actually read it?

This is NOT just a Microsoft bug!

[Ryu2]

Microsoft did not write their own JPEG code; rather they used the freely available implementation from the Independent JPEG group. The flaw is actually in the IJG code, not any Microsoft code.

Indeed, Netscape, which also uses that code for its JPEG decoding had that flaw (but it was fixed earlier, and of course, it did not make the news nearly as much as this Microsoft issue, owing to its much smaller market share.)

http://www.openwall.com/advisories/OW-002-netscape -jpeg/

Re:Hate to quote a quote but...

[LittleGuy]

Please back up your assertion that this is "bordering" on criminally neglient.

Analogy: there's a part of your car which could explode at anytime. It's been a long-standing part of your car. This part can manifest itself in different sections of the car or in different accesories added to your car. You which might be able to track down the part(s) if you are an adequate mechanic and you've kept track on where the parts have been put.

You go back to the manufacturer who says, "Well, we can tell you if you have the part, but we're not sure where on the car, or how many different parts of the car, but you should really get the parts replaced or else the car will blow up".

Re:Don't go for pretty software

[Skye16]

No, software should work AND look pretty. Just because form follows function doesn't mean it should be completely disregarded.

Why not offer a common jpeg DLL?

[AaronW]

I am surprised that Microsoft does not do what Linux does and have a common DLL provide all the JPEG functionality. At least in Linux, most, if not all apps, use libjpeg.so.

Fixing a problem like this in Linux is trivial. Only libjpeg needs to be patched, and automagically, all apps that depend on that library are also rendered invulnerable.

We saw this with png and other shared libraries. Also, offering many of these common libraries as DLLs helps reduce code bloat since every app no longer needs to reinvent the wheel.

Re:Rules for this story

[Allen+Zadr]

May I be the first to agree, except all of the DLLs complained about are Microsoft DLL files. Regardless of what 3rd party re-distributed the Microsoft DLL, I would hope that Microsoft's own scanning tool would be able to find and identify DLLs that Microsoft wrote (whether written for redistribution or core-os).

Beyond that, if I find out that my Windows version of "The Gimp" is also vulnerable, I know enough to go to the author of that program and find a patch.

If, on the other hand, 'The Gimp' told me that GTK may be vulnerable, and the 'GTK' folks told me that 'The Gimp' may be vulnerable, I would surely be the first person to stand up and write a singularly upset letter to those projects.

On the other hand, I didn't pay $199 per copy of "The Gimp" and, as a condition of my use of said software, it clearly tells me that I am free to modify the code to my liking. Thus, I don't feel that "The Gimp" and the "GTK" projects owe me merchantability. Microsoft (on the other hand) I do feel owes me - at least - merchantability to perform as advertised...

So long as Microsoft can fix the issues that are theirs (as opposed to point me in a circle), I have no qualms with spending more of my fine earned money to them for a really nice gaming OS.

Re:Rules for this story

[SoSueMe]

"1.) Microsoft is somehow responsible for all third-party DLLs on a system. Their scanner must contain a self-sufficient, learning AI that just "knows" which DLLs to scan on any system in existence."

Please read the letter again (assuming you read it once).

When a third party vendor wants to distribute a Microsoft DLL with their product, don't they have to get permission from you? Wouldn't there be a list somewhere in Redmond of the third party applications that have distributed vulnerable copies of gdiplus.dll? Can you tell us what they are?

As for the "...but Mozilla is vulnerable too!" defence, Yes I imagine Mozilla on Windows certainly is.

As for the "we're not the only ones" plea, this is not a very adult response to any form of critique.

Re:Hate to quote a quote but...

[Sputum]

This tool is not designed for use or supported in enterprise environments.

I see. The tool wasn't designed for use. They just made it available for download so we could all see what a tool would look like if one were available.