Slashdot Mirror
GDI Vulnerabilities: An Open Letter to Microsoft
UnderAttack writes "Tom Liston, the guy that brought us the LaBrea Tarpit, wrote an open
letter to Microsoft regarding the GDI JPEG vulnerability, and Microsoft's scanning tool for this vulnerability, which he calls 'worse then useless'. Tom, who wrote his own scanning tool, ends his letter with 'Please stop treating your customers like idiots and give us information; information that we can use.' Like Tom explains, the official Microsoft scanning tool misses a lot of vulnerable DLL's installed by third parties, and Microsoft fails to explain if these libraries are a problem or not."
Sooooo, how exactly is MS responsible for all 3rd party DLLs?
http://isc.sans.org//diary.php?date=2004-09-26
Handlers Diary September 26th 2004
Updated September 27th 2004 13:11 UTC (Handler: Tom Liston)
GDI Vulnerabilities : An open letter to Microsoft
GDI Vulnerabilities: An open letter to Microsoft
Dear Redmond Folks:
When I was but a wee lad, we lived in a rather large, old house that had, among other charming qualities, a basement that would make even the bravest soul think twice before venturing downstairs. It was cavernous, ill lit, and, quite frankly, always smelled a little funny. My older brother, as older brothers are wont to do, would tell me fantastic stories about why the basement had that odor; generally centering on some unfortunate past resident's demise. I hated that basement.
My parents, in a vain attempt to rid the basement of its malodorous "twang" purchased a dehumidifier which, because there was no electrical outlet anywhere near the floor drain, required emptying on a daily basis.
And, no matter how many times I begged, bribed and pleaded with my older brother, he would somehow know when I was making my daily trek to the basement and, as I was down there trying to pull the heavy bucket out of the dehumidifier, the lights would suddenly snap off, the basement door would slam shut, and I would hear my older brother's voice wafting down from above: "It's cooooooooming..... It's cooooooooming to get you......."
And there I stood: alone in the dark, unknown terrors approaching, armed only with a bucket of water.
Which is, curiously enough, almost exactly the position that Windows users find themselves in today: alone in the dark, unknown terrors approaching, but in their case, having a bucket of water would be an improvement.
MS04-028 is, perhaps, the epitome of bad technical writing -- the literary equivalent of spaghetti code. I've read through it far too many times, and I still understand far too little.
Your "GDI Scanning Tool" is worse than useless. Run it, and it tells you that you "may be vulnerable", and directs you to Windows Update and Office Update. Go to Windows Update and update everything you can find. Go to Office Update and do the same. Run the scanner again, and it tells you that you "may be vulnerable", and directs you to Windows Update and Office Update. Lather, rinse, repeat.
[Which is why the ISC has made GDIScan.exe and GDICLScan.exe available. See http://isc.sans.org/gdiscan.php for details.]
What about those old gdiplus.dll files that we're all finding in our Side-By-Side DLL directories? Are they a problem? Why are you updating sxs.dll? Is there vulnerable code in there, or did you just rig it to avoid using the bad code in older versions of gdiplus.dll? (Hey, if you had asked me years ago, I would have told you that this was a serious problem with your Side-By-Side implementation.)
When a third party vendor wants to distribute a Microsoft DLL with their product, don't they have to get permission from you? Wouldn't there be a list somewhere in Redmond of the third party applications that have distributed vulnerable copies of gdiplus.dll? Can you tell us what they are?
Please stop treating your customers like idiots and give us information; information that we can use.
In other words: Turn on the lights and open the door. We're ready to come back upstairs now.
-TL
Handler on Duty : Tom Liston ( http://www.labreatechnologies.com )
When you need this tool, we will tell you and provide it for you. Until then, please continue buying our other tools.
Bill
In my SUS server at my corporation, I disabled this stupid tool because all it does it pop up with some confusing error message that the end user does not understand. Then they would all just call me asking about a weird popup they got on their screen. I am deploying the windows patch via SUS and the office pack via scripts, so there is nothing for the end user to do anyways.
As soon as I read something like the above the letter goes straight into the circular file.
I'm afraid that Microsoft dosn't know any better, they can't give you what they don't have.
--- No, english is not my mother tongue.
No, MS IS checking third party software, but not updating it, and still warning you about it. And warning you without telling you exactly what is wrong, the worst kind of error message, one that Windows is quite fond of.
My blog. Good stuff (when I remember to update it). Read it.
You don't even need third-party stuff or an application to make it hard under Linux. Typical cycle is: kernel version x comes out in March. It's in a Red Hat release in July. Vulnerability found in September, with an immediate release of version x+1 on kernel.org (which also has a lot of changed/evolved drivers etc.) Red Hat back-patches the fix to version x and makes a new funny version number to signify this. They might include a couple other things from x+1 in the back-patch to version x. Except that the funny redhat version number doesn't signify much to anyone on the surface.
Similar things happen for Red Hat (and other branded linux binary distributions) of Apache, SSL, etc., things that are all quite critical and you'd hope would be crystal-clear as to which patches your version has or doesn't have.
Now finding whether version X of a library or application has a vulnerability patched usually isn't too hard. And Red Hat does a pretty good job of keeping on top, way better than say Microsoft.
Disclaimer: I'm no fan of Microsoft, but I'm not a big fan of Red Hat (or, as I prefer, Head Rat) either (or any binary linux/gnu toolchain/popular application distro for that matter).
...to ignore.
This is my sig. There are many like it but this one is mine.
Dear Tom,
Next time, less cutesiness and more explaining what the fucking point is.
HTL. HAND.
The argument is that these companies need permission from MS, who should then have a master list of who asked for permission and why.
But, I'll bet that MS gives developers permission to distribute these with Visual Studio, which would mean there is no way that MS has a master list--moreover, much of the software may be for internal applications and the developer is long gone.
So, any VB program that does image manipulation may be poetentially vulnerable.
The funny thing is.. no slashdotters are windows users until a cool tool like that NASA world wind one comes up.. then suspiciously its slashdoted. .
Most users ARE idiots. It seems completely appropriate that they should be treated this way. I very much mean this.
Yes, the slashdot crowd and others might do well to receive more information regarding vulnerabilities and fixes for them, but the average user would be overwhelmed.
I once mentioned to a gentleman that the standard encryption on an 802.11b WAP wasn't entirely secure and he panicked. He asked if hackers would steal his credit card and social security numbers. I asked if he ever shopped online or transmitted those numbers across the internet to which he replied emphatically no (he didn't even store them on his computer for that matter). He still did not understand that a "hacker" can not steal his information from a WAP if it was never there in the first place. He promptly switched to using a ethernet based network.
Most people are too stupid to be told even the fisrt thing about security. Better a patch is provided that works and they use it. Seeing as how the patch was not complete in this case, that'd differenty, yet the users should still be treated like morons.
-dave
http://millionnumbers.com/ - own the number of your dreams
Any valid points the author has about the uselessness of the tool, or the general state of affairs with security at Microsoft, are dimished by his pompous attitude and snide remarks.
Why not write a technically detailed letter about the code you find (since he read it so many times) and perhaps offer some constructive alternatives to improve it?
Not only would it be more interesting to read, but they might actually be more willing to consider it.
Okay, everyone. One...More...Time...
RTFA!
I thought the LaBrea Tarpit had been around for millions of years....
I spent about 45 minutes reading docs at MSDN/MSKB trying to find an explicit statement that IE6SP1 on Win98 is vulnerable, and I swear that they don't actually state that fact (explicitly) anywhere! I eventually was able to read between the lines and conclude that Win98 isn't vulnerable, but Win98 + IE6 is, so you should run Windows Update to DL the patch.
Am I certain? No. Like I said, it's very difficult to find answers to very simple questions in their docs sometimes. I especially hate reading their security bulletins because it's like they were written by very technical lawyers who are trying to maintain the illusion of releasing information without actually doing so. As often as is possible, I try wait a day or two for the DHS CERT to issue their bulletins because they do a slightly better job of relaying useful information.
"Lawyers are for sucks."
- Doug McKenzie
Actually, according to TFA, your analogy should be:
"My home-built kit car has a Ford engine. There's a problem with the engine. Ford needs to fix it"
"She's furniture with a pulse"
His letter might as well read:
It seems that Microsoft, for all its blustery and arrogant, dismissive attitudes toward end users, manages to find itself in a quandary. If it releases too much vulnerability information, it could very well help exploits be written at a faster clip; if too little, then it risks being irrelevant. The timing is tricky too in this case.
Another problem, though, may have something to do with the audience. Trying to be "all things to all people" (including less-than-clueful admins), it is likely that they decided to "dumb down" the announcement, in short proclaiming that your computer "may be vulnerable". Some could argue that it is language of FUD, but I would say that they are trying to impress on as many people as possible that this is not just another "critical" update. This one is really, really critical.
I guess I am too smart for my own good... It told me to only check Office update as it seemed to know that I was already up-to-date on the OS side.
So I go over there and download/install the updates. The only problem I saw with it was that I had to supply my Office CDs during the install (and it warned that might include a key -- luckily I had both in close proximity). If MSFT fucks up I shouldn't be the one that has to produce the CDs/Key to fix it. MSFT should happily go about the update without needing either of those two things. They shouldn't be allowed to check for piracy during a security fix.
That's at least how I saw it.
So I was all patched up according to the Windows Update and the Office Update sites and I figured I was done. Maybe I was too smart for my own good?
For a better analogy, Microsoft is refusing to pay Child Support for its bastard child.
Zagreus sits inside your head, Zagreus lives among the dead, Zagreus sees you in your bed and eats you in your sleep.
Has anyone ever sent a closed letter?
Yes, Microsoft should be responsible, when those people who wrote the code using Microsoft dlls are distributing a vulnerable version of the dll. Microsoft approved the distribution of the dll, so they should know who did.
No, MS should not be responsible for fixing code that third parties distributed using their code libraries. Just as no F/OSS code library project should be resonsible for trackind down anyone who might have used their code library.
However, MS should do a better job of making it clear to third party developers that the DLL may be included in their project (often without the knowledge of the project. Visual Studio does a great job of hiding the relevant DLLs that get loaded into a project.) None of the MS advisories on this that I have seen have included any recommendation to developers or consumers that they need to take additional steps after patching their system.
MS should, though, have produced the tool that Tom Liston did. His scanner is 7k. Surely MS could have come up with something like that--and if you run Tom's GDI scanner, you'll note some places where it identifies possible problems. MS would be in a much better position to be know if that is the case and thus able to provide better information.
So, I disagree with what you are faulting MS for, but not the fact that MS should be faulted.
The Microsoft tool also misses several of Microsoft's own products, including the Office Viewers like Word viewer, Excel, Powerpoint, and Visio, all of which are vulnerable to the jpeg vulneraility.
My parents, in a vain attempt to rid the basement of its malodorous "twang" purchased a dehumidifier which, because there was no electrical outlet anywhere near the floor drain, required emptying on a daily basis.
Uh, an extension cord perhaps?
Rule #1 You do not talk bad about Linux Rule #2 You do not talk bad about Linux
... first class on day one, they would cover off not including some pointless story about your childhood home which comprises half of the letter and has absolutely no relivence to the point of the letter, other than to say that windows users are "in the dark".
Don't get me wrong, the letter itself was justified, and the author is right about the tool by microsoft I'm sure. But why is that story in there, to make sure that someone at Microsoft doesn't actually read it?
----- sXe
This just in! Massive security flaw found in microsoft copyrighted code, which lests the hacker take over the users machine:
int main(){
printf("Hello World!");
}
Microsoft recommends heading over the windows update to patch this flaw.
A morning without coffee is like something without something else.
with a letter like Tom wrote, he'd kind of deserve that response. What is he, thirteen? Microsoft will probably push it around in a little circle of their corporate bureaucracy but with little in the way of enthusiasm. How can you not put that letter in the angry, political, CS major pile?
/.'er but come on, even I can an effective letter critical of a companies product. Even as a lame attempt to curry favor with the disaffected masses, it manages to be rambling despite its brevity.
I'm as antisocial as the next
MS has written lots and lots of proza about this vulnerability, but I still don't know how to download the new updated gidplus.dll to redistribute. I've applied the update from windowsupdate.com to my computer, but I guess it would be a good idea to distribute an updated version to our customers. I just can't seem to find it anywhere.
This sig under construction. Please check back later.
It's called an envelope.
Ita erat quando hic adveni.
Anyone else getting this from the current version of Nero:
C:\Program Files\Ahead\Nero Toolkit\gdiplus.dll
Version: 5.1.3097.0 -- Vulnerable version
I'd have been happy if their "list of affected applications" was even remotely accurate. They say Office 2003 and .NET Framework 1.1 were vulnerable, but if you had applied PREVIOUSLY AVAILABLE updates to either of those products, then, in fact, they weren't. Mentioned anywhere in the KB article? Nope, the user has to figure out for themselves that even though they haven't installed any patches for this vulnerability for their products on the "affected" list, they're not actually vulnerable.
Not to mention that their client scanner for the Windows vulnerability didn't even correctly identify vulnerable machines until several days AFTER the initial patch was release.
This was a badly handled security update, even by Microsoft standards. I think Microsoft should start focusing at least SOME of their efforts on some sort of security initiative or something.
Indeed, Netscape, which also uses that code for its JPEG decoding had that flaw (but it was fixed earlier, and of course, it did not make the news nearly as much as this Microsoft issue, owing to its much smaller market share.)
http://www.openwall.com/advisories/OW-002-netscape -jpeg/
There's 10 types of people in this world, those who understand binary and those who don't.
an open letter to microsoft?! wow, that'll show'em.
I've been trying to clean the system from spyware and other mallicious goodies. Finally firefox works with pogo.com so IE is now not in use at all. I managed to find a site that posted ALL of the startup locations for XP. And this has stopped the lurking spyware in the background.
However I'm still looking for a site that can direct me on how to delete the malicious DLL's that are loaded up with IExplore. Anyone have any tips?
I got that message, did everything it said, got the message again, and figured MS was on crack, reporting problems that didn't exist.
It's good to know, instead of them being on crack, they're just failing to actually solve any problems, present any logical ways to solve them yourself, or even tell you exactly what is wrong, but there is actually a problem.
I guess you're supposed to search for the filename you weren't told and check and see if the version is higher than the vulnerable version you weren't told, so you can go and download updates from Microsoft's website at the URL that you weren't told.
It's certainly an interesting defination of 'Automatic Updates'. It's like a giant idiot light for your computer saying CHECK ENGINE, but it says UPDATE SOMETHING.
If corporations are people, aren't stockholders guilty of slavery?
A vulnerability in libjpeg would be a planet-killing event, akin to the Earth being hit by an asteroid the size of Texas. Yet, no vulnerability has been found in over six years since the last release, despite the source code being freely available. Too bad Microsoft apparently decided to write their own decoder.
My home-built kit car has a Ford engine. There's a problem with the engine. Ford needs to fix it
Well, yes. If Ford has a manufacturing defect in their engine, they do need to fix it. In keeping with the analogy, this Ford engine may well reside in a Saleen car.
"We returned the General to El Salvador, or maybe Guatemala, it's difficult to tell from 10,000 feet"
Yes, when my Ford pick-up is having engine trouble, I always drive it to the nearest Harley Davidson to get it fixed.
You might if it was a Harley manufactured component that was failing.
Or, more accurately, if you have a Ford car which you've installed a Kenwood stereo in, but that stereo uses a special Ford component to integrate with the car; then if that component failed, who would you expect to fix it?
Learn how to spell!
I think "learn how to cut-n-paste" would be the appropriate admonition.
I am not a crackpot.
I have serious doubts that this 'open letter' will draw a response of any kind from our pals at Microsoft. If it takes more than 15 seconds to get to the point, it's going to get scanned in Redmond. I have heard repeatedly of management and strategic meetings (particularly those run by contracts, vendors or other "outsiders") wherein people will simply stand up and walk out if they aren't implicated in the first two minutes. The travails of a boy terrorized by a sibling won't keep a busy exec from his IM session with the Portuguese yacht firm that's fitting out his troller. Live and learn, eh? Too bad though, it's really a rather compelling tale of deceit and greed. I wasn't expecting the part at the end about the snake.
"The Borba"
And, to nitpick even yet still further, a dash is typically typed as two hypens -- but I'm sure you knew that.
Intentionally spreading FUD about their _own_ products?
Actually, I was trying to be Insightful, not Funny.
he said he likes purple flowers with sprnkles on top.
See Sig! See Sig Zig! Zig Sig Zig!!!!!
Open Letter to Micr0$haft, I had a basement which smelt, and my brother would lock me in and yell at me saying: "It's cooooooooming..... It's cooooooooming to get you.......". And there I stood: alone in the dark, unknown terrors approaching, armed only with a bucket of water. This is exactly like Windows. I can't read your code because it is spaghetti code. Your "GDI Scanning Tool" is worse than useless. stop treating your customers like idiots. Windows sucks, I hate you x 10, -TL
I have a dumb question. I admit it's a dumb question, because I've spent the last twenty years of my career working with non-Microsoft operating systems and products. The answer may be obvious to someone with that kind of experience, but not to me. So here goes:
Why the hell are there multiple copies of the same, critical, shared system library floating around on the machine?
See, where I come from, you have one copy of shared system libraries -- the latest one, with all the latest patches. This library is fully backward-compatible with all its predecessors. Further, the shared system libraries are all in the same place, so you know where to go looking to drop in updates or, if needs be, regressions. (On very, very rare occasions, there'll be a copy of a specific version living alongside the (by definition, broken) application that needs it.) This approach leads to clean system maintenance and ensures that all applications are using the same, up-to-date, best performance, most secure version of the system libraries.
So why is Windows different? Why are there a zillion copies of GDI+ laying around? And why would you want it that way?
Schwab
Editor, A1-AAA AmeriCaptions
No, software should work AND look pretty. Just because form follows function doesn't mean it should be completely disregarded.
And why cant they enforce a piracy check on EVERY update? Eventually they will anyway..
.. 2 day grace period for weekends, and without it, we couldn't do business.. no alternative choices).. It also required admin rights, so once a month I had to login to the damned machine and do the process, manually.. And god help you if you need to reinstall... what a nightmare..
its their software, they can make it expire each month and force you to renew.. Don't laugh, I had to deal with software like that.. every month it had to phone home to verify we were current with our nearly 1000$ a month maintenance contract.. or it would die.
That said, it *would* be annoying to have microsoft do this, and might be a problem with enterprise installs. prompting users for things they shouldn't know..
But hey, make it too hard to use their products, people will start looking for alternatives..
---- Booth was a patriot ----
I am surprised that Microsoft does not do what Linux does and have a common DLL provide all the JPEG functionality. At least in Linux, most, if not all apps, use libjpeg.so.
Fixing a problem like this in Linux is trivial. Only libjpeg needs to be patched, and automagically, all apps that depend on that library are also rendered invulnerable.
We saw this with png and other shared libraries. Also, offering many of these common libraries as DLLs helps reduce code bloat since every app no longer needs to reinvent the wheel.
This post is encrypted twice with ROT-13. Documenting or attempting to crack this encryption is illegal.
My college classmates and I had a term for this. We called them "flashy people". As you described them, they're the people who value looks over functionality. There's a small bit of play on words with Flash there, too, since flashy people (usually a part of management and/or graphics design) are the ones responsible for demanding the Flash animations for a corporate/product page that prevent a more straightforward display of content.
kulakovich
What's the procedure for updating third party gdi installations?
And at a fundamental issue, why does my system need multiple copies of this gdiplus library? Isn't the whole purpose of DSOs to avoid needing multiple copies?
He just needed to patch his brother.
I think he could have used an extension cord and the bucket of water...
Randy.Flood@RHCE2B.COM
One word.
Guess which word.
Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
CERT and Bugtraq also MUST be shutdown if users don't use this info. Might as well just write the software authors when a bug is found. Quiet-like. MS would approve."
The problem with this scenario is that exploits would be less public, and more private and nasty. No public pressure to fix. Those who wanted to protect themselves really couldn't.
The bulk may be [l]users, but the few who are not drive the business, and to some extent, protect everyone.
Hi Tom,
I remember back in the day when I used to rat-race CAT's just for jollies and hack on CP/M systems for the money. Those were good times.
But, frankly, as I have aged, a couple of things have come up: one, I know have a helluva' property-tax to get out of...er... pay, yeah, pay. And you think we can send all those poor kids in Africa medicine with cheap software? No sir, buckeroo, it requires a lot of dough.
As for treating our customers "like idiots", I take umbrage at the remark. We treat everyone exactly the same. No favoritism. Except for Michael.
We have responded to the problem. After all, we have said security is job #1. Well, actually, we said profits, didn't we? Okay, let's call it job #2. Or maybe #3? We can't forget all those poor African children. Or do you have something against African children, now?
Again, I hope for the best for you. Perhaps this is merely a subject you and I can agree to disagree.
Your pal,
Bill
IANAL, but I've seen actors play them on TV
It's a tough job if you want the absolute highest currently available level of security.
The Linux problems that get found (and usually fixed within a very short time indeed) are mostly theoretical vulnerabilities that nobody would even bother to report on Windows. For example, last month there was a vulnerability (now fixed) that could, theoretically, enable an ordinary user to get root access.
Nobody would ever report a flaw like this in Windows, because everybody knows it is trivial to do on Windows. (E.g. the shatter attacks.)
For reasons like this, any reasonably recent Linux distro is more secure than the latest patched version of Windows.
Did a file search and found 13 *gdi*.ddl files on my XP Home + SP2 system. Liston's scanning program reported the following warnings:
* \G diPlus.dll
* \G diPlus.dll
C:\Program Files\RecordNow!\gdiplus.dll
Version: 5.1.3097.0 -- Vulnerable version
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus
Version: 5.1.3097.0 -- Possibly vulnerable (Windows Side-By-Side DLL)
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus
Version: 5.1.3101.0 -- Possibly vulnerable (Windows Side-By-Side DLL)
To-do List: Receive telemarketing call during a tornado warning. Check.
No, this is incorrect. MS is not checking 3rd party software and warning the user. MS is only checking MS software, but not all MS software on the computer, and then giving a message that, for instance, MS Office 2003 may be vulnerable and that you should update via this link (insert link to office update). However, after getting there, you may scan for updates and see that there are none. Running the GDI scan will give you the same message.
MS' GDI vulnerability scan tool does not mention 3rd party software.
The truth doesn't care what I think.
Microsoft PPL think we're idiots because they're idiots, too. They can't seem to distinguish that there are VARIOUS KINDS of users. Dummies, informed, advanced, experts, and superpower users.
They may not want to confuse a user with bloated information he doesn't need. But they should provide the info for us advanced users, anyway!
Wouldn't you like in MS apps to give you access to "advanced" information when you click a button?
i.e.
BEFORE: "The current application has terminated abnormally"
(advanced)
AFTER: "The current application, process executed by filename.exe tried to read at address xyz. This address is currently in use by process mnop."
Or in this particular case
"The following DLL's were found defective:
c:\program files\yaddayadda\yatta\gdiplus.dll" which was installed as part of application "Yatta Plus!".
(Finishes list)
Do you want to?
a) Replace defective dll's with fixed ones whenever possible
b) Delete defective dll's and render applications unusable (but safe)
c) Nothing.
Hey, how about other vulnerabilities in the MS knowledge base?
"A vulnerability has been found that permits a user take control of the system" (Hey, big deal! We already know that. Why don't they tell us:
"A workaround would be to disable X and Y service from windows XP. Click here for more info."
The same when i accidentally delete some file that is used by the system (hey i didn't know netmeeting was required!)
I only get something like:
"Warning! You idiot deleted some critical file. Insert the CD before the next reboot OR ELSE!"
Instead of:
"You deleted critical file xxxxxxx.yyy. Please insert the CD, or try to specify an alternative directory.
This is something that's ALWAYS bothered me. That Windows takes ALL the decisions for me.
According to NTBugtraq's article, TiVo has software package that allows a user to setup an Image and Audio server on their PC. When connected to the same LAN as the TiVo it allows the image and audio files to be viewed on a TV via the TiVo DVR. The software uses gdiplus.dll file that has a JPEG parsing engine.
Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
and just buy your standard Windows GDI implementation from a different vendor that is more responsive to your needs and more willing to negotiate and work with you on cost discounts for flaws in their product.
I mean, isn't that what you're supposed to do when a supplier feeds you something substandard?
"Provided by the management for your protection."
... really seemed to be a lot more about his parents' basement than the Microsoft jpeg vulnerability.
"Stop throwing the Constitution in my face, it's just a goddamned piece of paper!" - George W. Bush Nov. 2005
Hold on a second.
1.) Microsoft is somehow responsible for all third-party DLLs on a system. Their scanner must contain a self-sufficient, learning AI that just "knows" which DLLs to scan on any system in existence.
Scan them all. Does a good virus scanner only scan the files it installed?
2.) Mozilla was affected by this same vulnerability, but it's okay because it's Mozilla and not Microsoft.
Mozilla's vulnerability was, afaik, only for local files. Even so, mozilla didn't put out a scanner that scanned a few select shared libraries, and then declared that you did or did not need updates for your system.
Beyond that, if I find out that my Windows version of "The Gimp" is also vulnerable, I know enough to go to the author of that program and find a patch.
If, on the other hand, 'The Gimp' told me that GTK may be vulnerable, and the 'GTK' folks told me that 'The Gimp' may be vulnerable, I would surely be the first person to stand up and write a singularly upset letter to those projects.
On the other hand, I didn't pay $199 per copy of "The Gimp" and, as a condition of my use of said software, it clearly tells me that I am free to modify the code to my liking. Thus, I don't feel that "The Gimp" and the "GTK" projects owe me merchantability. Microsoft (on the other hand) I do feel owes me - at least - merchantability to perform as advertised...
So long as Microsoft can fix the issues that are theirs (as opposed to point me in a circle), I have no qualms with spending more of my fine earned money to them for a really nice gaming OS.
Kinetic stupidity has a new brand leader: Allen Zadr.
Until Microsoft become a profit organisation rather than a tax-harvesting one, then they get all the stick they deserve.
Thankyou,
h
Patriotism is a virtue of the vicious
As for the "we're not the only ones" plea, this is not a very adult response to any form of critique.
On the other hand, I didn't pay $199 per copy of "The Gimp" and, as a condition of my use of said software, it clearly tells me that I am free to modify the code to my liking. Thus, I don't feel that "The Gimp" and the "GTK" projects owe me merchantability. Microsoft (on the other hand) I do feel owes me - at least - merchantability to perform as advertised...
This is also my final point of contention when people attack the security vulnerabilities in open source software.
I didn't pay $200 for it, I can assume responsibility for keeping it patched and secure. But jay-HEE-zus, if I pay $200 for something, I expect them to fix it before every script kiddie with a Google hit can poison it!
+++ATHZ 99:5:80
If anybody knows anything about sticky situations, it's gonna be this guy.
Real programmers can write assembly code in any language. -- Larry Wall
2.) Mozilla was affected by this same vulnerability, but it's okay because it's Mozilla and not Microsoft.
Although I have no familiarity with Mozilla's architecture, I have a suspicion that it was written using Microsoft's libraries that deal with the GDI. Sorry if I'm wrong, but if Mozilla exhibits a bug that's the fault of the underlying OS (or an extension/API/whatever thereof), would it be Mozilla's problem, or the underlying OS?
I pity the foo that isn't metasyntactic
Why would upgrading an application also upgrade a shared system library at the same time? If the application needs the later library version, then the system needs upgrading as well (and probably a good thing, too). Only the system vendor, or the user by direct action, should be messing about in the system directories. Applications shouldn't be fscking around in there at all. If they do, then the result is guaranteed to be a complete and utter mess. (This is obvious, right?)
Further, why would upgrading a shared system library break older applications? If the new library isn't backward-compatible, then the library vendor did The Wrong Thing. This can admittedly be a bit dicey when you've fixed a legitimate bug in the library, and dependent applications break. By definition, the applications were broken for relying on broken behavior, but sometimes pragmatism has to win out. However, if you have a well-designed method for establishing library entry points, you can mitigate this problem by just reassigning vectors (new apps bind to the new, fixed vector; and old apps get the old vector, whose bugs are emulated for no more than two major releases).
Schwab
Editor, A1-AAA AmeriCaptions
What does being a monopoly have anything to do with some vulnerability scanner? Tell me, what exact rules are "different?" You can't, because it was a vague, irrelevant statement that has nothing to do with this. You didn't refute any points.
Was it okay that Mozilla's bug was marked "confidential" for five years?
I read the letter. It still doesn't refute the point that Microsoft doesn't have to scan for every third-party DLL installed on the system. That's the same thing as blaming Microsoft when people don't patch their systems. Anything to bash Microsoft on this OSTG-owned website (interesting, isn't it?).
Incidentally, no, a company DOESN'T have to get permission to distribute a Microsoft DLL with their software. Get it? Hell, have you even used Visual Studio? It ships with almost all of them. But, why summon common sense and logic when we can post an emotive "open letter to Microsoft" on the front pages of an OSTG-owned geek site?
As for the "...but Mozilla is vulnerable too!" defence, Yes I imagine Mozilla on Windows certainly is.
No need to "imagine"--Mozilla on all platforms was vulnerable.
As for the "we're not the only ones" plea, this is not a very adult response to any form of critique.
Who is "we?" Oh, I see, an implication that I'm a Microsoftie. That's not a very adult response, either. Incidentally, such a response is used constantly on Slashdot to justify OSS flaws. "At least we're not like Microsoft!"
Mozilla doesn't use Microsoft's DLLs. The Mozilla problem was their fault, and affected all platforms.
Can you write a tool to scan an entire drive for a particular, static DLL? Can it be replaced by a patched version in all instances?
Simple answer: "Yes".
I fail to see where you get the idea that this is a "third party" DLL. It is a DLL redistributed by a third party. It is still one static piece of code.
It is still owned by Microsoft not the ever evil "third parties" that link their programs to it.
Responsibility for this code lies with the owner, the same as it does for any code.
I, personally, don't care who runs the site.
If the facts are clear, the source is immaterial.
I frequently use info from the MSKB site. Does that make me "anti-linux" or "anti-Mac"?
No, that would give me a very narrow point of view.
is that Microsoft should have made this app look for and identify any copies of the vulnerable windows components (including GDIPLUS) stored anywhere on the system. Then there should be a simple way to get the latest version and replace the old copy with it.
:P
Course, that then results in dll hell because breaks with the new version which is why they shipped the old version in their app folder in the first place
nt
Try Corewar @ www.koth.org - rec.games.corewar
Scan all the DLLs ... dude, have you worked with DLLs at all? What exactly do you expect Microsoft to do ... scan the whole hard disk for anything matching *.DLL and try throwing JPEG at all the functions inside of it and see if exhibits the behavior matching the exploit?
mod parent up.
1.) Microsoft is somehow responsible for all third-party DLLs on a system. Their scanner must contain a self-sufficient, learning AI that just "knows" which DLLs to scan on any system in existence.
Yes, this makes perfect sense because the GDI detection tool and surrounding infrastructure as it stands now is so perfect that to enhance it one iota (say, by having it actually do something useful) would be to make it impossibly perfect.
Every time the darn thing runs it merely says you *may be vulnerable* and as far as I can tell it doesn't every do anything else. I've written "Hello World" applications with more pragmatic value. Not only that, but you run it on a Windows XP SP2 system, and then go to MS' website and find out that the tool can do you *no good* and should never have been downloaded because WinXP SP2 is not vulnerable to this problem!! (Or at least, not in a way fixable by this tool)
In my last WinXP SP2 full install, this was a major "head scratcher" I had getting the system up and running. Why would they ask me to download and run a tool that can't possibly do my version of Windows any good? (Only now am I beginning to realize this makes a twisted sense because the tool does my computer as much good as any other...none.) Or, perhaps there's more to the GDI exploit story. But where the heck is the more? Somebody at Microsoft really fell down on this one.
2.) Mozilla was affected by this same vulnerability, but it's okay because it's Mozilla and not Microsoft.
Fixed in Mozilla 1.4.1 In October of 2003. Not even a speedbump, just another patch in the quilt.
3.) When Mozilla's XUL bug was marked "Confidential" since 1999 only to be revealed earlier this year when exploits came out for it, that's okay too. There won't be any "open letters" to Mozilla over it, because it's Mozilla and not Microsoft.
Ya, that was a cover-up worthy of a major corporation... Not the greatest thing to do, but I don't see what this has to do with the current story. (Ie: What does keeping exploits secret have to do with really lousy exploit detection/resolution tools?)
What a totally worthless thing to do.
Let's write a completely nonpolitic letter to Microsoft and see if they respond.
Hello? The way to change things is to convince MS that their policies are incorrect, not blaspheme and curse at them. They'll just ignore such letters as hatemail, the same way you or I would.
Ok so MS's scanner, tells me I may be vulnerable ... run updates, run scanner again ... still tells me I may be vulnerable, and their "Tool" did nothing to help me. Great!
So now I run this scanner which actually tells me what files may be vulnerable, fantastic! Knowing is half the battle, but now what about the other half like actually fixing the problem?
How do I patch these files? Can I just copy over all affected gdiplus.dll's with good ones? What about the other files it detectes? Do I need to get patches? if so where from? each software manufacturer? If these all came from MS can't they just patch them all and not a few here and there ?
So in the meantime should I just avoid all jpg's and just duck and cover or what?
no slashdotters are windows users until a cool tool like that NASA world wind one comes up
Two words..
Employer Supplied
The truth shall set you free!
Bleeping Computer recently published a tutorial on how to use this program and interpret its results. You can find it here: http://www.bleepingcomputer.com/forums/topict3077. html
Any standard that imposes criminal penalties for software bugs will apply to open source just as it applies to closed source. So if you want criminal charges for a bug that goes unpatched for a certian amount of time or allows full access and so on, be ready to see OSS programers getting charged as well. OSS is NOT free of exploits. They crop up from time to time, even in seemingly safe places, like libpng. Firefox had a XUL venurability that allowed a fake webpage to be creatd that appeared real and secure (/. ran a story on it). It sat unfixed for over a year before someone finally made a practical demonstration of it.
The other problem is that basically every exploit results from using the software in a manner in which it was not designed. Well cars have MANY exploits like that. If you run your car in to a wall at 100kph, you will destroy it and likely kill yourself. This is a known problem with cars, and one that manufacturers take no steps to fix. However it is not how you are supposed to use a car. Coputer exploits are likewise. You are not supposed to send a large amount of meaningless data to an input in an attempt to overflow it's buffer.
So, really, trying to claim that exploits for software should be criminal is just silly and really would stick it to open source. People mistakenly think that because it's free the law wouldn't apply. Nope. If you buy bottled water that is harmful, the company that sold it to you is civily and perhaps criminaly liable. If I provide you with a free glass of water that is harmful to you I am also civily and perhaps criminaly liable. The fact that I'm one guy doing it for free changes nothing.
So if you advocate fines/jail for software bugs, just remember you are advocating it against OSS as well.
But the article clearly states, and the post, that they (ISC) have written a useful gdiscan tool.
He's pretty much stating that more intellegent information than "might be/might not, who knows, we don't" and then, certainly for the (hopefully) capable system administrators, something can be done. Better information for the novice even, other than "Wotcha".. something about how, why and should you be afraid, be very afraid?
He's simply remarking on the fear that this induces in a novice, and the lack of info and a decent solution for the more capable users. So if the non-microsoft guy (him/them) can write a better fix, surely the MS team should, given they wrote the DLL in the first place.
If you think you're some sort of modern version of the Renaissance Man, think again. No human being alive today can master more than a fraction of the knowledge available; the days of being a jack of all trades are long past.
And that includes you.
Max
My god carries a hammer. Your god died nailed to a tree. Any questions?
What an absolutely asenine letter - The author addresses an inportant issue and clouds it with useless analogy - The style of the letter screams "please ignore me, these are the ramblings of someone who should not be taken seriously" - This is a shame, since he eventually makes a very good point - S/N ratio is way too low for this to be a useful letter
"When a third party vendor wants to distribute a Microsoft DLL with their product, don't they have to get permission from you?"
No.
"Wouldn't there be a list somewhere in Redmond of the third party applications that have distributed vulnerable copies of gdiplus.dll?"
No.
"Can you tell us what they are?"
You tell me....
Scan all the DLLs ... dude, have you worked with DLLs at all? What exactly do you expect Microsoft to do ... scan the whole hard disk for anything matching *.DLL and try throwing JPEG at all the functions inside of it and see if exhibits the behavior matching the exploit?
This is a joke, right? Do you think that's how virus scanners work, too? If they want to see if a DLL contains a copy of the JPEG code, they scan for a fingerprint. They pick a section of the binary JPEG library that is long enough to be useful to scan for, and they look for that. They could also scan for some known strings that appear in the library (like the version string).
It's even easier if the DLL is dynamically-linked to some known JPEG DLLs.
I Run GDIScan, I see: C:\Program Files\Macromedia\Dreamweaver MX 2004\gdiplus.dll Version: 5.1.3097.0 -- Vulnerable version I go to Macromedia, NOTHING THERE! So WTF am I supposed to do? It's all wonderful you guys want to throw bricks at M$, but perhaps someone can actually tell a poor, non-programmer, what the hell to actually do to protect my system. And the first one that says use Linux gets modded to -1000(asshat)
What I don't know I just fake...