Slashdot Mirror
GDI Vulnerabilities: An Open Letter to Microsoft
UnderAttack writes "Tom Liston, the guy that brought us the LaBrea Tarpit, wrote an open
letter to Microsoft regarding the GDI JPEG vulnerability, and Microsoft's scanning tool for this vulnerability, which he calls 'worse then useless'. Tom, who wrote his own scanning tool, ends his letter with 'Please stop treating your customers like idiots and give us information; information that we can use.' Like Tom explains, the official Microsoft scanning tool misses a lot of vulnerable DLL's installed by third parties, and Microsoft fails to explain if these libraries are a problem or not."
Sooooo, how exactly is MS responsible for all 3rd party DLLs?
http://isc.sans.org//diary.php?date=2004-09-26
Handlers Diary September 26th 2004
Updated September 27th 2004 13:11 UTC (Handler: Tom Liston)
GDI Vulnerabilities : An open letter to Microsoft
GDI Vulnerabilities: An open letter to Microsoft
Dear Redmond Folks:
When I was but a wee lad, we lived in a rather large, old house that had, among other charming qualities, a basement that would make even the bravest soul think twice before venturing downstairs. It was cavernous, ill lit, and, quite frankly, always smelled a little funny. My older brother, as older brothers are wont to do, would tell me fantastic stories about why the basement had that odor; generally centering on some unfortunate past resident's demise. I hated that basement.
My parents, in a vain attempt to rid the basement of its malodorous "twang" purchased a dehumidifier which, because there was no electrical outlet anywhere near the floor drain, required emptying on a daily basis.
And, no matter how many times I begged, bribed and pleaded with my older brother, he would somehow know when I was making my daily trek to the basement and, as I was down there trying to pull the heavy bucket out of the dehumidifier, the lights would suddenly snap off, the basement door would slam shut, and I would hear my older brother's voice wafting down from above: "It's cooooooooming..... It's cooooooooming to get you......."
And there I stood: alone in the dark, unknown terrors approaching, armed only with a bucket of water.
Which is, curiously enough, almost exactly the position that Windows users find themselves in today: alone in the dark, unknown terrors approaching, but in their case, having a bucket of water would be an improvement.
MS04-028 is, perhaps, the epitome of bad technical writing -- the literary equivalent of spaghetti code. I've read through it far too many times, and I still understand far too little.
Your "GDI Scanning Tool" is worse than useless. Run it, and it tells you that you "may be vulnerable", and directs you to Windows Update and Office Update. Go to Windows Update and update everything you can find. Go to Office Update and do the same. Run the scanner again, and it tells you that you "may be vulnerable", and directs you to Windows Update and Office Update. Lather, rinse, repeat.
[Which is why the ISC has made GDIScan.exe and GDICLScan.exe available. See http://isc.sans.org/gdiscan.php for details.]
What about those old gdiplus.dll files that we're all finding in our Side-By-Side DLL directories? Are they a problem? Why are you updating sxs.dll? Is there vulnerable code in there, or did you just rig it to avoid using the bad code in older versions of gdiplus.dll? (Hey, if you had asked me years ago, I would have told you that this was a serious problem with your Side-By-Side implementation.)
When a third party vendor wants to distribute a Microsoft DLL with their product, don't they have to get permission from you? Wouldn't there be a list somewhere in Redmond of the third party applications that have distributed vulnerable copies of gdiplus.dll? Can you tell us what they are?
Please stop treating your customers like idiots and give us information; information that we can use.
In other words: Turn on the lights and open the door. We're ready to come back upstairs now.
-TL
Handler on Duty : Tom Liston ( http://www.labreatechnologies.com )
When you need this tool, we will tell you and provide it for you. Until then, please continue buying our other tools.
Bill
In my SUS server at my corporation, I disabled this stupid tool because all it does it pop up with some confusing error message that the end user does not understand. Then they would all just call me asking about a weird popup they got on their screen. I am deploying the windows patch via SUS and the office pack via scripts, so there is nothing for the end user to do anyways.
No, MS IS checking third party software, but not updating it, and still warning you about it. And warning you without telling you exactly what is wrong, the worst kind of error message, one that Windows is quite fond of.
My blog. Good stuff (when I remember to update it). Read it.
You don't even need third-party stuff or an application to make it hard under Linux. Typical cycle is: kernel version x comes out in March. It's in a Red Hat release in July. Vulnerability found in September, with an immediate release of version x+1 on kernel.org (which also has a lot of changed/evolved drivers etc.) Red Hat back-patches the fix to version x and makes a new funny version number to signify this. They might include a couple other things from x+1 in the back-patch to version x. Except that the funny redhat version number doesn't signify much to anyone on the surface.
Similar things happen for Red Hat (and other branded linux binary distributions) of Apache, SSL, etc., things that are all quite critical and you'd hope would be crystal-clear as to which patches your version has or doesn't have.
Now finding whether version X of a library or application has a vulnerability patched usually isn't too hard. And Red Hat does a pretty good job of keeping on top, way better than say Microsoft.
Disclaimer: I'm no fan of Microsoft, but I'm not a big fan of Red Hat (or, as I prefer, Head Rat) either (or any binary linux/gnu toolchain/popular application distro for that matter).
The argument is that these companies need permission from MS, who should then have a master list of who asked for permission and why.
But, I'll bet that MS gives developers permission to distribute these with Visual Studio, which would mean there is no way that MS has a master list--moreover, much of the software may be for internal applications and the developer is long gone.
So, any VB program that does image manipulation may be poetentially vulnerable.
The funny thing is.. no slashdotters are windows users until a cool tool like that NASA world wind one comes up.. then suspiciously its slashdoted. .
Most users ARE idiots. It seems completely appropriate that they should be treated this way. I very much mean this.
Yes, the slashdot crowd and others might do well to receive more information regarding vulnerabilities and fixes for them, but the average user would be overwhelmed.
I once mentioned to a gentleman that the standard encryption on an 802.11b WAP wasn't entirely secure and he panicked. He asked if hackers would steal his credit card and social security numbers. I asked if he ever shopped online or transmitted those numbers across the internet to which he replied emphatically no (he didn't even store them on his computer for that matter). He still did not understand that a "hacker" can not steal his information from a WAP if it was never there in the first place. He promptly switched to using a ethernet based network.
Most people are too stupid to be told even the fisrt thing about security. Better a patch is provided that works and they use it. Seeing as how the patch was not complete in this case, that'd differenty, yet the users should still be treated like morons.
-dave
http://millionnumbers.com/ - own the number of your dreams
Any valid points the author has about the uselessness of the tool, or the general state of affairs with security at Microsoft, are dimished by his pompous attitude and snide remarks.
Why not write a technically detailed letter about the code you find (since he read it so many times) and perhaps offer some constructive alternatives to improve it?
Not only would it be more interesting to read, but they might actually be more willing to consider it.
I spent about 45 minutes reading docs at MSDN/MSKB trying to find an explicit statement that IE6SP1 on Win98 is vulnerable, and I swear that they don't actually state that fact (explicitly) anywhere! I eventually was able to read between the lines and conclude that Win98 isn't vulnerable, but Win98 + IE6 is, so you should run Windows Update to DL the patch.
Am I certain? No. Like I said, it's very difficult to find answers to very simple questions in their docs sometimes. I especially hate reading their security bulletins because it's like they were written by very technical lawyers who are trying to maintain the illusion of releasing information without actually doing so. As often as is possible, I try wait a day or two for the DHS CERT to issue their bulletins because they do a slightly better job of relaying useful information.
"Lawyers are for sucks."
- Doug McKenzie
Actually, according to TFA, your analogy should be:
"My home-built kit car has a Ford engine. There's a problem with the engine. Ford needs to fix it"
"She's furniture with a pulse"
His letter might as well read:
For a better analogy, Microsoft is refusing to pay Child Support for its bastard child.
Zagreus sits inside your head, Zagreus lives among the dead, Zagreus sees you in your bed and eats you in your sleep.
Has anyone ever sent a closed letter?
Yes, Microsoft should be responsible, when those people who wrote the code using Microsoft dlls are distributing a vulnerable version of the dll. Microsoft approved the distribution of the dll, so they should know who did.
No, MS should not be responsible for fixing code that third parties distributed using their code libraries. Just as no F/OSS code library project should be resonsible for trackind down anyone who might have used their code library.
However, MS should do a better job of making it clear to third party developers that the DLL may be included in their project (often without the knowledge of the project. Visual Studio does a great job of hiding the relevant DLLs that get loaded into a project.) None of the MS advisories on this that I have seen have included any recommendation to developers or consumers that they need to take additional steps after patching their system.
MS should, though, have produced the tool that Tom Liston did. His scanner is 7k. Surely MS could have come up with something like that--and if you run Tom's GDI scanner, you'll note some places where it identifies possible problems. MS would be in a much better position to be know if that is the case and thus able to provide better information.
So, I disagree with what you are faulting MS for, but not the fact that MS should be faulted.
The Microsoft tool also misses several of Microsoft's own products, including the Office Viewers like Word viewer, Excel, Powerpoint, and Visio, all of which are vulnerable to the jpeg vulneraility.
My parents, in a vain attempt to rid the basement of its malodorous "twang" purchased a dehumidifier which, because there was no electrical outlet anywhere near the floor drain, required emptying on a daily basis.
Uh, an extension cord perhaps?
Rule #1 You do not talk bad about Linux Rule #2 You do not talk bad about Linux
... first class on day one, they would cover off not including some pointless story about your childhood home which comprises half of the letter and has absolutely no relivence to the point of the letter, other than to say that windows users are "in the dark".
Don't get me wrong, the letter itself was justified, and the author is right about the tool by microsoft I'm sure. But why is that story in there, to make sure that someone at Microsoft doesn't actually read it?
----- sXe
MS has written lots and lots of proza about this vulnerability, but I still don't know how to download the new updated gidplus.dll to redistribute. I've applied the update from windowsupdate.com to my computer, but I guess it would be a good idea to distribute an updated version to our customers. I just can't seem to find it anywhere.
This sig under construction. Please check back later.
Anyone else getting this from the current version of Nero:
C:\Program Files\Ahead\Nero Toolkit\gdiplus.dll
Version: 5.1.3097.0 -- Vulnerable version
Indeed, Netscape, which also uses that code for its JPEG decoding had that flaw (but it was fixed earlier, and of course, it did not make the news nearly as much as this Microsoft issue, owing to its much smaller market share.)
http://www.openwall.com/advisories/OW-002-netscape -jpeg/
There's 10 types of people in this world, those who understand binary and those who don't.
Intentionally spreading FUD about their _own_ products?
Actually, I was trying to be Insightful, not Funny.
I have a dumb question. I admit it's a dumb question, because I've spent the last twenty years of my career working with non-Microsoft operating systems and products. The answer may be obvious to someone with that kind of experience, but not to me. So here goes:
Why the hell are there multiple copies of the same, critical, shared system library floating around on the machine?
See, where I come from, you have one copy of shared system libraries -- the latest one, with all the latest patches. This library is fully backward-compatible with all its predecessors. Further, the shared system libraries are all in the same place, so you know where to go looking to drop in updates or, if needs be, regressions. (On very, very rare occasions, there'll be a copy of a specific version living alongside the (by definition, broken) application that needs it.) This approach leads to clean system maintenance and ensures that all applications are using the same, up-to-date, best performance, most secure version of the system libraries.
So why is Windows different? Why are there a zillion copies of GDI+ laying around? And why would you want it that way?
Schwab
Editor, A1-AAA AmeriCaptions
No, software should work AND look pretty. Just because form follows function doesn't mean it should be completely disregarded.
I am surprised that Microsoft does not do what Linux does and have a common DLL provide all the JPEG functionality. At least in Linux, most, if not all apps, use libjpeg.so.
Fixing a problem like this in Linux is trivial. Only libjpeg needs to be patched, and automagically, all apps that depend on that library are also rendered invulnerable.
We saw this with png and other shared libraries. Also, offering many of these common libraries as DLLs helps reduce code bloat since every app no longer needs to reinvent the wheel.
This post is encrypted twice with ROT-13. Documenting or attempting to crack this encryption is illegal.
Beyond that, if I find out that my Windows version of "The Gimp" is also vulnerable, I know enough to go to the author of that program and find a patch.
If, on the other hand, 'The Gimp' told me that GTK may be vulnerable, and the 'GTK' folks told me that 'The Gimp' may be vulnerable, I would surely be the first person to stand up and write a singularly upset letter to those projects.
On the other hand, I didn't pay $199 per copy of "The Gimp" and, as a condition of my use of said software, it clearly tells me that I am free to modify the code to my liking. Thus, I don't feel that "The Gimp" and the "GTK" projects owe me merchantability. Microsoft (on the other hand) I do feel owes me - at least - merchantability to perform as advertised...
So long as Microsoft can fix the issues that are theirs (as opposed to point me in a circle), I have no qualms with spending more of my fine earned money to them for a really nice gaming OS.
Kinetic stupidity has a new brand leader: Allen Zadr.
As for the "we're not the only ones" plea, this is not a very adult response to any form of critique.