MS Patch Train Leaves the Station
per1176 writes "Microsoft has released 10 advisories to cover a dozen security vulnerabilities, including a "critical" cumulative update for the Internet Explorer browser. The IE fix corrects a remote code-execution vulnerability that exists due to the way the browser handles PNG (Portable Network Graphics) files."
That's hilarious, because IE barely supports PNGs at all, but they apparently are vulnerable to them nonetheless. If you don't know of the png problem, they just don't display the colors right and/or won't do transparencies right at all.
-Jesse
Nothing says "unprofessional job" like wrinkles in your duct tape.
After the jpg incident, wouldn't you tend to look at the code handling other image formats for similar problems? Guess not.
Okay, I'm not familiar with IE's internals. But I still cannot understand how you'd introduce a remote execution vulnerability into "get PNG bits, arrange bits for display system" unless you were *trying* for that. Yeah, I know you have to allocate memory for the PNG, and I understand the problem probably comes from an overflow of that, but still, it makes me wonder just how badly written this stuff must be.
You do realize the Linux kernel is heavily dependent upon patches.
I thought they might have fixed the png transparency bug, which was reported to them eight years ago... but no... just a buffer overflow.
exists due to the way the browser handles PNG (Portable Network Graphics) files."
/frustrated by lazy programmers
Hmm... Buffer overflow maybe?
Buffer overflow is an amateur mistake. Check your god damn code.
The amount of "CPU time" "Windows users" spend patching holes is a few minutes every month. And get off your high horse, here: while Linux distros provide updates for a more comprehensive range of apps, it's also the case that you have to download far more (in terms of raw megabytes) far more often. I'm willing to bet right now that, timing from the release of FC3, FC3 has required more and bigger updates than Windows.
I'll never forget the time, earlier this year in fact, when Mandrake provided a security "update" for the kernel (you may remember the much-publicized privilege escalation vulnerability around the end of last year). This "patch" consisted of the whole kernel source (maybe 40MBs of it) which you would have to manually compile and install (no nice binary rpm, here). With this one single update, Mandrake users have exceeded the "CPU time" required for a few months of Windows updates. And let's not forget the hefty kdelibs security updates, which basically amount to downloading the whole of kdelibs again, since none of the distros seem to provide diff-style patching. The same with Firefox (8MB on Linux...?).
Also, while we are free from worms and viruses here, note that there is nothing innate to Linux that precludes phishing and spoofing attacks.
Ugh. If you look at Macintosh, BSD, and Linux distributions, they also have regular security updates, with many similar vulnerabilities.
There are really two problems here, one true of all major OSes right now, and the other one true of proprietary systems.
The first problem is the pervasive use of C and C++, which makes systems unnecessarily prone to buffer overflows and related problems. C and C++ programmers keep saying that they can handle it, but it is obvious that they can't.
The second problem is that Microsoft and Apple only update their own applications; users are saddled with downloading updates for other software by hand. If all these bugs exist in IE, you can bet similar bugs exist in Photoshop, Office, and many other apps that aren't automatically updated.
Yes.
1) Switch on the built-in firewall before you connect to the internet. It's very basic but it does the job, I've been running an unpatched XP system with nothing more than the built-in firewall for months now with no problems.
2) Buy a router. £25/$40 buys you a piece of hardware which acts like a firewall and blocks all incoming ports, other than ones you solicit, natch.
3) Slipstream SP2 into your XP install. Personally I'm staying away from SP2 but use it if you must.
4) Put a copy of ZoneAlarm on your "XP Install Disc 2", along with the many useful bits of freeware available at www.grc.com
5) Download, burn and learn how to use Knoppix.
6) ????
7) Profit!
Sorry, but my karma just ran over your dogma.
If MS does not patch, you all say "MS won't patch their crappy stuff".
If they do patch, you all say "Wow, it must suck really bad to have to patch it".
As if Linux doesn't require constant patching either, hypocrites.
Without actually using AV software, you'd verify this how? Don't pretend that the tasklist command from the CLI (just a text version of the Task Manager) is going to save your ass. Most viri don't tend to show up in such a perfunctory fashion. I'd be willing to bet your box is in a lot worse shape than you think it is. Don't be like those guys who have sex with random people without protection because they have a false sense of immunity from what affects everyone else. Your Windows isn't special.
Slashdot: Playing Favorites Since 1997
I mainly practice safe networking with a Linksys router/firewall at work and an OpenBSD gateway at home.
Does your firewall block outgoing HTTP connections and incoming email? If not, then it's not going to help against attacks like this PNG bug which are propagated through user-pulled data rather than attacker-pushed port connections. Such attacks exist for Linux, too. There is no such thing as "safe networking", and the only way to come close is to keep every connected computer up to date. I think Fedora still comes with up2date searching for updates in the background and displaying the results on a panel icon. Unless you use something else for security updates you ought to be clicking on that every time it finds something new.
Well, seeing as there's no 100% foolproof method of determining this anyway (your AV could be out of date, or just behind like some vendors seem to be, or you could have a new virus no one else has seen yet)...
It's pretty easy to not get a virus in Windows. How? Well, there are 3 basic ways you get infected:
1. Listening network ports with compromisable services. Solution: install a NAT'ing router with firewall. Paranoid solution: install ZoneAlarm or one of the dozen other competing offerings as well. Have fun remotely exploiting my machine when you can't connect to it.
2. Opening infected executables. Solution: only install software from trusted sources. Paranoid solution: only use what the standard install comes with. Believe it or not, not everyone installs 50 pieces of extraneous software. On my last remaining Windows box, I think Winamp and a Citrix client for work is about it. These installers have long since been checked for viruses and are installed from known, good, read-only media. Good luck infecting me there.
3. IE, Outlook, or other network-aware application exploits. Solution: turn off ActiveX, JavaScript. Paranoid solution: don't use these apps at all. Find small, niche apps that have never been exploited - yes, these do exist.
This growing attitude of "if you don't run AV software, you're probably infected" is disturbing. Viruses and worms don't just magically appear out of nowhere, they come in through known, predictable routes. Close those routes, and you prevent infection. Well, until virus writers become so sophisticated that they can fake out a TCP/IP stack entirely - in which case they can probably fool your AV software as well.
Endless arguments over trivial contradictions in books written by ignorant savages to explain thunder in the dark.
I was thinking at first that I agree with you, but then, how many holes have been found in sendmail since its inception? You'd think with armies of open source programmers and decades of time, they'd get this thing nailed down. Evidently not that easy, or maybe the fundamental design is just flawed and the only real solution is a ground-up recode (enter postfix or exim or qmail type stuff?)
I don't presume to know it all, and I'm not pointing any fingers, it just seems to me like Microsoft is a victim of its own legacy code and bad design. They designed Windows as a single-user, trusted system and then tacked on multi-user ability and unsurprisingly, have had problem after problem with untrusted code and exploits, etc. In much the same way, Linux and Unix apps even as old as sendmail can be a victim of a bad design decision (setuid binaries, too many weak points in the chain, etc.)
I'm not exactly defending Microsoft, but it's not a problem unique to them, either.
-Jay
The problem is that it's pretty hard to defend against those things. Home users don't know how. Corporate network administrators have hundreds of interlocking "business requirements" that prevent them from shutting the door to "critical services" like SMB file sharing between PC systems.
Worms get into corporate networks through a variety of means, borrowing techniques from viruses and mass emailer viruses, as well as adware and spyware. Some of those holes are impossible to block on a typical corporate network. Take the Internet Explorer holes in corporations that have spent the last several years deploying "internet based applications" that only function correctly with Internet Explorer, for example. Can't block 'em. Might take months to patch 'em if you have tens of thousands of PC systems.
Once a worm gets into a network by exploiting a single system through a mundane virus or adware-only hole like this, it's likely to find a wormable exploit on many other systems. Once a worm is inside, the soft candy center of the corporate network is difficult to defend from a worm with conventional techniques, which are typically perimeter defense in nature.
Even worse, some of my clients have reported that they have, out of tens of thousands of users, at least several who seem to get their PC infected over and over and over. They suspect that this is a "coffee break effect". The users learned that if they double-click on the occasional malicious attachment that leaks through the antivirus email filter at the gateway, and the one on their PC, they get the afternoon off because their PC is taken offline by the network admin staff.
So AntiVirus really is part of the layered defense required for "closing those routes" in the modern age for most companies and home users.
By the way, the observed incidents supporting the "coffee break effect" are the worms and viruses that successfully exploit the patch gap or the definition gap. Most of the time that users double-click to unzip, type in the password and then double-click to execute a malicious attachment, they are thwarted by the AntiVirus system.
If you mod me down, I shall become more powerful than you could possibly imagine.