Windows XP Flaw 'Extremely Serious'
scottott wrote to mention a Washington Post article with the news that the security hole we mentioned on Wednesday has widened. Computers can now be infected just by visiting infected web sites, or looking at images in the preview panel of older versions of Outlook. From the article: "At first, the vulnerability was exploited by just a few dozen Web sites. Programming code embedded in these pages would install a program that warned victims their machines were infested with spyware, then prompted them to pay $40 to remove the supposed pests. Since then, however, hundreds of sites have begun using the flaw to install a broad range of malicious software. SANS has received several reports of attackers blasting out spam e-mails containing links that lead to malicious sites exploiting the new flaw, Ullrich said."
Have you been touched by his noodly appendage?
...is brought to you by http://update.microsoft.com/
Programming code embedded in these pages would install a program that warned victims their machines were infested with spyware, then prompted them to pay $40 to remove the supposed pests.
Where do you send the money? And they aren't afraid of getting caught?
He who knows best knows how little he knows. - Thomas Jefferson
Those of us who use free operating systems shouldn't be too complacent. This exploit is serious because the WMF rendering library has full access to the user's data, and (at least on a 'home' setup where it's a single-user machine) access to the whole PC.
But it was really just bad luck that the bug happened to be found in the Windows WMF library and not, say, its Unix/X11 equivalent. Or libpng, or zlib, or whatever. Anyone who thinks otherwise is deluded. All software has bugs, and even if the quality of the free libraries is ten times higher (unlikely) there will still be plenty of memory tramplings and buffer overruns.
So, when the next vulnerability is found in a commonly used Unix library, will we be in any better position? Not really. Still the library is linked into the application and runs in the application's address space. It has access to all the files the app does, and traditionally on Unix that means everything the user has access to. Your email application may only need to read ~/.mail_settings and connect via IMAP to some host, but it runs with permission to overwrite any file owned by you and connect on any TCP/IP port it wants.
Why does the WMF rendering code need to run with any more permissions than: read a block of memory with the WMF file, and write a block with the rendered bitmap? (Or perhaps make display / GDI calls, if performance is a concern.)
What support is there in Unix operating systems for running common library code with only the privileges it needs? As far as I know Linux has no simple way to run a dynamically-linked library (.so file) in its own address space or without permitting it to make system calls. So when the next exploit is found in a common Linux library - and it will be found - the situation will be just as embarrassing.
-- Ed Avis ed@membled.com
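The "read a block, write a block" confinement asked for above, sketched with Linux seccomp filter mode, a mechanism added to the kernel after this thread was written. This is an added example, not part of the comment: `decode`, `run_sandboxed` and the byte-inverting "decoder" are hypothetical stand-ins, and a production filter must also check `seccomp_data.arch` before trusting the syscall number.

```c
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>
#define ALLOW(nr) BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (nr), 0, 1), BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW)

/* Allow only read/write/exit; any other system call kills the caller. */
static int lock_down(void) {
    struct sock_filter f[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        ALLOW(SYS_read), ALLOW(SYS_write), ALLOW(SYS_exit), ALLOW(SYS_exit_group),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
    };
    struct sock_fprog prog = { (unsigned short)(sizeof f / sizeof f[0]), f };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

/* Hypothetical stand-in decoder (inverts bytes); hijacked=1 simulates exploited code. */
static void decode(int in, int out, int hijacked) {
    unsigned char buf[256];
    ssize_t n = read(in, buf, sizeof buf);
    if (hijacked) (void)unlink("/nonexistent/constructed-path");  /* not allowed: SIGSYS */
    for (ssize_t i = 0; i < n; i++) buf[i] ^= 0xFF;
    if (n > 0 && write(out, buf, (size_t)n) != n) _exit(1);
}

/* Returns bytes decoded into out[256], or -1 if the child failed or was killed. */
int run_sandboxed(const unsigned char *data, size_t len, unsigned char *out, int hijacked) {
    int to[2], from[2], status;
    if (len > 256 || pipe(to) || pipe(from)) return -1;
    if (write(to[1], data, len) != (ssize_t)len) return -1;  /* queue input before fork */
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        close(to[1]); close(from[0]);      /* last syscalls outside the allow list */
        if (lock_down()) _exit(2);
        decode(to[0], from[1], hijacked);
        _exit(0);
    }
    close(to[0]); close(to[1]); close(from[1]);
    ssize_t n = read(from[0], out, 256);
    close(from[0]);
    waitpid(pid, &status, 0);
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? (int)n : -1;
}
```

The decoder keeps working through its two pipes, while the simulated hijack dies on its first system call outside the allow list and the parent sees only a failed child.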
Well if you run a real OS, then the browser runs only with the permissions of a particular user. Windows which has some security is designed to bypass that security to give users an edge. So you're screwed.
Take the number of *Nix viruses (included, BSD's, Linux, Unix, etc) and compare that to the number of Windows viruses that showed up in the past 2 years alone.
MSFT doesn't care about security. Vista is a step in the right direction but they are keeping way too much of the old code base for it to be useful for this decade.
i thought once I was found, but it was only a dream.
My browser touches all sorts of things in the host OS, from the sound card to files that I upload and download. Luckily when I get AIM spam for foo.exe or some other silliness I don't get far unless I type 'wine foo.exe', then even then ;-)
The true challenge is how to dial in the security to a reasonable level. Problem is getting all the millions of programmers to adopt more secure standards combined with the users, IT managers, etc. that deploy the apps on desktops. Then, getting that out across the millions of home users too. Daunting task.
The problem with the WMF (Windows Metafile) file format turns out to be one of those careless things Microsoft did years ago with little or no consideration for the security consequences.
Almost all exploits you read about are buffer overflows of some kind, but not this one. WMF files are allowed to register a callback function, meaning that they are allowed to execute code, and this is what is being exploited in the WMF bug.
I find this mind-boggling to the point of absurdity. Regardless of any supposed benefit gained by this, allowing a data file to execute arbitrary code upon it being viewed is simply begging for an exploit like this. No matter what spin Microsoft will try to put on this one, it makes them look bad. Extremely bad.
I hear there's rumors on the Slashdots
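A filter-side check for the callback-registering record the comment above describes, as an added example that is not part of the thread. It assumes the published WMF record layout (`META_ESCAPE` records carrying the `SETABORTPROC` escape); the function name and the sample byte arrays are constructed for illustration and carry no payload.

```c
#include <stddef.h>
#include <stdint.h>

#define META_ESCAPE_LOW 0x26u        /* low byte of META_ESCAPE (0x0626) identifies the record */
#define SETABORTPROC    0x0009u      /* escape that registers an abort callback */
#define PLACEABLE_KEY   0x9AC6CDD7u  /* optional 22-byte placeable header precedes the file */

static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static uint32_t le32(const uint8_t *p) { return le16(p) | (uint32_t)le16(p + 2) << 16; }

/* Returns 1 if a SETABORTPROC escape record is present, 0 if the record stream
 * ends cleanly without one, -1 if the file is truncated or malformed. */
int wmf_has_abortproc(const uint8_t *buf, size_t len) {
    size_t off = 0;
    if (len >= 4 && le32(buf) == PLACEABLE_KEY) off = 22;
    if (len < off + 18 || le16(buf + off + 2) != 9) return -1;  /* header is 9 words */
    off += 18;
    for (;;) {
        if (len - off < 6) return -1;               /* no room for a record header */
        uint32_t words = le32(buf + off);           /* record size in 16-bit words */
        uint16_t func = le16(buf + off + 4);
        if (words < 3 || words > (len - off) / 2) return -1;
        if (func == 0) return 0;                    /* META_EOF */
        if ((func & 0xFF) == META_ESCAPE_LOW && words >= 4 &&
            le16(buf + off + 6) == SETABORTPROC) return 1;
        off += (size_t)words * 2;
    }
}

/* Constructed samples: a zeroed 18-byte header, then records. */
#define WMF_HDR 1,0, 9,0, 0,3, 0,0,0,0, 0,0, 0,0,0,0, 0,0
static const uint8_t SAMPLE_BENIGN[] = { WMF_HDR, 3,0,0,0, 0,0 };
static const uint8_t SAMPLE_FLAGGED[] = {
    WMF_HDR,
    5,0,0,0, 0x26,0x06, 9,0, 0,0,   /* escape record, SETABORTPROC, zero data bytes */
    3,0,0,0, 0,0,                   /* META_EOF */
};
```

A mail or web gateway would treat both 1 and -1 as reasons to drop the image, since a parser that cannot walk the records cannot vouch for them.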
That would prove nothing as Unix OS's don't have near the Desktop marketshare of Windows, nor do they have the same type of userbase.
Bull if that tired old BS was true then would you care to compare IIS to Apache?
Using the same criteria of course. Apache the market giant VS IIS the positions are almost reversed. But once again MS winds up with the lion's share of the remote root exploits. Now how does that figure with the claim that market share = number of exploits?
You must be one of those people who don't believe that the outside world affects you. What you do doesn't make much difference, it is the other 10 billion idiots out there, having Linux at home and in your business doesn't help you much when 80% of the world is down.
CS: It is all sink or swim...oh and did I mention there are sharks in that water?
What the hell are you talking about? If you're referring to the fact that default home users run as an Administrator or Poweruser by default, you're right, that's a mistake, but it's a policy mistake, not a technology mistake. Windows lets you run as a lesser user, it's just that by default you don't. Internet Explorer runs 100% in userland. There is no part of Internet Explorer which runs in the kernel. None. Although Internet Explorer certainly has more holes than Firefox, they are both limited to the same order of magnitude of potential damage. The same as on other "real OSes".
It's the core security problem of Windows: the development culture doesn't respect security. Developers went for decades of DOS and Windows 3.1/9x without needing to worry about users and permissions. So they got used to assuming they could write wherever they wanted. When real user separation and permissions became mainstream with Windows 2000 and XP, they weren't prepared to change. Because so much software required full access the easiest way to get stuff running is to run in an Administrator account. And since so many people (developers included) run as Administrator, why bother doing the right thing? Games are usually guilty, but there are piles of business and research software that is equally guilty. My brother is a sysadmin for a research lab. To keep Administrator access out of users' hands, he has to bend over backwards to get the machines running the software his users need. A 2005 release of a $3,000 package that refuses to be placed in a directory with whitespace or a tilde, meaning it can't be installed in C:\Program Files. A $500 package that demands write access to a file in the C:\Windows directory.
This is one case where backward compatibility came at the expense of security. The development culture is moving too slowly. Bigger companies are starting to do the right thing and you get the occasional smaller development house following the rules. The killer is that huge mass of more specialized software. Apple bit the bullet when they cut over to Mac OS X; software had to do the right thing or it stopped working. Microsoft needs to make such a dramatic change or we'll be putting up with this bullshit for at least another five years.