Two Unofficial IE Patches Block Attacks

Pentrex writes "eWeek reports that two well-respected Internet security companies (eEye and Determina) have released unofficial patches to correct the vulnerability being exploited to load spyware, bots and Trojan downloaders on Windows machines. Microsoft isn't sanctioning the third-party patches, which include source code for review. As always, the advice is to weigh the risks before opting for an unofficial hotfix."

Why doesn't Microsoft...

[irimi_00]

Why doesn't Microsoft just tell people to switch to Ubuntu and use Firefox? It would save them a hassle and a lot of work.

Re:Why doesn't Microsoft...

[ZiakII]

Why doesn't Microsoft just tell people to switch to Ubuntu and use Firefox? It would save them a hassle and a lot of work.

Maybe because they like money?

Re:Why doesn't Microsoft...

[Dante+Shamest]

Why doesn't Microsoft just tell people to switch to Ubuntu and use Firefox? It would save them a hassle and a lot of work.

Are you related to my girlfriend? Because she asks smart questions like you. =)

Re:Why doesn't Microsoft...

Actually, why doesn't Microsoft actually use their own built in software restrictions by default and setup a "non-competent" user interface for it.

If restrictions are turned on, and your logged in as a restricted user, that hole doesn't much mean a thing.

Re:Why doesn't Microsoft...

abandon IE, ship Forefox with Windows, and provide an independent utility for Windows Update?

Probably would save them tons of money.

Re:Why doesn't Microsoft...

[irimi_00]

Yeah, it sucks when the girl gains control, I know.

Re:Why doesn't Microsoft...

[Arandir]

Why not switch to Kubuntu and use Konqueror instead?

Re:Why doesn't Microsoft...

[X0563511]

True, it's not like they sell IE seperate. They have no real reason to be so die-hard about IE.

Re:Why doesn't Microsoft...

[Cromac]

True, it's not like they sell IE seperate. They have no real reason to be so die-hard about IE.

Microsoft views IE as a "rich client" and one more reason to tie people to Windows. MS may one day have a 100% standards compliant browser but I gaurentee they will also have another 20% worth of features that only work in IE as one more way to try and keep people using Windows.

It's the same reason they will never have a Linux version of Office as long as they view Linux as any kind of threat to their OS.

Re:Why doesn't Microsoft...

[drsmithy]

Microsoft views IE as a "rich client" and one more reason to tie people to Windows.

There's also the rather significant problem of Firefox not being a drop-in replacement for IE.

It's the same reason they will never have a Linux version of Office as long as they view Linux as any kind of threat to their OS.

OS X is a vastly greater "threat" to Windows than Linux is on the Desktop, but Microsoft are happy to make money selling Office for OS X. Your argument does not hold water.

Re:Why doesn't Microsoft...

[slick_rick]

I'd aruge that IE is a long ways from being a "drop in replacement" for Firefox. IE is in the stone ages functionality wise compared to Firefox. The only reason anyone is still using IE is because they have to (because site X only works with IE because the idiot web developer didn't test it with anything else)

Re:Why doesn't Microsoft...

[BrainInAJar]

But porting office to macos doesn't hurt their FUD about how anything that touches opensource is somehow corrupted by it.

Plus, I think they want to be seen as the only OS for commodity hardware. Eg, you *could* buy from apple, but you'll be paying twice as much for the hardware than it's worth, and it's an artist's workstation... not for "real work" (note to apple fanbois: I don't actually believe this, my problem with apple is the same problem i have with MS and it has nothing to do with quality)

Re:Why doesn't Microsoft...

Because Ubuntu sucks. Gnome sucks.

Re:Why doesn't Microsoft...

[discojohnson]

I'd argue that the reason people are using IE is because it's what came with their desktop, preloaded, as an OTTB solution. Also, to the great-grandparent: this has been rehashed a hundred times before--the MARKET dictates a standard, not a group of people that crowned themselves as the rulers of the standard. Think I'm lying? WS-R vs WS-RM, UMTS vs EDGE vs GPRS, etc? It's market driven. IE's implementation, though different, has a grossly disporportionate market share than all other competitors combined. Just look through server logs and see for yourself (not here at /. where the community is much more tech savvy and hence more apt to be running an alternative browser).

*not a fanboy, just an informed, non-generalization driven commentor.

Re:Why doesn't Microsoft...

[eonlabs]

"It IS faster, over Five Million..." -South Park: Bigger, Longer, and Uncut

Re:Why doesn't Microsoft...

OS X is a vastly greater "threat" to Windows than Linux is on the Desktop, but Microsoft are happy to make money selling Office for OS X. Your argument does not hold water.

Microsoft Office was originally written for Mac.

Re:Why doesn't Microsoft...

[zcat_NZ]

"It IS faster, over Five Million.." -South Park: Bigger, Longer, and Uncut

My favorite part of the whole movie. And why the hell didn't the navy actually do that when NT4 left their high-tech destroyer dead in the water?

Re:Why doesn't Microsoft...

[The+Cow+of+Pain]

Why doesn't Microsoft just tell people to switch to Ubuntu and use Firefox?

You wouldn't want that to happen. If everybody used Ubuntu and Firefox, malware creators would start finding the exploits and workarounds there, and suddenly you (assuming, perhaps incorrectly your post reflects your own setup) would be in harm's way as well. Microsoft probably has shoddy security and such, but the main reason their products are being attacked is their dominance.

Re:Why doesn't Microsoft...

[LordSnooty]

The only reason anyone is still using IE is because they have to

I'm not so sure, I know someone who works heavily with Linux yet still won't use Firefox on their Windows box, becouse IE is "so much faster". I don't understand either, I find IE quite slow to start up, there isn't much difference. Maybe it's slightly quicker at rendering once the program is loaded. This person seems to enjoy having "20 Internet Explorer..." in the taskbar. I don't use IE for three reasons - principle of supporting OSS, extensions, and security (not in that order).

Re:Why doesn't Microsoft...

[Hal_Porter]

It's because IT contractors get all misty eyed when the hear the phrase rich client.

We will need to do a lot of work enhancing our current standards only website? Wow, we'll need a task force, with a big budget. Also, we'll need to do a study of current best practices in Webpage design first.

I'll get right on that. It's a very big job though, we'll need unlimited overtime and consultation on deadlines. Still, if you want to be a Fortune 100 company, you need to take a longterm view of costs.

Hmm, I can already hear the 90's techno and taste the imported beer. Maybe we should have a team building snowboarding trip first.

Re:Why doesn't Microsoft...

[gorfie]

Not sure which exploit it was, but I've been using Firefox 100% of the time and I keep my system fully patched. NAV and MS Anti-spyware were also installed / updated. Monday MS Antispyware caught two instances of really nasty add-ins including PWS-Pinch. I traced it back to "trojan-downloader-ruin" but I had to download 6 different applications to even find that (I figured there was something putting these other apps in my system). Adaware didn't catch it either. Anyway, after lots of digging I figured it was best to reformat and turn myself into a LUA user (Least User Admin) in addition to having the other safeguards I had in place. I'm still not sure if it's safe so I'm avoiding visiting sites that I don't regularly visit. Now I'm wondering how much of my data got retrieved by a malicious hacker... :(

Re:Why doesn't Microsoft...

[Mouse42]

Wow, I find that so strange. The very first reason why I switched to FireFox was because it was faster. I just tested it out to see what it was all about... and quickly realized all of my pages were rendering faster. I did a comparison test, and found it to be true.

I got a couple of other people to switch when I told them, too.

Re:Why doesn't Microsoft...

[LordSnooty]

I forgot to mention, this person also got rooted on their Linux server via an sshd brute force attack on account name "tester", password "tester"... so maybe I should take the view with a cellar of salt.

Re:Why doesn't Microsoft...

[distilledprodigy]

(because site X only works with IE because the idiot web developer didn't test it with anything else)

I think what you mean to say is that the idiot web developer didn't care about the ~10% of the market that isn't IE. Perhaps because the idiot web developer understands that his website about flowers is not likely to interest the technical savvy group that cares enough about security to install firefox...

Re:Why doesn't Microsoft...

[drsmithy]

I'd aruge that IE is a long ways from being a "drop in replacement" for Firefox. IE is in the stone ages functionality wise compared to Firefox.

Certainly true. IE, however, is more than just a browser application and Firefox is not even a drop-in (let alone widespread) replacement for the other functionality it provides.

The only reason anyone is still using IE is because they have to (because site X only works with IE because the idiot web developer didn't test it with anything else)

Or because they're a developer who wants the functionality IE provides in their app, but can't assume anything more than IE is installed on an end users computer.

Re:Why doesn't Microsoft...

[drsmithy]

But porting office to macos doesn't hurt their FUD about how anything that touches opensource is somehow corrupted by it.

Far from FUD, the implications of using GPLed libraries are quite serious from a closed-source software developer's perspective.

Microsoft's problem isn't with Open Source, it's with the GPL (I'd imagine they aren't even *that* bothered by the LGPL) and the cascading effect of "using" GPLed code.

Plus, I think they want to be seen as the only OS for commodity hardware.

This would be a reasonable argument if:

a) more than a minority of people bought computers without an OS (or were even capable of understanding that the computer and its OS are independent); and

b) most people who *do* buy OS-less PCs weren't already aware of alternative OSes.

The vast bulk of consumers don't even understand there is a separation between the hardware and the OS.

Re:Why doesn't Microsoft...

[irimi_00]

I would encourage you mods to look at the times of the posts and see which was redundant.

Other patches:

[NilObject]

There's two other patches out there that work pretty damn well:

1 and 2.

Re:Other patches:

[Volanin]

1. [apple.com] and 2. [mozilla.com]

Yeah, but only number 2 "include source code for review."

Re:Other patches:

[Poltras]

does that mean it's less effective?

Re:Other patches:

Considering that #1 is an entire operating system as opposed to just a browser, yes, it's less effective.

Re:Other patches:

[chrome]

Yeah, but only number 2 "include source code for review."

Not entirely true. You can review the code for darwin, and you can review the code for WebKit.

The only thing you can't review is the UI drawing code in AppKit/Quartz/Cocoa etc.

Re:Other patches:

[defy+god]

*ahem* source code?

Re:Other patches:

[chill]

*ahem* almost, but not quite totally useless

Re:Other patches:

#1 isn't the best choice, because you can still run IE on it.

Re:Other patches:

[BrainInAJar]

and when I can review that, I'll concider Apple a viable choice. Until that point, it's Solaris, BSD and Linux

Re:Other patches:

[slapout]

Yes, but #1 includes free hardware with every purchase.

Re:Other patches:

[defy+god]

=)

the actual story has to do with internet explorer. the GP was pointing to mac os x and mozilla, but i think the more direct comparison is safari. while people love mozilla because of it's "openness," safari's webkit gives people almost the same luxury. you get to examine, tinker, and compile the backend to your delight. sure, you don't get to mess around with the interface, but people have created their own. pretty long winded explanation as to why i linked to webkit instead...

Re:Other patches:

[chrome]

Don't be silly. You wouldn't consider it because your a unix zealot :P

Re:Other patches:

[baadger]

Or IE users could install IE7 Beta 2 preview, which is immune.

Re:Other patches:

[ettlz]

Don't be silly. You wouldn't consider it because your a unix zealot :P

So what is OS X? A VMS offshoot? Grandparent is a total disclosure zealot. I don't condemn the grandparent for having this attitude.

Re:Other patches:

[jrockway]

Where is any code later than OS X 10.4.2? Oh, there isn't any. Apple has stopped releasing their code (since the code benifets evil hackers that want to install OS X on generic x86 hardware).

WebKit is still open source, but frankly, WebKit sucks. Gecko (firefox) is much nicer. (Safari has a prettier GUI, but it least Firefox doesn't crash hard when you do something "illegal" to the DOM tree!)

It's weird that I've had a Mac for a bit over two years now, and I've stopped using "mac" programs. Right now I am using Adium, Thunderbird, Firefox, and emacs. I still use iTunes for music, but only because it's convenient, not because it's a good piece of software. The latest version has decided that it is the OS, and locks 500M or so of memory when it's DRM-ing a file... making everything else on the system useless until the OS is "allowed" to page iTunes out. Of course, if you wanted to attach a debugger to iTunes to see what the fuck it's doing to your system, you can't, since Apple added a hook into their OS to prevent you from doing that. (Making OS X Good For The Content Industry is now Apple's focus. Curious hackers be damned.)

For me, the open source of the BSDs and Linuxes is worth more than the pretty GUI and convenient iPod integration... and I'm sure it's the same for most serious programmers.

Re:Other patches:

[Whiney+Mac+Fanboy]

"Where is any code later than OS X 10.4.2?"

Download it here: http://www.opensource.apple.com/darwinsource/

Apple has given back to the open source community more then any other company.

From making webkit open for the KDE developers to use, to financing key BSD developers, Apple has always been an Open Source friendly company.

Re:Other patches:

[bogado]

XXX has given back to the open source community more then any other company.

How many times I have heard this? And you know what, since it is quite hard to measure, quantitatively, what the fuck "given back back to the community", I will discard such statements as a marketing stunt.

Apple has DRM dirt all over, it's quicktime movies are a pain in the *** to make it work well in linux, I don't even know if the music you rent from their store can be played in linux, but I am not getting anywhere near that. And now is the OS that should not be ran in beige boxes, god forbid if apple software should be able to run on ugly hardware.

Apple is good in one thing, creating hype and selling overpriced hardware to fan-boys that fall for that hype. Don't get me wrong, I used like apple but lately they have done nothing that I can say good words about it.

Re:Other patches:

So...three stories or so in the last few days on this issue. Every story someone posts THE SAME STUPID JOKE. It was worth a chuckle the first time...please stop the karma whoring.

Re:Other patches:

[towsonu2003]

3. [distrowatch.com]

Re:Other patches:

[andreyw]

You realize the Sun hasn't OSSed all portions of their OS either?

Free as in...

[HolyCrapSCOsux]

Some folks would like you to believe that free as in beer software is a horrible thing.

The question is, would people patch if they had to pay for them?

Re:Free as in...

[monkaduck]

If they were told to, yes. Never underestimate the lemmingness of the human species.

Re:Free as in...

[Arandir]

In an old interview Bill Gates said, and I paraphrase, "people don't pay for bug fixes." This explains a lot.

Re:Free as in...

[m85476585]

1. Find IE hole
2. Write unofficial patch
3. Submit story to /.
4. Profit!

Re:Free as in...

[LardBrattish]

Yes, history proves this:-

Windows 3.1
Windows 98
Windows ME (Bwah ha ha)
Windows XP
and ultimately Vista.

People will pay for bug fixes if you market them well enough...

Re:Free as in...

[sumdumass]

You forgot Windows 95 a/b/c and Windows 98SE but who keeping track. Actualy Windows 95 might be stretching it because they m,ostly taunted new features and easier hardware instalations but i guess that would fix the old config.sys and having to get the IRQs correct and all.

Re:Free as in...

[baadger]

..but they're perfectly happy to pay for bugs >)

Re:Free as in...

[hairyfeet]

My networking teacher just gave us a good lesson on that.When a student asked why we network guys can warn people over and over not to fall for the same mistakes(Outlook attachments,"Free"spyware laden apps,etc)He had us do a little experiment.

He took a few of us to different street coners at lunch break and while the others watched he would have one of us just look up for a few minutes.Then we would walk away and count how many we "caught".I caught 17 and it kept going for nearly ten minutes.

People just follow the herd.It doesn't matter if it makes sense as long as the others are doing it.Try it some time when you are bored.It's funny!

Are there not risks even with official patches?

[El+Cubano]

As always, the advice is to weigh the risks before opting for an unofficial hotfix.

Is this not something that smart admins/companies so even with official patches and fixes? To me, the fact that the source was released shows that these people are quite serious about being taken seriously. I suppose that is better than MS assurances that they extensively tested the fix before release.

Re:Are there not risks even with official patches?

[Ravatar]

Without releasing the source, they have almost no credibility. If they hadn't released the source, slashdot would be packed with cries of "who would actually run this?!" "wtf, no source? no thanks".

Re:Are there not risks even with official patches?

[tshak]

I suppose that is better than MS assurances that they extensively tested the fix before release.

This quite far from the truth. Reading source code will not find the integration problems that can come up when you release a patch on millions of machines with different configurations.

Re:Are there not risks even with official patches?

Wonderful - modded as a troll. Glad to see the intellectually honest folks moderating tonight.

Re:Are there not risks even with official patches?

[gregarican]

Reminds me of back around 1997 or so when Microsoft released Windows NT 4.0 Server Service Pack 6. It was released and my company was one of the many larger ones to roll it out ASAP. Without proper testing we were bitten in the ass big time. This Service Pack broke TCP/IP. Hence Microsoft releasing Windows NT 4.0 Server Service Pack 6a. You would think that someone in the Ivory Towers of Redmond would have noticed it broke TCP/IP :-)

Re:Are there not risks even with official patches?

[bergeron76]

Heck yeah! Particularly when it's the virus/exploit that's applying the patches (or preventing them from being applied - that would be a nasty exploit).

I guess in some circles, IE isn't still considered a virus.

Re:Are there not risks even with official patches?

[whitehatlurker]

And yet, we will accept the same from MicroSoft without the assurance of source ;-)

Re:Are there not risks even with official patches?

[sumdumass]

In some circles IE is considered the same as Explorer with is considered windows. And the interweb is what happens when we push the powerbutton. But these people are usualy limited to citymanagers postions in little oklahoma cities so there aren't many of them.

Re:Are there not risks even with official patches?

You are a troll.

Re:Are there not risks even with official patches?

[Ravatar]

Although it seems you're joking, their credibility is known as 20+ years as an industry leader.

Re:Are there not risks even with official patches?

[jrockway]

> Although it seems you're joking, their credibility is known as 20+ years as an industry leader.

Leading the industry in patches that break the OS and introduce new security holes, yes.

Re:Are there not risks even with official patches?

[jrockway]

But when it doesn't work on *your machine*, you can make the necessary changes and then everyone that has a configuration like yours will work. Compare this to M$ who 1) didn't do anything about this, 2) won't give a damn if joe-slashdotter's computer doesn't work.

With the source, you're in control of your computing experience. Without the soure, you're M$'s bitch.

(Yeah, yeah, I used M$ instead of Microsoft. Habit.)

Re:Are there not risks even with official patches?

[Cro+Magnon]

Although it seems you're joking, their credibility is known as 20+ years as an industry leader.

*spews Coke out nose*

Re:Are there not risks even with official patches?

[tomjen]

It is a security feature. That way you would have a computer protected extreemly well from most malware.

Re:Are there not risks even with official patches?

[darkmeridian]

And yet, we will accept the same from MicroSoft without the assurance of source ;-)

Nice Slashdotty comment, but Microsoft has $40 billion in cash sitting around. That's great reassurance they'll be around to fix the problem.

Re:Are there not risks even with official patches?

"Being around" and doing things right are not even close to being the same thing. Fixing things is hardly their strongpoint.

Re:Are there not risks even with official patches?

[ArtStone]

Of course, now with this source released, the Script Kiddies can get to work on new projects using in-memory object code patching of DLL files.

Re:Are there not risks even with official patches?

[Ravatar]

SHHHH, logic isn't allowed here on slashdot.

How do they even write these patches???

[MoxFulder]

I don't even understand how they manage to *write* third-party patches. I mean, it must be hard as hell to do without the IE source code. I think they write a separate DLL which acts as an intermediary to the flawed insecure library or something, but it sounds like an enormous pain-in-the-ass process. Or do these companies have access to MS code through Shared Source program or something?

Yep, the more I watch the ills that befall the Microsoft-bound, the more I'm happy with my decision to go Linux-only a few years back.

Re:How do they even write these patches???

We certainly don't have access to Microsoft source code. I ran Internet Explorer in a debugger and traced through the execution of the exploit (which was publicly available at this point). Most memory corruption vulnerabilities result in an exception, which is caught by the debugger. Once you have the location of the exception, you can identify which function the vulnerable code is in.

Once I had the name of faulty function, I disassembled it using IDA Pro and found the bug by reading the disassembly. With enough reverse engineering experience reading disassembled code is not much harder than reading C source code. It just takes longer.

The IE vulnerability is caused by a funcion called with incorrect parameters which returns SUCCESS instead of an error code. The caller belives that the function suceeded and tries to use an uninitialized variable. The patch is a single byte change in mshtml.dll. The patched function now returns a valid error code and the vulnerability is stopped.

This free patch is just a demonstration of what we do every month as part of our LiveShield product. It is a lot more advanced, but the idea is similar. We use the vulnerability analysis techniques described above to create "shields" that detect and stop specific Microsoft vulnerabilities. The coolest part is that the shields can be inserted and removed at runtime, without having to reboot any of the running applications.

Alexander Sotirov
Security Research
Determina Inc.

Re:How do they even write these patches???

[romka1]

"The fix is a DLL that gets injected into all applications via the AppInit_DLLs registry key," Sotirov wrote in a message posted to security mailing lists. He said the DLL fixes the bug by patching a single byte in MSHTML.DLL when it is loaded in memory. "This change makes the 'createTextRange()' function return an error code instead of returning 0. This exactly how the problem was fixed in the latest IE7 beta from March 20," Sotirov explained.
from the article

Re:How do they even write these patches???

You better watch out :)

From the EULA:
"LIMITATION ON REVERSE ENGINEERING,
DECOMPILATION, AND DISASSEMBLY. You may
not reverse engineer, decompile, or disassemble the
Product"

Re:How do they even write these patches???

IANAL :-)

Alexander Sotirov
Security Research
Determina Inc.

Re:How do they even write these patches???

[roman_mir]

I am looking for a good Assembler reference, any recommendations? And also, are you using MS Visual Studio Debugger?

Re:How do they even write these patches???

[netsharc]

I read the original article where you mentioned this single byte change. Hah, Microsoft, what the hell are you doing, needing 2 weeks for a single byte change?

Re:How do they even write these patches???

Just how ANAL are you???

Re:How do they even write these patches???

[QuantumG]

You should do your work here in Australia. We have laws that guarentee our right to reverse engineer software to fix security issues.

Re:How do they even write these patches???

The man's pretty damn hard-core. You'd better watch out!

Re:How do they even write these patches???

[Duhavid]

I ran into something kinda similar a while ago.

It was an MFC app, so the source was available,
one of the members on the class I was having
trouble with called a Win32 function, then
ignored that function's return code and returned
TRUE.

Re:How do they even write these patches???

With enough reverse engineering experience reading disassembled code is not much harder than reading C source code.

I may have mentioned this previously, but I'll say it again, Amazon is hiring: http://amazon.com/jobs

Re:How do they even write these patches???

[dotgain]

It's the same here in New Zealand, only our chicks are much hotter.

Re:How do they even write these patches???

[qwp]

glad to hear you moved to linux..
btw.. your sites down. ;)

Re:How do they even write these patches???

[Darby]

It's the same here in New Zealand, only our chicks are much hotter.

They're cooler after you shear them ;-)

Re:How do they even write these patches???

I don't use debuggers as much as you'd think. I prefer to disassemble the code and read it until I understand what's going on, and then confirm it with a debugger. Some other people use debuggers as their primary tool, and resort to disassembers only when they are really stuck. I guess it's just a matter of personal preference and temperament.

When I do use a debugger, it's usually WinDbg. I like the command line interface and it has very good support for all versions of Windows. A lot of other security researchers use OllyDbg. For kernel debugging I use both WinDbg and SoftIce. SoftIce has the advantage of being able to follow code from user space to kernel space and back, which is very useful for analyzing kernel vulnerabilities.

Alexander Sotirov
Security Research
Determina Inc.

Re:How do they even write these patches???

[Sledgy]

Having recently moved to Australia (from NZ), sorry but Aussie chicks are hotter. =oP

Re:How do they even write these patches???

Although I have not personally verified this, it sure sounds reasonable. It also puts the lie to anybody who yells "but you can't test the interaction with every other software" because, from the sound of it, every piece of software that fails with this patch is potentially another vulnerability waiting to happen!

Now, the obvious question: with thousands of programmers, $billions and every other resource known to Man, what the hell keeps Microsoft from doing exactly this? And doing it in a timely manner?

Re:How do they even write these patches???

You should do your work here in Australia. We have laws that guarentee our right to reverse engineer software to fix security issues.

... but apparently none requiring you to write the Queen's English (it's guarantee).

Re:How do they even write these patches???

[BrainInAJar]

Just guessing, but they probably don't care until the mainstream press picks up on it. People still buy their crap-ware regardless

Re:How do they even write these patches???

[igny]

But you can reverse engineer, decompile, or disassemble the exploit.

Re:How do they even write these patches???

[QuantumG]

as we say in Australia, fuck the Queen!

Re:How do they even write these patches???

[MoxFulder]

But will they date /.'ers?

Re:How do they even write these patches???

[MoxFulder]

Oops, dead sig, I let my domain expire 2 months ago :-P Anyhoo, I've fixed the link in my sig!

Re:How do they even write these patches???

[Gentlewhisper]

as we say in Australia, fuck the Queen!

Ewww...

Re:How do they even write these patches???

5 minutes to change single byte ... 2 weeks of patching of other MS applications, which never expected an error code from that function and their error handling is broken...

Re:How do they even write these patches???

Actually that's what a usual cracker does everyday.

Re:How do they even write these patches???

[Antique+Geekmeister]

Wow. I haven't had to do that kind of debugging in years: you have my respect, sir.

But wouldn't it have been nicer to run it in gdb with the source code, or in ddd, and been able to find the broken source and patch it for the future?

And as "Trusted Computing" takes off, and starts doing cryptographic signing of system binaries like MS-Office and core system files like Internet Explorer's dll's, isn't your patch going to be detected as a gross security violation and cause the security tools to start shrieking about it? Or will you be able to get the signatures needed to authenticate your changes?

Re:How do they even write these patches???

Sir,

Whilst I admire your skill and ingenuity surely you waste your efforts ?

Why don't you just write a patch that completely removes IE from the system and prompts the user to install a modern browser instead ?

IE is simply unfit for use with the internet (maybe it's o.k. for a tightly controlled intranet which has no external access). IE is a stale, jaded, bug riddled, badly designed, poorly implemented, steaming pile of ordure that needs taking out and shooting.

Putting your skills to work patching this *piece of shit* is a waste of your time and undoubted talents.

Re:How do they even write these patches???

In a free society, you wouldn't need a law to "allow" you to engage in any act of voluntary association. The very notion that acts of voluntary association need to be enumerated (in order to be "justified") is an attack on freedom.

Re:How do they even write these patches???

In a free society, you wouldn't need a law to "allow" you to engage in any act of voluntary association. The very notion that acts of voluntary association need to be enumerated (in order to be "justified") is an attack on freedom

Can I still get fries with that?

Re:How do they even write these patches???

[Scarletdown]

And even more important than whether or not they date /.'ers...

Do they run Linux?

Re:How do they even write these patches???

[CrankyOldBastard]

Are these the chicks that jumped into the Boiling Mud Pools? Seriously, Kiwi chicks are interesting in that they don't seem to have any concpet of "un-natural act", which can be a lot of fun (and can also cause a lot of guilt - think very carefully before you try some of the things they suggest, it might just be a bit more than you can handle).

But due to the inbreeding, unless you like that particular look (2m high and wide), and the simplicity of communication (they only have 2 vowels - "ugh" and "eh"), or unless you want a live act for a novel pay-per-view website, I'd strongly suggest you try Aussie chicks.

Re:How do they even write these patches???

Shut up already, asshole.

I know I read through each and every article concerning Linux. If you are so enlightened, why bother to read about us tortured souls?

I'm waiting for the official IE patches

[WillAffleckUW]

Of course, I'll probably be retired before they're out.

Re:I'm waiting for the official IE patches

do you work at GM tech center or Milford proving grounds?

weigh the risks

[enrevanche]

Certainly you should weigh the risks with any patch but since an "official" patch would come from the originators of the flaw (and numerous others) why should it be considered any better than an "unofficial" patch? At least these patches can be scrutinized by the outside world for problems. A MS patch will be forever hidden. The perils of closed source!

Re:weigh the risks

[Ravatar]

Because if an official patch breaks your OS, you can get help for it from Microsoft. More people call MS for support than you'd think.

Re:weigh the risks

[tonyr60]

Are you serious? Have you ever actually called Microsoft to see what happens when one of their patches break... One or more of the following:
  - Reinstall windows with no 3rd party apps. Install patch, still broken - refer to your dealer for a hardware issue
  - The above and it breaks after 3rd party app is installed - refer to the 3rd party vendor
  - etc. etc.

Re:weigh the risks

[ElleyKitten]

>>Because if an official patch breaks your OS, you can get help for it from Microsoft.

Yeah. I called microsoft tech support after Windows decided not to boot after I upgraded IE, and they told me I could pay them $200 for help. I'm thinking that relying on MS to help you if somehting breaks is a bad plan.

Re:weigh the risks

[sumdumass]

I have never called microsoft outside an install issue. I have had bad CDs out of the box, had to get new product numbers because windows XP wouldn't activate, and old NVIDIA drivers causing the install to crap out.

You get free install support but have to pay after a certain time. Everything else can be fixed by searching the interweb thought. You some times have to go deep into the search before you find somethign usefull. There seems to be alot of incomplete errors out there in a seach were someone either decided to reinstal or buy another dell to fix thier problem. There also seems to eb alot of problems that get rediculous replies. you sort of have to use your best judgment on some of these things.

Re:weigh the risks

[whoppers]

You're speaking to the choir. Anyone who truly wants to push open source software (specifically operating systems) should track down vendors who don't write platform independent software and lean on them. I deal with two that I always harrass their support folks/vendors/marketing folks.

One (Constructware) used to be Netscape/IE and finally stopped supporting Netscrape and is now IE only.

The other (Primavera) has always kept users on the MS side even though it's nearest competitor is written by microsoft (MS Project). And no, there is no substitute to Primavera's P3 for scheduling/project controls, everything else is just a bar chart. I'd switch careers before trying to do my job using MS Project regardless of what the folks at PMI want you to believe.

But how many would install them?

[E+IS+mC(Square)]

Given the fact that the average IE user would not even be aware of the flaw, how would he even know such third party patches even exist?

Most of them are going to be patched only when MS releases the patch, AND they have selected to be updated automatically.

Its a horrible situation.

Re:But how many would install them?

[ClamIAm]

Better question: how many of them know that Microsoft releases patches?

For my own edification....

[irimi_00]

Wikipedia says the following about trolls:
http://en.wikipedia.org/wiki/Internet_troll
"The term troll is highly subjective. Some readers may characterize a post as trolling, while others may regard the same post as a legitimate contribution to the discussion, even if controversial."

While you may not percieve what I said as funny. I was sincere in what I said... Well not about the use Ubuntu part.

I guess the only valid reason for Microsoft to continue the development of IE is for:
1. Branding purposes.
2. And so that they can claim Windows is a totally integrated package.

Re:For my own edification....

[larry+bagina]

as sad as it is, there are a lot of applications that are designed for IE/Active X.

Re:For my own edification....

[sumdumass]

Whats even more sad is that I have a few of them. I have even gotten them (parts of them) to run on linux but they refuse install without IE 6 or above. I guess some feature I never use requires it or something. That or else it is just the programers way of saying they are too lazzy to support different browsers.

Re:For my own edification....

[larry+bagina]

At a previous job, they developed a web-based app using IE and a lot of Active X. It probably could have been done in a browser-neutral way with Ajax and java applets, though it would have been a lot more work. The IE solution was an update to a VB-based program, which was a complete mess... dll hell, difficult to support, difficult to maintain. The IE solution was a vast improvement.

Of course, this was started before Firefox/mozilla were viable alternatives, before Ajax was a buzzword.

Fat, slow, and lazy

[dtfinch]

If third parties can regularly patch your bugs before you do, without access to the source, after giving you a generous head start... Well, I guess that could mean a lot of things. They're definitely lazy, to say the least.

Re:Fat, slow, and lazy

[Ravatar]

If by "lazy" you mean "they need to test every single change made to their software extensively, and don't have the luxury of being able to throw out third-party hacks with no long-term support requirements", then sure they're being lazy. You'll notice that they're fixing both these issues with their monthly updates on April 11th(I think?) if you look around.

Re:Fat, slow, and lazy

[dtfinch]

If it was just a testing thing, they wouldn't wait until the 2nd Tuesday of the following month. Minor patches can wait, but delaying critical patches is inexcusable.

Re:Fat, slow, and lazy

[tshak]

... or they run through rigorous tests since they have to answer to millions of customers on millions of different system configurations. I'm not saying that MS shouldn't be faster about patching, but they have improved their turnaound and there's only so much you can do if you care about rigorous quality assurance.

Re:Fat, slow, and lazy

[MP3Chuck]

Hopefully it's not the same Quality Assurance that gets us these Fine Microsoft Products in the first place!

Re:Fat, slow, and lazy

[Trogre]

...since they have to answer to millions of customers on millions of different system configurations.

Unfortunately, as has been shown time and time again, Microsoft answers to no one.

Re:Fat, slow, and lazy

[MrFlannel]

A few posts up, the author of one of the patches describes this bug and the fix. It fixes a function, makes it do exactly what it was supposed to do, instead of returning an inappropriate value.

If this breaks existing functionality in some application, then those existing apps are using the function incorrect (or put another way, exploiting the bug, whether maliciously or otherwise), and any fix to the function will break them.

But later

[Filiks]

Are there likely to be any conflicts or issues when Microsoft issues official patches that overwrite or only partially overwrite changes the patch made?

Re:But later

No, both our and Eeye's patches don't overwrite the actual files on disk. Eeye redirects the file to a patched copy, Determina fixes the bug by applying the patch when the faulty DLL is loaded in memory. When Microsoft releases the official patch, it will replace the file on disk and the Determina patch will not apply any more. I am not sure if you have to uninstall the Eeye patch or not, but it won't cause any catastrophic failures either.

Alexander Sotirov
Security Research
Determina Inc.

Re:But later

[baadger]

No, the unofficial patches load themselves into IE (actually every application) at runtime and overwrites MS code in memory.

Re:But later

[TommyAquinas]

Our patch uninstalls itself when you apply the MSFT patch, whenever it shows up. And the eEye patch isn't a memory patch, but a patch to a copy of the JScript.DLL file that prevents passing of the exploit to the vulnerable component in MSHTML.DLL.

70,000 downloads so far and no reported bugs...Just for the record, Derek Soeder is the best coder I've ever seen.

RB

How do they even write these cracks???

"I don't even understand how they manage to *write* third-party patches."

Ask the people who do this. I'm certain they managed fine without source code.

This is good but.....

[leereyno]

Who exactly is going to be using these patches? Think about it for a moment, since when did security savvy computer users, let alone experts, use IE?? True they may fire it up to go to a specific site or two that requires it or works better with it, but for general surfing? I don't think so. Anyone with the good sense God gave the common radish is using Mozilla, Firefox, Opera, or in the case of Macs Safari.

I can see a use for these patches in a corporate environment where (for whatever reason) IE is a necessary evil, but even then you're running the risk of getting smacked (if not sacked) by management if the patches break something.

These patches are realy useful for one thing, showing up Microsoft and making them look like incompetent boobs whose code is such a mess they can't fix it. Given the delays on Vista I'd say this perception is pretty accurate.

Lee

Re:This is good but.....

[whitehatlurker]

Anyone with the good sense God gave the common radish is using [...] Opera

I am ... Radish!

Damn, I wish I had mod points for your post. 'Course it would be modded funny, but hey ...

Re:This is good but.....

[beheaderaswp]

Who exactly is going to be using these patches? Think about it for a moment, since when did security savvy computer users, let alone experts, use IE?? True they may fire it up to go to a specific site or two that requires it or works better with it, but for general surfing? I don't think so. Anyone with the good sense God gave the common radish is using Mozilla, Firefox, Opera, or in the case of Macs Safari. I can see a use for these patches in a corporate environment where (for whatever reason) IE is a necessary evil, but even then you're running the risk of getting smacked (if not sacked) by management if the patches break something. These patches are realy useful for one thing, showing up Microsoft and making them look like incompetent boobs whose code is such a mess they can't fix it. Given the delays on Vista I'd say this perception is pretty accurate.

Actually, it's going to help my clients. I regularly announce things like this to people who use my services whether it's hosting, or consulting... and in some cases I'm asked to make the announcement to the customers' clients also. So the announcement gets made to about 1000 people. And 90 percent of them are not geeks. Your view of how this information gets out and is used by the general public appears rather myopic.

MS patches may take a while...

because their Security division is too busy criticizing Apple's security problems rather than writing IE patches (or writing secure code in the first place).

eEye patch IS recommended

[xamomike]

I have installed the eEye patch and it does fix the IE ActiveScript hole temporarily, however it is recommended to disable Active Scripting anyways. Now, it is still undetermined how serious this threat actually is, or if it's a big marketing opportunity for eEye's products. I'll assume the former until further notice. The number #1 solution is to simply not use IE.

Re:eEye patch IS recommended

Yeah I don't trust eEye anyway.... they are a very shady organisation

MOD PARENT +1 INFORMATIVE

I mean, it's written by the guy who wrote the patch!!! How much of a better post can there be???

Tested and deployed

[ninja_assault_kitten]

I had our IT department test and deploy the silent installation this morning. We're a web-based software company and there's been zero reported impact to our development staff as 6pm EST.

While it's clearly not the best solution, it does work and provides a much needed layer for the vast majority of corporations who simply cannot and will not disable active script.

Re:Tested and deployed

eEye or Determina?

Re:Tested and deployed

Illegal to reverse engineer. Its an illegal patch. Illegal to deply too. What's the name of your company? :)

Re:Tested and deployed

Actually, there are provisions in the DCMA that allow for reverse engineering for security testing. Reverse engineering with the motive to duplicate IP is illegal. RE to inspect and repair is a protected act.

Re:Tested and deployed

[Scarletdown]

I think the GP was referring to the EULA. But, and if you will pardon my gratuitous usage of the "fuck word", when it comes to protecting your system and/or network, fuck the EULA. Do whatever you need to do since your OS vendor won't take responsibility for their product.

Re:Tested and deployed

[ninja_assault_kitten]

eEye.

Applying Patches Is Not Free

[patio11]

Microsoft releases one patch day a month because their corporate customers, the lion's share of their market, demand it. And they demand it because "release a million little patches as soon as that individual patch is done" is unworkable in a corporate environment. You can plan around one big patch a month -- the magic word is "scheduled downtime". It is less bad for some customers to be periodically marginally more vulnerable for a period of two weeks or so then to be continusouly vulnerable to unscheduled downtime due to patching. "Publish early and often" works well with an enthusiast running one machine but when you've got an IT department overseeing a cast of thousands spread over 14 time zones things get a little more dicey.

Re:Applying Patches Is Not Free

Haha.

I prefer Linux.

I'll set up a patch to get applied.. now. For instance. No downtime.

Even a kernel patch.. no down time. Install the new kernel, when the person logs out and shuts off the computer then they log back in the next day. That's it. patch applied.

Of course you test patches before deploying them.

but thank god I don't have to actually reboot machines manually. That would ruin my day. God forbid having to deal with 'scedualed downtime'. That is insane.

Re:Applying Patches Is Not Free

[Adam9]

Isn't that what Windows SUS is for?

Re:Applying Patches Is Not Free

[dtfinch]

If a company wants to wait to install patches on a fixed schedule, long after the patches have been released, nobody can stop them. There is some benefit to patching unpublicized vulnerabilities on a schedule, but if the details of a vulnerability is already public knowledge, then there's nothing to be gained by any of Microsoft's customers by delaying the availability of a patch.

Re:Applying Patches Is Not Free

[apoc.famine]

I'm missing the part where the sense is....If MS released all patches as soon as they were ready, everyone who wanted to patch right away could. If large corporate IT depts still want to patch every 2nd tuesday, they still can! Scheduled Downtime is Scheduled Downtime is Scheduled Downtime. I see no connection between when MS releases a patch and when an IT department schedules their downtime to roll that patch out. (Well, other than the fact that the patch has to come first. ;)

This whole "scheduled patching" bit really is BS. All it does is leave critical problems unpatched longer than necessary, so that managers can point to MS when bad shit happens to the network. "Well, we couldn't patch until two days after patch-day, because we needed to test the patches." works lots better than "We got fucked because I decided that it wasn't critical enough to test and deploy right away."

While I can see where it would make a lot of people more confortable to know that there is patching every third Wed or something, I just don't see the value in withholding critical patches because "they aren't scheduled yet". At the very worst, let the IT departments decide if they want to schedule additional downtime, because ultimately, they know whether it will affect their systems or not. But then again, MS knows best, all the time, doesn't it?

Re:Applying Patches Is Not Free

No, applying patches is not free. But you are missing the point. If patching was a fairly rare occurrence, then it would not be nearly the problem that it is. release a million little patches as soon as that individual patch is done - you probably thought that was an overstatement; it is not. Microsoft just patches far too much to make updating their products anything but a continual hassle.

From descriptions of the fix elsewhere here, it is a stupid mistake that never should have made it through any kind of testing that I routinely run my code through. So why the hell did it make it through Microsoft's superior testing that they have guaranteed since making security "job one" [just a hint of sarcasm there].

Perhaps the problem is really one of testing and verifying the code before it sold to a trusting customer base in the first place! That's right, you heard me; I too am blaming the customer: they fscked up! they trusted Microsoft to actually do something about making their code more secure!

Re:Applying Patches Is Not Free

[BrainInAJar]

Vserve everything with 2 or 3 real servers, you can handoff transactions to two of them, apply a kernel patch or whatever, online it, offline one of the bad machines to fix, then offline the final one.... no service interruption at all

Re:Applying Patches Is Not Free

Patches are a roadmap for exploit code. It's an arms race the moment a patch is released - will the blackhats reverse engineer the patch and craft exploits faster than people install the patch?

Said another way, releasing a patch that won't be installed makes those customers LESS safe.

Re:Applying Patches Is Not Free

You are right, but that's not how the industry looks at it. The time to patch after a patch is released is more of an audit issue. Most companies can cram in a patch outage once a month, but not more then that. Waiting a month on a critical vulnerability that has a patch is not acceptable by most security standards published. However, if there wasn't a patch released for 3 weeks for that vulnerability, and then you patch one week after (same amount of time vulnerable), then you're compliant.

It's stupid, but that's how it seems to work. I'd say that it doesn't work, because security organizations end up spending a lot of extra hours attempting to mitigate the risks. (AV/IDS/Reg hacks/etc..).

For this exploit, I've deployed an IDS signature in IPS mode (drops the exploit packet) for all non-SSL traffic in my company, and rely on content filtering and anti-virus to do the rest. After all this testing and effort on the side of security, and we still have a risk.

Re:Applying Patches Is Not Free

[naelurec]

The *theory* is most exploits occur AFTER a patch is released by Microsoft (reverse engineer the patch). As a result, by scheduling a time the patches are released, it allows IT departments to schedule time to review and deploy the patches in a timely manner.

The issue arises when exploits are known in the wild before the patch is available. When is a suitable time to release the patch? How big of a risk does a exploit need to be before it is considered critical enough to justify an out-of-schedule patch release (and thus interupt set IT patching schedules)? If the theory holds true that *most* exploits occur AFTER the patch is released then by doing an out-of-schedule patch can put customers at risk (longer mean time from patch released to patch applied to the network).

Re:Applying Patches Is Not Free

[Tim+C]

But then again, MS knows best, all the time, doesn't it?

It doesn't matter what MS does or doesn't know, their customers have demanded it.

Re:Applying Patches Is Not Free

[miffo.swe]

" Microsoft releases one patch day a month because their corporate customers, the lion's share of their market, demand it."

The customers demanded less security holes that demanded patches, not less frequent updates of critical security fixes. It also helps polishing the statistics if you lump several patches together and release them all at one day every month. Big corporations dont use Windows Update without testing the patches either. Even if Microsoft release all the patches fast when they are ready big mofo corps can still patch once a month. One does not rule out the other.

Re:Applying Patches Is Not Free

[Antique+Geekmeister]

Yes, but it's hard to predict what patches require reboots and what patches will subtlely change certain services. And Windows Software Update Services normally isn't applied to personal machines and personal laptops and production services managed by third parties: scheduling one day a month to risk important services and make sure your IT staff is ready to stay late and roll things back out if they break is pretty important.

Re:Applying Patches Is Not Free

[just_another_sean]

I beleive, although I don't really buy into this argument, that the typical response to your very sensible line of reasoning would be something like this:

"If we release the patch before corporations are ready then we're giving people a chance to create an exploit based on data that can be gleaned from the patch."

While I do beleive in responsible disclosure I think that MS has a bad track record when it comes to releasing patches based on known availability of exploits. There are a number of unpatched flaws that have been around for a while now and there are plenty of exploits for them, these two being prime examples.

If they want to schedule around corporate IT departments needs, fine, let them. But as soon as a patch is available for something that's being actively exploited it should be released. Immediately.

Re:Applying Patches Is Not Free

[GWBasic]

I think is one of the cases where MS can learn from open source. I've seen open source projects that allow the user to select from different builds:

• The fully-tested stable build, which is highly-reccomended.
• The latest beta, which has had some minor testing and probably has bugs.
• The latest up-to-the-minute build, which is untested and not garunteed to run at all.

In cases like this where a horrible flaw is detected, I think MS could release "untested" patches. Such patches would not be part of an automatic update. After a few days of testing to identify most of the bugs, Microsoft could move the patch into a class of patches that only get automatically deployed to customers who would rather risk instability instead of security.

With such an early patching system, the majority of customers who prefer patches deployed at regular intervals will be uneffected.

Re:Applying Patches Is Not Free

[sumdumass]

While that sounds good and all in theory, I find it totaly falls apart when the security holes is already known and availible. A google search will turn up enough information to exploit this flaw that reverse engineering would only be done by the extreamly stupid.

This may be a case of people shouldn't inform the public before the patch is ready but we don't realy know how long microsoft has known about it or if they even cared to do anyhting about it before this release. Lets give them the benefit of doubt nd say they just found out, There isn't a threat of reverse engineering becuase the hole is already publicaly know- so by sticking to the schedule on this they have open up systems that do have the time to patch.

BTW, a good majority of problem are known and exploited befor ethe patch is released. I'm not sure howmany holes microsoft finds on thier own and decide to fix. Generaly there is a security bulitin that gives enough information out that anyone smart enough to exploit one of these holes can find the information needed thru various search engines and forums before the patch is released.

well

[Trailer+Trash]

As always, the advice is to weigh the risks before opting for an unofficial hotfix

Anybody who has the ability to weigh risks is already using firefox.

Re:well

...or another browser.

Re:well

[Faltargan2006]

"Anybody who has the ability to weigh risks is already using firefox."

And Linux! :)

First party patches

[QuietLagoon]

As always, the advice is to weigh the risks before opting for an unofficial hotfix.

Of course, Microsoft and other vendors always get their patches correct the first time.

Re:First party patches

[jofi]

MS is held to a different standard than the rest. I think that is what you would call a double-standard.

Does anyone on /. even use IE anymore?

[Cainjustcain]

Seriously... anyone?

Re:Does anyone on /. even use IE anymore?

Would anyone on /. admit to using IE, even in a pinch?

Re:Does anyone on /. even use IE anymore?

[McGiraf]

about 30% based on my weblogs (and 75% windows) , but i'm sure the have a good excuse ....

Re:Does anyone on /. even use IE anymore?

[Darth_brooks]

Not in a pinch, but regularly. You can't monitor a WSUS server without it.

Of course, IE on that particular network has a proxy server of 127.0.0.1 pushed out via group policy, with an exemption for the intranet. You could sneak around that by installing a proxy server on the machine you're using, but most of my users aren't that sharp. I've got Firefox 1.5.whatever running on everything now, so I can let my users off the leash a little.

The only thing I miss about IE is the ability to push settings to the browser via group policy. It's nice to be able to centrally manage an application like that. I haven't found a way to do that for firefox (HINT HINT).

Re:Does anyone on /. even use IE anymore?

[z0idberg]

"but i'm sure the have a good excuse ...."

I would say that 29.9% are like me and reading this from a windows/IE only work PC.

Re:Does anyone on /. even use IE anymore?

[Nosklo]

"...and reading this from a windows/IE only work PC."

There is no such thing as IE only PC. You can always install Firefox, even if its on your personal folder. You don't need administrative access to install Firefox. You don't even need to install it, you can run it directly from USB pendrive.

Re:Does anyone on /. even use IE anymore?

[Scarletdown]

Seriously... anyone?

I am for now. But that is because IE is what the DoD has standardized on here in the Sandbox.

However, I did notice recently that we do have Firefox 1.5 sitting in our Workgroup Managers' directory. So, I am going to install it soon for my general browsing and use IE only for stuff here on base that requires it.

Re:Does anyone on /. even use IE anymore?

[biraneto2]

Firefox is worse than IE. It's just safer. If it wasn't safer I would not even have it installed. Sad but true.

In memory fix

[roman_mir]

the patch fixes the affected DLL in memory by overwriting a byte that is stored in RAM for MSHTML.DLL this begs a freaking question, should a modern OS even allow some application to modify behaviour of another application in memory, especially behaviour of a system level application, an OS DLL? I believe the patch needs to be installed from an administrator account, but even then, this doesn't mean that it is good design decision, to allow an arbitrary application to overwrite in memory code of another application. Of-course if that wasn't possible this specific patch couldn't exist, but still, the OS allows questionable application behaviour to say the least.

Re:In memory fix

[v1]

this begs a freaking question, should a modern OS even allow some application to modify behaviour of another application in memory, especially behaviour of a system level application, an OS DLL?

Rememer please, this is windows we are talking about. How would anyone write viruses and pervasive spyware without this feature?

(lets all say it together, this is not a security hole / bug, it's a feature )

Re:In memory fix

[Zenki]

Then how do you expect debugging to work? Pretty much all OS's offer an API to let the debugger read/write bytes from program memory. A similar hack could be done on Linux by writing into /proc.

Re:In memory fix

[roman_mir]

Then how do you expect debugging to work? Pretty much all OS's offer an API to let the debugger read/write bytes from program memory. A similar hack could be done on Linux by writing into /proc. - debugging could be done in read only mode, but if necessary it could be done in a simulated (virtual machine) environment without such security restrictions. You cannot insist that this 'feature' is a good thing for application security.

Re:In memory fix

[evilviper]

this begs a freaking question, should a modern OS even allow some application to modify behaviour of another application in memory, especially behaviour of a system level application, an OS DLL?

OpenBSD has W^X built-in, which, in-fact, elminates this. Each segment of memory is exclusively marked as either WRITE or EXECUTE, to prevent security exploits.

Linux can also get somewhat similar security features using PaX or ExecSheild.

Re:In memory fix

[guet]

If someone untrusted has admin access to your machine, it's really game over for security. They can replace applications, dlls, run programs and change settings at will, they don't need to go to the trouble of replacing a running dll with a specially patched version via this API.

Re:In memory fix

[baadger]

This 'patch' isn't accessing or modifying the memory of 'another application'. What these vendors have created is a DLL that can be loaded by an application to patch the mshtml dll instance in memory for the application in which it is loaded.

Next they use the AppInit_DLL registry key, which essentially forces the Operating System to load this DLL into all applications that link against user32.dll (I think), hence no hackery is going across address space boundaries, there is nothing wrong with self modifying code.

Next you will be asking why this little DLL injection key exists, well it's useful, for making unofficial application patches for one thing, and it has other legitimate uses as well although I believe the key is now depreciated in favour of cleaner methods :P

Re:In memory fix

[Bunyip+Redgum]

Surely the safest way would be to only support debugging via optional code compiled into the kernel.

Re:In memory fix

[rs232]

> This 'patch' isn't accessing or modifying the memory of 'another application'.

Excuse me for butting in here but what he actually said was:

"should a modern OS even allow some application to modify behaviour of another application"

If application A alters DLL B that causes changes in the behaviour of application C then ipso facto application C has been hacked by A.

Invocations of 'AppInit_DLL registry key` and `DLL injection key' are merely an attempt at `strawman' and distraction from the root cause, DLL hell.

Re:In memory fix

Sigh... This sort of crap makes me feel truly jaded. As an old ex mainframe computer programmer I still can't understand why all these toy x86 operating systems haven't learnt some of the most basic design principles that were running on operating systems like VME in the 1970s.

Re:In memory fix

Uh, Windows supports that too, but normally it only has it enabled if it is supported by the processor (any new x86 processor made in the past few years supports it). I believe the BSD W^X does not rely on processor support.

Re:In memory fix

this begs a freaking question

Actually, it doesn't beg a question at all. It might raise a question.

Re:In memory fix

[evilviper]

No, Windows has a really crippled and crappy implimentation.

http://woct-blog.blogspot.com/2005/01/dep-evasion- technique.html

Re:In memory fix

[TommyAquinas]

Actually, that's the way the Determina patch works. Our patch works differently than a memory patch; it actually makes a copy of the JScript.dll file and prevents it from passing the malicious code to MSHTML.DLL.

The source code is available at www.eeye.com if you want to review it or have any questions about the approach, send a note to alerts (at) eeye.com for the research team to respond.

RB

Re:In memory fix

[baadger]

Thats the penalty you pay for shared libraries, goes for other platforms as well.

Re:In memory fix

[rs232]

> Thats the penalty you pay for shared libraries, goes for other platforms as well.

If they stuck to using DLLs for just that purpose, sharing functionality, we wouldn't be in this mess. Installing or upgrading an application usually involves replacing a system DLL which alters/breaks the functionality of another application.

Why MS designed Windows in such a way is open to question. For instance there is no need to mixe browser functionality with the system help files. The only effect is to make it impossible to remove Internet Explorer. Also you make Windows a moving target so as third party developers have to keep playing catch up.

The hack of having two or more versions in memory is just that, a hack.

"I doubt they will be able to clone Windows. It is very difficult to do technically, we have made it a moving target and we have some visual copyright and patent protection.."

Bill Gates (May 18, 1989)

Re:In memory fix

[baadger]

Linking the system help files and the IE engine (using a HTML like format for help files) makes perfect sense.

The help files are linked together in a complex way, not just a hierarchical manner. Navigation of help documents would be a total pain without hyperlinks, just think about having to read a passage and then figure out the document it refers to and then navigate to find it. Nobody would ever use help.

Anyone remember?

[WalterGR]

Does anyone remember the previous third-party patch to IE? This is from December of '03.

Slashdot: "Open Source Firm Releases Patch for IE Bug [UPDATED]"

An open source and freeware software development web site has released a patch to fix the URL spoofing vulnerability in Internet Explorer... Update: Sadly, the patch appears to contain a buffer overflow and some possibly-malicious code. (link)

Leave it to Microsoft...

[netguardianii]

...to let others clean up the messes it has made.

Can't be any worse....

[surfdaddy]

...than the code written by the Windows Vista team.

opensource?

[sumdumass]

It would be interesting to see microsfts official patch when it becomes availible and attempt to see how close it is to these unofficial patches.

Maybe the code would be completley different but would it achieve its goal by going about the same ways as the unofficial patch? Or would it be patched on a level deeper then we could access. I guess the most interesting part would be that a third party without access to the source code could actualy come together with a solution before microsoft. What would be more interesting is seeing how close those solutions match match each other. Sort of a test to how these third party programers can predict the neccesity or orders of different code they only have limited access to.

Re:opensource?

[Zarel]

From the article:

"The fix is a DLL that gets injected into all applications via the AppInit_DLLs registry key," Sotirov wrote in a message posted to security mailing lists. He said the DLL fixes the bug by patching a single byte in MSHTML.DLL when it is loaded in memory. "This change makes the 'createTextRange()' function return an error code instead of returning 0. This exactly how the problem was fixed in the latest IE7 beta from March 20," Sotirov explained.

Re:opensource?

[TommyAquinas]

They will be different - the patch we created at eEye actually is quite different from the Determina patch. The eEye patch generically fixes the JScript.dll file to prevent the exploit from being passed to the MSHTML.DLL file, while the Determina patch injects a memory patch into every process calling the vulnerable DLL. Microsoft's patch will most likely be a correction to the actual vulnerability in the MSHTML.DLL file (or so we hope...)

Full Disclosure - I work at eEye

Assembler and debugging references

[AltControlsDelete]

For x86 assembler, Intel is a good source of information: http://www.intel.com/design/Pentium4/documentation .htm#manuals. You'll want to check out volumes 2A and 2B at a minimum for reference material.

I would be surprised if Alexander used the Visual Studio debugger; more likely he used SoftICE or one of the Windows debuggers (NTSD/CDB/KD/WinDbg). SoftICE is a commercial product sold by Compuware and provides both user-mode and kernel-mode debugging. A version of the NTSD debugger comes with Windows, but is less useful than the one that comes with Debugging Tools for Windows. NTSD and CDB provide user-mode debugging, the only difference between the applications being that NTSD opens a new console window and CDB does not. KD is the kernel debugger. WinDbg provides the same functionality as NTSD/CDB/KD but with a (spartan) Windows interface.

Re:Assembler and debugging references

[roman_mir]

Thanks for the reference idea. I used SoftIce six years ago on NT, but couldn't get it running on Win2K. I guess I should look into a newer version.

Re:Assembler and debugging references

I would be surprised if Alexander used the Visual Studio debugger; more likely he used SoftICE

He says he used IDA Pro. Right there in his post.

.

Re:Assembler and debugging references

[AltControlsDelete]

Yep, he sure did. I glossed right over that as it's not something I was previously familiar with. Thanks for pointing that out. Looks like an interesting product.

What risk?

[bunhed]

Does no one remember this whole MS mess just a series of patches on DOS anyway? What risk when you've already gone this far?

Bug fixes

[Z34107]

Wowzorz. Newer operating systems are not "bug fixes" for older ones. Believe it or not, Windows XP has a few more features over 3.1...

Re:Bug fixes

[LardBrattish]

XP has relatively few new features over Windows 2000 which is why I didn't list Win 2k (Or Windows NT for that matter)

Win 3.1 was an (admitedly significant) upgrade of 3.0 which they charged for.

Similarly 98 was incremental on 95, 98SE on 98, Me on 98SE all of which you had to pay for yet none of which offered significantly more than bug fixes & drivers.

That's my point.

Re:Grammar Tip

Just a little Grammar Tip: "affect" and "effect" can both be nouns or transitive verbs.

Risk management

[VincenzoRomano]

As always, the advice is to weigh the risks before opting for an unofficial hotfix.

Well, I'd rather balance between going on with a security hole in my PC and running an unofficial patch to close it.

Re:Patch! Patch on what?

[HaydnH]

"There is NO such thing as patching binary."

Haven't you ever used a decompiler or a hex editor???

Lots of unofficial patches...

[mortrek]

It is kinda sad when a multi-billion dollar company needs unofficial companies/people to make up for their inadaquecies... Oops, almost forgot about anti spyware, anti virus, system rescue, etc products...

Source code

[LoonyMike]

These patches might include the source code, but it's the source for the code that modifies mshtml.dll (or whatever). It is NOT the source for the updated mshtml.dll.

Re:Patch! Patch on what?

[Antique+Geekmeister]

Heck, I've patched libraries with sed and edited binaries with Emacs. It's certainly possible, although I did have root priveleges to do it, and this predates SSH. It even predates ddd and X-Windows!

Not really, no

[Sigg3.net]

slashdot would be packed with cries of "who would actually run this?!" "wtf, no source? no thanks".

It would actually be more like:
- Yes, but does it run on Linux?
- I, for one, welcome our undocumented overlords.
- In Soviet Russia sources release You.
- In North Korea, only old people patch IE vulnerabilities.

If "Snow White" taught me nothing else...

[elrous0]

...it's don't eat apples unless you know for sure what's in them.

-Eric

Re:Patch! Patch on what?

[remembertomorrow]

And how do you propose that warez groups released patched "no-cd" versions of game executables?

Do you think they hack the developer's intranet and steal the source code?

Read up: http://en.wikipedia.org/wiki/Reverse_Engineering#B inary_software

Meh

[post.scriptum]

I certainly won't get unofficial patches if I'm not even using IE. I mean, I download the official patches just in case, but I'd have to be pretty desperate to install an unofficial patch.

Anyone else see a trend here?

[g0bshiTe]

I wonder how this makes Microsoft feel, and imagine the embarassment from having 3rd parties release hot fixes (work arounds, or patches) before your release cycle.

It's like the security community is slapping them in the face and saying that their current model of using patch cycles is not good enough for threats on todays internet.

In my opinion this makes Microsoft look very bad, this is that I know of the second time a patch has been released for an MS product before an official fix release.

And they even produce sourcecode for community scrutiny/review.


To eEye and others making these patches for MS products, thanks guys for making sure my parents don't get inundated by malware.

Politics

[freeweed]

Others have mentioned the normal reason, that being the issue with patches being reverse-engineered in order to generate an exploit. Of course, that doesn't apply in a situation such as this, where we ALREADY HAVE AN EXPLOIT.

Work in a large enough company and you'll find the real reason: politics.

If Microsoft sticks to their once-a-month patch schedule, and your network gets hosed before the patch comes out, you can use the excuse "but there wasn't a patch available!". Everyone calms down, knowing that there simply isn't anything that could have been done.

If Microsoft releases patches immediately, and you don't patch THAT SECOND, your arse is on the line. If you wait until your monthly outage window (or whatever), and something nasty happens in the meantime, you're the bad guy. No matter what SLA you've set up, no matter what testing routine has been agreed upon, no matter what the business will and won't let you do: IT'S YOUR FAULT.

IT departments, and buyers, used to scream at Microsoft because of this. Microsoft switched to a regular, infrequent patch release schedule as a result. It's stupid, it's childish, and it's the way many (if not most) large corporations run.

True story: Zobot whacked us, hard. We knew about it, we had the patch, but weren't able to test and deploy in time. Regular maintenance windows, etc. The cost in terms of downtime was enormous. EVERYONE pointed at IT, saying we should patch ASAP from now on.

A few weeks later, a similar patch was released, with similarly dangerous implications. Tried to rush a patch cycle in that night, and were flat out refused. We even pointed to Zobot, and the clear written requests from management TELLING US TO PATCH ASAP next time. Still, they refused, as we didn't want to inconvenience users. Fortunately, no one brought an infected laptop in during the next week or two.

Needless to say, I'm overjoyed to not have to maintain Windows machines anymore ;)

Re:Another possibility

Extracted from a blog I was reading at http://www.hackdot.org/ (related to slashdot?)

over the past months, I've noticed a trend: A vulnerability is disclosed publicly, usually with PoC exploit code, without informing the vendor, usually Microsoft. Then, all of a sudden, some security company is releasing a 'patch' for this vulnerability that they coded in-house. Said security company gains "the ovation of the people", and lots of free publicity. I'm not sure, but I've got a hunch that the costs associated with anonymously leaking a 0day vulnerability with exploit code and then subsequently releasing a patch for said vulnerability through official, commercial channels, is significantly less than placing an ad on the front page of several major newspapers.... So, financially speaking, it would be a cost-effective marketing strategy to employ, if one were in the position to do so...

Food for thought, anyhow.

Re:Another possibility

[g0bshiTe]

Now that truely is interesting!
It reaks of conspiracy theory, but is it so far fetched?

Thanks for the link, I'll have to read that.

Such technical savvy...

[SanityInAnarchy]

...like my mother? She uses Firefox for everything she can. Unfortunately, she still has to use IE-in-a-tab every now and then.

Re:Such technical savvy...

[distilledprodigy]

Would she be using FireFox if it wasn't for you?

Desperate times call for desperate measures...

[argent]

I'd have to be pretty desperate to install an unofficial patch.

After almost 10 years without a fix for the cross-zone attack problem, desperation is only rational.

Re:Desperate times call for desperate measures...

[post.scriptum]

I'm not sure if these patches fix the "cross-zone attack problem" or not.

Re:Desperate times call for desperate measures...

[argent]

I'm sure they don't, the point is that if Microsoft's leaving design flaws unfixed for 10 years then trusting Microsoft seems more desperate than trusting third parties.

Re:Desperate times call for desperate measures...

[post.scriptum]

Then let's just say I don't trust both.

Re:Desperate times call for desperate measures...

[argent]

Hrm. But you wrote "I download the official patches just in case".

Re:Desperate times call for desperate measures...

[post.scriptum]

Just means I like to sleep at night "thinking" my computer is safe if somebody uses IE because I patched it with the official thing. I guess you could call it denial.