MS Mulling Changes to Thwart .ANI-type Attacks
Scada Moosh writes "ZDNet has a story about the lessons Microsoft learned from the recent animated cursor (.ani) attacks and some of the broad changes being made to flag this type of vulnerability ahead of time. The changes include a possible addition to the list of banned API function calls, more aggressive checks for buffer overruns and enhancements to existing fuzz testing tools. '[Michael] Howard said Microsoft will "rethink the heuristics" used by the /GS compiler to flag certain issues. "Changing the compiler is a long-term task. In the short-term, we have a new compiler pragma that forces the compiler to be much more aggressive, and we will start using this pragma on new code," he added. Two other Windows Vista security mechanisms -- ASLR and SafeSEH -- were also in place to catch code failures but, in the case of the .ani bug, Howard said the attackers were able to wrap vulnerable code in an exception handler to find ways around those mitigations.'"
Just get rid of them.
There's nothing like remoting into a client's PC and trying to figure out which end of the dancing dinosaur I'm supposed to use as the pointer.
Nothing is new with the Vista security model. Check out boot kits and how they are able to do things like elevate command.com to system, open telnet servers and other goodies from 1500 bytes in the boot sector. Forever Pwned.
Friends don't help friends install M$ junk.
Does the banning of an API call mean that the call is still there, it just can't be officially used? Couldn't it still be used deviously to exploit it? Shouldn't we just remove the function from the API, not prevent the compiler from compiling code with that function being used?
They should concentrate on better design, coding and testing methods rather than blaming the compilers.
While risking being out of sync with Slashdot's schizophrenic stance on Microsoft-bashing, let me lower my hammer on this one:
"The changes include a possible addition to the list of banned API function calls"
That's exactly the problem with security under Windows! (okay, there are other problems as well)
Microsoft needs to apply a "default deny" policy to all aspects of Windows' security and this sort of thing wouldn't be a problem in the first place. There shouldn't be a list of BANNED calls, there should be a list of safe ALLOWED calls.
I'm not saying that other operating systems couldn't do a better job too, but security is one (huge) area where Microsoft really and truly sucks - and it isn't something they can solve overnight, either. It seems ingrained in their philosophy and permeates all aspects of Windows (and other products).
Old Bill's Livery and Horse Trading post announced that they have decided to strengthen the windows of the stable because horses were being stolen with surprising regularity. When the reporters queried the wisdom of strengthening the windows while the door is wide open and unlocked, Old Bill's assistant Steve threw the straw bales he was sitting on at the reporters.
sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
In this context, I hope what you mean by mulling is: slapping forehead exclaiming "that was dumb!"
Some years ago, hackers were just challenging the system, and it was a cool thing to find an exploit, but today, big money is involved here and there are large criminal associations working on this.
So if the cursor is fixed, tomorrow it could be the wallpaper or the system sound...
It's time to realise that Abble's products are the biggest abomination these days. Just say NO to the dumb iAbble way!!
This incremental approach will eventually result in operating systems that are secure to all but the most sophisticated local attacks. You can't stop the attack where someone just downloads something and blindly runs it. Unlike most people, I don't think computer OSes and apps will always be as insecure as they have been for the last 15 years since the explosion of the Internet to the masses.
It may take another 5 years, but I think we're getting there. Vista isn't perfect, but it's a step closer.
Don't allow IE to load a cursor with a .jpg extension....
"All great things are simple & expressed in a single word: freedom, justice, honor, duty, mercy, hope." --Churchill
You know if Bill Gates was any kind of leader, he would call for his programmers to scrutinize their code for these kinds of security issues. Oh wait! He did 5 years ago. It's great to know that MS has spent the last 5 years innovating such features.
Well, there's spam egg sausage and spam, that's not got much spam in it.
Write it the right way once, call it often, and it's fixed. Please outlaw code that reinvents insecure versions of routines for basic data structure.
In this day and age of OOP and libraries, there's no excuse but negligence for crappy code.
Two wrongs don't make a right, but three lefts do.
Always remember to practice SafeSEH by using the CON dev. :)
...so this means that Windows will be even more bloated and slower than it already is? Very nice.
Wouldn't it be simpler to just get rid of animated cursors?
...Is re-evaluate what the true purpose of the operating system is, and stick to it instead of tacking so much nonsense to the abomination that today we call Windows.
Microsoft made a big to-do about "focusing on security" in the development of Windows Vista, but instead spent all this time A) spackling over the screwball security holes that the superfluous bits of the last version of the operating system created, and B) bolting on more superfluous bullshit.
The pattern of flagrant Windows/Microsoft security breaches has traditionally involved the fractal-like fuzz of superfluous features surrounding Windows. It simply tries to be too much. How many times have we heard about some hole in Internet Explorer that lets l33t h4xx0rs walk in and screw with your OS? Animated cursors opening security holes. ET-phone-home Windows Media Player opening security holes. IIS subsystems on home users' computers opening security holes... Ad infinitum.
You want a web browser on your PC? Install a web browser. It shouldn't be your OS's job. You want animated cursors? Install a cursor manager. It shouldn't be the OS's job. You want media players? Install a media player. It shouldn't be the OS's job. Are we seeing the fucking pattern here, yet? If Microsoft could focus on the core of the operating system, making it the platform and the framework that the rest of your computing experience happens on instead of trying to make it the damn "multimedia/computing experience" itself, I'll wager a significant portion of these stupid, smack-on-the-forehead sort of problems would go away. And if and when they did crop up, users affected could just patch or uninstall the affected browser/media player/cursor manager/whatever instead of having it permanently tied into their OS for the rest of time (heaven forbid, for example, users reinstalling Windows into its stock, unpatched state).
Howard said that the vulnerable code happened to be wrapped in a very general try/catch block.
This try/catch block, which was in the vulnerable code already, and not injected by the attackers, potentially allowed the attackers to repeatedly try different memory locations looking for system call addresses that were randomized by ASLR.
Without this try/catch, the process would have crashed after the first failed attempt.
In other words, liberal try/catch policies can potentially expose security vulnerabilities by giving bad guys more than one chance to do their bad deeds.
Also, there were no reported instances of Vista being compromised. It is doubtful that the engineers of the various exploits targeted Vista, and therefore didn't take advantage of the try/catch issue to overcome ASLR since XP doesn't have ASLR. In addition, Protected Mode IE would have thwarted the attack even if they had.
Thanks, I'm not half as organized with my Slashdotting as you are!
So what did they do here? Rewrite the .ANI handler by re-implementing the same bug as before?
Or were we just lied to again, by Microsoft?
"It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
I still can't get over why generating "safe" code is the job of the compiler, anyway. What's wrong with checking lengths and buffers before using them? What's wrong with paranoid programming?
/GS? Pathetic.
Did Microsoft's new focus on security from the ground up with Vista really just amount to compiling all its system components with
More Twoson than Cupertino
Flagging the vulnerability is not the problem, MS has shown that they knew about the problem as early as two years ago. It's actually fixing it instead of just marking it "WONTFIX" or "CANTFIX".
Clowns.
And since those attacks are For Sale for $3000 to $5000 on the Internet, everyone with intent to do serious, widespread damage will still be using them.
MS just don't get the security bit anyway - never will. 99% of spam comes from MS boxes. Let alone a mouse cursor that lets the crackers do it.
Wow. I'm nearly speechless. If something breaks in testing and you just slap a try/catch around it to keep it from crashing, then you're just putting a bandaid on a gushing wound.
I subscribe to the school of thought that says all data is malicious unless proven otherwise. That means you don't just assume some random file contains an animated cursor -- you have to verify that it contains an animated cursor. If the file format is somehow impossible to verify, then the format itself is broken and should never be used.
Prior to Vista, you could drag files from Explorer to cmd.exe to have it type in the filename for you, exactly like on Mac. However, due to overzealous security changes by Microsoft, this does not work in Vista.
In NT, console windows are actually owned by the most privileged user-mode process in the system, csrss.exe. One of Vista's big security changes is that processes cannot send window messages to windows owned by processes of higher security clearance. This means that Explorer cannot send a message to console windows telling them that there is a file being dragged to it. Starting Explorer as Administrator does not help, because csrss.exe runs with higher privilege than that.
Rather than fix the insane design issue of csrss.exe owning console windows, they decided to leave it the way it is. Never mind that there have been exploits against csrss.exe through the console system in the past.
To give you an idea of how bad of a hack the console implementation is, kernel32.dll's WriteFile detects console handles, which are fake handles, and translates the call into an RPC call to csrss.exe. This breaks all kinds of stuff.
"Screw Sun, cross-platform will never work. Let's move on and steal the Java language." - Visual J++ Product Manager
An AC pest taunts,
By the way twitter, how do you feel about how "M$" enjoyed a 60% jump in revenue on Vista and new office sales in the last quarter? Looks like Vista is doing well!
They stuffed their channels and I don't expect the next quarter to look very good. Studies that show that only one in ten people are planning to use Vista better and that a large percentage of businesses never plan to move to Vista are more in tune with reality. The fact that M$ has not and will not fix their security model makes me think those numbers will go south. Give the channels another quarter of crappy sales and all hell will break loose for M$ as they are forced to admit they overbought Vista. The partners have been starved for six years, this is supposed to be their best year ever. Their investors will demand better and 2007 will be the year of Linux.
Taunts like that are fun. Keep it up, M$ marketdroids!
so what you are telling me here is that if I allow my operating system to be compromised, it will be compromised?
Yes, but there will be no trace of it on your hard drive, anti-virus writers don't check BIOS, so you will never know people are logging into your system and taking what they want. Ha ha.
But no, what your AC sock puppets have claimed is not true - this won't work on gnu/linux. It only works for Vista by exploiting M$ specific flaws. Those flaws were originally designed to lock you out of your kernel and it looks like they have done exactly that. Show me the gnu/linux demonstration and I might believe you. Right now, all claims of such are the usual FUD. "... but, but M$ is the best, everything else must suck as badly," all the M$ turds always cry but it never comes to pass. It sucks to be you, dedazo.
It's the PC heritage, going back to the days when no-one in the non-Unix PC world gave the slightest thought to security, because you could get away with it back then.
They did not get away with it. Macro viruses blew out computer labs and people's systems and caused all manner of havoc.
Worse, M$ knew better and everyone told them so. They had Xenix, they helped make OS/2, they knew what they were doing, they just decided to hold on to their DOS legacy. It was then and still is a matter of negligence. Other people did not and still don't have the same kinds of problems. Xenix, Minix, Linux, BSD, even Apple and Palm did better. People are still telling them so.
The only reason there's a perception that these are "computer" or "PC" problems is that M$ runs a billion dollar a month marketing program. That billion bucks includes astroturf, public corruption, bribes and everything they can think of to get people to tell you that M$ is the best, it has all the features everything else does and everything else has all their problems. This is a tremendous disservice to the public.
I think the FSF trollards are out in force because they just realized that blabbering about how "M$" sucks and Vista was going to "fail" for over a year accomplished exactly nothing.
Damn, how it must hurt that after all those late-night "M$ WINDOZE SUXXORZ LOLOL" sessions you have absolutely nothing to show for it. RMS promised you paradise and 70 virgins... but all you have is your basement and your imaginary $15/month girlfriend. Ouch.
When did Microsoft ever claim to have rewritten Windows from scratch?
They used to do it regularly. NT stood for "New Technology." I can't tell you how many times they declared the "death of DOS" even while they were using the same old 16-bit functions. ME, W2K and XP were all billed as radically new but were all more of the same rehashes.
Vista is more of the same. The Wikipedia entry, which they pay people to write, claims, "hundreds of new features; some of the most significant include an updated graphical user interface and visual style dubbed Windows Aero, improved searching features, new multimedia creation tools such as Windows DVD Maker, and completely redesigned networking, audio, print, and display sub-systems." In short new everything, which clearly is not true. They go on to boast about security improvements that, once again, do nothing real for the user.
I thought I remembered a specific Solaris telnet exploit not too long ago that was incredible oversight by Sun. I guess that must have really been a Microsoft telnet daemon?
The clash of honour calls, to stand when others fall.
Another pointless discussion that doesn't acknowledge the depth of complexity of backwards compatibility, and its commercial necessity.
NT 3.0 was written from scratch. Please provide proof to the contrary, if you have it. Then, provide proof that *Microsoft* has claimed Vista is rewritten from scratch. And I said Vista, not Longhorn or anything else.
I'd calculate that about the same number of times you've declared "M$ Winblows" was "dead".
But I could be wrong.
Please provide proof of this. If true, it means that Microsoft has subverted the WP editorial controls, because for a closely-watched topic like that one, no matter how many times you edit it, someone will put your changes under the microscope. The vast majority of the Microsoft articles on WP are closely watched and by definition maintained free of harmful edits.
So, let's see some proof of your claim.
Web2.0: I love when people Flickr my cuil and digg my boingboing until my google is reddit and I start to yahoo
What's purple and commutes? An Abelian grape.
I thought I remembered a specific Solaris telnet exploit not too long ago that was incredible oversight by Sun.
You win! I give up and admit the equality of Solaris and Windoze security models. Swarms of Sun powered bots will soon take down the internet.
Proof, flocktard. You were asked for proof. Semantic nitpicking of your own posts doesn't count. Prove that the contents of that WP entry are provided by "M$". Go ahead, we're all waiting. Just like those nonexistent Linux botnets, the lawsuits that "destroyed" the Zaurus, your "job" at a "Fortune 100" company and all our other FUD.
Fortunately people like you who are incapable of adapting to new technology and get emotional about operating systems get weeded out. Face it, brother, you're a dinosaur.
Hire people who know that it's a really, really, really bad idea to drop a structure onto the stack, especially if said structure is to be filled by user data. That should take care of the issue.
Instead of fixing the underlying problem, MS tries hard to "fix" the world around it. It's not an issue with the compiler, it's not an issue with API calls that can be "abused", it's an issue with badly written API functions. Grab the source of those friggin' libs and move the structures that you moronically created on the stack onto the heap. Yes, this would still allow a malformed structure filler (i.e. some file with bogus information to fill) to mess with your heap and possibly cause the program running it to crash, but it would make absolutely CERTAIN that such a malformed data file cannot be used to execute code contained within.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
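To make the point of the last two comments concrete (verify that the file really is an animated cursor, and never let a file-supplied length decide how much gets written into a fixed structure), here is an added example that is not from the discussion or from Microsoft's code: a parser for a RIFF-style "anih" chunk that checks the untrusted size field against the fixed header size before it fills the structure. The chunk layout follows the RIFF tag/size/payload convention and the 36-byte, nine-field ANI header size; the field names, the error codes and the sample chunks are constructed assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* RIFF-style "anih" chunk: 4-byte tag, 4-byte little-endian size, payload. The
 * payload is modelled on the 36-byte ANI header (nine 32-bit fields); the
 * field names are illustrative, not the Windows definitions. */
#define ANIH_PAYLOAD_SIZE 36u
struct anih_header {
    uint32_t header_size;                            /* must itself equal 36 */
    uint32_t num_frames, num_steps, width, height;
    uint32_t bit_count, num_planes, display_rate, flags;
};

static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = v & 0xff; p[1] = (v >> 8) & 0xff; p[2] = (v >> 16) & 0xff; p[3] = (v >> 24) & 0xff;
}

/* Returns 0 on success or a negative code for the rejected condition. The size
 * field from the file is untrusted: it is checked against the fixed structure
 * size before any payload byte is read, so it can never drive a copy past 'out'. */
int parse_anih_chunk(const uint8_t *buf, size_t len, struct anih_header *out) {
    if (len < 8)                        return -1;   /* truncated chunk header */
    if (memcmp(buf, "anih", 4) != 0)    return -2;   /* wrong chunk tag */
    uint32_t declared = rd32(buf + 4);
    if (declared != ANIH_PAYLOAD_SIZE)  return -3;   /* size field disagrees with format */
    if (len - 8 < declared)             return -4;   /* file shorter than it claims */
    uint32_t *f = (uint32_t *)out;                   /* nine consecutive uint32_t fields */
    for (size_t i = 0; i < ANIH_PAYLOAD_SIZE / 4; i++) f[i] = rd32(buf + 8 + 4 * i);
    if (out->header_size != ANIH_PAYLOAD_SIZE) return -5;   /* inner size field lies */
    return 0;
}

/* Constructed input: size field 'declared', then 'payload' zero bytes with the
 * inner header_size field set to 36. 'dst' must hold 8 + payload bytes. */
static size_t make_chunk(uint8_t *dst, uint32_t declared, size_t payload) {
    memcpy(dst, "anih", 4);
    wr32(dst + 4, declared);
    memset(dst + 8, 0, payload);
    if (payload >= 4) wr32(dst + 8, ANIH_PAYLOAD_SIZE);
    return 8 + payload;
}
int demo_well_formed(void) {           /* size 36, 36 payload bytes -> 0 */
    uint8_t buf[64]; struct anih_header h;
    return parse_anih_chunk(buf, make_chunk(buf, ANIH_PAYLOAD_SIZE, 36), &h);
}
int demo_oversized_size_field(void) {  /* size field claims 4096 -> -3, nothing copied */
    uint8_t buf[64]; struct anih_header h;
    return parse_anih_chunk(buf, make_chunk(buf, 4096, 36), &h);
}
int demo_truncated(void) {             /* size 36 but only 20 payload bytes -> -4 */
    uint8_t buf[64]; struct anih_header h;
    return parse_anih_chunk(buf, make_chunk(buf, ANIH_PAYLOAD_SIZE, 20), &h);
}
int main(void) {
    printf("well-formed=%d oversized=%d truncated=%d\n",
           demo_well_formed(), demo_oversized_size_field(), demo_truncated());
    return 0;
}
```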
Nothing is new with the Vista security model. Check out boot kits
So while M$ contemplates fixing ancient flaws, the virus writers have discovered brand new ways to 0wn Windoze. Great, they are running circles around them.
Look at what they did to Twitter. I count no fewer than 10 modpoints blowing him off the discussion within 12 hours. He must have struck a nerve.
DMCA, Hollings, Palladium. What might have sounded like paranoia is now common sense.
You're still the same person. Whether it's MPD or just idiocy, I don't really care.
"It does not do to leave a live dragon out of your calculations, if you live near him." - Tolkien
Erris is Twitter's sockpuppet account.
This sig intentionally left blank.