Microsoft's Urgent Patch Precedes Black Hat Session

Julie188 writes "Mystery solved! Microsoft's latest emergency out-of-band patch was weird beyond belief. A notice was sent to journalists and researchers late Friday evening that the patch was coming Tuesday, but Microsoft refused to explain the flaw and even put a cone of silence around researchers who would have otherwise talked about it. But finally, one researcher broke ranks and explained that the patch was caused by a flaw introduced in Microsoft's own development tools. This flaw was also the source of the emergency ActiveX patch, which took about 18 months to complete and which supposedly fixed the problem by turning off ActiveX (setting a 'killbit' on the control). Researchers at Black Hat on Wednesday will be demonstrating how to override the killbit controls and get access to vulnerabilities supposedly stopped with a killbit. What's really scary is that Microsoft has issued 175 killbits fixes so far."

Imagine.

[rolfc]

There are still people that think ActiveX is a gift to humanity.

Re:Imagine.

[bstreiff]

So you're contrasting OS upgrade fees for OS X... versus not upgrading Windows.

Guess what? There are upgrade fees to go from XP to Vista to 7, too.

Re:Imagine.

[TheRaven64]

Namely - A $100 fee every year to upgrade from 10.4, to 10.5, to 10.6, and so on

I don't like to contradict your wonderful hyperbole with mere facts, but the upgrade from 10.5 to 10.6 is going to cost $29, and comes two years after the release of 10.5, making the cost $14.50 per year, not $100. The upgrade from 10.4 to 10.5 cost $129 I believe (although it was $20 if you had bought 10.4 after 10.5 was announced) and was release 2.5 years after 10.4, making the cost per year $51.6. If you bought both of these upgrades, you will have spent $35.11 per year on upgrades.

Re:Imagine.

[hairyfeet]

Which brings me to something I've asked several times and never gotten a real response too: Why is it so damned hard for Apple guys to admit Apple is expensive? I mean you don't see Ferrari owners going "well if you figure in all the external factors its a great value for the money" because its not. Its exotic, its fast, but it sure as hell ain't cheap. Same thing goes with Apple.

As you pointed out you get crazy long support cycles out of MSFT. Win2K will be supported until April next year IIRC, and WinXP until 2014. And the simple fact is that now Apple has switched to Intel you can buy the SAME hardware that is in a Macbook or Macbook Pro for $700- $900 or more cheaper from a Dell or HP. So the price difference is for OSX and the pretty. So for an Apple guy to say Windows is expensive when they are paying that much for OSX PLUS having to "rebuy" it every year is just nuts.

Hey, Apple Guys, if you want to drive a Ferrari, just drive it and be happy. If you think spending $700-$900 or more for OSX is great, then fine and dandy, nobody is judging you. But please stop with the bullshit, okay? It makes you sound delusional or like a koolaid drinker when you sit there and try to jump through all these logic hoops trying to justify how that $2200 you paid for your laptop isn't high, when we can buy the same gear for $900-1100. You don't see the Ferrari owners trying to justify with logic hoops how they are "value for the money" compared to Ford, do you? Hell no! So just accept you have a Ferrari and be happy. But trying to come up with all these crazy hoops to try to prove that Apple computers aren't expensive just ends up with a pile of bullshit as big as MSFT's with their "get the facts" campaign, okay?

If you want to spend that extra $$$$ on OSX, just do it and be happy already. Trying to justify it with these totally crazy "value for the money" arguments just makes you sound crazy or desperate to prove you didn't get ripped off. If you think OSX is worth the hundreds or even over a thousand you spend, then just spend it and be happy with your purchase.

Re:Imagine.

If you bought both of these upgrades, you will have spent $35.11 per year on upgrades.

Which is close to the cost of an anti-virus subscription.

Re:Imagine.

[ehrichweiss]

VERY good point. I own(ed) several Silicon Graphics workstations. Even though it would have been true, my justification never involved "well, if you add the fact that these don't crash every 20 minutes, the productivity makes them worth the $20,000+ paid for them". Nope, my justification was "ever see all those special effects in movies? They used THIS computer brand to make most of them, not a PC, not a Mac".

Re:Imagine.

[jonadab]

> I bought a Mac with 10.4 and haven't spend
> a dime since then for OS updates. i.e. Cheap.

Alright, I am now officially tired of this "whose upgrades are cheaper" argument between the Mac and Windows folks, so listen up:

I got a CheapBytes Debian CD in 1998, and updates are always free. That makes my total cost something like six bucks, including shipping, in eleven and a half years, which averages out to fifty-some cents per year.

So everyone who spends more than a dollar a year on software can just SHUT UP about how cheap their option is, okay?

sensationalist much?

[timmarhy]

yes activex sucks, anyone who doesn't know this already has rocks in their head, but calling a patch "weird beyond belief"? MS gets wind of security hole that might be really bad, patches it urgently.

damned if they do damned if they dont?

Re:sensationalist much?

[mortonda]

You missed the part where they knew about the flaw 18 months ago. That's just... sad.

Re:sensationalist much?

[Fred_A]

yes activex sucks, anyone who doesn't know this already has rocks in their head, but calling a patch "weird beyond belief"? MS gets wind of security hole that might be really bad, patches it urgently.

Not only that but they patch it urgently for the 175th time. If that isn't urgent I don't know what is.

I don't know of any other OS company that's that focused on security that it patches the same kind of thing that many times : "We have to make sure, the security of our users is important to us !".

Now that's dedication !

Re:sensationalist much?

[commodore64_love]

I thought the weridness came from using a "killbit" solution. Any spybot programmer will easily be able to override that.

Re:sensationalist much?

[mcgrew]

"Sad" isn't the word for it. Evil comes close, though. The fact that the flaw was introduced by their own development tools is what's sad. The people who get exploited by this flaw will be sad.

Re:sensationalist much?

[WD]

Sure, it's easy to disable killbits if you have the ability to run code on a windows system. But if you've already reached the point of running arbitrary code on a windows system, why would you go through the trouble of disabling a kill bit and then hope that the ActiveX control gets exploited so that you can... run code on a windows system? Think about it.

Cone of Silence?

[eldavojohn]

Microsoft refused to explain the flaw and even put a cone of silence around researchers

Those suck. My dog had to wear one of them for a week. Didn't shut him up but it sure stopped him from licking what used to be his balls.

Standard Operating Procedure

[Drakkenmensch]

1. Be told of critical flaw by multiple, repeatable accounts and deny everything as a "paranoid fantasy"

2. Secretly prepare emergency patch and bury it in driver update patches

3. ???

4. PROFIT!!!

Re:The real mystery

[plague3106]

I also didn't like how ActiveX morphed from a special browser-only technology into a synonym for COM and then into a replacement for OLE. At least now we've got .NET which promises to rid us of C++ once and for all.

ActiveX was designed to replace the overly complex COM way of building components. It was added to the browser later to provide a richer browser experience. I'm not sure I see C++ going anywhere, and you can build ActiveX components using C#.

Whoever thought making C/C++ an implementation language for anything as complicated as an OS ought to be shot. The number of possible vulnerabilities is through the roof, as this latest patch shows.

C was used because it was more productive then assembler, but still performed very well. Of course being so close to the metal means that its easier for programmers to screw up... but I'm not sure C# will be used to build the base of an OS anytime soon. You'd almost have to make the CLR the OS... which while an interesting idea not one I think we'd see soon.

Re:Kill ActiveX

[click2005]

Doesn't Windows Update (via the webpage) use ActiveX?

Re:The real mystery

[commodore64_love]

>>>Whoever thought making C/C++ an implementation language for anything as complicated as an OS ought to be shot.

In the 1980s the C language was the best option. There wasn't anything better. And since Windows/DOS and Windows/NT were developed during the 80s, we still live with the legacy. Simple as that.

It's the commonality.

[tjstork]

The thing about Active X is that is just a way to put an object oriented wrapper around a DLL. So really, its just a DLL.

The problem with DLLs is that they are good for process re-use on a desktop but not the kind of thing you want to be shoving into a browser. However, if Microsoft closed off Active X entirely in browsers, they would break Flash and third party OpenGL and movie plugins... and probably would wind up getting ripped for it.

The thing to keep in mind is that Firefox and other browsers that allow for DLLs to be loaded as plugins are going to have these problems as well. It's just that, there are less firefox plugins than there are activex controls out there, so the universe of the problem is smaller.

Re:It's the commonality.

[neonsignal]

There is truth in your argument that third party additions to a browser pose a security problem, but you are comparing coffee and fish.

Plugins pose a security risk because you are running software from unknown sources as part of your browser. However, you don't need to install the plugins in order to enjoy the browser functionality.

Active X on the other hand was always intended to be integrate with web pages, which means that in many cases you would not even have been able to view the content without downloading a COM object of dubious origin. Fortunately this has largely failed, and most web content is still accessible without it (though there are a number of commercial services on the other hand that require Active X to work).

The better comparison with Active X is other dynamic web code, such as scripting languages like javascript, and of course Java, which have been used for similar purposes. There are clear differences, because Active X is running native code, and so is notoriously difficult to sandbox effectively. It is obviously a matter of degree; no system is fully secure. But whereas exploits of Active X tend to often be total (access to the host machine), exploits of systems such as javascript often revolve around more subtle issues such as masquerading.

I actually think there is merit in having internet distributable native code. But having said that, there are multiple issues. I don't think the solution is merely to improve the containment of the downloaded code (indeed, that only makes it harder for the plugin to do anything useful). The problem is one of trust: how do I know if the binary code is trustworthy (Microsoft rubberstamp certification just doesn't do it for me!); and why do most sites need Active X at all (shouldn't we just be trying to agree on some browser standards like video formats so that typical functionality can be built into the browser!).

Re:It's the commonality.

[DavidTC]

Strictly speaking, the GP is right. The reason that ActiveX is more vulnerable than Firefox is there are a lot more ActiveX controls than Firefox plugins. (Not to be confused with Firefox Addons, which seem to be fairly secure, and are pieces of javascript. Firefox plugins are things like the PDF viewer that Acrobat installs, etc.)

However, the reason there are a lot more ActiveX controls is a, tada, bad design. It's because ActiveX fundamentally lets you embed all sorts of stuff that came with the operating system and random applications and were not designed to be controlled by a web page. Stuff around from before web browsers!

So Microsoft has to kill each of these, one at a time. That's what the '175 killbits' is talking about....something like 125 of those were on things that it should not have been possible to load in a web browser anyway, but Microsoft decided it would be great fun if you could load all those fancy new signed-DLLs-under-another-name in a web browser. And companies that had been putting out ActiveX controls and had never had to worry about security before, because they were selling a PDF rendering control to software developers to embed in their app, suddenly found out how insecure they were.

Aka, is your car secure, right now? Yes? Alright, let's transport these dangerous criminals in it. What do you mean, it's not secure from that direction?

And this isn't helped by the fact that ActiveX controls are so easy to install. I'm not talking about malicious ones, those are easy also, but legitimate good ActiveX controls, which are signed by a legit company and everything.

And they work for two years, and web design moves on...and eventually a hole is discovered in them...and crackers download that version, put it up on their web site, and wait for people to click Yes to install this clearly legit control, signed by Macromedia or whatever, so they can buffer overflow it.

Oh, look. Have to issue a killbit for that also.

The large proliferation of ActiveX controls vs. the small proliferation of Netscapian plugins is why ActiveX is so vulnerable, but the first is entirely due to a rather stupid design decision at the start of IE that let web page designers use random ActiveX controls (Which everyone forgets were not invented for web browsers, but existed before as DLLs with well defined embedding mechanisms.) in a web browser

Re:It's the commonality.

[hairyfeet]

As a Windows repairman, I'll let you in on a little secret: You wanna know why Windows gets exploited and Linux don't? You really wanna know why? The answer is simple: PEBKAC, that's why. Linux guys just aren't gonna run email spam attachments, Hot_Lesbos.mp3.sh, or any of the other truly fucking dumb things Windows users will do. Since I believe in good story telling examples, I'll tell you a true story. Meet Velma.

This is little Velma, who works at an insurance company. Say hi Velma (Hi Y'all!) isn't she sweet? Everybody just loves little Velma. But here in the Windows repair biz we have a name for little Velma, and it is....dum dum dum....The disaster area! Because you see, little Velma has a BFF Kim, who is what we in the Windows repair biz call a "click whore" in that she will click on ANYTHING. Spam attachments, dubious screensaver programs, adware, you name it Kim will click it. And Velma trusts her BFF Kim, because they go on vacation together and anything bad from kim must be a trick, because Kim wouldn't do that. So lets see an actual interaction between the gruff but lovable local repairman hairyfeet and Velma, shall we?

/feet/ Velma, that is a password protect email attachment. That is a virus, do NOT open and run that! /Velma/ Ohh...you worry too much. It is from my BFF Kim, see here name on there? And it says it is happy puppy pictures. Who doesn't like puppies? /feet/ Velma it is telling you to turn off the AV before running and the file is happy_pup.jpg.exe. Do NOT turn off the AV and run that or you will bone the machine! It is a bug! /Velma/ Ohhh you....go drink some decaf. My BFF Kim would never do that to me.../turns off AV, runs program. Porn popups start spewing and network crashes/ /Velma/....Oops.....but it must be a trcik! My BFF Kim wouldn't do that! /feet/..........

And there you have it, an actual infection of an actual Windows user. Could MSFT have done anything to stop it? Short of giving Velma a thin client with no install capability no. And don't worry, Linux guys! If you manage to lure Velma and all her PEBKAC friends to your OS, I'm sure your friends at the Russian Business Network and their friends in China and Nigeria will be cooking up "Happy_pup.jpg.sh" with nice easy to follow instructions so Velma and her friends can turn Linux into a virus laden whore, just like Windows! Won't that be nice?

Re:The real mystery

[mcgrew]

I've always been baffled by Microsoft marketing's insistence that ActiveX is pronouced "active" with the "X" silent. I've never met anyone who didn't pronounce the technology "Active-X".

Considering all the exploits it's made possible, I call it hActive-X.

Re:The real mystery

[VGPowerlord]

I thought Vista was supposed to be built with .NET, only to have those plans scrapped. If MS isn't building their OS with C# and .NET, there must be a reason.

I think you're confusing Vista with Singularity.

Re:The real mystery

[recoiledsnake]

No, significant parts of Vista were supposed to be rewritten in C# but due to performance(or other) reasons, the plan was ditched in 2003/2004 and a normal C++ upgrade to XP was started. This was one of the big factors in the delay of Vista's release.

You DO NOT have to reboot if you install manually

[dobedobedew]

I'm not going to get into why having automatic updates on is generally a bad idea, that subject has already been beaten to death here.

WindowsXP-KB972260-x86-ENU.exe /quiet /norestart

That is the one for XP with IE6, the filenames are different for the other flavors. The list of all of the different patches is at:
http://www.microsoft.com/technet/security/bulletin/ms09-034.mspx/

Re:The real mystery

[cyberdrop]

The reason was not performance. It was an compability issue.
Currently there can only one version of the CLR be loaded into a process. The CLR version of the first .NET DLL is used in the process.

This is also the reason why you should not make shell extensions in .NET. The Windows Explorer would load the shell extension dll in unknown order. If the first one is a .NET 1.0 Dll all .NET 2.0 Dlls would not load.
If a Programm delay loads the CLR a simple call to the Open File Dialog would cause the .NET 1.0 CLR to be loaded into the process.

This problem will finally be solved in .NET 4.0. I think we will see the use of .NET in Windows 8...

Re:The real mystery

[DavidTC]

I also didn't like how ActiveX morphed from a special browser-only technology into a synonym for COM and then into a replacement for OLE.

ActiveX was never a browser-only technology. It was just they referred to the embedding of COM controls in web pages as ActiveX, and eventually started renaming everything 'ActiveX'.

For people who don't know what we're talking about: COM started as a way to embed DLLs that provided specific functional in programs, essentially, 'plugins' that program builders could use that all operated much the same way. I.e., a lot of them you could mark out part of the application and have them responsible for drawing it, and receive signals when they part was active, etc.

Developers could go out and license, for example, a nice TIFF control to embed a picture in their application, or whatever. All the 'common controls' soon moved to this format. They contained all their 'header' information and whatnot inside them, so developers could take a COM file and see what was exported and whatnot in a consistent manner.

Like I said, it's like shared libraries, except all the functions are named and accessible via consistent means. They all use the same way to do things, so you can load them into your application without knowing what they are. (And hand over part of your document to them, or whatever.)

Creators could even do things like license these controls, where people could redistribute them, but not program using them.

ActiveX essentially is COM and OLE2. This were .ocx controls, the successor to .vbx controls, which is where the X in ActiveX comes from. (For those of you who remember your history, the very first version of this was called OLE, Object Linking and Embedding.)

All in all, this not a bad idea. In fact, most OSes have something like it...OSes start off with something like DDE or shared memory, and then end up with higher level functionality built on that to allow you to consistently embed parts of applications in others. Linux has something called, I believe, DCOP.

The problem came about when Microsoft started letting those DLLs be embedded in its web browser, instead of making people write DLLs with customer entry points and functionality, like Netscape had done. (And then it started renaming everything to ActiveX.)

I can see why it did it, in fact, using the COM format to embed controls makes sense, it's letting it use the existing controls that was the problem.