Devastating bug affects all recent versions of IE.

Elledan

Banned
Jul 24, 2000
8,880
0
0
Sounds like a rather serious problem: linky

I wonder why MSFT choose to ignore this bug?

[edit]: the /. article is pretty interesting as well: Linky #2
 

n0cmonkey

Elite Member
Jun 10, 2001
42,936
1
0
Microsoft OSes are secure though. It's a good thing they keep their desktop OSes and their server OSes separate or we would see this kind of problem on their servers too.
 

TegSkywalker

Member
Sep 7, 2000
158
0
0
I always knew bundling Internet Explorer both into the OS kernel and as a web browser was going to be a big problem since they started integrating it in Windows 98 with Internet Explorer 4.0.

I don't use IE anymore. Mainly just Opera 6 (stellar browser) and sometimes Netscape 6.2.

Btw.. all of you should try the latest Opera. It rocks!

 

Nothinman

Elite Member
Sep 14, 2001
30,672
0
0
<< I wonder why MSFT choose to ignore this bug? >>

Because it's a design problem and they can't just redesign the way IE or the OS handles files without breaking a lot of stuff.
 

Elledan

Banned
Jul 24, 2000
8,880
0
0


<< I wonder why MSFT choose to ignore this bug?

Because it's a design problem and they can't just redesign the way IE or the OS handles files without breaking a lot of stuff.
>>

I'm well aware of that fact, but people would have found out about this bug anyway, so why try to hide it?
 

Psychoholic

Elite Member
Oct 11, 1999
2,704
0
76


<< I'm well aware of that fact, but people would have found out about this bug anyway, so why try to hide it? >>


What good would it do to mention it until the patch was available??? If the deadbolt is broken on the front door to your house, do you put a sign in your front yard saying so before you run to Home Depot???
 

Elledan

Banned
Jul 24, 2000
8,880
0
0


<<

<< I'm well aware of that fact, but people would have found out about this bug anyway, so why try to hide it? >>


What good would it do to mention it until the patch was available??? If the deadbolt is broken on the front door to your house, do you put a sign in your front yard saying so before you run to Home Depot???
>>


Alright, you got a point there
 

Nothinman

Elite Member
Sep 14, 2001
30,672
0
0
<< What good would it do to mention it until the patch was available??? If the deadbolt is broken on the front door to your house, do you put a sign in your front yard saying so before you run to Home Depot??? >>

Because there are workarounds other than a patch from MS. And my door isn't used by millions of people (if it was, someone would notice the broken lock eventually, like they did this). When your software is used by that many people and its breakage affects companies as much as this can, you have a duty to let the unsuspecting people know there's a potential problem.
 

Saltin

Platinum Member
Jul 21, 2001
2,175
0
0
I'd have to agree with MS's "tight lip" policy, or "security through obscurity" as they are calling it now. Giving details on a security flaw just does not make sense. It's not like anyone is going to come up with a patch any quicker because of it.

I noticed an article on this at Slashdot. They stated that Microsoft wouldn't even confirm that they were working on a patch...then they linked to an article that said MS WERE in the process of working on it... those guys at Slashdot just like to talk crap about MS. Damn elitists.
 

Elledan

Banned
Jul 24, 2000
8,880
0
0


<< those guys at Slashdot just like to talk crap about MS. >>


And you're surprised because...?
 

Psychoholic

Elite Member
Oct 11, 1999
2,704
0
76


<< those guys at Slashdot just like to talk crap about MS >>


Slashdot, <rolleyes> I know where the "slash" in their name comes from...the slanted journalism.

Releasing the information won't help resolve the problem any faster, it just gives anyone with malicious intent the tools they need to carry out their objectives. When the patch is released then the exact details of the security flaw should be published at that time. People, including me, complain about Administrators being lazy in general. You think if they are too lazy to apply the patch once it's available they are going to look for, or try to establish a workaround???
 

Nothinman

Elite Member
Sep 14, 2001
30,672
0
0
<< Releasing the information won't help resolve the problem any faster, it just gives anyone with malicious intent the tools they need to carry out their objectives. >>

But it will also give me, as the user of the f'd up software, a chance to protect myself, but without any knowledge of the problem I just crank along like nothing is wrong. The malicious people will have the information, whether they post it to bugtraq or not, so not telling anyone about the problem helps no one and only makes the chances for a surprise attack better.

<< You think if they are too lazy to apply the patch once it's available they are going to look for, or try to establish a workaround??? >>

Not my problem, if you can't hire someone competent then you deserve what you get.
 

CTho9305

Elite Member
Jul 26, 2000
9,214
1
81
IE6 is harder to exploit... AFAIK nobody has been able to find a way to do it. anyway... I wrote a couple of perl scripts and couldn't get IE6 to behave incorrectly.
 

n0cmonkey

Elite Member
Jun 10, 2001
42,936
1
0


<< I'd have to agree with MS's "tight lip" policy, or "security through obscurity" as they are calling it now. Giving details on a security flaw just does not make sense. It's not like anyone is going to come up with a patch any quicker because of it. >>



And this right here is my problem with people. They talk and talk, but don't understand. Security through obscurity (an OLD term) is not a good thing. Full open disclosure is what we need to keep everyone safe. If MS came out and said "Everyone should use Netscape until we come out with a patch for a big problem" we would not have a story here. Everything would be fine until Microsoft got off their butts, used a standard or two, and made the patch. Keeping the secret means that anyone who finds the hole can use it to exploit machines without anyone being the wiser. Knowing this exists I will definitely not be using IE for a while. That means 1 saved computer. It's a start.

If you need links of more important people talking about full disclosure, let me know, I'll point at least 1 recent one out.
 

Saltin

Platinum Member
Jul 21, 2001
2,175
0
0


<< And this right here is my problem with people. They talk and talk, but don't understand. Security through obscurity (an OLD term) is not a good thing. Full open disclosure is what we need to keep everyone safe. >>



Geeze N0c. It works for the US government, why shouldn't it work for MS?

I just don't believe in advertising the specifics of security flaws. Common sense dictates not advertising weaknesses. I don't know how you or the "more important people" (more important than who BTW) can refute this.
They haven't denied the flaw's existence. They aren't trying to sweep it under the rug and pretend it's not there!
They are dealing with it internally. They wrote the fukcing code, I think they are best equipped to do what needs to be done. I also cannot believe that they aren't taking the threat seriously........
People talked the same crap when the "cookies" flaw was discovered some weeks back. People assumed that because MS didn't want to talk about the specifics they didn't want to deal with it. Wrong. There was a patch available shortly afterwards, and all the critics were stifled.

Now, I think maybe they should try to find a method of letting people know what they can do in the meanwhile to circumvent or hotfix the shortcoming, sure. Can they do this in a manner that does not give away the actual flaw? Who knows? I guess it would be a case by case call.

Don't assume I don't understand just because you disagree with me. I just happen to see things a different way.
 

n0cmonkey

Elite Member
Jun 10, 2001
42,936
1
0


<<

<< And this right here is my problem with people. They talk and talk, but don't understand. Security through obscurity (an OLD term) is not a good thing. Full open disclosure is what we need to keep everyone safe. >>

Geeze N0c. It works for the US government, why shouldn't it work for MS?

I just don't believe in advertising the specifics of security flaws. Common sense dictates not advertising weaknesses. I don't know how you or the "more important people" (more important than who BTW) can refute this.
They haven't denied the flaw's existence. They aren't trying to sweep it under the rug and pretend it's not there!
They are dealing with it internally. They wrote the fukcing code, I think they are best equipped to do what needs to be done. I also cannot believe that they aren't taking the threat seriously........
People talked the same crap when the "cookies" flaw was discovered some weeks back. People assumed that because MS didn't want to talk about the specifics they didn't want to deal with it. Wrong. There was a patch available shortly afterwards, and all the critics were stifled.

Now, I think maybe they should try to find a method of letting people know what they can do in the meanwhile to circumvent or hotfix the shortcoming, sure. Can they do this in a manner that does not give away the actual flaw? Who knows? I guess it would be a case by case call.

Don't assume I don't understand just because you disagree with me. I just happen to see things a different way.
>>



1. The US gov is all messed up already, they don't help your argument.

2. More important than me, which isn't hard.

3. I did not see anything from Microsoft saying there was a problem with IE. So, to me, it looks like they were hiding any possible bugs. I think all of the information should be out there, so we as users know what we need to do to protect ourselves. Knowing what MS messed up will help me know what I should be doing with their OS and what I should not be doing. Without that information, I know there is a problem, but with what? What do I need to watch out for? What do I need to be wary of? And what do I need to avoid? I get this information from OpenBSD when they release patches, and they are free, I expect MORE and BETTER service from a company I give money to.

EDIT: I didn't say you don't understand because you do not agree with me, I said you do not understand because you are wrong.

Cryptogram
 

Psychoholic

Elite Member
Oct 11, 1999
2,704
0
76


<< I get this information from OpenBSD when they release patches >>


You get the information from MS when they release patches as well, right???

n0c, where are you going with your article??? It proves one side just as much as the other???
Then it ends with....


<< Neither full disclosure nor secrecy "solve" computer security; the debate has no solution because there is no one solution. >>


So are you saying that neither you, I, Saltin, Nothinman or any others here are "wrong". So I guess this means we do understand and we're not wrong.

I also like this part:


<< Phase 3 is after the vulnerability is announced. Maybe the announcement is made by the person who discovered the vulnerability in Phase 2, or maybe it is made by someone else who independently discovered the vulnerability later. At that point more people learn about the vulnerability, and the risk increases. >>

 

Saltin

Platinum Member
Jul 21, 2001
2,175
0
0
I'm not wrong, noc. It's just a matter of opinion. I don't think specifics should be released, because, in a case like this, short of knowing exactly what code you need to modify, there is likely nothing you can do. Maybe I am wrong and I'm the only one who doesn't have an expert knowledge of the NT kernel. In the meanwhile, countless other kiddie would-be crackers surfing well known sites that would otherwise be describing the specifics of the flaw have no clue as to how the flaw works. Sure the real cracker community likely knows and is passing the info around amongst themselves. That's unavoidable. What is avoidable is inadvertently teaching others how to make the flaw work to their advantage.

If you really want to secure things, just disable IE's ability to download files until the patch arrives. Problem solved. None of my users, short of those who really need it, can download files now.

As for standards, etc, give this a look. They seem dedicated to finding some standard in regards to how these things are handled.
 

Thor86

Diamond Member
May 3, 2001
7,886
7
81
Wouldn't a download managed Anti-Virus software detect any of this if it was serious enough?
 

Nothinman

Elite Member
Sep 14, 2001
30,672
0
0
<< Wouldn't a download managed Anti-Virus software detect any of this if it was serious enough? >>

Really, only if it was a known virus.
 

n0cmonkey

Elite Member
Jun 10, 2001
42,936
1
0


<< You get the information from MS when they release patches as well, right??? >>



What information they do have up there when I check for patches. I don't run Windows at home right now so I don't have to do this often.



<<

<< Neither full disclosure nor secrecy "solve" computer security; the debate has no solution because there is no one solution. >>


So are you saying that neither you, I, Saltin, Nothinman or any others here are "wrong". So I guess this means we do understand and we're not wrong.
>>



No one is wrong. I said he was just to be an ass, or I hadn't thought about it enough this morning. Take your pick.

I prefer full disclosure. It can help companies get off their butts to make a patch. I also like to know what the problem was. I'm weird like that.

Saltin, without teaching the script kiddiots how to crack flaws, the people interested in becoming white hats will not have the knowledge to help find and fix these flaws. The information is out there whether you release it or not. When you don't release it, it is harder to find, but still can be found. Why not let the white hats and the people that want to know as much as they can (like myself) have that information? Why limit the number of people that have it, by getting rid of the least of the worries? Script kiddiots are not the biggest problem as far as cracked boxes go (DDoS is another question). The knowledgeable black hats are. When the blackhats have more information than the white hats there is definitely a problem. Anyhow, sorry for my assholish posts earlier.

Oh, and Linux does not release all of their security information because of the DMCA. Thanks to all of the government officials that voted for it.

And yes, this was posted from Netscape 4.7x
 

Saltin

Platinum Member
Jul 21, 2001
2,175
0
0


<< When the blackhats have more information than the white hats there is definitely a problem >>



I'm not sure, in this case, that they do. The exploit was found by a "good guy", the same fellow who discovered the cookie exploit. He notified MS directly. I believe their first response to him was "this is not an issue". That was a bad response which MS later recanted, they do stupid stuff like that sometimes. Too proud to admit a problem. In the meanwhile however, I think the fellow who made the discovery got PO'd at MS's initial reaction to his findings and let the info leak. He shouldn't have, that was very irresponsible.

I see it like this.
1) White hat finds exploit, white hat quietly reports to the appropriate body.
2) Appropriate body is actually willing to consider the issue.
3) Appropriate body works on a patch and releases it, fully disclosing the now patched exploit.
4) White hat is given due credit.

This is tight lipped. This is a solid method. The problem is, most of the white hats who find these exploits can't keep their mouths shut for any period of time. It's only human, they HAVE to tell someone and show off. I'd probably do the same thing. That said, it's very irresponsible behaviour.


Now, when the bad guys get their hands on something, well, who knows. I guess it's safe to assume the knowledge is in the wrong hands already. Might as well tell everyone........
 

Psychoholic

Elite Member
Oct 11, 1999
2,704
0
76


<< The problem is, most of the white hats who find these exploits can't keep their mouths shut for any period of time. >>


That and most of the White Hats expect a security hole to be fixed at the snap of a finger. If they see a delay longer than a few days it seems they envision some grand conspiracy, and decide to release the information.
 

n0cmonkey

Elite Member
Jun 10, 2001
42,936
1
0
Saltin, I will agree with that to a point. If the white hat gives the information to the proper authority, and that company does not release a patch in a timely manner he should bring it out for everyone to know. What is a good amount of time to wait? No clue. I'd think anything more than a month after they got the information. 2 months at the most. Then when the information is released to the public the company has to either deal with a bunch of angry customers that got fscked over because of incompetence or release a patch. If the company uses up their month and asks you to keep the information secret for a little longer as they test a patch it would be worth your while to give them more time. Testing is important and should be given a reasonable amount of time. If the company releases a patch, then the white hat should be able to release information on it. Give people a week or two to apply the patch of course.

This is, in my "not so humble" opinion, the proper way of going about these things. Plenty of companies have decided to ignore problems like this, even companies like CheckPoint. It's ridiculous, especially if you are spending thousands of dollars for a fix.
 

n0cmonkey

Elite Member
Jun 10, 2001
42,936
1
0


<<

<< The problem is, most of the white hats who find these exploits can't keep their mouths shut for any period of time. >>


That and most of the White Hats expect a security hole to be fixed at the snap of a finger. If they see a delay longer than a few days it seems they envision some grand conspiracy, and decide to release the information.
>>



I touch that topic in my next post (above this one), but there are plenty of white hats that do keep the information secret for a while. I was browsing bugtraq a couple weeks ago and saw an email from someone that kept a vulnerability between himself and the company responsible for over a year. There have also been cases where CheckPoint has told someone to keep their mouth shut until the next release. That is unacceptable to me, and I hope to you all too. Something as bad as the FW1 vulnerability should not wait till the next release.
 