Posted on 01/16/2002 9:20:35 AM PST by AFreeBird
Microsoft Investigates Alleged Flaw in Browser
Experts say standard security rule ignored
By JAIKUMAR VIJAYAN
(January 14, 2002)
Microsoft Corp. is investigating an alleged flaw in recent versions of its Internet Explorer (IE) browser software that could allow attackers to spoof legitimate Web sites, steal content from browser cookies and gain access to certain types of files on a victim's system.
The alleged flaw, which affects IE Versions 5.5 to 6, was first reported to the company on Dec. 19 by an independent security researcher who refers to himself as ThePull.
The vulnerability is the result of Microsoft's failure to abide by an industry-standard browser security rule known as the same-origin policy, said David Ahmad, moderator of Bugtraq, a mailing list on which ThePull first posted details of the alleged flaw.
The same-origin policy was established to prevent malicious Web sites from interacting with and stealing sensitive information left in cookies set by other sites on a user's computer. In other words, when one Web site is used to open another Web site in a separate pop-up window, script code from the first site shouldn't be able to affect the information or properties of the other site.
In an e-mail sent to Computerworld Jan. 8, a spokesman for Microsoft's Security Response Center said the company is investigating the issue "just as we do with every report we receive of security vulnerabilities affecting Microsoft products."
"At this point in the investigation, we feel that speculating on the issue while the investigation is in progress would be irresponsible and counterproductive to our goal of protecting our customers' information," the spokesman wrote.
Even so, said Ahmad, Microsoft's failure to abide by the industry standard in recent IE versions has resulted in severe security vulnerabilities.
"If you use the document.write method in the correct manner as stated by Microsoft's own documentation, you are able to spoof sites, read cookies from other sites and read local files on a user's system," ThePull wrote in an e-mail to Computerworld. "This means that someone could send you an e-mail from security@microsoft.com to download an important update with a link; upon clicking that link, you could be brought to a Web page with a Trojan [horse] on it."
Because of the flaw, attackers could potentially construct Web sites that steal cookies, perform actions on different sites through script code and transmit the content of text files to attacker-controlled Web servers, warned an advisory by San Mateo, Calif.-based SecurityFocus.com.
Perhaps the most serious consequence is that trusted Web sites can be replaced with "attacker-created HTML," the advisory said. The best way for users to handle the problem is to turn off JavaScript, said ThePull.
Meanwhile, security firms last week reported the first virus directed at Microsoft's .Net platform. Called W32.Donut, the virus isn't likely to be a major threat because of the small installed base of .Net users, according to an advisory by Sunnyvale, Calif.-based McAfee.com Corp.
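The same-origin rule the article describes, modelled as an added example (not code from the article, Computerworld or Microsoft): two URLs share an origin only when scheme, host and port all match, and an opener's script may touch a pop-up's document only in that case. The URLs are constructed; the helper names are assumptions.

```javascript
// Added example: a minimal model of the same-origin policy.
// Real browsers enforce this inside the engine; this only reproduces the
// comparison rule so the consequences of getting it wrong are visible.

// Return the serialized origin (scheme://host[:port]) of a URL.
// WHATWG URL normalizes default ports, so https://a.example:443 -> https://a.example.
// Schemes with no authority (file:, about:, data:) yield the opaque origin "null".
function origin(urlString) {
  return new URL(urlString).origin;
}

// Two origins are the same only if both are tuple origins and equal.
// An opaque ("null") origin is never same-origin with anything, itself included.
function sameOrigin(a, b) {
  const oa = origin(a);
  const ob = origin(b);
  if (oa === "null" || ob === "null") return false;
  return oa === ob;
}

// The pop-up scenario from the article: script in the opener window may
// read or write the child window's document, cookies, etc. only when the
// two pages are same-origin. The flaw described amounted to this returning
// true when it should have returned false.
function openerMayScriptPopup(openerUrl, popupUrl) {
  return sameOrigin(openerUrl, popupUrl);
}

// Constructed sample cases (hypothetical hosts).
const SAMPLE_CASES = [
  ["https://bank.example/login", "https://bank.example/account", true],  // same origin, different path
  ["https://bank.example:443/", "https://bank.example/", true],          // default port normalizes
  ["https://bank.example/", "http://bank.example/", false],              // scheme differs
  ["https://bank.example/", "https://bank.example:8443/", false],        // port differs
  ["https://bank.example/", "https://www.bank.example/", false],         // host differs (no subdomain leniency)
  ["file:///C:/boot.ini", "file:///C:/boot.ini", false],                 // opaque origins never match
];

// Evaluate every sample case; returns the number of mismatches against the expected result.
function countSampleFailures() {
  return SAMPLE_CASES.filter(([a, b, expected]) => openerMayScriptPopup(a, b) !== expected).length;
}
```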
Again.
Gotta stick with what you know, I guess.
CRYPTO-GRAM
January 15, 2002
by Bruce Schneier
Founder and CTO
Counterpane Internet Security, Inc.
schneier@counterpane.com
A free monthly newsletter providing summaries, analyses, insights, and commentaries on computer security and cryptography.
Back issues are available at . To subscribe, visit or send a blank message to crypto-gram-subscribe@chaparraltree.com.
Copyright © 2002 by Counterpane Internet Security, Inc.
** *** ***** ******* *********** *************
In this issue:
Windows UPnP Vulnerability
Crypto-Gram Reprints
News
Counterpane News
Password Safe 2.0
The Doghouse: AGS Encryptions
Comments from Readers
** *** ***** ******* *********** *************
Windows UPnP Vulnerability
The big news of late December was a security flaw in Microsoft's Universal Plug and Play system, a feature in a variety of Windows flavors. On the one hand, this is a big deal: the vulnerability can allow anyone to take over a target computer. On the other hand, this is just one of many similar vulnerabilities in all sorts of software, Microsoft and non-Microsoft, and one for which there is no rapidly spreading exploit. There are several lessons from all of this.
One, the amount of press coverage is not indicative of the level of severity, and the press is the only way to get the news out to the public. This thing got Nimda-like press, but there was no exploit. While it is a critical patch to install, it's not severe enough to trigger the "wake up, drive to work, and install this patch now!" reflex. Unfortunately, the public will have patience for only so many of these stories before their eyes glaze over. The rate of patch installation is decreasing, as people simply stop paying attention.
Two, Microsoft still sacrifices accuracy for public relations value. Here's a quote from Scott Culp, manager of Microsoft's security response center: "This is the first network-based, remote compromise that I'm aware of for Windows desktop systems." I was all set to write a longish rant, calling the statement a lie and listing other network-based remote Windows compromises (Back Orifice, Nimda, etc., etc., etc.), but Richard Forno beat me to it. Read his excellent commentary on Microsoft and security.
To combat this, open and public discussion is important. In the first days of the vulnerability, there was a lot of debate in the press: which systems were vulnerable by default, how best to fix the problem, etc. Even the FBI got into the act, albeit with wrong information they later adjusted. The importance here is a multitude of voices and a multitude of views, something that secrecy won't provide. As Greg Guerin commented, when there's a fire in a theater, you want as many audience members as possible to shout "Fire!" rather than sitting around waiting for the theater manager to say it. The theater manager is going to put his own spin on the news, and it's not likely to be an unbiased one.
Three, bug secrecy hurts us all. According to reports, eEye Digital Security told Microsoft about this vulnerability nearly two months before Microsoft released its patch. What's with the two-month delay? It's a simple buffer overflow, and should be patched within days. Delays just increase the likelihood that someone will exploit the vulnerability. (To think, some time ago I criticized eEye for not waiting long enough before releasing a vulnerability. Shows how hard it is to get the balance right.)
Four, Microsoft still pays lip service to security. This vulnerability is a buffer overflow, the easy-to-use, low-hanging-fruit, automatic-tools-to-fix kind of security vulnerability. It's not new or subtle; buffer overflows have been causing serious security problems for decades. It's an obvious, stupid-ass programming mistake that ANY reasonably implemented security program should have caught. Remember Microsoft's big PR fuss about their Secure Windows Initiative? If it can't catch this simple stuff, how can it secure software against the complex attacks and vulnerabilities? This is a software quality problem, pure and simple. And the real solution is better software design, implementation, and quality procedures, not more patches and alerts and press releases.
And five, complexity equals insecurity. UPnP is a complex set of protocols to support ad hoc peer-to-peer networking. Even though no one uses it, it's installed in a bunch of Microsoft OSs. Even though no one needs it turned on, sometimes it's turned on by default. This kind of "feature, feature, feature" mentality, without regard to security, means this kind of thing is going to happen again and again. Until software companies are held liable for the code they produce, they will continue to pack their software with needless features and neglect to consider their associated security ramifications.
This vulnerability also illustrates why Microsoft is so keen on bug secrecy. The industry analysts at Gartner issued a warning, urging companies to delay upgrading to Windows XP for three to six months, lest more of these kinds of vulnerabilities surface. If Microsoft had learned of this vulnerability in secret, and fixed it in secret, Gartner would not make any such statements. No one would be the wiser. (But, of course, if Microsoft learned of this vulnerability in secret, what impetus would they have to fix it quickly? Wouldn't it be easier on everyone if they just rolled it into the next product update?)
Honestly, security experts don't pick on Microsoft because we have some fundamental dislike for the company. Indeed, Microsoft's poor products are one of the reasons we're in business. We pick on them because they've done more to harm Internet security than anyone else, because they repeatedly lie to the public about their products' security, and because they do everything they can to convince people that the problems lie anywhere but inside Microsoft. Microsoft treats security vulnerabilities as public relations problems. Until that changes, expect more of this kind of nonsense from Microsoft and its products. (Note to Gartner: The vulnerabilities will come, a couple of them a week, for years and years...until people stop looking for them. Waiting six months isn't going to make this OS safer.)
Nothing to see here, move along.
It does a H*LL of a lot more than that!!!
Whether it is the UPnP flaw, or this new exploit, my Win ME system has been "taken over" by a "DNS SPOOF" attack three times in the last two weeks!! The attacker installs a Second MASTER Boot Record on a machine with only ONE physical hard drive and only ONE partition, namely C.
This second Master Boot Record then reserves 2 GIGABYTES on the drive for God only knows what!
MS is, IMHO, writing LOGIC TIME BOMBS!
ENOUGH ALREADY!!!
No, that was an article about the 'HoneyNet' project that was used as 'disinformation', Clinton-style. It was put here by an MS worker.
That was a 3 year old known bug that was patched quite a while back.
The machine was a 'honeypot' machine, left unpatched with an old known exploit to catch a hacker on purpose. Which it did.
There was a thread here that provided all the relevant links . . .
The actual point of the article in my mind is that hackers target other OS's every day, disproving the theory that MS has so many exploits because hackers target it.
The *update* was posted January 14, 2002. A certain MS employee linked to an *update* of an old bug and called it a new exploit, for obvious reasons.
You'll notice the first line there says, "The CERT/CC has received credible reports of scanning and exploitation of Solaris systems running the CDE Subprocess Control Service buffer overflow vulnerability identified in CA-2001-31 and discussed in VU#172583."
You click on CA-2001-31 and notice it says "This vulnerability was first reported to us in March 1999, and more recently by Internet Security Systems (ISS) X-Force."
The Clintons would be proud! Y'all have an MS employee trying to snow you big-time! You should be happy that we rate this kind of effort from MS.
IMHO, each successive release of Windows is little more than a cumulative PTF for the last release.
Posting an 'update' as a new exploit . . . Geez.
That's what they do.
The MS people are just feeding you the update about the HoneyPot and claiming it's a new exploit.