Free Republic
News/Activism

Microsoft Investigates Alleged Flaw in Browser (First virus for .Net reported)
Computerworld | Jan. 14, 2002 | By JAIKUMAR VIJAYAN

Posted on 01/16/2002 9:20:35 AM PST by AFreeBird

Microsoft Investigates Alleged Flaw in Browser

Experts say standard security rule ignored

By JAIKUMAR VIJAYAN
(January 14, 2002)

Microsoft Corp. is investigating an alleged flaw in recent versions of its Internet Explorer (IE) browser software that could allow attackers to spoof legitimate Web sites, steal content from browser cookies and gain access to certain types of files on a victim's system.

The alleged flaw, which affects IE Versions 5.5 to 6, was first reported to the company on Dec. 19 by an independent security researcher who refers to himself as ThePull.

The vulnerability is the result of Microsoft's failure to abide by an industry-standard browser security rule known as the same-origin policy, said David Ahmad, moderator of Bugtraq, a mailing list on which ThePull first posted details of the alleged flaw.

The same-origin policy was established to prevent malicious Web sites from interacting with and stealing sensitive information left in cookies set by other sites on a user's computer. In other words, when one Web site is used to open another Web site in a separate pop-up window, script code from the first site shouldn't be able to affect the information or properties of the other site.

In an e-mail sent to Computerworld Jan. 8, a spokesman for Microsoft's Security Response Center said the company is investigating the issue "just as we do with every report we receive of security vulnerabilities affecting Microsoft products."

"At this point in the investigation, we feel that speculating on the issue while the investigation is in progress would be irresponsible and counterproductive to our goal of protecting our customers' information," the spokesman wrote.

Even so, said Ahmad, Microsoft's failure to abide by the industry standard in recent IE versions has resulted in severe security vulnerabilities.

"If you use the document.write method in the correct manner as stated by Microsoft's own documentation, you are able to spoof sites, read cookies from other sites and read local files on a user's system," ThePull wrote in an e-mail to Computerworld. "This means that someone could send you an e-mail from security@microsoft.com to download an important update with a link; upon clicking that link, you could be brought to a Web page with a Trojan [horse] on it."

Because of the flaw, attackers could potentially construct Web sites that steal cookies, perform actions on different sites through script code and transmit the content of text files to attacker-controlled Web servers, warned an advisory by San Mateo, Calif.-based SecurityFocus.com.

Perhaps the most serious consequence is that trusted Web sites can be replaced with "attacker-created HTML," the advisory said. The best way for users to handle the problem is to turn off JavaScript, said ThePull.

Meanwhile, security firms last week reported the first virus directed at Microsoft's .Net platform. Called W32.Donut, the virus isn't likely to be a major threat because of the small installed base of .Net users, according to an advisory by Sunnyvale, Calif.-based McAfee.com Corp.


TOPICS: Business/Economy; News/Current Events
KEYWORDS: techindex

1 posted on 01/16/2002 9:20:36 AM PST by AFreeBird
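The article describes the same-origin policy as the rule that keeps script in one window from reaching into the cookies or DOM of a site loaded in another window. The following is an added example, not code from the Computerworld article or from any poster in this thread, that reduces that rule to the origin comparison browsers actually make (scheme, host and port must all agree) and shows the check a page should apply when it legitimately exchanges postMessage data with a window it opened. The host names bank.example and attacker.example and the cookie value are constructed for the demonstration; readCrossWindowProperty is a model of browser behaviour, not browser code.

```javascript
// Added example (not from the article or the thread): the same-origin rule
// as an origin comparison, plus the origin check a postMessage receiver needs.
// Runs under Node.js with no dependencies.

// An origin is the (scheme, host, port) triple. The WHATWG URL parser drops a
// default port, so "https://bank.example:443" and "https://bank.example" agree.
function originOf(urlString) {
  const u = new URL(urlString);
  return `${u.protocol}//${u.host}`; // u.host keeps a non-default port
}

function sameOrigin(urlA, urlB) {
  return originOf(urlA) === originOf(urlB);
}

// Model of a browser deciding whether script running in `callerUrl` may read a
// property such as document.cookie from a window showing `targetUrl`. Real
// browsers throw a SecurityError on cross-origin DOM access; this mirrors that.
function readCrossWindowProperty(callerUrl, targetUrl, targetDocument, property) {
  if (!sameOrigin(callerUrl, targetUrl)) {
    const err = new Error(
      `Blocked a frame with origin "${originOf(callerUrl)}" from accessing a cross-origin frame`
    );
    err.name = 'SecurityError';
    throw err;
  }
  return targetDocument[property];
}

// The sanctioned way to talk across origins is window.postMessage, and the
// receiving side must compare event.origin against the sender it expects
// before trusting event.data. `expectedOrigin` is an assumed trusted sender.
function makeMessageHandler(expectedOrigin, onTrusted) {
  return function handle(event) {
    if (event.origin !== expectedOrigin) {
      return { accepted: false, reason: `ignored message from ${event.origin}` };
    }
    return { accepted: true, result: onTrusted(event.data) };
  };
}

// Constructed demonstration data (not real sites or credentials).
const BANK = 'https://bank.example/account';
const bankDocument = { cookie: 'session=constructed-sample-value' };

function demo() {
  const results = {};
  // Same origin: different path and an explicit default port, still allowed.
  results.samePath = readCrossWindowProperty(
    'https://bank.example:443/help', BANK, bankDocument, 'cookie'
  );
  // Cross origin: a page on another host opened the bank in a popup.
  try {
    readCrossWindowProperty('https://attacker.example/page', BANK, bankDocument, 'cookie');
    results.crossOrigin = 'read succeeded (same-origin policy not enforced)';
  } catch (e) {
    results.crossOrigin = e.name;
  }
  // postMessage receiver: accepts only the expected origin.
  const handler = makeMessageHandler('https://bank.example', (data) => `processed ${data.type}`);
  results.trustedMsg = handler({ origin: 'https://bank.example', data: { type: 'balance' } });
  results.untrustedMsg = handler({ origin: 'https://attacker.example', data: { type: 'balance' } });
  return results;
}

const RESULTS = demo();
console.log(JSON.stringify(RESULTS, null, 2));
```

Running it shows the same-origin read succeeding, the cross-origin read ending in SecurityError, and the message handler accepting only the expected origin. The bug the article describes is the browser failing the first check; the postMessage handler shows the one cross-origin channel that is meant to work, and why the receiver's origin comparison is what stands between it and the same kind of cookie theft.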

To: tech_index
Ping a ling.
2 posted on 01/16/2002 9:25:09 AM PST by Dominic Harr

To: AFreeBird
Experts say standard security rule ignored

Again.

3 posted on 01/16/2002 9:25:53 AM PST by Dominic Harr

To: Dominic Harr
Again. ?

Gotta stick with what you know, I guess.

4 posted on 01/16/2002 9:30:19 AM PST by AFreeBird

To: AFreeBird
Here's what Bruce Schneier has to say about Microsoft:


CRYPTO-GRAM
January 15, 2002

by Bruce Schneier
Founder and CTO
Counterpane Internet Security, Inc.
schneier@counterpane.com


A free monthly newsletter providing summaries, analyses, insights, and commentaries on computer security and cryptography.
Back issues are available at . To subscribe, visit or send a blank message to crypto-gram-subscribe@chaparraltree.com.
Copyright © 2002 by Counterpane Internet Security, Inc.

** *** ***** ******* *********** *************

In this issue:
Windows UPnP Vulnerability
Crypto-Gram Reprints
News
Counterpane News
Password Safe 2.0
The Doghouse:  AGS Encryptions
Comments from Readers


** *** ***** ******* *********** *************

Windows UPnP Vulnerability
The big news of late December was a security flaw in Microsoft’s Universal Plug and Play system, a feature in a variety of Windows flavors. On the one hand, this is a big deal: the vulnerability can allow anyone to take over a target computer. On the other hand, this is just one of many similar vulnerabilities in all sorts of software—Microsoft and non-Microsoft—and one for which there is no rapidly spreading exploit. There are several lessons from all of this.

One, the amount of press coverage is not indicative of the level of severity, and the press is the only way to get the news out to the public. This thing got Nimda-like press, but there was no exploit. While it is a critical patch to install, it’s not severe enough to trigger the “wake up, drive to work, and install this patch now!” reflex. Unfortunately, the public will have patience for only so many of these stories before their eyes glaze over. The rate of patch installation is decreasing, as people simply stop paying attention.

Two, Microsoft still sacrifices accuracy for public relations value. Here’s a quote from Scott Culp, manager of Microsoft’s security response center: “This is the first network-based, remote compromise that I’m aware of for Windows desktop systems.” I was all set to write a longish rant, calling the statement a lie and listing other network-based remote Windows compromises—Back Orifice, Nimda, etc., etc., etc.—but Richard Forno beat me to it. Read his excellent commentary on Microsoft and security.

To combat this, open and public discussion is important. In the first days of the vulnerability, there was a lot of debate in the press: which systems were vulnerable by default, how best to fix the problem, etc. Even the FBI got into the act, albeit with wrong information they later adjusted. The importance here is a multitude of voices and a multitude of views, something that secrecy won’t provide. As Greg Guerin commented, when there’s a fire in a theater, you want as many audience members as possible to shout “Fire!” rather than sitting around waiting for the theater manager to say it. The theater manager is going to put his own spin on the news, and it’s not likely to be an unbiased one.

Three, bug secrecy hurts us all. According to reports, eEye Digital Security told Microsoft about this vulnerability nearly two months before Microsoft released its patch. What’s with the two-month delay? It’s a simple buffer overflow, and should be patched within days. Delays just increase the likelihood that someone will exploit the vulnerability. (To think, some time ago I criticized eEye for not waiting long enough before releasing a vulnerability. Shows how hard it is to get the balance right.)

Four, Microsoft still pays lip service to security. This vulnerability is a buffer overflow, the easy-to-use low-hanging-fruit automatic-tools-to-fix kind of security vulnerability. It’s not new or subtle; buffer overflows have been causing serious security problems for decades. It’s an obvious, stupid-ass programming mistake that ANY reasonably implemented security program should have caught. Remember Microsoft’s big PR fuss about their Secure Windows Initiative? If it can’t catch this simple stuff, how can it secure software against the complex attacks and vulnerabilities? This is a software quality problem, pure and simple. And the real solution is better software design, implementation, and quality procedures, not more patches and alerts and press releases.

And five, complexity equals insecurity. UPnP is a complex set of protocols to support ad hoc peer-to-peer networking. Even though no one uses it, it’s installed in a bunch of Microsoft OSs. Even though no one needs it turned on, sometimes it’s turned on by default. This kind of “feature feature feature” mentality, without regard to security, means this kind of thing is going to happen again and again. Until software companies are held liable for the code they produce, they will continue to pack their software with needless features and neglect to consider their associated security ramifications.

This vulnerability also illustrates why Microsoft is so keen on bug secrecy. The industry analysts at Gartner issued a warning, urging companies to delay upgrading to Windows XP for “three to six months,” lest more of these kind of vulnerabilities surface. If Microsoft had learned of this vulnerability in secret, and fixed it in secret, Gartner would not make any such statements. No one would be the wiser. (But, of course, if Microsoft learned of this vulnerability in secret, what impetus would they have to fix it quickly? Wouldn’t it be easier on everyone if they just rolled it into the next product update?)

Honestly, security experts don’t pick on Microsoft because we have some fundamental dislike for the company. Indeed, Microsoft’s poor products are one of the reasons we’re in business. We pick on them because they’ve done more to harm Internet security than anyone else, because they repeatedly lie to the public about their products’ security, and because they do everything they can to convince people that the problems lie anywhere but inside Microsoft. Microsoft treats security vulnerabilities as public relations problems. Until that changes, expect more of this kind of nonsense from Microsoft and its products. (Note to Gartner: The vulnerabilities will come, a couple of them a week, for years and years...until people stop looking for them. Waiting six months isn’t going to make this OS safer.)

5 posted on 01/16/2002 9:30:56 AM PST by WriteOn

To: AFreeBird
Microsoft would have so much more credibility if they didn't have so many security problems like these. That said, I just read a report this week about a Solaris security hole.
6 posted on 01/16/2002 9:33:38 AM PST by freedomcrusader

To: AFreeBird
According to Microsoft, Windows XP is the "Most Secure Operating System Ever!". According to certain Freepers, since it is the most popular operating system, it has to be the best!

Nothing to see here, move along.

7 posted on 01/16/2002 9:42:06 AM PST by toupsie

To: toupsie
Microsoft Corp. is investigating an alleged flaw in recent versions of its Internet Explorer (IE) browser software that could allow attackers to spoof legitimate Web sites, steal content from browser cookies and gain access to certain types of files on a victim's system.

It does a H*LL of a lot more than that!!!

Whether it is the UPnP flaw, or this new exploit, my Win ME system has been "taken over" by a "DNS SPOOF" attack three times in the last two weeks!! The attacker installs a Second MASTER Boot Record on a machine with only ONE physical hard drive and only ONE partition, namely C.

This second Master Boot Record then reserves 2 GIGABYTES on the drive for God only knows what!

MS is, IMHO, writing LOGIC TIME BOMBS!

ENOUGH ALREADY!!!

8 posted on 01/16/2002 10:11:45 AM PST by Lael

To: AFreeBird
I recently contracted a malignant virus through Microsoft's notoriously crappy "Outlook Express" email application. This revelation doesn't surprise me...Microsoft is not on my good side right now.
9 posted on 01/16/2002 10:43:44 AM PST by Frances_Marion

To: freedomcrusader
That said, I just read a report this week about a Solaris security hole.

No, that was an article about the 'HoneyNet' project that was used as 'disinformation', Clinton-style. It was put here by an MS worker.

That was a 3 year old known bug that was patched quite a while back.

The machine was a 'honeypot' machine, left unpatched with an old known exploit to catch a hacker on purpose. Which it did.

There was a thread here that provided all the relevant links . . .

The actual point of the article in my mind is that hackers target other OS's every day, disproving the theory that MS has so many exploits because hackers target it.

10 posted on 01/16/2002 11:50:58 AM PST by Dominic Harr

To: freedomcrusader
Here's the CERT link about the Solaris hole. It was posted January 14, 2002. Some people on this thread would like you to believe this stuff doesn't happen in the Unix world and, worse, deny it when it does. Otherwise, they'd have a hard time saying that only MS has security issues...
11 posted on 01/16/2002 12:57:40 PM PST by Bush2000

To: Lael
IE v.6.0 is especially dangerous and should not be used unless patched.
12 posted on 01/16/2002 1:04:11 PM PST by TechJunkYard

To: All
Here's the CERT link about the Solaris hole. It was posted January 14, 2002.

The *update* was posted January 14, 2002. A certain MS employee linked to an *update* of an old bug and called it a new exploit, for obvious reasons.

You'll notice the first line there says, "The CERT/CC has received credible reports of scanning and exploitation of Solaris systems running the CDE Subprocess Control Service buffer overflow vulnerability identified in CA-2001-31 and discussed in VU#172583."

You click on CA-2001-31 and notice it says "This vulnerability was first reported to us in March 1999, and more recently by Internet Security Systems (ISS) X-Force."

The Clintons would be proud! Y'all have an MS employee trying to snow you big-time! You should be happy that we rate this kind of effort from MS.

13 posted on 01/16/2002 1:16:31 PM PST by Dominic Harr

To: Bush2000
And here's an advisory from RedHat dated yesterday... you're right -- it happens to everybody.
14 posted on 01/16/2002 1:16:56 PM PST by TechJunkYard

To: Dominic Harr
It's not a flaw; it's a feature.
15 posted on 01/16/2002 1:19:29 PM PST by Redcloak

To: toupsie
According to Microsoft, Windows XP is the "Most Secure Operating System Ever!"...

IMHO, each successive release of Windows is little more than a cumulative PTF for the last release.

16 posted on 01/16/2002 1:25:49 PM PST by TechJunkYard

To: Redcloak
The thing that gets me is the outright disinformation.

Posting an 'update' as a new exploit . . . Geez.

17 posted on 01/16/2002 1:26:43 PM PST by Dominic Harr

To: TechJunkYard
That exploit dates back to 1999. The 'HoneyNet' project left that server open on purpose, with a 3 year old known exploit unpatched on purpose, "to catch a thief".

That's what they do.

The MS people are just feeding you the update about the HoneyPot and claiming it's a new exploit.

18 posted on 01/16/2002 1:28:17 PM PST by Dominic Harr

To: TechJunkYard
And here's an advisory from RedHat dated yesterday... you're right -- it happens to everybody.

Thanks for the comment.
19 posted on 01/16/2002 2:44:46 PM PST by Bush2000

To: TechJunkYard
That exploit dates back to 1999. The 'HoneyNet' project left that server open on purpose, with a 3 year old known exploit unpatched on purpose, "to catch a thief". That's what they do. The MS people are just feeding you the update about the HoneyPot and claiming it's a new exploit.

Whether it's a new or old exploit is irrelevant to me. The fact of the matter is that it is currently being exploited. If Harr wants to laugh it off as an old bug, fine. It exists today. Now. Here's the text from the new advisory: I don't know what's worse: The hackers trying to exploit the Solaris hole or those on this thread who are trying to laugh it away. It's a bug. Sun should fix it. And we should all move on. Let's not deny the obvious.
20 posted on 01/16/2002 3:08:26 PM PST by Bush2000
