Security Watch

An IE Vulnerability Report Gone Wrong

A security researcher gets his 15 minutes of fame on a mixed signal of confusion.

Hacking/Denial of Service
Yet another twist in the way security vulnerabilities are being reported: An alleged security "researcher" has informed the media that he’s discovered "a blatant access validation crash" that can result in malicious code, delivered from a Web site, running on the victim system "without them even knowing about it." While providing no details whatsoever to the public, the "researcher" suggests people consider using a different browser until Microsoft releases a patch. Meanwhile, Microsoft has been informed of the details by the "researcher" and is investigating.

Stories like this just make you want to walk up and shake the "researcher" by the shoulders. OK, so somebody -- not someone we know and trust, but just some guy -- says I should switch browsers until I get a patch. Yeah, right, let me see, where’s my installation of Firefox again? Imagine if the only person talking about evacuating Houston was some guy running up and down the streets … and when you asked someone authoritative or trustworthy, all they could say was, "Yeah, I heard that guy, too!"

People typically either switch browsers or they don’t -- very few use both, even when their companies force them to use a browser that might not be their first choice. It’s not that it’s impossible to use both, but it’s just cumbersome. Whether you look at the way file associations are tied to browser installation, or just the excess disk space that two browsers (and their cache) take up, you’d have to be very competent to be comfortable with multiple-browser usage.

So one has to ask the researcher, "Just who are you warning?" If the masses aren’t going to pay much attention to your warning, or if your workaround advice is just unrealistic for them, you’re simply telling those folks who would really love to find another way to attack the masses. Of course, we can’t overlook the fact that the researcher gets his 15 minutes of fame out of this, but come on, who would do that?

With so many "security warnings" or advisories coming out so frequently, the public is tuning out -- it's almost impossible to keep the attention of the average consumer. That’s why Microsoft created Windows Update in the first place, and even more so its Automatic Updates addition to Windows XP SP2. People don’t want to have to think about the advisories, rightly or wrongly, as they’re just too difficult to decipher and even harder to absorb into your daily routine.

Also, if I switched to some browser other than IE, as the researcher recommends, then why would I care when Microsoft releases a patch for it? If I switched because of this vulnerability, why would I switch back? The messaging is just too convoluted; ergo, it’s not intended for the average consumer. If the researcher’s reasoning for announcing anything to do with the vulnerability is to allegedly help people protect themselves, then giving them advice that is confusing or next to impossible to adopt is just plain counter-productive.

As if it hasn’t been said enough already, vulnerabilities need to be discussed with vendors and vendors only, until there’s a patch or until the vendor says there’s no issue. Everything else is for your ego, and I should know.

First there was a report that extremely long registry entries were not showing up in graphical user interface (GUI) tools that access the registry. Now Microsoft has released a Security Advisory (897663) stating that the Windows Firewall user interface will not show malformed exception entries -- entries which are stored in the registry.

The GUI handles malformed registry entries differently than the command-line interface does, largely because they use different programming techniques to retrieve the information. The GUI uses libraries that are more frequently vulnerable to buffer overflows, and so greater restrictions are placed on the length of the entries GUI tools examine and on how malformed results are returned to the program. The command-line tool is more explicit in how it handles such instances, and therefore can be more robust when the entries are malformed.

This is the type of issue that malware may use in an effort to hide itself from anti-virus and anti-spyware programs, some of which rely on the results returned by GUI routines to determine if malware is present. However, it must be remembered that these malformed registry entries are put in place by malware "that has been run," meaning after an attack has already occurred. If proper protection is in place and accepted best practices are adhered to, malware isn’t going to get to the point where it can write malformed entries in the registry, thereby minimizing if not eliminating the potential for this problem to be abused. One other thing to remember is, for the most part, when a program reads a malformed entry it doesn’t simply ignore it -- the application typically crashes and generates a fault notification that the user will, or should, pay attention to.
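Because the column's point is that a GUI-only review of the firewall exception list can miss entries the firewall still honors, the practical check is to read the list from the registry (a .reg export or a command-line dump) and flag anything that does not look like a well-formed entry. The script below is an added example, not Microsoft's code or the text of Advisory 897663. The key path is the one Windows XP SP2 uses for per-application exceptions; the sample entries are constructed, and the specific malformation checks and the 260-character limit are assumptions, since the column does not say exactly which malformations the Windows Firewall UI drops.

```python
"""Audit Windows Firewall application exceptions for entries a GUI may skip.

Added example for this column, not Microsoft's code or the advisory's
text. The registry key path is the one Windows XP SP2 uses for
per-application exceptions; the entries below are constructed samples and
the thresholds are assumptions.
"""

# Known XP SP2 location of the per-application exception list.
LIST_KEY = (r"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess"
            r"\Parameters\FirewallPolicy\StandardProfile"
            r"\AuthorizedApplications\List")

MAX_DISPLAY_NAME = 260  # assumed upper bound for a sane display name


def parse_entry(data):
    """Split "<drive>:<path>:<scope>:<Enabled|Disabled>:<name>" into fields.

    Returns None when the data does not have exactly that shape.
    """
    if len(data) < 3 or data[1] != ":":
        return None
    parts = data[2:].split(":", 3)  # the first colon belongs to the drive letter
    if len(parts) != 4:
        return None
    path, scope, state, name = parts
    if state not in ("Enabled", "Disabled"):
        return None
    return {"path": data[:2] + path, "scope": scope, "state": state, "name": name}


def audit_exceptions(entries):
    """Return (value_name, reason) for each entry a GUI-only review could miss.

    `entries` maps registry value names to value data, the way a .reg export
    or a command-line dump of LIST_KEY would present them.
    """
    findings = []
    for value_name, data in entries.items():
        fields = parse_entry(data)
        if fields is None:
            findings.append((value_name, "not in path:scope:state:name form"))
            continue
        if not (value_name + data).isprintable():
            findings.append((value_name, "contains non-printable characters"))
        elif fields["path"].lower() != value_name.lower():
            findings.append((value_name, "value name does not match path field"))
        elif len(fields["name"]) > MAX_DISPLAY_NAME:
            findings.append((value_name,
                             "display name exceeds %d chars" % MAX_DISPLAY_NAME))
    return findings


SAMPLE_ENTRIES = {  # constructed sample data, not taken from any real machine
    r"C:\Program Files\Messenger\msmsgs.exe":
        r"C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger",
    r"C:\Tools\backup.exe": r"C:\Tools\backup.exe:*:Disabled:Nightly backup",
    # value name and path field disagree
    r"C:\Windows\svchost.exe": r"C:\Temp\unknown.exe:*:Enabled:svchost",
    # display name far longer than any GUI list box will show
    r"C:\Temp\x.exe": r"C:\Temp\x.exe:*:Enabled:" + "A" * 300,
    # fields missing entirely
    r"C:\Temp\y.exe": r"C:\Temp\y.exe:Enabled",
    # control character embedded in the display name
    r"C:\Temp\z.exe": "C:\\Temp\\z.exe:*:Enabled:Updater\x01",
}

if __name__ == "__main__":
    print("Auditing", LIST_KEY)
    for name, reason in audit_exceptions(SAMPLE_ENTRIES):
        print("  %-45s %s" % (name, reason))
```

On a real system the dictionary would be built from a command-line dump of the key rather than from the GUI, which is the whole point: the comparison is between what the firewall engine reads and what the exceptions tab displays.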

Symantec has sent an alert to some of its customers regarding Microsoft’s MS05-043 Security Bulletin. That bulletin pertained to the Spooler service, which contained a buffer overflow that could be exploited remotely via the RPC interface (typically via TCP port 135).

This makes no sense. Any exploitation of this vulnerability is via the same path of attack that is currently being exploited by tens, if not hundreds, of pieces of malware. The advice might make sense if you chose not to use firewall or router default deny, or if you thought that patching and AV alone would be sufficient security for a device hung out on the Internet. As we all know, or should know, this type of security is simply inadequate in today’s environment. If you are protecting yourself against attacks by the malware that’s already out there, you have protected yourself against some new, and as yet never seen, piece of malware that might try to exploit MS05-043.
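The argument above is that a default-deny firewall already closes the RPC path, so the defender's question is simply whether inbound connections to the RPC/SMB ports are being dropped, and whether any are being accepted from outside the local network. The script below is an added example, not Microsoft's or Symantec's code: it reads a Windows Firewall log in the W3C-style format that pfirewall.log uses, taking the column order from the "#Fields:" header rather than hard-coding it (the exact header shown is an assumption), and summarizes inbound TCP traffic to ports 135, 139 and 445. The log lines are constructed.

```python
"""Triage a Windows Firewall log for the RPC/SMB attack path MS05-043 rides on.

Added example for this column, not Microsoft's or Symantec's code. The log
lines are constructed; the "#Fields:" header layout is an assumption about
pfirewall.log, which is why the parser reads column names from the header.
"""
import ipaddress
from collections import Counter

# Ports on the RPC/DCOM path the column says existing malware already uses.
RPC_PORTS = {135, 139, 445}

SAMPLE_LOG = """#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2005-08-15 09:12:01 DROP TCP 203.0.113.7 192.168.1.20 3041 135 48 S 1 0 65535 - - - RECEIVE
2005-08-15 09:12:02 DROP TCP 203.0.113.7 192.168.1.20 3042 445 48 S 1 0 65535 - - - RECEIVE
2005-08-15 09:12:05 OPEN TCP 192.168.1.20 198.51.100.9 1054 80 - - - - - - - - -
2005-08-15 09:12:08 DROP TCP 198.51.100.22 192.168.1.20 4412 135 48 S 1 0 65535 - - - RECEIVE
2005-08-15 09:13:00 OPEN-INBOUND TCP 192.168.1.5 192.168.1.20 1299 445 - - - - - - - - -
2005-08-15 09:14:00 OPEN-INBOUND TCP 203.0.113.50 192.168.1.20 5120 135 - - - - - - - - -
"""


def parse_log(text):
    """Yield one dict per data line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        tokens = line.split()
        if len(tokens) != len(fields):
            continue  # skip truncated or garbled lines rather than guessing
        yield dict(zip(fields, tokens))


def is_inbound(rec):
    """DROP lines carry a RECEIVE/SEND path; accepted inbound opens are tagged."""
    return rec["action"] == "OPEN-INBOUND" or rec["path"] == "RECEIVE"


def triage(text, local_nets):
    """Summarize inbound TCP traffic to RPC_PORTS.

    Returns drop count, count of accepted connections from local networks,
    a list of accepted connections from anywhere else ("exposed"), and a
    Counter of addresses whose probes were dropped.
    """
    nets = [ipaddress.ip_network(n) for n in local_nets]
    summary = {"dropped": 0, "allowed_local": 0, "exposed": [],
               "probe_sources": Counter()}
    for rec in parse_log(text):
        if rec["protocol"] != "TCP" or not is_inbound(rec):
            continue
        try:
            port = int(rec["dst-port"])
            src = ipaddress.ip_address(rec["src-ip"])
        except ValueError:
            continue  # malformed port or address field
        if port not in RPC_PORTS:
            continue
        if rec["action"] == "DROP":
            summary["dropped"] += 1
            summary["probe_sources"][str(src)] += 1
        elif any(src in n for n in nets):
            summary["allowed_local"] += 1
        else:
            summary["exposed"].append((str(src), port))
    return summary


if __name__ == "__main__":
    result = triage(SAMPLE_LOG, ["192.168.1.0/24"])
    print("dropped RPC/SMB probes:", result["dropped"])
    print("accepted from local nets:", result["allowed_local"])
    for src, port in result["exposed"]:
        print("ACCEPTED from outside local nets: %s -> port %d" % (src, port))
```

An empty "exposed" list is the state the column describes as already protected; a non-empty one means the device is, in the column's words, hung out on the Internet, and no amount of patch or AV alerting substitutes for closing that port.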

Governance
Based at least in part on information provided by Microsoft, authorities in Morocco and Turkey arrested two men suspected of being responsible for the Mytob and/or Zotob worm(s). The Moroccan was allegedly paid by the Turk to write both the Zotob worm and the Mytob worm in February. Each will be prosecuted in his own country.

This column was originally published in our weekly Security Watch newsletter.

While it might look like arrests are coming quickly following an event, the reality is that these investigations take months, and more often years, of extensive effort. Further, often the countries where the individuals are prosecuted lack decisive laws and penalties to dissuade these criminals from future attacks. If there’s one place the United Nations can play a role in the Internet’s development, it may be in gaining consensus across the world’s countries in what laws need to be in place and what penalties are appropriate for malware authors and their conspirators.

The U.S. Federal Communications Commission (FCC) has extended the August 28, 2005, deadline by 30 days to give VoIP customers more time to acknowledge the limitations of Enhanced 911 emergency call service available over VoIP.

One has to wonder what good this will do. If consumers haven’t recognized the limitations already, what is going to happen over the next 30 days to make them fully comprehend them? Maybe a public awareness campaign would be more appropriate than more time, assuming the limitations are actually dramatic enough to warrant it. I’d argue that most VoIP customers are already aware of the technical limitations in being located.

About the Author

Russ Cooper is a senior information security analyst with Verizon Business, Inc. He's also founder and editor of NTBugtraq, www.ntbugtraq.com, one of the industry's most influential mailing lists dedicated to Microsoft security. One of the world's most-recognized security experts, he's often quoted by major media outlets on security issues.
