An IE Vulnerability Report Gone Wrong
A security researcher gets his 15 minutes of fame on a mixed signal of confusion.
Yet another twist in the way security vulnerabilities are being reported: An
alleged security "researcher" has informed the media that he’s
discovered "a blatant access validation crash" that can result in
malicious code, delivered from a Web site, running on the victim system "without
them even knowing about it." While providing no details whatsoever to
the public, the "researcher" suggests people consider using a different
browser until Microsoft releases a patch. Meanwhile, Microsoft has been informed
of the details by the "researcher" and is investigating.
Stories like this just make you want to walk up and shake the "researcher"
by the shoulders. OK, so somebody -- not someone we know and trust, but just
some guy -- says I should switch browsers until I get a patch. Yeah, right,
let me see, where’s my installation of Firefox again? Imagine if the only
person talking about evacuating Houston was some guy running up and down the
streets … and when you asked someone authoritative or trustworthy, all
they could say was, "Yeah, I heard that guy, too!"
People typically either switch browsers or they don’t -- very few use
both, even when their companies force them to use a browser that might not be
their first choice. It’s not that it’s impossible to use both, but
it’s just cumbersome. Whether you look at the way file associations are
tied to browser installation, or just the excess disk space that two browsers
(and their cache) take up, you’d have to be very competent to be comfortable
with multiple-browser usage.
So one has to ask the researcher, "Just who are you warning?" If
the masses aren’t going to pay much attention to your warning, or if your
workaround advice is just unrealistic for them, you’re simply telling
those folks who would really love to find another way to attack the masses.
Of course, we can’t overlook the fact that the researcher gets his 15
minutes of fame out of this, but come on, who would do that?
With so many "security warnings" or advisories coming out so frequently,
the public is tuning out -- it's almost impossible to keep the attention of
the average consumer. That’s why Microsoft created Windows Update in the
first place, and even more so its Automatic Updates addition to Windows XP SP2.
People don’t want to have to think about the advisories, rightly or wrongly,
as they’re just too difficult to decipher and even harder to absorb into
your daily routine.
Also, if I switched to some browser other than IE, as the researcher recommends,
then why would I care when Microsoft releases a patch for it? If I switched
because of this vulnerability, why would I switch back? The messaging is just
too convoluted; ergo, it’s not intended for the average consumer. If the
researcher’s reasoning for announcing anything to do with the vulnerability
is to allegedly help people protect themselves, then giving them confusing or
next-to-impossible-to-adopt advice is just plain counter-productive.
As if it hasn’t been said enough already, vulnerabilities need to be
discussed with vendors and vendors only, until there’s a patch or until
the vendor says there’s no issue. Everything else is for your ego, and
I should know.
First there was a report that extremely long registry entries were not showing
up in graphical user interface (GUI) tools that access the registry. Now Microsoft
has released a Security Advisory (897663)
stating that the Windows Firewall user interface will not show malformed exception
entries -- entries which are stored in the registry.
The GUI handles malformed registry entries differently than the command-line
interface does, largely because the two use different programming techniques to
retrieve the information. The GUI uses libraries that are more frequently vulnerable
to buffer overflows, so greater restrictions are placed on the length of the
entries GUI tools will look at and on how malformed results are returned to the program.
The command-line tool is more explicit in how it handles such cases, and
therefore can be more robust when the entries are malformed.
This is the type of issue malware may use in an effort to hide itself
from anti-virus and anti-spyware programs, some of which rely on the results
returned by GUI routines to determine whether malware is present. However, it must
be remembered that these malformed registry entries are put in place by malware
"that has been run," meaning after an attack has already occurred.
If proper protection is in place and accepted best practices adhered to, malware
isn’t going to get to the point where it can write malformed entries in
the registry, thereby minimizing if not eliminating the potential for this problem
to be abused. One other thing to remember is, for the most part, when a program
reads a malformed entry it doesn’t simply ignore it -- the application
typically crashes and generates a fault notification that the user will, or
should, pay attention to.
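The GUI-versus-command-line difference described above is, for a defender, a reason to read the firewall exception list straight from the registry and flag whatever a GUI might not display. The script below is an added example, not code from the column or from Microsoft's tools; it assumes the XP SP2 layout in which each value under HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List is named by the program path and holds `path:scope:Enabled:label`, and the display-length threshold and all sample values are constructed.

```python
import re
from typing import Dict, List, NamedTuple

# Assumed threshold: the column only says "extremely long" names were hidden, so
# anything over this many characters is reported as possibly invisible in a GUI.
MAX_DISPLAY_NAME_LEN = 255

# Assumed XP SP2 value-data layout: <path>:<scope>:<Enabled|Disabled>:<label>.
# The path carries its own drive colon (or a %VAR% prefix), so it is matched
# explicitly instead of splitting the whole string on ':'.
ENTRY_RE = re.compile(
    r"^(?P<path>(?:[A-Za-z]:|%[^%]+%)[^:]*):(?P<scope>[^:]*):(?P<state>[^:]*):(?P<label>.*)$"
)

class Finding(NamedTuple):
    value_name: str
    status: str   # "ok", "overlong" or "malformed"
    detail: str

def audit_entry(value_name: str, data: str) -> Finding:
    """Classify one exception-list value the way a strict command-line reader would."""
    if len(value_name) > MAX_DISPLAY_NAME_LEN:
        return Finding(value_name[:40] + "...", "overlong",
                       f"name is {len(value_name)} chars; GUI tools may not show it")
    if any(ord(c) < 0x20 for c in value_name + data):
        return Finding(value_name, "malformed", "control characters in name or data")
    m = ENTRY_RE.match(data)
    if not m:
        return Finding(value_name, "malformed", "data lacks the four colon-separated fields")
    if m.group("state") not in ("Enabled", "Disabled"):
        return Finding(value_name, "malformed", f"unexpected state {m.group('state')!r}")
    if m.group("path") != value_name:  # assumed convention: value name == path field
        return Finding(value_name, "malformed", "path field does not match value name")
    return Finding(value_name, "ok", m.group("label"))

def audit_entries(values: Dict[str, str]) -> List[Finding]:
    return [audit_entry(name, data) for name, data in values.items()]

def suspicious(values: Dict[str, str]) -> List[Finding]:
    return [f for f in audit_entries(values) if f.status != "ok"]

# Constructed sample values standing in for a registry export; not real contents.
SAMPLE_VALUES = {
    r"C:\Program Files\Chat\chat.exe": r"C:\Program Files\Chat\chat.exe:*:Enabled:Chat Client",
    r"C:\Tools\backup.exe": r"C:\Tools\backup.exe:*:Disabled:Backup Agent",
    "C:\\Temp\\" + "x" * 300 + ".exe": "C:\\Temp\\" + "x" * 300 + ".exe:*:Enabled:svc",
    r"C:\Temp\short.exe": r"C:\Temp\short.exe:*:Enabled",          # label field missing
    r"C:\Temp\odd.exe": r"C:\Temp\odd.exe:*:Enabld:helper",        # misspelt state
    r"C:\Temp\nul.exe": "C:\\Temp\\nul.exe\x00:*:Enabled:hidden",  # embedded NUL
}

if __name__ == "__main__":
    for f in audit_entries(SAMPLE_VALUES):
        print(f"{f.status:9} {f.value_name}  ({f.detail})")
```

Feed it the values of the List key as exported by a command-line tool; the point is that the raw values, not the GUI's rendering of them, are what gets audited.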
Symantec has sent an alert to some of its customers regarding Microsoft’s
Security Bulletin MS05-043. That bulletin pertained to the Spooler service, which
contained a buffer overflow that could be exploited remotely via the RPC interface
(typically via TCP port 135).
This makes no sense. Any exploitation of this vulnerability is via the same
path of attack that is currently being exploited by tens, if not hundreds, of
pieces of malware. The advice might make sense if you chose not to use a default-deny
firewall or router, or if you thought that patching and AV alone would be
sufficient security for a device hung out on the Internet. As we all know, or
should know, this type of security is simply inadequate in today’s environment.
If you are protecting yourself against attacks by the malware that’s already
out there, you have protected yourself against some new, and as yet never seen,
piece of malware that might try to exploit MS05-043.
Based at least in part on information provided by Microsoft, authorities
in Morocco and Turkey arrested two men suspected to be responsible
for the Mytob and/or Zotob worm(s). The Moroccan was allegedly
paid by the Turk to write both the Zotob worm and the Mytob worm in February.
Each will be prosecuted in their own country.
This column was originally published in our weekly Security Watch newsletter.
While it might look like arrests are coming quickly following an event, the
reality is that these investigations take months, and more often years, of extensive
effort. Further, often the countries where the individuals are prosecuted lack
decisive laws and penalties to dissuade these criminals from future attacks.
If there’s one place the United Nations can play a role in the Internet’s
development, it may be in gaining consensus across the world’s countries
in what laws need to be in place and what penalties are appropriate for malware
authors and their conspirators.
The U.S. Federal Communications Commission (FCC) has extended the August
28, 2005, deadline by 30 days to give VoIP customers more time to acknowledge
the limitations of Enhanced 911 emergency call service available over
One has to wonder what good this will do. If consumers haven’t recognized
the limitations already, what is going to happen over the next 30 days to make
them fully comprehend them? Maybe a public awareness campaign would be more
appropriate than more time, assuming the limitations are actually dramatic enough
to warrant it. I’d argue that most VoIP customers are already aware of
the technical limitations in being located.
Russ Cooper is a senior information security analyst with Verizon Business, Inc.
He's also founder and editor of NTBugtraq, www.ntbugtraq.com,
one of the industry's most influential mailing lists dedicated to Microsoft security.
One of the world's most-recognized security experts, he's often quoted by major
media outlets on security issues.