Microsoft Zero Day security holes being exploited


imhotep


"Microsoft has issued warnings about a serious flaw in Internet Explorer
that allows attackers to hijack a PC via the popular browser

Researcher Adam Thomas uncovered the exploit which revolves around the way
that the Internet Explorer browser handles a particular form of graphics
known as vector graphics.

A properly crafted webpage can exploit this problem and install almost
anything they want on the target machine.
Unusable PC

Tests by Sunbelt Software on a Windows machine patched with all the latest
security updates showed attackers installing a huge amount of spyware and
other malicious programs."

http://news.bbc.co.uk/2/hi/technology/5365296.stm

Imhotep
 

imhotep

Replying to the MS blog
http://blogs.technet.com/msrc/archive/2006/09/22/458266.aspx


"Attacks remain limited. There's been some confusion about that, that
somehow attacks are dramatic and widespread."

It has been said that ATTACKS ARE GROWING. This is the concern. Maybe right
now there are limited sites that host these attacks but, what does tomorrow
bring?

"Of course, that could change at any moment, and regardless of how many
people are being attacked..."

This is the point.

"So right now we're looking at where we hit that quality bar and if that
occurs prior to the monthly cycle then we will release."

But wait. MS can release the DRM patch in three days but you are saying that
your customers might have to wait up to a month? Why is it a third party
had a patch out in a couple of days and you can't???


Sadly, I do not believe "confusion" is the issue here. The real issue is,
yet again, MS customers are taking the hit for an insecure platform. IT
professionals are taking the hit for an insecure platform. However, if you
are the Entertainment Industry, MS will take care of you by releasing a DRM
patch in record time (3 days). Really, one must question where Microsoft's
priorities are....

Imhotep
 

imhotep

Roger said:
Actually, we are just seeing Imhotep's revelation of predispositions
and inability to comprehend the distinction between QA on a patch
that impacts a top-level application capability with fairly limited use as
compared to an also lightly used code that is deeply embedded
in the platform and has had time for potential side-effects to accrete
around it.

No, actually we are seeing Roger Abell's overly verbose excuses. Yet again.
To think that the World's richest software company can't fix a serious
patch in a reasonable amount of time is inexcusable (no doubt Roger will
try though). To think that a third party can release a patch in 2 days but
the World's richest software company can't is inexcusable. To think that
Microsoft can patch a DRM security hole in a record 2-3 days leads one to
believe that Microsoft's priorities are somewhere other than their users
and that is inexcusable. The fact that Roger Abell is trying to defend the
obvious ineptness of Microsoft is, well, hilarious.
Frankly, with the simple workarounds available, with the apparently
low exploitation, I am quite happy to not use the third-party patch
and to wait for a regression tested release by the MSRC.

The simplest workaround being what? Use Firefox? Then we agree. Better
yet, the *best* workaround is to ditch Microsoft altogether and get an
Apple or Linux PC....

Imhotep
 

Roger Abell [MVP]

imhotep said:
No, actually we are seeing Roger Abell's overly verbose excuses. Yet again.
To think that the World's richest software company can't fix a serious
patch in a reasonable amount of time is inexcusable (no doubt Roger will
try though). To think that a third party can release a patch in 2 days but
the World's richest software company can't is inexcusable. To think that
Microsoft can patch a DRM security hole in a record 2-3 days leads one to
believe that Microsoft's priorities are somewhere other than their users
and that is inexcusable. The fact that Roger Abell is trying to defend the
obvious ineptness of Microsoft is, well, hilarious.

Talk about verbose !!

I am defending nothing.

Now just why do you think that I chose to post a new thread on
this the day that the exploit became public ??
Because it had potential and because the advisory and other available
info provided means for protecting against the threat.

A discussion of a specific threat is NOT the venue to attempt to
discuss other, tangential at best, issues, such as time to delivery
of other fixes, who is in whose bed, etc..

PS. can you not control your newsreader and its use of followups?
 

imhotep

Roger said:
Talk about verbose !!

Now just why do you think that I chose to post a new thread on
this the day that the exploit became public ??
Because it had potential and because the advisory and other available
info provided means for protecting against the threat.

....and I thanked you. As you did the right thing.
A discussion of a specific threat is NOT the venue to attempt to
discuss other, tangential at best, issues, such as time to delivery
of other fixes, who is in whose bed, etc..

Time to patch is most definitely relevant to all security holes, especially
when the code to exploit the security hole is all over the 'net...

Now as I stated before, it is shameful that the DRM patch was 3 days but it
seems that people will have to wait a month (maybe more?) for this security
hole to be patched. Now come on. Even a Pro Microsoft guy like yourself
must be a little angry at how the Entertainment Industry gets taken care
of while users and corporations are getting substandard attention....

Imhotep
 

imhotep

Is there any reason why you trust these reports more than Microsoft's
reports? Time and time again, Microsoft's assessments have proven more
accurate than the chicken littles in the security industry who profit from
pointless fear.


Browser vulns are highly overrated and overreported. You make the problem
worse by hyping and trumping it up here.

Trend Micro's numbers for people infected worldwide by VML exploits:
zero.

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=EXPL_EXECOD.A&VSect=S&Period=All

This is entirely consistent with what we know about the number of people
infected by Download.ject and Qhosts, two other similar browser vulns.



You have zero basis in fact for assuming that the DRM patch being released
in 3 days has something to do with Microsoft's priorities. What it tells me
is that the DRM patch had little to no possibility of breaking things.
You are arguing that Microsoft releasing patches in three days is a good
thing and the best for everyone, but you have not proven this to be the
case.


If it bothers you enough, there is a registry value that disables VML.
Most people won't find it necessary to enable this workaround.


Yes, all zero of them.


You really don't.

I guess this shoots your theory to crap, eh? Oh yeah, I bet they are lying
too...

"Hackers gained access to HostGator's servers late Thursday and began
redirecting customer sites to outside web pages that exploit an unpatched
VML security hole in Internet Explorer to infect web surfers with trojans.
The existence of the new "0-day" exploit of cPanel leaves a large number of
hosting companies vulnerable to similar attacks until they install the
patch. The risk is mitigated somewhat by the fact that it is a local
exploit, meaning any attack on a host must be launched from an existing
account with cPanel access."

From: HostGator: cPanel Security Hole Exploited in Mass Hack
http://news.netcraft.com/archives/2...nel_security_hole_exploited_in_mass_hack.html

Imhotep
 

Guest

Think we'll only achieve secure computing when C is dropped in favour of a
better language. The list of buffer-overflow exploits in every single major
software-package gets monotonous.

After all, nobody ever got prosecuted for 'Not realising that guy was going
to do something silly.' But people do get prosecuted for driving cars with no
brakes.
 

Roger Abell [MVP]

imhotep said:
...and I thanked you. As you did the right thing.


Time to patch is most definitely relevant to all security holes, especially
when the code to exploit the security hole is all over the 'net...

Now as I stated before, it is shameful that the DRM patch was 3 days but it
seems that people will have to wait a month (maybe more?) for this security
hole to be patched. Now come on. Even a Pro Microsoft guy like yourself
must be a little angry at how the Entertainment Industry gets taken care
of while users and corporations are getting substandard attention....

If you feel so, then start a thread on that.
Do not try to take a thread on a specific threat OT.

ra
 

imhotep

I'm getting tired of explaining this to you over and over. Microsoft's
~45 days to test and release patches has nothing to do with being cheap,
inept or dishonest. It's just a fact of the Windows architecture that you
have to accept if you choose to use Windows.

Karl, I am getting tired of explaining my point but I will one more time. So
here it goes: Why did the DRM patch NOT GO THROUGH THE SAME 45 DAYS TO TEST????
Total time to patch for the DRM holes was 3 days. Again, it seems Microsoft's
priorities here were to "protect" the Entertainment Industry. Please address
this point should you decide to reply...
Please, go ahead and do that, and then go away. I care nothing about how
many people switch to Mac or Linux, as long as they don't pester the rest
of us by running at the mouth about it.

Again, you are trying craftily to NOT ANSWER the question. Sorry but, I
will not let you off the hook:

Again:

You claim it takes 45 days to test a patch in Windows. Again, why did
Microsoft break patching records to produce the DRM patch (3 days). This is
the contention point here.

A secondary contention point would be why 45 days (unless you are the
Entertainment Industry!). If Microsoft needs more programmers/Managers/Code
Debuggers, hire them. After all they have, what, 60 billion in the bank? Why
can everyone else get a patch out sooner (Apple, Red Hat, Novell, Open
Source) as well as have an overall better track record of patch successes?

Now either answer those questions *or* go away yourself...

Imhotep
 

imhotep

He's probably using some crappy open source newsreader. ;D

Yeah, one that never gets viruses and one where patches work all of the
time....imagine that, safe computing does exist (well for some platforms)!

;-)

Imhotep
 

imhotep

Roger said:
Talk about verbose !!

I am defending nothing.

Now just why do you think that I chose to post a new thread on
this the day that the exploit became public ??


I also posted it. Again, for the record you did the right thing, for this I
thank you.

Because it had potential and because the advisory and other available
info provided means for protecting against the threat.


Again, you did the right thing. An informed user can make logical
decisions...and because Microsoft takes so long to produce patches the
brunt of the load unfortunately lies on the users to do something while
Microsoft produces a patch...

A discussion of a specific threat is NOT the venue to attempt to
discuss other, tangential at best, issues, such as time to delivery
of other fixes, who is in whose bed, etc..


Not at all. The point being made is the time to patch. Again, why can the
Entertainment Industry get a patch in a record setting 3 days but this
patch, for a highly critical security hole, will probably take a month and
a half????

Again, my point is that clearly, Microsoft views protecting copyrighted
entertainment as being more important. THIS IS WRONG!!! Securing their
Swiss cheese platform for their users should be their highest priority!!!

PS. can you not control your newsreader and its use of followups?


The news server I go through will trash your post if your post goes to more
than 4 to 5 newsgroups. So, if you are posting to more than that you have
to break it up into multiple duplicated posts going to groups of
newsgroups...it does suck but there is no workaround. This is a policy of
the news server administrator.


Imhotep
 

imhotep

Not really. Trend Micro's numbers for the VML exploit are still at zero.
The same "mass hackings" of web sites also happened with Download.ject and
Qhosts, and yet those infected very few hosts. You just aren't getting
the message that browser vulns are widely overrated as a means for
infecting or compromising systems. Even if there is no patch for a
particular browser vuln, people running antivirus are largely protected anyway.

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=EXPL_EXECOD.A&VSect=S&Period=All

No, that article just doesn't say what you think it says. It doesn't say
that large numbers of people are being infected by this.

The fact of the matter is this. Nobody knows for sure how many people have
been infected by this. Nobody knows for sure how many will be infected by
this tomorrow...and the day after that and so on. How does anyone know? How
does Trend Micro know? What do they do, scan .01% of the web sites out
there and make a judgment? This is foolishness.

Clearly security holes need to be addressed and evaluated by their severity.
Clearly this security hole is quite severe. Clearly there needs to be a
patch in record time (like the DRM patch)...

Imhotep
 

imhotep

Ian said:
Think we'll only achieve secure computing when C is dropped in favour of a
better language. The list of buffer-overflow exploits in every single
major software-package gets monotonous.


As a C programmer (one of many languages I know) that is one of the most
foolish statements I have heard all year. Buffer-overflows are not caused
by the programming language. They are caused by bad programmers!!!!!!!!!!!!

The problem here is that some people want a language to cover up their lack
of programming skills!!!!!!! Utter foolishness!!!


After all, nobody ever got prosecuted for 'Not realising that guy was
going to do something silly.' But people do get prosecuted for driving
cars with no brakes.


If you do not possess the skills to drive a car, why are you attempting to
drive it??? Driving a car requires a skill set, if you do not possess it,
don't drive...in either case don't blame the car for your ineptness.


Imhotep
 

imhotep

Michael said:
Microsoft Zero Day security holes being exploited

"Microsoft has issued warnings about a serious flaw in Internet Explorer
that allows attackers to hijack a PC via the popular browser
[snip]

Workaround:
regsvr32 -u "%ProgramFiles%\Common Files\Microsoft Shared\VGX\vgx.dll"
I've done that and tested successfully (see below).

A non-Microsoft fix: <http://isotf.org/zert/download.htm>.

To test, see (at your own risk) <http://www.isotf.org/zert/testvml.htm>.

Nice job...

Imhotep
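The regsvr32 workaround quoted above can be audited (and, with -Apply, applied) with the PowerShell script below. It is an added example, not code from the thread or from Microsoft's advisory; it assumes an elevated Windows PowerShell session and the vgx.dll path given in the post, and it finds the COM class by scanning HKCR\CLSID for an InprocServer32 entry that points at vgx.dll rather than hard-coding a CLSID.

```powershell
# Added example, not from the thread: report whether the vgx.dll (VML)
# workaround quoted above is in effect, and apply it when -Apply is given.
# Assumes an elevated Windows PowerShell session and the path used in the post.
param([switch]$Apply)

$vgx = Join-Path $env:ProgramFiles 'Common Files\Microsoft Shared\VGX\vgx.dll'

# Enumerate every COM class whose in-process server is vgx.dll by walking
# HKCR\CLSID\{...}\InprocServer32, so no CLSID needs to be hard-coded.
function Get-VgxClsid {
    Get-ChildItem 'Registry::HKEY_CLASSES_ROOT\CLSID' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $srv = Get-ItemProperty -Path "$($_.PSPath)\InprocServer32" `
                                    -ErrorAction SilentlyContinue
            if ($srv -and $srv.'(default)' -like '*vgx.dll*') { $_.PSChildName }
        }
}

$registered = @(Get-VgxClsid)

if (-not (Test-Path -LiteralPath $vgx)) {
    Write-Output "vgx.dll not found at $vgx; the VML component is not installed."
} elseif ($registered.Count -eq 0) {
    Write-Output 'vgx.dll is present but no CLSID points at it: workaround is in effect.'
} else {
    Write-Output "vgx.dll is still registered under: $($registered -join ', ')"
    if ($Apply) {
        # Same command as in the post; /s suppresses the confirmation dialog.
        # regsvr32 is a GUI program, so wait for it explicitly to read its exit code.
        $p = Start-Process -FilePath regsvr32.exe -ArgumentList @('/s', '/u', "`"$vgx`"") `
                           -Wait -PassThru
        Write-Output "regsvr32 exit code: $($p.ExitCode) (0 means unregistered)"
    }
}
```

On 64-bit Windows the 32-bit registration lives under HKCR\Wow6432Node\CLSID, which this scan does not cover; re-running the script after a service pack or IE update will show whether the DLL has been re-registered.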
 

Roger Abell [MVP]

imhotep said:
As a C programmer (one of many languages I know) that is one of the most
foolish statements I have heard all year. Buffer-overflows are not caused
by the programming language. They are caused by bad programmers!!!!!!!!!!!!

The problem here is that some people want a language to cover up their lack
of programming skills!!!!!!! Utter foolishness!!!

If you do not possess the skills to drive a car, why are you attempting to
drive it??? Driving a car requires a skill set, if you do not possess it,
don't drive...in either case don't blame the car for your ineptness.

If you are a skilled car driver why would you choose to use only an
inferior, cheaply made, sardine tin of an auto that could not meet the
safety standards of many governments of the day?

Why did safe string classes come about?

Would you choose to go back to GO TO based programming?

Use of a language that enforces safe code is a good thing.

Remember Dijkstra? The set of 4 constructs proved sufficient for
any general purpose language? Remember the arguably academic
language Pascal (Wirth?) designed to show this? Remember how
that ushered in a new era in programming and vastly simplified
software lifecycles?

Are you saying that languages designed to not allow major problems
plaguing the software industry are worth naught?

You surely do sound to be doing so.
 

imhotep

I assure you, a crap load of people will NOT be infected by this or any
other IE vuln in the future. IE vulns just don't do that.

So, your guarantee means what? Will you personally pay for damages to users'
PCs? Will you pay for the IT departments' cost at rebuilding/removing
spyware, viruses, etc?

If you are going to make such a guarantee back it up, like most
guarantees...You see it is pretty easy to make such a statement when you
have no direct possibilities caused by the repercussions of such foolish
statements.

Then how do you explain the record breaking time to patch Microsoft's DRM
hole? Three days to patch? Please explain (no propaganda necessary).

Imhotep
 

Roger Abell [MVP]

imhotep said:
Karl, I am getting tired of explaining my point but I will one more time. So
here it goes: Why did the DRM patch NOT GO THROUGH THE SAME 45 DAYS TO TEST????
Total time to patch for the DRM holes was 3 days. Again, it seems Microsoft's
priorities here were to "protect" the Entertainment Industry. Please address
this point should you decide to reply...


Again, you are trying craftily to NOT ANSWER the question. Sorry but, I
will not let you off the hook:

Again:

You claim it takes 45 days to test a patch in Windows. Again, why did
Microsoft break patching records to produce the DRM patch (3 days). This is
the contention point here.

A secondary contention point would be why 45 days (unless you are the
Entertainment Industry!). If Microsoft needs more programmers/Managers/Code
Debuggers, hire them. After all they have, what, 60 billion in the bank? Why
can everyone else get a patch out sooner (Apple, Red Hat, Novell, Open
Source) as well as have an overall better track record of patch successes?

Now either answer those questions *or* go away yourself...

Enough of this Im.
It IS off-topic.

Besides, contrary to your claim Karl DID answer you.

In my initial post I also indicated this fact of life to you.

But, here goes again, one last time.

An impacted piece of code has a dependency tree, and test coverage
must be directed by that.

When a piece of code has few uses, and especially when those uses
are not complex relative to internationalization, regression testing is
a much smaller task.

When a code is a general library, the dependency tree itself can be
difficult to determine, and coverage testing larger and hence longer.

You have a comp sci background so I would assume you can see
those facts quite clearly (should you decide to).

But, this part I feel you have no real clue about: especially if the code
can impact visual renderings, then internationalization becomes a
very real part of testing. Once a code change might start changing the
sizes of things it can start changing them differently in the 45 or so
supported locales, and there are a lot of interfaces that need to have been
designed sufficiently for the possible size changes.

Please, take the conspiracy theorist motivated part of this discussion
to alt dot something.

This thread should be about the present risks, workarounds, and
degrees of exposure in the wild - that is, keep to YOUR subject.

Regards,
Roger
 

David H. Lipman

From: "Roger Abell [MVP]"

< snip >

| Please, take the conspiracy theorist motivated part of this discussion
| to alt dot something.
|
| This thread should be about the present risks, workarounds, and
| degrees of exposure in the wild - that is, keep to YOUR subject.
|
| Regards,
| Roger
|

I totally agree.
 
