Viral ramblings...

Jeff Cook

It seems that the Scob outbreak has prompted (or at least urged) a mass
migration from IE to <insert alternate browser name here>. Please forgive
what may be an indication of my gross ignorance, but if "trusted" websites
are serving malicious scripts, wouldn't that impact on any browser that ran
the scripts? Are the scripts exploiting a flaw in IE, or is their presence
due to the fact that another component has been exploited further up the
food chain?

I have had no problems with anything at all downloading onto my PC without
my permission. I run XP Home with limited privileges (how many Linux users
routinely log in as root?). The system is well and truly patched, and I use
IE6 in combination with Zone Alarm Pro to keep the scripts at bay. Some
sites I visit need to run code, and they can run whatever they like. Other
sites want to run code for whatever purpose, and they can get stuffed. I
have that control at my fingertips (despite the fact that one is almost
missing after an accident on Friday).

I actually downloaded and installed Firefox 0.9, and I reckon that it is
pretty damn good. It seems to have some good features (the Tabbed Pages for
instance) although it is ultimately just another browser. I'll continue
using it just to broaden my horizon, but that's all it is as far as I can
determine.

The Microsoft bashing, while appearing warranted, is actually misguided when
you consider that ALL operating systems have vulnerabilities that require
patches. Mac OS and the various flavours of Linux seem to pump them out
with startling regularity, although without the avalanche of publicity
surrounding similar band-aids on Windows. It is sheer volume of users that
makes Bill look like the bad guy, however all OS manufacturers on all
platforms are wearing exactly the same hat.

I guess the problem really stems from the fact that MS Windows is for the
masses - people who wouldn't know which end of a computer to blow in. Mac
and Linux users are a bit thinner on the ground, and generally have a better
handle on what makes their machines tick - particularly Linux users. As a
result, exploits targeting these OSes are less likely to succeed, and
consequently less likely to propagate to other users. Microsoft has been
pilloried in most part because of its success. If Mac OS X, Linux and
Microsoft concurrently had the same flaw and exploit, only one of them would
make the news.

I guess the upshot is that userland has to take some responsibility for
outbreaks such as Sasser, Scob, etc. They simply can't attack a patched
system. As far as I understand, Scob was only able to penetrate servers
that were not patched against the IIS vulnerability. If I ignore Ford when
they recall vehicles due to a flaw, I can't very well turn around and blame
them when my car careers off a cliff!

Was that only 2 cents worth?

Jeff
 
Will Dormann

Jeff said:
It seems that the Scob outbreak has prompted (or at least urged) a mass
migration from IE to <insert alternate browser name here>. Please forgive
what may be an indication of my gross ignorance, but if "trusted" websites
are serving malicious scripts, wouldn't that impact on any browser that ran
the scripts?
Nope.


Are the scripts exploiting a flaw in IE, or is their presence
due to the fact that another component has been exploited further up the
food chain?

Yes. It targets a flaw in Internet Explorer. Other browsers are not
affected.

The Microsoft bashing, while appearing warranted, is actually misguided when
you consider that ALL operating systems have vulnerabilities that require
patches.

Of course, any system needs to be kept up to date with patches and
security updates. The thing about this bug is that there currently is
*no* fix for IE. That's right, you can hit windowsupdate until you're
blue in the face but you won't be protected.

It is sheer volume of users that
makes Bill look like the bad guy, however all OS manufacturers on all
platforms are wearing exactly the same hat.

Sure, IE is a nice big target but that's not just because of the number
of users. It's inherently insecure, and its track record has shown
this. I'm not sure whether it's apathy or masochism that makes people
continue to use it.


-WD
 
Al Smith

The Microsoft bashing, while appearing warranted, is actually misguided when
you consider that ALL operating systems have vulnerabilities that require
patches. Mac OS and the various flavours of Linux seem to pump them out
with startling regularity, although without the avalanche of publicity
surrounding similar band-aids on Windows. It is sheer volume of users that
makes Bill look like the bad guy, however all OS manufacturers on all
platforms are wearing exactly the same hat.

I see what you are saying, but I take the opposite view. I think
it is nothing short of criminal that Microsoft sells, at a very
high price, an operating system that, out of the box, with its
default settings, is immediately prey to dozens of viruses,
trojans and other malicious programs.

They are selling to people who don't have a clue, just as you say.
But shouldn't that place the onus on them to ensure that when you
load Windows XP and go on the Internet with the default settings,
you are not immediately infected? Microsoft *knows* damn well that
if you use its OS in default mode, you haven't got a chance of
avoiding spyware, malware and viruses. Yet they keep selling it
that way.
 
leslie

Jeff Cook ([email protected]) wrote:
:
: The Microsoft bashing, while appearing warranted, is actually misguided when
: you consider that ALL operating systems have vulnerabilities that require
: patches. Mac OS and the various flavours of Linux seem to pump them out
: with startling regularity, although without the avalanche of publicity
: surrounding similar band-aids on Windows. It is sheer volume of users that
: makes Bill look like the bad guy, however all OS manufacturers on all
: platforms are wearing exactly the same hat.
:

Other operating systems are doing better than Microsoft's. But security
and quality cannot be applied after the design and coding...

http://www.theinquirer.net/?article=11108
Microsoft cerebrates fifteen years of poor security

"Microsoft cerebrates fifteen years of poor security
Augmented by the Infernet

By €uromole: Tuesday 19 August 2003, 11:53

THAT THE Blaster worm should spread as rapidly as it did was testament
to one thing only, the poor security in Microsoft's software.

In the first few months of last year Microsoft spent about eight weeks
in what was reportedly an intense effort to improve the security of
their software. And what a joke that turned out to be, because within
just a few months we were seeing security alerts about Microsoft
products that had supposedly been thoroughly checked and corrected.

These statements of 2002 were not the first time that Microsoft has
declared the problem solved and buffer overflow banished. Back in
September 2001 Jim Allchin, a Microsoft vice president, declared that
this problem had been stamped out in Windows XP. Supposedly Microsoft
had made a complete code review of its operating system and removed
all the buffers which could overflow.

Microsoft has had more than 15 years to get it right and it still
cannot create a secure operating system. In fact, in 2002 Windows had
the dubious honour of accounting for 87% of all virus infections
reported to the Australian office of the Sophos anti-virus group. This
came on top of about 130 vulnerabilities that were reported for
Windows during the year 2000, which is an average rate of more than
one every three days.

Given this kind of track record from Microsoft I am quite surprised
that in jurisdictions with strong consumer laws there has never been a
class action against Microsoft for selling poor quality software.
Other operating systems have achieved far better security and have
done so since their very early releases, so why is Microsoft unable
to?

As for secure operating systems, ask IBM users about the security of
their operating systems prior to AIX which itself introduced the usual
Unix problems. Or ask OpenVMS users about its security. Its bug list
is still in the low double digits after about 30 major and minor
versions in its 25 years, which is a sharp contrast to Microsoft's 130
problems in year 2000 alone!

OpenVMS is even more relevant to Microsoft because about 1989 it
acquired about 20 software engineers from Digital's cancelled Prism
project which was developing an operating system called Mica. These
engineers were the designers for Microsoft's NT and borrowed a large
number of concepts from OpenVMS, but unfortunately the security
concepts were not included. Was it a matter of meeting release
deadlines, potential breakage of other code or keeping third party
software houses happy? We will probably never know.

Microsoft relies on the users to apply the stream of patches for
Windows but many users are unaware of the patches or where to find
them, and they are often reluctant to download large patches which can
take hours over a dialup line. The frequency can be overwhelming and
some users just ignore any problems that do not directly affect them.
Microsoft's attitude seems to be so what if the virus mail bombs other
users, so long as no damage happens to my system.

And wrapped around all this is the quite reasonable argument that if
Microsoft cannot produce secure product releases then its ability to
produce secure patches is just as suspect.

In recent years Microsoft has had the gall to receive an award for its
security from the Department of Defense (perhaps the first award for
"lowering the bar" in many years) and another reward for the manner in
which it created tools to allow users the ability to automatically
patch their software versions. It is simply beyond a joke.

In my opinion, the fundamental problem is that the basic architecture
of Windows has two fatal flaws in its memory management and while
these remain in the software the ad hoc patches will never be enough
to make Windows a secure operating system.

Fundamental Problems with the Stack

The first problem is the same as that which has bugged the Unix world
for many years, the notorious "buffer overflow problem".

This occurs when a program attempts to write data into a space that is
not large enough for it. Within a routine there may be references to
an array that actually point beyond the end-point of that array and
point at some other data. Using this data at some point in the
processing would be invalid, and writing new data into those memory
locations would corrupt any data that exists there.

[snip]

Problem of Controlling Access to Memory

This problem with stack handling would be an irritation rather than a
real danger if all it did was cause the software or the operating
system to crash. Unfortunately the second problem turns this into a
very nasty vulnerability, one that can permit viruses to execute and
cause havoc.

This second problem is the crude manner in which Windows - and indeed
some forms of Unix - fail to properly control access to memory. In
both systems it is very easy to write data into memory and then
execute it. In early versions of these operating systems there were
chronic vulnerabilities that led to some very serious viruses and
worms.

[snip]

Some Solutions

The solution that Microsoft has been trying to apply involves the use
of software packages to identify vulnerabilities. It also appears to be
experimenting with different languages, perhaps in the hope of finding
one which offers its programmers a better chance of fixing the problem
or avoiding it altogether. Both seem to be rather a waste of time and
effort when all it really requires is to use correct concepts in the
operating system and compilers.

On the matter of memory regions and their protection it is absolutely
clear that this technique needs to be applied and done so in a very
strict fashion with none of the stupidity of EXECUTE_READWRITE. I can
do no better than suggest that Windows and Unix take a good look at
how OpenVMS handles these matters because it has the most effective
system that I am aware of.

The method used by OpenVMS is one of separating the virtual memory
into regions, each with their own protection. At execution time the
various program sections (PSECTs) are loaded into one of these regions
into orderly and defined areas, applying the protections specified for
each PSECT as it does so. Thus data is separated from executable code.

It is similar to the protection offered by Windows XP, which is not
surprising since NT arrived on the scene, but the important difference
is that PSECT protections are set by default and the programmer must
explicitly modify them for special circumstances.

Now this introduction of proper memory access controls is all that is
required to prevent the introduction and execution of malicious code
but it does not solve the problem of an overflowed buffer corrupting
the call stack..."


--Jerry Leslie
Note: (e-mail address removed) is invalid for email
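The first of the two problems in the article quoted above (an overflowed buffer corrupting whatever data sits next to it) shown in working C. This is an added example, not code from the thread or from the Inquirer piece; the `struct session` layout, the `login_unchecked`/`login_checked` names and the attacker input are all constructed for the demonstration. The vulnerable form copies a caller-supplied length with no bound check, so bytes past `name[]` land on the `is_admin` flag; the hardened form checks the length against the destination before writing and rejects oversized input instead of truncating it silently.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed record: a fixed-size name buffer sits directly in front of a
 * privilege flag, the adjacency the article describes. sizeof is 20 on the
 * usual 32/64-bit ABIs (16 + 4, no padding). */
struct session {
    char name[16];
    int  is_admin;
};

/* Vulnerable form: trusts the caller-supplied length. The copy goes through
 * a byte view of the whole struct, clamped to its size, so the overflow into
 * is_admin is well-defined for this demonstration instead of a wild write; a
 * real strcpy()/memcpy() into name[] would corrupt the same bytes and keep
 * going past the end of the struct. */
int login_unchecked(struct session *s, const unsigned char *input, size_t len)
{
    unsigned char *bytes = (unsigned char *)s;
    memset(s, 0, sizeof *s);
    if (len > sizeof *s)
        len = sizeof *s;
    memcpy(bytes, input, len);      /* bytes 16..19 land on is_admin */
    return s->is_admin;
}

/* Hardened form: the bound is checked before a single byte is written, and
 * an oversized input is rejected (-1) rather than truncated. Otherwise the
 * untouched flag is returned, i.e. 0. */
int login_checked(struct session *s, const unsigned char *input, size_t len)
{
    memset(s, 0, sizeof *s);
    if (len >= sizeof s->name)      /* keep one byte for the terminator */
        return -1;
    memcpy(s->name, input, len);
    s->name[len] = '\0';
    return s->is_admin;
}

/* Constructed attacker input: 16 filler bytes followed by four 0x01 bytes,
 * so the int after name[] becomes 0x01010101 on either endianness. */
static const unsigned char evil_input[20] = {
    'A','A','A','A','A','A','A','A','A','A','A','A','A','A','A','A',
    0x01, 0x01, 0x01, 0x01
};

int main(void)
{
    struct session s;
    printf("unchecked: is_admin=%d\n",
           login_unchecked(&s, evil_input, sizeof evil_input));
    printf("checked:   rc=%d\n",
           login_checked(&s, evil_input, sizeof evil_input));
    printf("checked, benign: rc=%d name=%s\n",
           login_checked(&s, (const unsigned char *)"guest", 5), s.name);
    return 0;
}
```

The checked form is what the article's "correct concepts" come down to at the level of a single copy: the destination size is known and compared before the write, and the caller learns that the input was refused. It addresses only the data-corruption half of the problem; the article's second half, executing bytes that were written into memory, is the part that needs the non-executable data regions it goes on to describe, and no bounds check in application code substitutes for that.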
 
Jeff Cook

Al Smith said:
I see what you are saying, but I take the opposite view. I think
it is nothing short of criminal that Microsoft sells, at a very
high price, an operating system that, out of the box, with its
default settings, is immediately prey to dozens of viruses,
trojans and other malicious programs.

They are selling to people who don't have a clue, just as you say.
But shouldn't that place the onus on them to ensure that when you
load Windows XP and go on the Internet with the default settings,
you are not immediately infected? Microsoft *knows* damn well that
if you use its OS in default mode, you haven't got a chance of
avoiding spyware, malware and viruses. Yet they keep selling it
that way.

Hi Al

I'm glad you saw my point, but your point came in loud and clear. I guess
no-one can really expect a 15 year old school girl, for example, who bought
a computer at Harvey Norman, Walmart, whatever, to be responsible for
securing her machine and protecting the world from what lurks within.

Looking from your viewpoint, the onus does indeed fall on Microsoft when you
take into consideration the fact that they know full well that their
customers want something that they can plug in like a toaster. From the
customer's perspective, they should be able to do just that. I sit
corrected!

By the way, I've been trying out Firefox and, while it does a couple of odd
things, I've pretty much stopped using IE - defense of which was the very
reason I posted the message in the first place. I've gone from "stick in
the mud" to one of the converted in a matter of days.

Jeff
 
Al Smith

By the way, I've been trying out Firefox and, while it does a couple of odd
things, I've pretty much stopped using IE - defense of which was the very
reason I posted the message in the first place. I've gone from "stick in
the mud" to one of the converted in a matter of days.

Jeff

I haven't tried Firefox yet. I use the Mozilla suite, which has
the same browser as Firefox, more or less. I'm going to try
Firefox when it gets a little more refined, though. Everyone says
good things about it.
 
