Bugtraq mailing list archives
RE: Six Step IE Remote Compromise Cache Attack
From: "Drew Copley" <dcopley () eeye com>
Date: Wed, 5 Nov 2003 16:32:54 -0800
-----Original Message----- From: Benjamin Franz [mailto:snowhare () nihongo org] Sent: Wednesday, November 05, 2003 2:50 PM To: Thor Larholm Cc: Liu Die Yu; bugtraq () securityfocus com Subject: RE: Six Step IE Remote Compromise Cache Attack On Wed, 5 Nov 2003, Thor Larholm wrote:This post raises an interesting question. Is our goal to find new vulnerabilities and attack vectors to help secure users andcriticalinfrastructures, or is our goal to ease exploitation of existing vulnerabilities? There are no new vulnerabilities or techniques highlighted in this attack (which is what it is), just a combination of several already known vulnerabilities. This is not a proof-of-concept designed to highlight how a particular vulnerability works, but an exploit designed specifically to compromise your machine. All a malicious viruswriter has to do is exchange the EXE file. Believe me, I am all in for full disclosure and detailingevery aspectof a vulnerability to prevent future occurances of similar threats, but I don't particularly think that we should actively be trying to help malicious persons.I have mixed emotions about this. On one side - why put millions of systems at risk to script kiddies? On the other side, as noted by the poster, one of these vulnerabilities has been known for more than _TWO YEARS_. Surely far more than enough time for MS to have actually _fixed_ the problem if they intended to. MS seems (at least in some cases) to ignore security problems until someone publically 'holds their feet to the fire' over them. I suspect this happens when the problem 'runs deep' in their code and will require more than fixing a boundary limit check and recompiling.
Very well said. I would note that I believe their strategy for securing code wants to be inline with their strategy for pushing their products. The company is full of strategies, and this is good. But, the primary stategy needs to be to "put security first". Especially, post 9/11. A few others things... As with all security issues, the researcher is not bound to tell anyone about them. Liu Die Yu could have just shared this with his friends, and we all could have kept these to do as we will. Kind of like keeping your own personal nuclear weapon. Who knows? Maybe there will be a rainy day. My question then, to everybody, is "would you have preferred that he keep this to himself and his friends, or would you have preferred for him to have disclosed this, with a workaround?" Because Liu Die Yu has worked with Microsoft (China) in the past, and he has, unfortunately, found that he can not trust them. Maybe he talked to the wrong person. Who knows? But, we can all see plainly that Microsoft was without excuse to ignore these problems all of these years. What was the thinking behind that? Was somebody's job saved so this could happen? Was somebody able to make a more successful career move because of this? Are researhers like Liu Die Yu too intimidating to deal with, too challenging, too successful? What would have happened if someone else put these flaws together and discovered they could make them work? What would have been the case in that situation? Why did Microsoft ignore the advice of all these researchers and not do something about these issues? Why did they think they could go it alone in this way? The advice was free for them. They had almost two years to fix this, should Liu Die Yu even conceivably be forced to wait another three to six months from a company that has shown him bad dealings in the past? This is using the system at its' best. It is an example of the best kind of system. There is no bureaucracy, there is no limitation, no glass ceilings, no prejudice... Anyone who is capable, come, find bugs. Microsoft is putting out millions of dollars in bounties for worm writers while people like Liu Die Yu are just trying to get into the security field, so they can do what they are best at. What they love to do. It isn't like he is incapable of doing this. He has found swarms of bugs since starting to look for them. Bounties work. We know they do. But, let's close the gap. Let's make sure that tomorrow's bugs are not found outside of the Full Disclosure community. Why would anybody be making these kinds of shortcuts? What good is AV or Firewalls or anything if your OS let's the attacker through? We worry about script kiddies trying to figure out what Liu Die Yu did here to make their own version? We should be worrying about rogue nations and criminal organizations creating teams of bug finders so they can penetrate any system they want to. The computers themselves are worthless, compared to human lives, but the information within them are invaluable. Blueprints. Military strategies. Political strategies. Security strategies. Governmental secrets. Corporate secrets. Identities. Weaknesses. I have to wonder when people when begin to figure out that security bugs mean... security holes mean: keys to the application, and generally, keys to the system. We can ponder all we want about the NSA having a backdoor, or merely Microsoft having a backdoor... But anytime someone finds a security hole like this, they have a backdoor. If you want, ask the researcher to please alert the vendor. Be rude about it, whatever. But, understand that if they were bad or interested in doing evil... They would not report it to the world. They would use it. Lastly, just to be fair. Most researchers that find bugs in Microsoft's products do so at least partly because everyone uses their software. Microsoft actually has a code auditing team, they actually have made moves towards securing their software. Most companies have not done this. Their code is not even looked at. If the case were anything different, Liu Die Yu would just put his resume on monster or dice, and he wouldn't be speaking to us right now. He would be working in the field he loves. Drew Copley Research Engineer, eEye Digital Security Fun quote for the day: "Who knows what evil lurks in the hearts of men? The Shadown knows!"
-- Benjamin Franz Gauss's law is always true, but it is not always useful. -- David J. Griffiths, "Introduction to Electrodynamics"
Current thread:
- RE: Six Step IE Remote Compromise Cache Attack, (continued)
- RE: Six Step IE Remote Compromise Cache Attack Steve Hillier (Nov 05)
- RE: Six Step IE Remote Compromise Cache Attack Benjamin Franz (Nov 05)
- RE: Six Step IE Remote Compromise Cache Attack white colin john (Nov 05)
- RE: Six Step IE Remote Compromise Cache Attack Tyler Larson (Nov 06)
- Re: Six Step IE Remote Compromise Cache Attack Florian Weimer (Nov 07)
- Re: Six Step IE Remote Compromise Cache Attack Florian Weimer (Nov 05)
- Re: Six Step IE Remote Compromise Cache Attack Seth Arnold (Nov 05)
- Re: Six Step IE Remote Compromise Cache Attack Jelmer (Nov 06)
- RE: Six Step IE Remote Compromise Cache Attack Thor Larholm (Nov 05)
- RE: Six Step IE Remote Compromise Cache Attack Paul Szabo (Nov 05)
- RE: Six Step IE Remote Compromise Cache Attack Drew Copley (Nov 06)
- Re: Six Step IE Remote Compromise Cache Attack http-equiv () excite com (Nov 06)
- Re: RE: Six Step IE Remote Compromise Cache Attack Steven M. Christey (Nov 06)
- Re: RE: Six Step IE Remote Compromise Cache Attack Paul Schmehl (Nov 06)
- RE: Six Step IE Remote Compromise Cache Attack Steven M. Christey (Nov 07)
- Re: Six Step IE Remote Compromise Cache Attack Goetz Babin-Ebell (Nov 10)
- Re: Six Step IE Remote Compromise Cache Attack Byron Sonne (Nov 10)
- RE: Six Step IE Remote Compromise Cache Attack Alun Jones (Nov 11)
- Re: Six Step IE Remote Compromise Cache Attack Goetz Babin-Ebell (Nov 10)
- Re: Six Step IE Remote Compromise Cache Attack Steven M. Christey (Nov 10)
- RE: Six Step IE Remote Compromise Cache Attack Michael Wojcik (Nov 11)
- Re: Six Step IE Remote Compromise Cache Attack Goetz Babin-Ebell (Nov 11)