RE: [Full-Disclosure] Re: Re: GAYER THAN AIDS ADVISORY #01: IE 5 remote code execution

From: Bill Royds (full-disclosure_at_royds.net)
Date: 02/19/04

  • Next message: Brent J. Nordquist: "Re: [Full-Disclosure] New attachment"
    To: <insecure@ameritech.net>, "'Tim'" <tim-security@sentinelchicken.org>
    Date: Wed, 18 Feb 2004 21:50:36 -0500
    
    

    Last time I was at my doctor's medical clinic, I noticed all the shiny new
    LCD monitors showing the Windows logon prompt with account Administrator. I
    asked the receptionist why. She said so that anyone could sign on to any
    machine when they needed it, since individual machines lock out so that only
    the signed-in user or administrator can sign on. They did have the screensaver
    timeout so people off the street couldn't sign on. But the only way to make
    the multiple workstations usable for anybody was to use the administrator
    account on all of them.
      This is a bit of a design flaw in the Windows network that means security
    is much less than it ought to be.

    -----Original Message-----
    From: full-disclosure-admin@lists.netsys.com
    [mailto:full-disclosure-admin@lists.netsys.com] On Behalf Of insecure
    Sent: February 18, 2004 7:55 PM
    To: Tim
    Cc: full-disclosure@lists.netsys.com
    Subject: Re: [Full-Disclosure] Re: Re: GAYER THAN AIDS ADVISORY #01: IE 5
    remote code execution

    Tim wrote:

    >>The first is that this IE bug is life-threatening. It's not.
    <snip>
    >>Where's the problem?
    >>This is outrageous FUD. Web browsers are not used in medical
    >>appliances.
    >
    >
    > Oh? Have you worked in a hospital? I haven't, but I am willing to bet
    > a lot of medical records and even appliances are run on Windows.
    > Correct me if I am wrong.
    >
    <snip>

    I do work in a hospital in the US. No sane person would run a medical
    device on Windows, or at least connect same to a production network.
    However, insanity is rampant...

    Many, if not most, medical record systems, diagnostic, and treatment
    devices run on Windows. The reason is simple: economics. The OS is
    cheaper than dedicated, hardened real-time OS's. Programming tools and
    programmers are cheaper, by far. The costs, as in the risk to patients'
    privacy and safety, can be easily shifted onto someone else.

    One of the largest selling systems used for storing and annotating
    images of paper medical records is written in Word macros. It's a very
    unstable system, but who cares if it has to be rebooted every day?
    Probably only the patients whose records get corrupted or lost in the
    process.

    Many of these systems come from the vendor with default shares enabled
    allowing anonymous access, no patches, default passwords, no anti-virus,
    etc. Many health-care organizations then proceed to plug them into the
    general network and pretend that nothing's wrong.

    We've had both diagnostic and treatment devices infected with viruses
    and worms. We've had this happen while devices were connected to
    patients.

    So the next time you're at a hospital, consider that chances are anyone
    who has network access can find out more about you than you'd care to
    have them know, and may be able to modify records and treatment plans if
    they are feeling like it.

    If you happen to be receiving some potentially dangerous computer-driven
    treatment, for example radiation therapy, be assured that the computer
    telling the linear accelerator where to place the dose, and how much, is
    likely to be a Windows box that was set up and maintained by someone who
    has exactly zero knowledge and concern about security issues.

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html

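The two messages above describe the same failure mode from two sides: workstations where everyone signs on as the built-in Administrator, and vendor boxes shipped with open shares, default passwords and anonymous access. What follows is an added example, not code from either poster or from the list: a local PowerShell audit that reports the conditions they describe on a single Windows workstation. It assumes a modern Windows with PowerShell 5.1 or later, the SmbShare module (Windows 8 / Server 2012 or later), and an elevated prompt, because `secedit` needs one; the function name and the field names in its output are my own.

```powershell
# Added example (not from the original thread). Audits one workstation for the
# conditions described in the messages above: shared use of the built-in
# Administrator account, who may log on interactively, shares open to
# Everyone/anonymous, LSA anonymous restrictions, and the Guest account.
# Assumes PowerShell 5.1+, the SmbShare module and an elevated prompt.
function Get-WorkstationLogonAudit {
    [CmdletBinding()]
    param()

    $report = [ordered]@{}

    # 1. Built-in Administrator is always RID 500 of the machine SID. A
    #    "everyone signs on as Administrator" setup shows up as an enabled
    #    RID-500 account with a recent LastLogon.
    $admin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
    $report['BuiltinAdminEnabled']   = [bool]$admin.Enabled
    $report['BuiltinAdminLastLogon'] = $admin.LastLogon

    # 2. Who holds "Allow log on locally"? secedit exports the effective local
    #    policy; the [Privilege Rights] section lists SIDs per right, e.g.
    #    SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545
    $inf = Join-Path $env:TEMP 'secpol-audit.inf'
    secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
    $line = Select-String -Path $inf -Pattern '^SeInteractiveLogonRight\s*=' |
        Select-Object -First 1
    Remove-Item $inf -ErrorAction SilentlyContinue
    $report['InteractiveLogonPrincipals'] = if ($line) {
        ($line.Line -split '=', 2)[1].Trim() -split ',' | ForEach-Object {
            $sid = $_.Trim().TrimStart('*')
            # Translate well-known and local SIDs to names; keep the raw text
            # for anything that does not resolve.
            try {
                (New-Object Security.Principal.SecurityIdentifier $sid).
                    Translate([Security.Principal.NTAccount]).Value
            } catch { $sid }
        }
    } else { @() }

    # 3. Non-administrative shares that grant access to Everyone or to
    #    ANONYMOUS LOGON (the "default shares allowing anonymous access"
    #    the second poster mentions).
    $report['SharesOpenToEveryone'] = Get-SmbShare |
        Where-Object { -not $_.Special } | ForEach-Object {
            $open = Get-SmbShareAccess -Name $_.Name | Where-Object {
                $_.AccessControlType -eq 'Allow' -and
                $_.AccountName -in 'Everyone', 'ANONYMOUS LOGON',
                                   'NT AUTHORITY\ANONYMOUS LOGON'
            }
            if ($open) { $_.Name }
        }

    # 4. LSA settings governing anonymous enumeration. RestrictAnonymous=0 and
    #    EveryoneIncludesAnonymous=1 let null sessions enumerate shares/users.
    $lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $report['RestrictAnonymous']         = $lsa.RestrictAnonymous
    $report['EveryoneIncludesAnonymous'] = $lsa.EveryoneIncludesAnonymous

    # 5. Guest (RID 501) enabled is another way "anyone can sign on".
    $guest = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-501' }
    $report['GuestEnabled'] = [bool]$guest.Enabled

    [pscustomobject]$report
}

Get-WorkstationLogonAudit | Format-List
```

Run it on each workstation as an administrator and compare the output across the fleet. A healthy shared-workstation setup shows the RID-500 account disabled or idle, `InteractiveLogonPrincipals` containing the domain users or a dedicated clinic group rather than only Administrators, no entries under `SharesOpenToEveryone`, `RestrictAnonymous` non-zero, `EveryoneIncludesAnonymous` of 0, and Guest disabled.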

