RE: [Full-Disclosure] Re: Re: GAYER THAN AIDS ADVISORY #01: IE 5 remote code execution

From: Bill Royds (
Date: 02/19/04

  • Next message: Brent J. Nordquist: "Re: [Full-Disclosure] New attachment"
    To: <>, "'Tim'" <>
    Date: Wed, 18 Feb 2004 21:50:36 -0500

    Last time I was at my doctor's medical clinic, I noticed all the shiny new
    LCD monitors showing the Windows logon prompt with account Administrator. I
    asked the receptionist why. She said so that anyone could sign on any
    machine when they needed it, since individual machines lock out so only
    the signed user or administrator can sign on. They did have the screensaver
    timeout so people off the street couldn't sign on. But the only way to make
    the multiple workstations usable for anybody was to use the administrator
    account on all of them.
      This is a bit of a design flaw in the Windows network that means security
    is much less than it ought to be.

    -----Original Message-----
    [] On Behalf Of insecure
    Sent: February 18, 2004 7:55 PM
    To: Tim
    Subject: Re: [Full-Disclosure] Re: Re: GAYER THAN AIDS ADVISORY #01: IE 5
    remote code execution

    Tim wrote:

    >>The first is that this IE bug is life-threatening. It's not.
    >>Where's the problem?
    >>This is outrageous FUD. Web browsers are not used in medical
    > Oh? Have you worked in a hospital? I haven't, but I am willing to bet
    > a lot of medical records and even appliances are run on Windows.
    > Correct me if I am wrong.

    I do work in a hospital in the US. No sane person would run a medical
    device on Windows, or at least connect same to a production network.
    However, insanity is rampant...

    Many, if not most, medical record systems, diagnostic, and treatment
    devices run on Windows. The reason is simple: economics. The OS is
    cheaper than dedicated, hardened real-time OS's. Programming tools and
    programmers are cheaper, by far. The costs, as in the risk to patients'
    privacy and safety, can be easily shifted onto someone else.

    One of the largest selling systems used for storing and annotating
    images of paper medical records is written in Word macros. It's a very
    unstable system, but who cares if it has to be rebooted every day?
    Probably only the patients whose records get corrupted or lost in the

    Many of these systems come from the vendor with default shares enabled
    allowing anonymous access, no patches, default passwords, no anti-virus,
    etc. Many health-care organizations then proceed to plug them into the
    general network and pretend that nothing's wrong.

    We've had both diagnostic and treatment devices infected with viruses
    and worms. We've had this happen such while devices were connected to

    So the next time you're at a hospital, consider that chances are anyone
    who has network access can find out more about you than you'd care to
    have them know, and may be able to modify records and treatment plans if
    they are feeling like it.

    If you happen to be receiving some potentially dangerous computer-driven
    treatment, for example radiation therapy, be assured that the computer
    telling the linear accelerator where to place the dose, and how much, is
    likely to be a Windows box that was set up and maintained by someone who
    has exactly zero knowledge and concern about security issues.

    Full-Disclosure - We believe in it.
