Re: [Full-Disclosure] Half-Life 2 source code stolen through IE exploit
From: Nick FitzGerald (nick_at_VIRUS-L.DEMON.CO.UK)
Date: Sat, 4 Oct 2003 05:08:36 +1200
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
"Thor Larholm" <email@example.com> wrote:
This neatly brings two threads of our recent discussions together -- I
have long commented that the exploitation of vulnerabilities for high-
value, targeted attacks, rather than the much more commonly seen "low
value" (individually), target-of-opportunity style of attack we usually
see, is both more likely to be seen more often in future and slightly
more likely to be reported (such attacks surely have been happening but
generally go unreported, for rather obvious reasons), _and_ that we
have now long gone past the point where the exploitation of IE
vulnerabilities outpaces "sufficient" patching.
I said to some of you just last weekend something like "It is at least
18 months since _ANYONE_ could intelligently claim they had a
compelling business case for continuing to allow the use of IE in their
systems because of the rate and level of exposure and the heightened
risk that its use raises". If you're having trouble convincing senior
management that they must OK the cost and accept the inconvenience of
switching browser, consider taking the URL Thor posted and other
sources covering this story, to that management.
Point out that as of today Microsoft still has not fixed this bug, and
you are (probably) just as vulnerable as the Half-Life folk.
Point out that the MS03-032 fix only fixes some of the many ways that
this flaw can be exploited (the whole mess is so complex -- or the
chimpanzees fixing it so incompetent -- that such incomplete "fixes"
are not uncommon).
Point out there are 30-odd other _publicly disclosed_ vulnerabilities,
many of which singly or in clever combinations produce similarly
disastrous exposures (and despite this, MS typically only rates these
vulnerabilities as "moderate" or "low" severity if it even publicly
acknowledges them when releasing the patches that fix them).
Point out that when the researchers who discover these bugs cooperate
with MS so as to get an acknowledgement in the eventual security
bulletin, MS requires non-disclosure of these bugs until it ships a
patch. Thus there are bound to be several (or many) more such bugs "in
the pipeline" awaiting MS's OK to publicly disclose. (Given that it
often takes three to six months to get even critical bugs fixed -- eEye
claims to have discovered the Object Data Type bug in May, and
information on the eEye web site suggests early-to-mid-May at the
latest, and MS03-032 shipped 20 August -- and IE cumulative patches
typically include two to five new _announced_ bug fixes, it seems
likely that MS is "sitting on" somewhere between six and thirty
unannounced IE bugs.)
Point out (you'll probably have to take my word for this) that it seems
the Object Data Type bug (just one of the bugs "fixed" by the patch
from the MS03-032 bulletin and the one apparently used to steal the
Half-Life 2 code) was leaked during the patch development process, or
was independently discovered. Either way, it was being exploited in
the wild months before MS, or the "MS acknowledged" discoverers
(remember, they were looking for the "glory" of being listed as the
"official" discoverers), said anything about the bug publicly, _despite_
the fact that the official discoverers of the bug had found evidence of
widespread abuse (IIRC, "more than 10,000 web sites") of this exploit
_back in May of this year_.
To be fair to the "opposition", point out that their code is quite
possibly just as buggy, or worse. However, regardless of its quality,
it is _far_ less commonly attacked and apparently far less commonly
probed by the bad guys while looking for an attack vector, so at least
for now, with MS dominating the desktop and especially the browser
"market", you are much safer to simply avoid IE.
Note, however, that MS makes doing this really difficult as all manner
of IE code is used in the desktop version of Explorer and in future
versions of the OS, IE will be even more tightly integrated. This
alone suggests that MS has learnt _nothing significant_ from its
Trustworthy Computing initiative as the whole premise of blurring to
invisibility the "boundary" between "desktop" and "world plus sewer"
is, itself, antithetical to good security practice. Yet it seems that,
even despite TCI and Billy's "security over functionality" pledge, no-one
at MS understands (or, if they do, does not have the cojones to suggest)
that "maybe we've been doing this all wrong for years and need to fix
the real basics before we can progress".
So, avoid IE now, and I'd suggest that it would be really prudent to
have a plan in place to avoid having to "upgrade" to the next version
of Windows as it seems despite TCI, MS is still on course to make your
typical computing environment more insecure and even harder still to
make reasonably secure.
--
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854

-----
Most viruses these days use spoofed email addresses. As such, using an
Anti-Virus product which automatically notifies the perceived sender of a
message it believes is infected may well cause more harm than good. Someone
who did not actually send you a virus may receive the notification and
scramble their support staff to find an infection which never existed in
the first place. Suggest such notifications be disabled by whomever is
responsible for your AV, or at least that the idea is considered.
-----