Re: [Full-Disclosure] Half-Life 2 source code stolen through IE exploit

From: Nick FitzGerald (nick_at_VIRUS-L.DEMON.CO.UK)
Date: 10/03/03

    Date:         Sat, 4 Oct 2003 05:08:36 +1200

    "Thor Larholm" <> wrote:
    This neatly brings two threads of our recent discussions together -- I
    have long commented that the exploitation of vulnerabilities for high-
    value, targeted attacks, rather than the much more commonly seen "low
    value" (individually), target-of-opportunity style of attack we usually
    see, is both more likely to be seen more often in future and slightly
    more likely to be reported (such attacks surely have been happening but
    generally go unreported, for rather obvious reasons), _and_ that we
    have now long gone past the point where the exploitation of IE
    vulnerabilities outpaces "sufficient" patching.

    I said to some of you just last weekend something like "It is at least
    18 months since _ANYONE_ could intelligently claim they had a
    compelling business case for continuing to allow the use of IE in their
    systems because of the rate and level of exposure and the heightened
    risk that its use raises". If you're having trouble convincing senior
    management that they must OK the cost and accept the inconvenience of
    switching browser, consider taking the URL Thor posted and other
    sources covering this story, to that management.

    Point out that as of today Microsoft still has not fixed this bug, and
    you are (probably) just as vulnerable as the Half-Life folk.

    Point out that the MS03-032 fix only fixes some of the many ways that
    this flaw can be exploited (the whole mess is so complex -- or the
    chimpanzees fixing it so incompetent -- that such incomplete "fixes"
    are not uncommon).

    Point out there are 30-odd other _publicly disclosed_ vulnerabilities,
    many of which singly or in clever combinations produce similarly
    disastrous exposures (and despite this, MS typically only rates these
    vulnerabilities as "moderate" or "low" severity if it even publicly
    acknowledges them when releasing the patches that fix them).

    Point out that when the researchers who discover these bugs cooperate
    with MS so as to get an acknowledgement in the eventual security
    bulletin, MS requires non-disclosure of these bugs until it ships a
    patch. Thus there are bound to be several (or many) more such bugs "in
    the pipeline" awaiting MS's OK to publicly disclose. (Given that it
    often takes three to six months to get even critical bugs fixed -- eEye
    claims to have discovered the Object Data Type bug in May, and
    information on the eEye web site suggests early-to-mid-May at the
    latest, and MS03-032 shipped 20 August -- and IE cumulative patches
    typically include two to five new _announced_ bug fixes, it seems
    likely that MS is "sitting on" somewhere between six and thirty
    unannounced IE bugs.)

    Point out (you'll probably have to take my word for this) that it seems
    the Object Data Type bug (just one of the bugs "fixed" by the patch
    from the MS03-032 bulletin and the one apparently used to steal the
    Half-Life 2 code) was leaked during the patch development process, or
    was independently discovered. Either way, it was being exploited in
    the wild months before MS, or the "MS acknowledged" discoverers
    (remember, they were looking for the "glory" of being listed as the
    "official" discoverers), said anything about the bug publicly _despite_
    that the official discoverers of the bug found evidence of widespread
    abuse (IIRC, "more than 10,000 web sites") of this exploit _back in May
    of this year_.

    To be fair to the "opposition", point out that their code is quite
    possibly just as buggy, or worse. However, regardless of its quality,
    it is _far_ less commonly attacked and apparently far less commonly
    probed by the bad guys while looking for an attack vector, so at least
    for now, with MS dominating the desktop and especially the browser
    "market", you are much safer to simply avoid IE.

    Note, however, that MS makes doing this really difficult as all manner
    of IE code is used in the desktop version of Explorer and in future
    versions of the OS, IE will be even more tightly integrated. This
    alone suggests that MS has learnt _nothing significant_ from its
    Trustworthy Computing initiative as the whole premise of blurring to
    invisibility the "boundary" between "desktop" and "world plus sewer"
    is, itself, antithetical to good security practice yet it seems even
    despite TCI and Billy's "security over functionality" pledge, no-one at
    MS understands (or if they do, does not have the cojones to suggest)
    that "maybe we've been doing this all wrong for years and need to fix
    the real basics before we can progress".

    So, avoid IE now, and I'd suggest that it would be really prudent to
    have a plan in place to avoid having to "upgrade" to the next version
    of Windows as it seems despite TCI, MS is still on course to make your
    typical computing environment more insecure and even harder still to
    make reasonably secure.

    Nick FitzGerald
    Computer Virus Consulting Ltd.
    Ph/FAX: +64 3 3529854
    Most viruses these days use spoofed email addresses. As such, using an Anti-
    Virus product which automatically notifies the perceived sender of a message
    it believes is infected may well cause more harm than good. Someone who did
    not actually send you a virus may receive the notification and scramble
    their support staff to find an infection which never existed in the first
    place. Suggest such notifications be disabled by whomever is responsible for
    your AV, or at least that the idea is considered.
