RE: Six Step IE Remote Compromise Cache Attack
From: Drew Copley (dcopley_at_eeye.com)
Date: Wed, 5 Nov 2003 16:32:54 -0800 To: "Benjamin Franz" <firstname.lastname@example.org>, "Thor Larholm" <email@example.com>
> -----Original Message-----
> From: Benjamin Franz [mailto:firstname.lastname@example.org]
> Sent: Wednesday, November 05, 2003 2:50 PM
> To: Thor Larholm
> Cc: Liu Die Yu; email@example.com
> Subject: RE: Six Step IE Remote Compromise Cache Attack
> On Wed, 5 Nov 2003, Thor Larholm wrote:
> > This post raises an interesting question. Is our goal to find new
> > vulnerabilities and attack vectors to help secure users and
> > infrastructures, or is our goal to ease exploitation of existing
> > vulnerabilities?
> > There are no new vulnerabilities or techniques highlighted in this
> > attack (which is what it is), just a combination of several already
> > known vulnerabilities. This is not a proof-of-concept designed to
> > highlight how a particular vulnerability works, but an exploit
> > designed specifically to compromise your machine. All a malicious
> > viruswriter has to do is exchange the EXE file.
> > Believe me, I am all in for full disclosure and detailing
> every aspect
> > of a vulnerability to prevent future occurances of similar threats,
> > but I don't particularly think that we should actively be trying to
> > help malicious persons.
> I have mixed emotions about this. On one side - why put
> millions of systems at risk to script kiddies? On the other
> side, as noted by the poster, one of these vulnerabilities
> has been known for more than _TWO YEARS_. Surely far more
> than enough time for MS to have actually _fixed_ the problem
> if they intended to. MS seems (at least in some cases) to
> ignore security problems until someone publically 'holds
> their feet to the fire' over them. I suspect this happens
> when the problem 'runs deep' in their code and will require
> more than fixing a boundary limit check and recompiling.
Very well said.
I would note that I believe their strategy for securing code wants to be
inline with their strategy for pushing their products. The company is
full of strategies, and this is good. But, the primary stategy needs to
be to "put security first". Especially, post 9/11.
A few others things...
As with all security issues, the researcher is not bound to tell anyone
about them. Liu Die Yu could have just shared this with his friends, and
we all could have kept these to do as we will. Kind of like keeping your
own personal nuclear weapon. Who knows? Maybe there will be a rainy day.
My question then, to everybody, is "would you have preferred that he
keep this to himself and his friends, or would you have preferred for
him to have disclosed this, with a workaround?"
Because Liu Die Yu has worked with Microsoft (China) in the past, and he
has, unfortunately, found that he can not trust them. Maybe he talked to
the wrong person. Who knows? But, we can all see plainly that Microsoft
was without excuse to ignore these problems all of these years. What was
the thinking behind that?
Was somebody's job saved so this could happen? Was somebody able to make
a more successful career move because of this? Are researhers like Liu
Die Yu too intimidating to deal with, too challenging, too successful?
What would have happened if someone else put these flaws together and
discovered they could make them work? What would have been the case in
that situation? Why did Microsoft ignore the advice of all these
researchers and not do something about these issues? Why did they think
they could go it alone in this way? The advice was free for them.
They had almost two years to fix this, should Liu Die Yu even
conceivably be forced to wait another three to six months from a company
that has shown him bad dealings in the past?
This is using the system at its' best. It is an example of the best kind
of system. There is no bureaucracy, there is no limitation, no glass
ceilings, no prejudice... Anyone who is capable, come, find bugs.
Microsoft is putting out millions of dollars in bounties for worm
writers while people like Liu Die Yu are just trying to get into the
security field, so they can do what they are best at. What they love to
do. It isn't like he is incapable of doing this. He has found swarms of
bugs since starting to look for them.
Bounties work. We know they do. But, let's close the gap. Let's make
sure that tomorrow's bugs are not found outside of the Full Disclosure
community. Why would anybody be making these kinds of shortcuts? What
good is AV or Firewalls or anything if your OS let's the attacker
We worry about script kiddies trying to figure out what Liu Die Yu did
here to make their own version? We should be worrying about rogue
nations and criminal organizations creating teams of bug finders so they
can penetrate any system they want to.
The computers themselves are worthless, compared to human lives, but the
information within them are invaluable. Blueprints. Military strategies.
Political strategies. Security strategies. Governmental secrets.
Corporate secrets. Identities. Weaknesses.
I have to wonder when people when begin to figure out that security bugs
mean... security holes mean: keys to the application, and generally,
keys to the system. We can ponder all we want about the NSA having a
backdoor, or merely Microsoft having a backdoor... But anytime someone
finds a security hole like this, they have a backdoor.
If you want, ask the researcher to please alert the vendor. Be rude
about it, whatever. But, understand that if they were bad or interested
in doing evil... They would not report it to the world. They would use
Lastly, just to be fair. Most researchers that find bugs in Microsoft's
products do so at least partly because everyone uses their software.
Microsoft actually has a code auditing team, they actually have made
moves towards securing their software. Most companies have not done
this. Their code is not even looked at. If the case were anything
different, Liu Die Yu would just put his resume on monster or dice, and
he wouldn't be speaking to us right now. He would be working in the
field he loves.
Research Engineer, eEye Digital Security
Fun quote for the day:
"Who knows what evil lurks in the hearts of men? The Shadown knows!"
> Benjamin Franz
> Gauss's law is always true, but it is not always useful.
> -- David J. Griffiths, "Introduction to Electrodynamics"