Re: WHY doesn't MS take this seriously.

From: linda w (lindaw_tlinxorg@hotmail.com)
Date: 11/10/02


Date: Sat, 09 Nov 2002 22:39:23 -0800
From: linda w <lindaw_tlinxorg@hotmail.com>


I'm vaguely confused.

The instructions say to put it on a *remote* computer -- one that is
accessed by 'http://' -- that's not the local computer.

If the script is valid, it claims to have a way for an http javascript to
get "elevated" local-computer-zone privileges and thereby execute arbitrary
local commands.

As far as workaround? -- Get a filtering firewall. Looked for hacked copies
of AtGuard. It's possible Norton's Firewall product may work (though it was
seriously broken last time I tried it a year ago -- something about lack of
intellectual capital to fix problem...or something like that...:-| ). Block
all ActiveX. Turn off Java. Block all javascript. Block your browser ID.
Block all cookies. Block referrer and email. Essentially go fully private --
then surf to your heart's content.

Then -- on sites that you *trust*, re-enable only those services that you need
in order to use the site. If the site requires your browser ID -- send them
a nasty message that their site is broken. Javascript is usually a minimum and
usually sufficient for most sites. ActiveX requiring sites -- just say 'no',
you're using Netscape, Mozilla or Opera (whether you are or aren't). Cookies
are usually necessary for sites you want to do commerce with.

But the solution is easy -- don't permit complete strangers to run scripts on
your machine. Real simple. If they aren't a reputable company. Don't do it.

The most secure machine in the world is one encased in 10 feet of concrete a
mile below ground. Unfortunately, the usability sucks. The more 'automated'
usability features you open up, the less secure your machine becomes. Even
running Microsoft's update -- what happens if they make a mistake and one of
their updates attempts to enforce a security policy that was only supposed to
affect your playing a pirated copy of "xyzzy", but instead it accidentally does
the opposite and blocks all programs except "xyzzy". Oops. Each and every time
you install an update from Microsoft you have to remember -- their "EULA" claims
that they are protected from any consequential damages of such mistakes and that
you accept such risks by using their software (I haven't yet figured out how they
can claim to enter into a contract with a 'click' made by a dog/cat or 8yr old
child, but, then, I'm not a lawyer).

Deliberate or accidental, the fallout can be the same -- your machine becomes
less or dys-functional.

Meanwhile -- turn off or selectively block the toy features on untrusted sites.
Or use a browser that doesn't operate the same way. I don't have a webserver
setup to test the test case you refer to, but does it do the same thing in
Mozilla? I *know* it won't do the same thing in 'lynx' (a text-only browser you
can load onto Windows and run under the 'cygwin'-FREE-unix environment. I've
run it on Win98SE, Win2ksp3 and WinXP (www.cygwin.com, load the 'base' and lynx)).

Has anyone ever wondered why there are so many different species on earth -- and
why there is so much genetic diversity even among humans? If all humans ran
the same software, then 1 software virus could easily wipe out the entire
species. It isn't safe or natural. It's a security flaw. Just like
biodiversity promotes species survival, so software diversity promotes
resistance to viruses. Think about it. I wonder if we should put remaining
Amiga computers on the endangered species list? :-).

Think about MS's new Palladium and the Intel trusted hardware movement. If they
have their way, lawmakers will attempt to extinguish all other forms of
hardware. Then all we need is some nice viral bug in the trusted OS certificate
system. We could find the entire computer population completely shut down in a
matter of hours or less with everyone locked out. No way to get a patch out --
computers won't boot. The trusted HW could lock down the keyboard --
everything. Don't think it won't be possible.

-linda

David Jones wrote:

> Um, what is there to patch?
> You're running this code in the local computer zone, not
> in the Internet zone. It's not a security hole any more
> than you double-clicking an unknown .exe file that
> deletes files.
>
> There's been lots of talk on the bugtraq list about this
> (http://online.securityfocus.com/archive/1) and the
> general consensus has been that since it's running in the
> local computer zone, it's not anything to patch.
>
>
>
> >-----Original Message-----
> >http://www.net-security.org/vuln.php?id=2200
> >
> >I've tested it and even though my XP is up-to-date with
> >all patches, and "all" other steps to secure I could
> >(even though I'm not an expert) change it to WHATEVER I
> >would like to do with C disk.
> >
> >This will become a major disaster soon. Promise! Wait
> >until every poor little kid (or bad guys for that matter)
> >understand this great hole.
> >
> >PLEASE! RESPOND NOW MS!! MAKE US A CRITICAL PATCH!!!
> >.
>
> >

