In late December, Microsoft researchers responding to publicly posted attack code that exploited a vulnerability in the FTP service of IIS told users it wasn't much of a threat because the worst it probably could do was crash the application. Thanks at least in part to security mitigations added to recent operating systems, …
They are a joke
Microsoft ... "told users it wasn't much of a threat because the worst it probably could do was crash the application."
“The point was proven that you could actually start to execute code, as opposed to them saying: 'Don't worry about it. It can only crash your server',”
This is why Microsoft is a joke. The hackers probably cannot steal your data but they can take out your server! And this is not serious?
About 80% of Apple security updates
In today's IT world, a repeatable crash means a red alert for security; any sane vendor, especially an AV vendor (they run at almost kernel level), will take it very seriously.
I always get the Apple security updates mailing list and almost all of the updates were crash prevention patches, although it was NOT demonstrated that the crash could be exploited. That is Apple! The company we all criticize for laid-back security updates.
This is 2 strikes, get Avast free, paid or Kaspersky AV. Don't install that junk, they really proved that they microsoftized that AV.
AV software runs at a very deep level by design and you wouldn't want it to be abused. Especially on Windows.
not to defend Satan
but M$ has actually come a long way security-wise. They are just faced with a bunch of bad legacy design decisions like embedding an internet browser deep in their OS. Adobe on the other hand is far, far worse and responsible for at least as many boxes getting owned these days as M$.
RE:They are a joke
What they were saying was it could crash the IIS service, not the server. Because it's only a service crash, Microsoft wouldn't spend time on fixing it as it takes only a few seconds to a minute to bring it back up. If it was to actually crash the server OS, I'm pretty sure Microsoft would have spent more time to fix the issue. Learn about the OS before you flame it.
servers don't crash
A server, especially a public-facing server, shouldn't crash. If it crashes, it should be fixed. If someone manages to crash a server kernel, the entire OS, remotely, they should already close the office and go home. Nobody says a server OS crashes. Tell the guy losing his connection in the middle of a 4 GB download that it is normal.
Even the basic AFP server on Leopard had a mysterious crash; Apple fixed it. It is not the "server" version, it is the thing for trivial home sharing.
Defense in depth?
How about starting with the coding habits that *allow* heap overflow in the first place?
Or a set of macros (Can't be a subroutine call because "performance" is *so* important) to ensure check code gets inlined as a matter of course?
This is *not* a pop at MS in particular. They (like *every* development shop on the planet) want code written fast.
It's just the *consequences* of their practices ensure a whole lot *more* people get f****d than most other software suppliers.
Note the fix "Turn off FTP" might as well be "WTF did I buy this in the first place if I can't run something it says it can (in safety)?"
Thumbs up for finding this one. It's good to remember the price of security is eternal vigilance.
Bad coding habits
A culture where Source Code is fiercely protected from ever seeing the light of day is a culture in which bad coding practices can flourish.
The thought that millions of people all around the world might be looking at your code, is the single greatest incentive to write it in such a way that nobody can point and laugh at it.
It's long past time for some government or other to stand up to Microsoft and others, realise that withholding Source Code from users has done nothing at all to prevent piracy while creating a security nightmare that has cost countless person-hours and probably a few lives, and order vendors to decide between supplying Source Code to any duly-licenced user on request, or having their products banned from sale.
MS do supply the source code to duly licensed customers and have done so for about eight years.
If you're going to slag off a particular OS (it doesn't matter which), suggesting you have superior knowledge of systems and development, you shouldn't be making basic errors like this as it calls into question anything that you say. At the very least it shows you up as someone who, in this case, is slagging off MS from a point of ignorance and allows me to filter your posts appropriately.
On the other hand...
I wonder how many security problems have sneaked their way into Linux, like this one nearly did?
Simply making a project open source is not the magic cure-all you make it out to be: Open source brings with it other, significant, problems.
I'd rather run closed-source products, any day. I do not trust - nor believe - the open source community's ability to vet every single line of code that is submitted - and Linux is beyond huge - it's truly massive.
The question is not "Is there a secret backdoor in Linux?" - the question is "How many backdoors are there in Linux?" All hiding in plain sight...
This was from 2003, for grief's sake!!
and then it was stomped on VERY quickly.
Is this the best you can do?
Not sure about this...
I'm not sure I'm ready to live in a world where I have to choose between dozens of half-assed, not quite fit for use apps that are all trying to do the same thing, and where, if I have the temerity to ask why my scanner won't work, the assumption is that I'm a retard who shouldn't have access to a network connection.
2003 was eight years ago.
Or do you seriously think that black hats haven't learned anything in the last eight years? What frightens me the most is that the risk is there, it's bloody obvious, and the best you can do is castigate me about the date!
Perhaps you missed the point I was trying to infer, that this happened to be one attack that was stopped. At least two possibilities exist:
a) That further attacks have all been caught (not very likely)
b) That further attacks have succeeded, without drawing attention
There are very big and very powerful players who have EVERY interest in seeing a backdoor planted in Linux, and there is absolutely no reason for me to believe they haven't already succeeded, especially if attitudes like yours are prevalent among the kernel developers.
Hint: When was the last time you checked your keyboard for keylogging devices?
The point about it
was that an attempt on open source was caught quickly because it was open source.
FUD FUD FUD
What a load of apparently wishful thinking ( and paranoia)
I am a heavy linux user, I like linux, but the whole "it was found so quickly because it was open source" thing, doesn't really wash with me. Here are a few from the first page of a search for "year old linux bug":
And remember that their fixes may well be in the nightly unstable builds quickly, but it's still often up to a month or more before they are in the repos for general end users' consumption.
Linux is used by...
Linux, especially enterprise-class Linux, is used in bank mainframes, armies, governments, secret services and even in the NSA (SELinux).
So, these guys don't check the code and run a backdoor. Is it?
I work in a major UK/Global bank as a Linux specialist and no, we don't check the code, why would we? IBM (z/Linux) and Red Hat (RHEL) do that for us, that's what we pay them a shed-load of money for. Even banks don't have the resources to check the Linux codebase and we certainly don't change the codebase because that would invalidate our support contracts.
I work in Security.
It's my JOB to be paranoid.
The other thing that really worries me is the "It couldn't happen here" attitude so prevalent in the open source community. You know, there are just so many open vectors of attack on a distribution like Linux, it's scary. Perhaps you should try a couple of the more obvious ones:
a) Keylogging devices installed within keyboards of one or more Linux gatekeepers (if you have the money, power and the motive, such an act is most definitely possible. When was the last time you checked your keyboard?)
b) A modified compiler installed within the release system at Red Hat or CentOS. Even if you checked the source, you'd never find the code (see "Reflections on Trusting Trust", by Ken Thompson, ACM 1984, for a full explanation.) For those in the banking sector who are paying the likes of IBM to check the code, well, I hate to break this to you, but you're wasting your money. You may as well be using closed-source: It's safer.
The bottom line is this: One of these days, people are going to find that there's something pretty fucking big submarined in the Linux kernel, and I am going to be there to laugh at you when it happens. We're not just talking about people with an interest in espionage (although that is pretty powerful enough just by itself) - we are also talking about people with an active interest in making as much money as possible by exploiting your own ignorance.
It has just been proven that if a burglar is determined and skilled enough he will be able to break into your house. No matter how many alarms and fancy locks you have!!
You mean operating systems aren't 100% secure either? Who would have believed that one.
Here we go yet again.
Microsoft are a joke. Microsoft are crap. Windoze is crap. As full of holes as a swiss cheese. I don't use it. I use Linux. I use Mac. They are better, they are more secure. Yeh right.
"Microsoft Security Shield" What is that exactly?
The interesting work these people carried out is being used here to bait the smug M$/Windoze bashers into another tiresome round of predictable responses.
What purpose is served? None.
Take my wife, please
Maybe the interest comes from examining the complacency of the homeowner, who was warned several months in advance that his house would be broken into by a specific door that he insisted on not locking.
metaphor doesn't really hold up
Read the article. The homeowner insisted that the lock could be broken but not in a way that allowed access to the house. The investigators found that, if they first rang the doorbell and ran away, then broke the lock when the homeowner was looking round the side of the house, they could indeed gain access to it.
>> The interesting work these people carried out is being used here to bait the smug M$/Windoze bashers into another tiresome round of predictable responses. << Go back to your other os and continue to feel smug. As long as Microsoft are the biggest target you're relatively safe.
Sabroni: biggest target?
>As long as Microsoft are the biggest target you're relatively safe.
Yes, as everyone knows, IIS is THE big target. After all it runs on 80% of the internet-facing servers worldwide, and especially the Big Guy's ones. Or not.
The price of security?
Let me reword that - The price of security is eternal Linux?
Yes, that's right.
As long as it remains a minority OS that has almost no desktop market share, hooray, you are secure.
Step over that line, however, and you start to be worth cracking and then it's open season on penguins. Especially since many users are way too smug to even install antivirus.
Especially since many users are way too smug to even install antivirus.
if only you were right
But you're not. I've had the pleasure of reconstituting 2 Ubuntu boxes and three early nettops which users thought were "immune to viruses". They weren't immune to browser infestation, sadly.
I'm just glad I know nothing about mac-fixing because mac users are in general even more smug and therefore, an even bigger target.
For a machine that "just works" those "genius bars" - I typed it, I feel ill now - sure are busy.
users thought were "immune to viruses"
If I needed a server-only, headless blade, I would install OpenBSD, buy a couple of good books and stay the hell out of its maintainers'/bosses' sight ;)
They are mean guys and not really social, but you don't hear the "oh, FTP server crashes, no worries" type of thing from them. Man, even an end user wouldn't consider a crashing program "normal".
Yeah, if only you were right!
If you are so good at Ubuntu, you might already know that you can't run it as root so it is almost impossible to ruin a system like one would do with Windows. Oh, and a Linux knowledgeable person wouldn't take that much pleasure bragging how he disinfects Linux PCs.
Install anti-virus for what ?
To scan for Windows viruses? Please get serious!
Which would be a great comeback...
If it wasn't for the fact that this is a story about IIS. Not desktop Windows.
Linux on desktops.. Agreed.. Pretty small. A few percent tops.
Linux on servers.. Different story.
Windows on servers.. Not as common as you think.
Windows desktop OS running servers.. Is that even possible?
And given the number of Windows installs of all kinds, including business, with quite frankly horrific security practices that have never seen a single Windows update.. I'd be very careful with that AV stone in your glass house.
"If you are so good at Ubuntu, you might already know that you can't run it as root"
Not run as root? Ever hear of privilege escalation attacks? Linux has been found to be vulnerable to a number of them over the years.
" so it is almost impossible to ruin a system like one would do with Windows."
Accidentally, maybe. But if someone is trying it's not "almost impossible," it's arguably "mildly difficult." (FTR the argument is that it's even THAT hard)
"Oh, and a Linux knowledgeable person wouldn't take that much pleasure bragging how he disinfects Linux PCs."
I think you misread the post; he wasn't bragging about it, just pointing out that Linux isn't the solution to all the world's woes that the penguinistas seem to think.
Ok, I'll admit it... I may be trolling a little bit at this point.
@ John Bailey
"Windows on servers.. Not as common as you think?"
What? Not as common as the most installed server OS in the world?
"Windows desktop OS running servers.. Is that even possible?"
Yes, you just only get to have 10 clients access at any time.
Array in DIS-Array...
I'd think that if one can DIS the array, one can create a HEAP of SH*T... (Couldn't resist the parallel analo... ummm, constructs... )
I see you're reading the label on the box.
But the box is empty, and was empty before you picked it up.
I have Ubuntu (and CentOS and Fedora and XP) on my laptop. I run as root when I want to. On my old machine, that is never on the net, I run as root from login on Ubuntu, Fedora and XP (admin).
The only thing that Ubuntu makes you do to run as root is jump through hoops to re-enable it.
If you do indeed run Linux as root and are not just a trolling MS fanboy, then you are a cretin of the highest order.
There is not one possible reason for you to use Linux as a root user other than being a dimwitted Windows user who thinks that this is the only way you can be a proper "power user" or something.
@Goat Jam - hold on..
Just confirm this for me - you're blaming Microsoft for the fact that some people use Linux badly?
Another one who doesn't get it
"Especially since many users are way too smug to even install antivirus." -- no. Linux, thanks to its Unix heritage, has privilege separation built-in from the ground up. If you want to use a door analogy, the locks are screwed on *from the inside*.
So does Windows, what's your point?
Yes, Windows can get viruses which run as Admin. These days, it's usually because someone has been tricked into installing them with elevated privileges. Are you suggesting that Linux users are too smart to fall for this sort of trick?
There's practically NO reason to run a modern version of Windows as root/admin either - any halfway well-written software will save any files that are modified during normal operation to the user folder. It's only badly written (or legacy) applications that tend to try and write to "protected" drive space.
In fact, even if you do run Win 7 as admin, UAC still pops up a privilege escalation prompt whenever needed.
MS guidelines for developers have been to "do it right" (use the user folder) since the fairly early days of XP at least... the problem is they'd never enforced it.
Facts? Look at real stats dude!
???? most installed server OS?
You surely mean Linux?
a title is blah
"As long as it remains a minority OS that has almost no desktop market share, hooray, you are secure."
IIS, as a server, to deliver websites, will most likely run on a server infrastructure, doing that, serving, and not likely on a majority of desktop systems (though didn't they have it enabled by default at some point? Not sure there).
Which OS has a large server market share again?
@ dogged... if only you were right
Some actual details would be considered useful.
> Heap-exploitation mitigation .. works by detecting memory that's been corrupted by heap overflows, and then terminating the underlying process ..
Why not design a platform that is immune to "heap overflows", and don't say it isn't possible or try and blind me with techno-babble, it is patently obvious the combined efforts of WinTEL can't do it. It is curious that design decisions made decades ago still have such a disastrous effect on current security.
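An added illustration of the check the quoted mitigation describes, written for this thread and not taken from the article or from Microsoft's heap implementation: a toy allocator places a cookie after every block and, on free or on an explicit check, detects that an overflow has clobbered it, which is the point at which the real mitigation terminates the process. All function names here are invented for the example.

```c
/* Added example: a toy heap-integrity cookie in the spirit of the mitigation quoted
 * above. Not Microsoft's heap code; names are invented for illustration. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define GUARD_LEN 8
/* Constructed cookie value; a real allocator would use a per-process random one. */
static const uint8_t GUARD[GUARD_LEN] = {0xDE, 0xAD, 0xBE, 0xEF, 0xCA, 0xFE, 0xF0, 0x0D};

typedef struct {
    size_t  len;
    uint8_t data[];   /* len user bytes, followed by GUARD_LEN cookie bytes */
} guarded_block;

static guarded_block *hdr_of(void *p) {
    return (guarded_block *)((uint8_t *)p - offsetof(guarded_block, data));
}

/* Allocate len bytes and plant the cookie immediately after them. */
void *guarded_malloc(size_t len) {
    guarded_block *b = malloc(sizeof *b + len + GUARD_LEN);
    if (!b) return NULL;
    b->len = len;
    memcpy(b->data + len, GUARD, GUARD_LEN);
    return b->data;
}

/* 1 if the cookie is intact, 0 if a write past the block has clobbered it. */
int guarded_check(void *p) {
    guarded_block *b = hdr_of(p);
    return memcmp(b->data + b->len, GUARD, GUARD_LEN) == 0;
}

/* Like free(), but refuses a corrupted block. Returns 1 if freed, 0 if corruption
 * was detected; a real mitigation would abort() here instead of returning. */
int guarded_free(void *p) {
    if (!guarded_check(p)) {
        fprintf(stderr, "heap corruption detected at %p: terminating\n", p);
        return 0;
    }
    free(hdr_of(p));
    return 1;
}

/* Constructed scenario: copy n bytes into a 16-byte block with no bounds check
 * (the kind of bug the mitigation is there to catch). Returns the check result,
 * or -1 for n beyond what this toy allocation can hold without touching foreign
 * memory (16 user bytes + GUARD_LEN cookie bytes). */
int copy_and_check(size_t n) {
    uint8_t src[16 + GUARD_LEN];
    memset(src, 'A', sizeof src);
    if (n > sizeof src) return -1;
    void *buf = guarded_malloc(16);
    if (!buf) return -1;
    memcpy(buf, src, n);           /* n > 16 overruns into the cookie */
    int ok = guarded_check(buf);
    free(hdr_of(buf));             /* cookie lives inside our own allocation */
    return ok;
}

int main(void) {
    printf("16 bytes: %s\n", copy_and_check(16) ? "intact" : "corrupt");
    printf("17 bytes: %s\n", copy_and_check(17) ? "intact" : "corrupt");
    return 0;
}
```

The cookie only catches overruns that cross it; writes that land entirely inside the block or skip past the cookie go unnoticed, which is why such checks are a mitigation rather than a fix for the underlying bounds bug.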
Yes, why not add "HEAP_OVERFLOW == 0" to the headers?
Why do they keep persisting in not designing a platform that's immune to heap overflows?
It's almost like that's quite difficult...
Why isn't HEM protection possible?
Maybe the programmers are on.... HEMP???
@AC Monday 09:21
Best sign up for this - you might learn about, and I quote, "Heap overflows in Linux"
rsync has been shown to have the same sort of vulnerabilities as Windows. Now stop believing all the marketing bumf and actually get to learn about the tools you are using and how they work! Though I run the Penguini, I still believe in proper security...
Move along... nothin’ to see here....
MS said the bug was exploitable, said it was difficult to exploit and updated IIS two months prior to the conference where this mitigation research was discussed.
Mitigations are used to slow down attackers in their development of exploits, to try and make those exploits unreliable, and to raise the bar of the skill required to create such exploits (e.g. Chris Valasek is a Senior Research Scientist). The mitigations in this case served that purpose. Mitigations don’t take away the need to update the binaries and IIS was still fixed. Mitigations for all platforms are constantly updated to reflect research from White/Grey/Black Hats. Mitigation bypasses generally do not work broadly.
Server DoS's are typically patched by MS anyway, so whether or not it was exploitable is irrelevant, detailing whether it is exploitable or not is to allow the system admin to make a decision in how to prioritise the downloading/testing and rolling out the patch.
The revised blog post, that wasn't referenced by Dan for some reason, said it was exploitable:
"Since then additional research has shown that it may be possible for this vulnerability to be exploited if DEP and ASLR protections are bypassed."
The bulletin notes from Feb 2011 said it was exploitable:
“Maximum Security Impact - Remote Code Execution”
MS said they were aware of the research in the mitigation bypass.
“Vulnerability details for CVE-2010-3972 are public. However, it will be difficult to build a reliable exploit for code execution. We have heard rumors [sic] of an exploit technique that will be discussed publicly in April by Chris Valasek and Ryan Smith.”
These are not the security holes you are looking for
While these newly discovered vulnerabilities are interesting, you need only look at the change in attack vector by viruses in the wild to realise the depth of change related to windows security in recent years.
Long gone are the days of the Blaster/Sasser worms. Even the dreaded Conficker worm uses a combination of social engineering and brute force dictionary attacks.
And the drive-by web based attacks rely on exploiting vulnerabilities in commonly installed software like Acrobat, not the OS itself. Therein lies the rub.
All the current security issues on the Windows platform can be laid squarely at the feet of badly written 3rd party software.
It all started when MS ditched the home market DOS based OS and consolidated on the NT platform with XP. Prior to this, people who wrote software for the NT platform understood that it was a network based OS with tightly regimented ACLs, and if they didn't take this into account, their software would not work.
Then came the flood of script kiddies, DOS programmers, and beard-stroking old-school Unix zealots, who refused to comply with the Windows security model, making it so difficult to run as a limited user that we have to run as admins, giving anything we double-click on full rights to the entire OS.
"Program Files? that has a space in it, and would require some improvement in my programming skills. I'll just install in the root of C:"
"Windows registry? Looks complex. I'll just write back to config files in my install directory"
The net result is that as a sysadmin, you spend days tightly locking down your Windows environment, and then weeks punching dirty great holes in it again to get badly written software working. No wonder your average home user is vulnerable; they've been conditioned into thinking that every bit of software out there needs direct kernel access and sufficient rights to re-partition your hard disk, just so it can self-update.
Firefox behaves like a virus, trying to write-back to its program folder when updating (instead of using an installed service). I've seen Google Chrome install itself into the users profile folder before! Don't think the open source crowd do any better. The first thing that happens when you launch GIMP, is it does a great steaming dump all over your user profile. You'd think by the way these programs behaved the coders had never actually seen a windows computer before in their life.
When these 3rd party programs finally start using the now decade-old, well documented Windows security model, then so can we! On that day, we will be genuinely worried by the UAC pop-up, rather than just assuming it's Mozilla's crappy updating routine.
Re: These are not the security holes you are looking for
"It all started when MS ditched the home market DOS based OS and consolidated on the NT platform with XP. Prior to this, people who wrote software for the NT platform understood that it was a network based OS with tightly regimented ACLs, and if they didn't take this into account, their software would not work."
Let me re-write this for you.
"Prior to this, even Microsoft wrote software for the NT platform which didn't take into account the likelihood of tightly regimented ACLs, and this software would not work unless it ran with administrator privileges."
There, fixed the reality for you.