Exploit Based On Leaked Windows Code Released
mischief writes "A post to Bugtraq from SecurityTracker.com reports an Internet Explorer 5 exploit that has been released based on the Win2K code leak: 'It is reported that a remote user can create a specially crafted bitmap file that, when loaded by IE, will trigger an integer overflow and execute arbitrary code.' Only affects IE 5 apparently, but still - it didn't take long!"
Open Source More Secure... maybe not (Score:5, Insightful)
Re:Open Source More Secure... maybe not (Score:5, Insightful)
> like this secret as well.
Yeah, but if Windows were truly open source then there's no chance it'll just be sat on for six months...
Re:Open Source More Secure... maybe not (Score:5, Insightful)
You're right, but open source software don't all conveniently provide security updates for old versions, either. It is definitely better, because if nobody else (package maintainer) does it for you, you can do it yourself. However, let's not sing from the mountaintops, because the TCO for insisting on running Red Hat 5.0 today is probably considerable.
Both forms of development obey the same equation: cost versus benefit. The difference is that the cost in commercial software is entirely calculated based on the perspective of the source code owner. While open source is better, it can still be "too expensive" to fix relative to just upgrading.
Re:Open Source More Secure... maybe not (Score:5, Funny)
Re:Open Source More Secure... maybe not (Score:5, Funny)
Hehe
It may not of been a secret to everyone (Score:5, Insightful)
Re: of been (Score:5, Funny)
It could of been me that was modded insightful for of-ing no grammatical skills.
Well, you know the old saying... birds have a feather, etc.
Of a nice day!
Re:Open Source More Secure... maybe not (Score:5, Insightful)
In other words, had the source code for IE been OSS from day one, then the bug might very well have been found and fixed before the application was widely distributed.
Re:Open Source More Secure... maybe not (Score:5, Insightful)
Re:Open Source More Secure... maybe not (Score:5, Insightful)
It just turns out this one was extra easy to find because the code could be read. It would have been equally easy to fix as to exploit (had non-assholes been reading the source, but fear of contamination is keeping most credible OSS engineers from touching that stuff with a 10-ft debugger), bringing us right back around to the superior security of open-source position.
Re:Open Source More Secure... maybe not (Score:5, Interesting)
These "easy to find" bugs were probably fixed in the huge code audit that MS did as part of their security initiative that happened AFTER the date of the leaked code.
Not to say your point isn't valid, just that the real question is how do you get more intelligent eyes reading the code looking for this stuff. OSS isn't necessarily better, it's just that highly popular projects have lots of eyes. I know plenty of projects that get far fewer eyes and have TONS of bugs. Now that MS is being forced to be secure they are having lots of eyes so we will see in Longhorn if this improved anything.
I will say this, it's easier to trust something that you can look through yourself, it may not be safer but you like it better because if you wanted you could see what was wrong. It's like driving a car vs riding with someone. You are often more at ease when you are behind the wheel because you can see/make/correct the mistakes whereas with another person driving you just have to trust. It has nothing to do with which driver is better.
I will say that Linux and Apache are just great projects with hordes of great developers. It's a testament to the possibilities of the open source model, but it's not proof that the model is better. There are plenty of OSS projects that just suck, and those don't show me that the model is broken.
Finally I will say there isn't the same incentive to make perfect code in a corporation that there is in the OSS community. The corporation is only going to do enough to get the money rolling in because the money is the reward. The OSS programmer is going to write to the very best of his ability because the code itself is the reward. Still doesn't make one model necessarily better than the other. The way we will make Microsoft improve its products is to quit upgrading until they can prove they have a superior product. It seems from the press releases that the pressure of Linux may actually be forcing MS to improve.
Re:Open Source More Secure... maybe not (Score:5, Insightful)
How is this practical? Look at Linux, and more specifically Red Hat. There was a period of a year or two where Red Hat was finding a TON of bugs and fixing them. Why? Because they paid an external auditing firm to find them.
This seems like business as usual until you think about the SuSE user... he gets a security update to openssh and sendmail even though HIS vendor didn't do the audit. This idea that everyone benefits whenever ANYONE in the community does the right thing means that the right thing gets done far more often. It's not that Linux vendors are more security conscious, it's that there are more of them.
When Microsoft gets around to doing a security audit that's great, but they don't benefit when Red Hat does one or when FreeBSD does, etc., and that's hurting them and their reputation.
Re:Open Source More Secure... maybe not (Score:5, Insightful)
it's a pretty moot point
The impact of a bug is probably inversely proportional to the amount of people auditing the code in an open source project...
Sure, there are a lot of small projects that nobody really uses, so there aren't that many eyes for auditing the code... but so what?
The projects are unpopular, so if somebody found a security bug it wouldn't affect that many people (and is it really worthwhile spending the time making an exploit that will affect 1000 users worldwide?)
As long as the popular projects are safe then I don't really care.
Re:Open Source More Secure... maybe not (Score:5, Insightful)
The editors should add an update warning that some source code is in the article. It's like seeing your sister naked. Ack!
Obligatory Monty Python reference:
GOD:
ARTHUR: I'm averting my eyes, oh Lord.
GOD: Well, don't. It's like those miserable Psalms -- they're so depressing. Now knock it off!
Re:Open Source More Secure... maybe not (Score:5, Funny)
It's like seeing your sister naked. Ack!
I don't know. I always thought your sister was pretty hot.
Re:Open Source More Secure... maybe not (Score:5, Insightful)
Re:Open Source More Secure... maybe not (Score:5, Interesting)
I worked at MS once (hated it, quit) and the bug tracking system had a category of "won't fix" bugs - bugs they knew about but had no intention of fixing.
Re:Open Source More Secure... maybe not (Score:5, Insightful)
Just because someone claims something is a bug doesn't mean that it _is_ and must be fixed.
A lot of our bug reports are just user preference/pickiness.
Re:Open Source More Secure... maybe not (Score:5, Interesting)
Re:Open Source More Secure... maybe not (Score:5, Insightful)
Open-source security doesn't come from having the source available. It comes from lots of people actively working on the source. Tell me, how many random hackers do you think will work on the Windows codebase?
This is one of the reasons why "open source" is more than "source available"
Re:Open Source More Secure... maybe not (Score:5, Insightful)
Linux source code has been around for how long? And how many exploits have been released for it?
Re:Open Source More Secure... maybe not (Score:5, Insightful)
Re:Open Source More Secure... maybe not (Score:5, Interesting)
My guess is they would say "We don't support IE5 anymore. Upgrade to IE6SP1". Followed by legal action against you for disclosing M$ trade secrets.
Re:But the question is... (Score:5, Insightful)
Re:off topic, but orthogonal kind of prompted this (Score:5, Funny)
It's an obscurity that provides extra security against exploits like buffer overflows.
Re:off topic, but orthogonal kind of prompted this (Score:5, Interesting)
This is really easy. Back in the good old days, when developers measured memory in kilobytes rather than megabytes, and CPU speeds were expressed in single digit MHz rather than single digit GHz, performance was a BIG issue. The layout of the data inside a bitmap was set up to mimic the memory layout of a video card, so that you could literally just copy the data with no transforms.
Over time, video memory layouts changed, computers got faster, and now have more on-CPU cache than they used to have memory. The rage in software development has come full circle. Instead of trying to optimize things to see how efficient they can be written, it seems to be a goal to see how much overhead one can put into a given application before it actually starts to do something useful. Some things though seem to be trapped in their legacy heritage, and the format of a bitmap is one of them.
so THATS why it was leaked (Score:5, Funny)
"/Dread"
Re:so THATS why it was leaked (Score:5, Interesting)
well, the source is out there (Score:5, Interesting)
And counting (Score:5, Interesting)
Re:And counting (Score:5, Insightful)
Sure, sooner or later hotmail will stop showing bmps in messages and issue a warning like "if you get a message, do not open it, but delete immediately", but hey, I bet the amount of worm emails in my Junk mailbox will increase drastically in the next couple of weeks.
No Problem (Score:5, Funny)
Oh wait.
I'll be first to say it (Score:5, Interesting)
An exploit this quick? There's going to be some serious happenings going on at Microsoft. Also look for another Longhorn delay sometime due to everything that is found out.
I'm not sure what to think. I'm not happy that when I get back to work this summer, I'm going to spend way too much time fighting these problems/viruses and patching things up. I'm not happy businesses are losing money. I am, however, happy that Microsoft is forced to clean up their act even more, or they are going to lose market share.
Open source isn't 'communistic' -- it's capitalistic. Why? It increases competition.
We have an interesting 6 months ahead of us, folks.
Re:I'll be first to say it (Score:5, Insightful)
Actually I think that, if Microsoft doesn't lose its customer base to all the exploits found, it's going to make Microsoft stronger. Think about it, right now Microsoft is receiving the same kind of security review that makes OpenSource products so strong in the first place. Granted, it's coming at a very high cost, but their source code will have much fewer bugs when this is over.
Re:I'll be first to say it (Score:5, Insightful)
but i am happy that this leak happened. it just shows that the code should be out for peer review from day one. security-by-obscurity is second only to security-by-telling-people-what-not-to-do. (e.g.: "don't open that door, there's valuable stuff in that room")
Re:I'll be first to say it (Score:5, Insightful)
There is only one problem: the source code is illegal.
Most people who find and report bugs will probably never see this code, and if they do see it, they'll deny it. This means that most people looking at the source code for bugs are doing so for their own benefit.
It'd be very naive to believe that these black hats will release information about the bugs they found. In the case of this IE5 bug we can say that the guy who found it is probably a young fellow looking for m4d pr0pz.
IMO, this source leak is very bad for MS, for it will get the worst part of both, closed source and open source, worlds. On one hand, every bad guy out there can, and will, see the code, on the other hand every white hat is legally and ethically forbidden to look at the source.
Unless MS is trying to pull an SCO, I can't imagine a worse scenario.
Re:I'll be first to say it (Score:5, Insightful)
Please...you might as well say that BSD is dead. Nobody is happy about all the ruckus that the whole affair is going to raise, but it's a little early to pronounce Microsoft dead.
-h-
Re:I'll be first to say it (Score:5, Funny)
I can see the headlines now;
"New exploit found in IE5"
"Yet another exploit found in IE5"
"Exploit found in Minesweeper"
"Exploit found in Notepad"
"Yet another exploit found in Minesweeper"
"Yet another exploit found in Notepad"
"New exploit found in IE5"
"God damn! Another exploit found in Minesweeper"
.
.
.
"Exploit found in taskbar"
"Exploit found in Times New Roman"
"Exploit found in bootstrap"
"Exploit found in Wingdings"
"Exploit found in
Sounds pretty redundant and boring to me.
-m
Well I got IE6 (Score:5, Funny)
Bugs (Score:5, Insightful)
I for one am truly alarmed and cannot wait for Microsoft to start the repairs; but then again this is good news for MS programmers looking for OT.
Leak a good thing for MS (Score:5, Insightful)
Re:Leak a good thing for MS (Score:5, Insightful)
I'm staying away from the code, and if I were ever tempted to look at it and did discover a vulnerability, I certainly wouldn't release a patch with my name attached.
Outbreak and email renderer (Score:5, Insightful)
Re:Outbreak and email renderer (Score:5, Insightful)
I've seen everyone say that IE 6 isn't vulnerable... and all I keep thinking is: Not to this particular instance of the exploit. That doesn't mean it is free of problems from this class of exploits.
But, you can bet that the person that wrote this one little bit of code wrote a lot of other code. So, what you have in front of you is a class of problem that can be tried over the entire binary code base. You now know that one image handling routine is susceptible to this flaw... and now you can start targeting them all. Without needing access to the source code for that part of the software.
Know how many times Windows (a graphical user interface) handles bitmapped files? Every one of those is a possible point of failure that you don't need the source code to find... simply start feeding something like this bmp to each of them.
Automated testing at its finest.
A quick look at the source code (Score:5, Interesting)
"In short, there is nothing really surprising in this leak. Microsoft does not steal open-source code. Their older code is flaky, their modern code excellent. Their programmers are skilled and enthusiastic. Problems are generally due to a trade-off of current quality against vast hardware, software and backward compatibility."
But this IE exploit shows that the author was wrong on at least one account:
"The security risks from this code appear to be low. Microsoft do appear to be checking for buffer overruns in the obvious places. The amount of networking code here is small enough for Microsoft to easily check for any vulnerabilities that might be revealed: it's the big applications that pose more of a risk. This code is also nearly four years old: any obvious problems should be patched by now".
Re:A quick look at the source code (Score:5, Insightful)
Wrong. He was right. This particular IE exploit has been fixed; it only affects an old version of IE. And IE is free, so there's no real excuse for not upgrading it. If I found a bug in an older version of an open-source app, and filed a bug report on it despite the fact that it had been fixed AGES ago in a newer version, I think I would be told to shut the fuck up and upgrade with little or no delay.
No, the FS/OS world does not insist on upgrades (Score:5, Informative)
No, it doesn't work that way. All the major Linux and BSD distros backport security fixes into older apps that they have released; they do not insist that you upgrade to the next major version. When someone (e.g. Red Hat) drops security coverage for older versions, multiple efforts (Progeny, Fedora Legacy) spring up to fill the gap.
Outlook (Score:5, Insightful)
Gone.. But Never Forgotten (Score:5, Funny)
Good thing all those Goatse pictures were in
The lessons learned (Score:5, Insightful)
When people have access to the source they can more readily find exploitable mechanisms in your code. This is a GOOD thing because you want to know that your system is exploitable, how it is exploitable, and (which is the case in many open projects) how to prevent that exploit.
Any form of content (not just scripts and ActiveX controls) can be used to exploit a weakness in a system. A security strategy that involves simply filtering content is a weak one.
The open source community can be a powerful friend to any organization willing to take the chance on their code being available to others.
Tad Sad. (Score:5, Interesting)
I mean, I've been doing C for almost 20 years. One of the first lessons I learned --And not for 'security' so much as crash free programs-- was not to do such things.
I mean, holy crap, it's too damn simple to see the bug. What kind of idiots do they have working at MS?
"The Very Best Kind"
Re:Tad Sad. (Score:5, Insightful)
Well let me ask you this... look at this brick wall. Now tell me which one of the bricks is actually a rusty piece of metal that just looks like a brick.
It's pretty simple to see this bug now that we're looking right at it. And it obviously was not too hard to find when specifically looking for index-checking bugs. But it's even easier to let something like this slip when you're a tired microserf adding code at 4am trying to meet a deadline. And with the limited resources at Microsoft (huge as it is), that have to be divided into all the different parts of all the different software projects, it's really a hard sell to convince someone to look through all the gazillions of lines of code that have "Just Worked" in the past.
It's easy to judge, but since we really don't know the environment in which this particular bug was introduced, I think we should cut the original programmer a little slack. (not completely, though. Some culpability is appropriate seeing as Microsoft took our money and should be somewhat responsible for the damages caused by the vulnerability of their faulty products)
occurrences of " Don't Care " in MS code (Score:5, Funny)
$ grep -ir " don't care "
332
check it yourself
Well sucks but (Score:5, Insightful)
When Microsoft declared security as their main goal IE5 was the current browser. IE6 has it fixed so they obviously went through their stuff to fix it.
It's very true that bounds checking errors are very easy to prevent but if you say it's sloppy programming to have errors like this in your code you either work in Java or
Re:Well sucks but (Score:5, Insightful)
If they knew it was a security risk, they'd have fixed it in both IE5 and IE6.
Since they didn't, you may safely conclude that MS doesn't "do their job."
Now is a good time to Burn CDs (Score:5, Insightful)
family, co-workers. Introduce them to Linux and
warn them of the dangers of LOOKING AT IMAGES
using Internet Explorer 5.0.
There are many good ones*. Personally I fell in
love with the Knoppix 3.4 c't edition with the
2.6 kernel -- using it gave me my first
experience of non-stuttering KDE with heavy
loads, looping MP3s and lots of useable features
(except detecting the Dell Inspiron 5150's on
board WiFi -- not Centrino).
Pick several, spend a few bucks on good CD-R
discs, make a nice label with "do exactly these
steps" instructions on the label.
It's not about world domination, it's about
stopping the thieving cracker spammers from
gaining more zombie Windows boxes to do their
bidding and ruin the Internet for the rest of us.
* start here:
http://www.google.com/search?q=live+cds+li
This is not BAD news (Score:5, Funny)
I cant wait (Score:5, Funny)
However, I feel bad for the "slashdot team" of the Microsoft PR department. I doubt those guys will have Presidents' Day off. They might even have to pay extra for an additional delivery of "bulk mod points".
This reminds me of "The Ring" (Score:5, Funny)
I posted that vulnerability on August 13, 2000 (Score:5, Insightful)
You didn't need the source code to find that problem. I found it because I was creating compressed .BMP files and accidentally created one that crashed Win2K every time.
If Microsoft doesn't read Slashdot, that's their problem.
Just one little thing... (Score:5, Insightful)
eh... it's not really an IE problem... (Score:5, Insightful)
it's really more of an education problem than a software problem. most computer users (not the
at least that's my 2 cents.
use it for change! (Score:5, Funny)
Re:huh (Score:5, Informative)
Re:huh (Score:5, Insightful)
There are certainly other ways to go about reporting bugs (not that Microsoft will listen to any of them), but blaming the messenger for pointing out that the castle wall is full of holes is a bit misdirected if you ask me.
Cheers
Re:huh (Score:5, Insightful)
Maybe there's something that I'm misunderstanding here. You're suggesting that he's just a messenger -- nothing more? I completely disagree. This person posted an exploit. I'm not sure how it is where you're from, but from where I sit, posting an exploit is on an entirely different level from simply telling someone that their software is full of holes (including how and where).
To use your analogy, rather than being a messenger telling the king that his castle walls are full of holes, this is a little more like designing a weapon to destroy your castle walls, and posting the plans in every neighboring town (which somehow manage to automatically build the weapon, provided you have the right tools). All the recipients have to do is tell the device to build itself, point, and fire.
The point is that this guy was downright irresponsible and should be treated as such. Any sane king would have beheaded this person in a royal heartbeat.
Re:huh (Score:5, Insightful)
I think you might have your terminology backwards. Posting the vulnerability is a favor to people. Posting an exploit is a different story altogether. Since you have a hard time differentiating, let me try to help you out:
Vulnerability: "Hey, look -- I've found this hole in IE. Here it is, fix it. Everyone else -- this software sucks. Use something else."
Exploit: "Hey, everyone (script kiddies included) -- here's some code that I put together that exploits vulnerable boxes. You don't have to know a damn thing to root a vulnerable box. You can use this for anything, spamming, DDoS attacks, mining for credit card numbers -- it doesn't matter -- crack away, oh 31337 ones."
Now can you tell me which is more constructive? The exploit or vulnerability. Now remember that nobody finds an exploit -- they're all written. Vulnerabilities are found. I completely agree that vulnerabilities should be made public -- but as far as exploits -- you're dead wrong.
Now, if you didn't have your terminology backwards, your logic is just irresponsible. How is an exploit any more helpful than a vulnerability report to bugtraq? How could it possibly benefit anyone other than the script kiddies who will eventually get their hands on this code? People need another exploit in the wild like they need another hole in the head. You will still have an opportunity to tell your friends and family about your discovery -- only you'll have time to tell them to update their browser...not that they've probably been rooted.
PS -- next time, if you're less confrontational in your replies -- you will likely receive more friendly responses...ass.
Re:huh (Score:5, Funny)
I'm a safety-conscious Windows user! I never login as "root"! I just use the "Administrator" account instead!
Re:huh (Score:5, Insightful)
Re:huh (Score:5, Funny)
You say that as if it were unusual. ;)
Re:huh (Score:5, Insightful)
Just search for all stack arrays in the source...
$ egrep "\[[[:digit:]]+\]"
Combine a search as above with one for calls to strcpy(), strcmp(), sprintf(), [or any other C runtime/misc. function that fails to check input], and you have an even smaller lump of code to inspect.
So, the 13 year old wouldn't need extensive knowledge, just what you could glean from reading an article or two on buffer overflows. Still, I'd bet it's a seasoned socially backward individual.
Anyway, good question to ponder.
Contaminated! (Score:5, Funny)
I will no longer be able to code a buffer reading algorithm with an overflow bug without violating Microsoft's IP.
Re:Text of advisory (Score:5, Interesting)
Re:Text of advisory (Score:5, Funny)
I doubt anyone would consider showing 10 lines or so of source code out of millions a copyright violation
SCO does.
Re:Text of advisory (Score:5, Informative)
Re:Funny comment by the bugtraq submitter (Score:5, Funny)
Re:You thought Microsoft were tardy with (Score:5, Funny)
Re:You thought Microsoft were tardy with (Score:5, Funny)
Re:You thought Microsoft were tardy with (Score:5, Interesting)
I know, UAs get faked all the time...
* Depends on which site you look at.
Re:Smells (Score:5, Insightful)
Re:Smells (Score:5, Informative)
It's no hoax.
Re:Smells (Score:5, Informative)
Wrong (Score:5, Informative)
b) You wouldn't think that an overly long PASS string sent to an ftp server would be able to execute commands - but it can. If you can overflow a buffer and force it to work its way back up the stack then you could convince mouse gestures to execute commands.
Re:What the fuck? (Score:5, Insightful)
2. check int against sizeof(yourbuffer)
3. reject if greater
Not exactly a challenging task
It all goes to the quality of the coder. This is just plain bad code. I learned how to write something to check these kinds of things in middle school.
Re:What the fuck? (Score:5, Funny)
1. load int from char array
2. check int against sizeof(yourbuffer)
3. user=root if greater
Re:What the fuck? (Score:5, Funny)
It went something like this:
You position yourself behind a functional input screen, and start hammering viciously and blindly. The latter is important, the more blind the better, it invokes the Holy Random God. Repeat for 5 minutes. You repeat this for each input screen.
If the screen showed anything similar to "ERROR: OTHER INPUT EXPECTED" it passed.
If it showed anything similar to "OK, 98zxc3v4^DD^C^Z NEW CUSTOMERS ADDED" or failed to read at all due to overly blinkeyness or so, it failed.
I understand MS needs more monkeys.
"/Dread"
Re:What the fuck? (Score:5, Interesting)
This is moderated as funny... but it's true. You can even get software to automate the process. It just sends random keypresses and mouseclicks to the application under test, very very fast. You leave it running overnight. If your application is still stable the next day, it passed.
It's scary how many bugs a simple test like this can throw up...
Re:What the fuck? (Score:5, Informative)
Re:What the fuck? (Score:5, Funny)
Re:What the fuck? (Score:5, Funny)
Re:What the fuck? (Score:5, Funny)
Re:What the fuck? (Score:5, Informative)
(in fact, looking at the code snippet in the vulnerability notification [securitytracker.com], they do check against Offset > size of buffer)
Re:What the fuck? (Score:5, Insightful)
Fuck MSFT it's called bounds checking. e.g.
1. load int from char array
2. check int against sizeof(yourbuffer)
3. reject if greater
AHahahaha, you know you just made the exact mistake MS did. You're using ints, not unsigned ints. Reject if greater does nothing if it's less than 0, which would still cause an overflow.
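The signed-comparison pitfall raised in the comment above, as an added example that is not part of the original thread and not Microsoft's code. The record layout (4-byte offset, 4-byte length, payload), the function names and the 64-byte buffer are assumptions made for illustration; the sample records are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define PIXBUF_SIZE 64  /* hypothetical destination buffer size */

/* Constructed sample records: [offset LE32][length LE32][payload...] */
static const unsigned char rec_ok[]  = {0x04,0,0,0, 0x03,0,0,0, 'a','b','c'};
static const unsigned char rec_neg[] = {0xF0,0xFF,0xFF,0xFF, 0x04,0,0,0, 'X','X','X','X'};
static const unsigned char rec_big[] = {0x3C,0,0,0, 0xFF,0xFF,0xFF,0x7F};

/* Step 1 from the thread: load a 32-bit little-endian int from a char array. */
static int32_t load_le32(const unsigned char *p)
{
    uint32_t v = (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
                 ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
    int32_t s;
    memcpy(&s, &v, sizeof s);   /* reinterpret bits without a lossy cast */
    return s;
}

/* Flawed check: the bound is kept in a signed int and only the upper limit
 * is tested. Returns 1 if the offset would be accepted. */
static int accepts_signed(int32_t offset, int32_t bufsize)
{
    if (offset > bufsize)
        return 0;               /* "reject if greater" */
    return 1;                   /* a negative offset falls through here */
}

/* Hardened check: reject negatives first, then compare as unsigned and
 * test the length by subtraction so offset + len can never wrap. */
static int accepts_checked(int32_t offset, int32_t len, size_t bufsize)
{
    if (offset < 0 || len < 0)
        return 0;
    size_t off = (size_t)offset;
    size_t n = (size_t)len;
    if (off > bufsize)
        return 0;
    if (n > bufsize - off)
        return 0;
    return 1;
}

/* Copy a record's payload into dst at the requested offset.
 * Returns 0 on success, -1 if the record is rejected. */
static int copy_record(const unsigned char *rec, size_t reclen,
                       unsigned char *dst, size_t dstsize)
{
    if (reclen < 8)
        return -1;                              /* header incomplete */
    int32_t offset = load_le32(rec);
    int32_t len = load_le32(rec + 4);
    if (!accepts_checked(offset, len, dstsize))
        return -1;                              /* outside destination */
    if ((size_t)len > reclen - 8)
        return -1;                              /* payload not in input */
    memcpy(dst + offset, rec + 8, (size_t)len);
    return 0;
}

int main(void)
{
    unsigned char dst[PIXBUF_SIZE] = {0};
    int32_t neg = load_le32(rec_neg);

    printf("offset %d: signed-only check accepts=%d, hardened accepts=%d\n",
           (int)neg, accepts_signed(neg, PIXBUF_SIZE),
           accepts_checked(neg, 4, sizeof dst));
    printf("rec_ok  -> %d\n", copy_record(rec_ok, sizeof rec_ok, dst, sizeof dst));
    printf("rec_neg -> %d\n", copy_record(rec_neg, sizeof rec_neg, dst, sizeof dst));
    printf("rec_big -> %d\n", copy_record(rec_big, sizeof rec_big, dst, sizeof dst));
    return 0;
}
```

The third record shows the related overflow case: an in-range offset paired with a length close to INT32_MAX, which a check written as `offset + len > size` would miss once the sum wraps.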
Ha Ha Only Serious (Score:5, Insightful)
You laugh, but I won't be the least bit surprised when this very logic finds its way to the receptive ears of less-than-tech-savvy corporate officers...
"Linux? Good god no, man! Didn't you see what happened when just a bit of the Microsoft source code got leaked? I thought you were up on these things!"
Re:Ha Ha Only Serious (Score:5, Interesting)
- Since the Linux kernel got started it was open, and it had a lot LESS flaws than Windows during the same time period.
- With code open to everybody, the credibility of the writers depends on the quality they were assessed, and so they must write good code.
- Windows, being closed in nature, can hide their flaws to an extent, until they were opened like so. Still, when it was closed it didn't stop hackers from finding holes.
I'm disappointed (Score:5, Funny)
Re:The bitmap in question... (Score:5, Funny)
Re:Get the source code from Freenet (Score:5, Funny)
Re:Ignore it! (Score:5, Insightful)
Why don't you want to see MS software improve? My guess is that you think of your OS choice as a religion or a political statement, which makes you just as bad as pro-MS zealots.
If MS code gets stronger and less buggy, everyone benefits. Remember how many worms have caused major Internet congestion problems? How many spammers now use trojans/worms to create relays for themselves? I don't think I'm the only advocate of Open Source who thinks that it would be a good thing to see more quality come from Microsoft.
I'm no fan of MS, but I am a fan of quality software. If MS can improve the stability and security of their products then it's a Good Thing(tm) for everyone, even those who don't use said products.
The real reason to ignore the code is so that MS can't try to pull a SCO and claim that OSS projects are stealing their code.
Re:they use GOTO? (Score:5, Insightful)
You're seeing an example of one of the very few instances where goto is considered "acceptable" to use. Sometimes you code a function which winds up a lot of complicated state, and a failure halfway through requires that you "unwind" the partially constructed state. This is most easily accomplished by having a "bailout ladder" which can be jumped into (via goto) from various points in the code above.
The only other solution involves lots of code duplication, or very bizarre function calls such as CleanupMyState(&context, 6) which just ends up using a Duff's Device in a switch() statement to simulate the use of goto in precisely such a manner, anyway.
When you find that the cleanest way to do something is goto, then the solution is goto. What is the point in contorting your code just to follow a piece of dogma that was only meant as a guideline anyway? Remember, the point is clarity, not adherence to dogma.
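The "bailout ladder" described in the comment above, as an added example (not code from the leaked source or from the thread). The decoder structure, the allocation sizes, the allocation counter and the `fail_at` test hook are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>

/* Instrumentation for this example only: number of live allocations. */
static int live_allocs = 0;

static void *tracked_alloc(size_t n, int force_fail)
{
    void *p = force_fail ? NULL : malloc(n);
    if (p)
        live_allocs++;
    return p;
}

static void tracked_free(void *p)
{
    if (p) {
        free(p);
        live_allocs--;
    }
}

/* Hypothetical object whose construction winds up state in stages. */
struct decoder {
    unsigned char *header;
    unsigned char *palette;
    unsigned char *pixels;
};

/* Builds a decoder in three stages. fail_at (1..3) forces that stage to
 * fail so the unwind path can be exercised; 0 means no forced failure.
 * Returns 0 on success, -1 on failure with nothing left allocated. */
static int decoder_create(struct decoder **out, int fail_at)
{
    struct decoder *d;

    *out = NULL;
    d = tracked_alloc(sizeof *d, 0);
    if (!d)
        goto fail_none;
    d->header = tracked_alloc(54, fail_at == 1);
    if (!d->header)
        goto fail_decoder;
    d->palette = tracked_alloc(1024, fail_at == 2);
    if (!d->palette)
        goto fail_header;
    d->pixels = tracked_alloc(4096, fail_at == 3);
    if (!d->pixels)
        goto fail_palette;

    *out = d;
    return 0;

    /* The ladder: each label releases one stage and falls through to the
     * labels below it, so cleanup runs in reverse order of construction. */
fail_palette:
    tracked_free(d->palette);
fail_header:
    tracked_free(d->header);
fail_decoder:
    tracked_free(d);
fail_none:
    return -1;
}

static void decoder_destroy(struct decoder *d)
{
    if (!d)
        return;
    tracked_free(d->pixels);
    tracked_free(d->palette);
    tracked_free(d->header);
    tracked_free(d);
}

/* Runs one create/destroy cycle and reports how many allocations leaked. */
static int leaked_after(int fail_at)
{
    struct decoder *d = NULL;
    if (decoder_create(&d, fail_at) == 0)
        decoder_destroy(d);
    return live_allocs;
}

int main(void)
{
    for (int stage = 0; stage <= 3; stage++)
        printf("fail_at=%d leaked=%d\n", stage, leaked_after(stage));
    return 0;
}
```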