Microsoft

Windows 98, Me, NT4, 2000 and XP SSL Flawed 542

JoeSmack writes "In amazingly unexpected news, ComputerWorld is running an article that says the SSL security hole found in Internet Explorer is not a flaw in the browser, but in the operating system itself." The article mentions that Konqueror was patched against the same bug in 90 minutes.
  • Re:favorite quote (Score:2, Informative)

    by Ed Bugg ( 2024 ) on Friday August 16, 2002 @03:31PM (#4084840)
    Ummm I use crypto services outside of my browser all the time. My VPN client that I use to attach to my company's network. I at times have a need to send encrypted/signed emails. My network uses Novell's NDS which heavily uses digital certs (hidden from the user) for authentication. My wife's computer is running WinXP and every time it loads a driver it checks the digital signature on the driver.
    I'm sure that others that use Windows more than I do can come up with other applications that use the crypto API.
  • Re:Yet again... (Score:5, Informative)

    by ergo98 ( 9391 ) on Friday August 16, 2002 @03:32PM (#4084852) Homepage Journal
    Sweet time? Indeed, saying that the Konqueror team fixed it in 90 minutes makes them sound very irresponsible, not proactive: Every change like that can have hundreds of ramifications, and I assure you that there is a programmer at Microsoft who could point to a particular segment of code and say "There, we just need to change that line right there". But after several high profile incidents where someone did a change and it broke a dozen large applications, they seem to be a lot more wary about that nowadays. Working in software development, I've seen many situations in large systems where someone wanted to rush out an incompletely thought out feature or fix and the net result was disaster.
  • by OnyxRaven ( 9906 ) on Friday August 16, 2002 @03:38PM (#4084895) Homepage
    Blockquoth platypus:


    actually the idea to put security sensitive piece of software in a library isn't bad.
    While I have no idea how this specific case is handled in linux, it's clear that also in linux cryptographic libraries exist and are used throughout different apps.

    Exactly right and having the crypto in a library everyone can get at is a good thing. What you missed was that this Windows problem isn't in the security library it should have been in.

    "Company officials added that the flaw isn't in Microsoft's CryptoAPI application program interface (CAPI) either, which would have left a number of applications and Windows services vulnerable, not just Internet Explorer."

    So they screwed up and didn't include this code for verifying trust signatures in their API, it's somewhere in the OS.

    And although knowing MS's previous security problems, it's highly unlikely that this is a problem in the kernel, since it affects NT based as well as 9x based systems.
  • by FreeLinux ( 555387 ) on Friday August 16, 2002 @03:47PM (#4084974)
    You do have some valid points that should be addressed and probably will be over time. But, lest we forget, this bug was reported to Microsoft a very long time ago. Furthermore, MS has not been trying to fix the bug. Instead they chose to try to place the blame on Verisign.

    Regardless of whether Verisign should shoulder some of the blame or not, Microsoft simply dismissed a potentially serious problem. A week later, we find out that, not only is it Microsoft's problem, but it is in the OS itself not just the browser like we had thought. Conversely, KDE was able to identify the problem and produce a fix in 90 minutes.

    Now, to your point about the availability of the patch to everyone, as I said you have a point. But, if you check out KDE's site you will find that they clearly state that they do NOT distribute binaries. KDE distributes source code only and that patched source code is, and has been, available. KDE leaves binary distribution up to the distros to handle. So, Suse and Red Hat et al need to step it up a bit but, KDE did a great job!

  • by Jeremiah Cornelius ( 137 ) on Friday August 16, 2002 @03:51PM (#4085004) Homepage Journal
    Dsniff was used as part of the practical exploit here.

    The BugTraq [securityfocus.com] post describes the nature of a MOTM exploit using this vulnerability.

    A BugTraq reader [securityfocus.com] was able to successfully demonstrate this [ipsec.pl] using dsniff and OpenSSL as his tool kit. Screenshots [ipsec.pl] on his site illustrate this, with his own bank account!

  • Re:Browser == OS (Score:2, Informative)

    by optikSmoke ( 264261 ) on Friday August 16, 2002 @03:54PM (#4085024)
    Actually, the fact that it is in the CVS makes it accessible to anyone who wants it. Granted not many end users will connect to the CVS and get the latest dev version of KDE, but at least it's there.

    On top of this, I believe there has been mention of them backporting the fix as far back as KDE2.2.2 so users who don't want to get the fix from CVS can fix their systems.

  • Re:Browser == OS (Score:3, Informative)

    by LMCBoy ( 185365 ) on Friday August 16, 2002 @03:56PM (#4085038) Homepage Journal
    The fix was also backported to non-HEAD branches of CVS. So, all you'd have to do is specify a "stable" branch like KDE_3_0_BRANCH.
  • by 2short ( 466733 ) on Friday August 16, 2002 @03:57PM (#4085042)
    And note that I got the patch from windows update this morning. Total effort required by me: one mouse click.

    Wait! what am I saying! this is slashdot, quick, ignore the facts:
    "Micro$oft will probably patch this in a year, and then no one will get it cuz it requires 34 reboots to install"
  • by coyote-san ( 38515 ) on Friday August 16, 2002 @04:11PM (#4085125)
    The most important thing in this story - and why the KDE fans should shut up and hide in a corner - is not the relative time to patch this mindnumbingly stupid bug, but the fact that both Microsoft and KDE made that mindnumbingly stupid mistake in the first place.

    I've been auditing some of the SSL code in various applications, and sending in patches where the original submitter thought that SSL "was just like" sockets and didn't bother to do things like checking certificate chains or setting up support for perfect forward secrecy. In some cases the "SSL" support was really just SSL-tunnels in disguise and there was a bit of resistance to changes that would force the secadmin to set up true certificates for server and possibly clients. But most accepted the need, when I pointed out that if you really need to know the server (or client!) that you're talking to you must fully check your certs.

    For instance, if your database is used to store information about ongoing criminal investigations, you do not want the bad guys to be able to masquerade as your trusted database. You want certs on the server, you want certs on the client (to keep the bad guys from connecting and adding "exculpatory" evidence to their own files), and you want to validate all of these certs.

    It's one thing for a database or NNTP server to have a broken SSL implementation. After all, we don't, yet, expect them to have SSL so the people who need to use it may well check the source for themselves. But there's absolutely no excuse for a web browser to fail to check the path. If there's any question whatsoever, pop up a warning and let the user decide whether "Joe Smith" can be trusted to sign Microsoft's security web site cert.

    (* With real SSL tunnels you can still require valid host and user keys all around. With these broken applications, you can't.)
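
The checks the comment above asks for (verified certificate chains, certificates on both server and client, forward secrecy), written against Python's standard `ssl` module as an added example; it is not code from the commenter or from any project named in the thread, and the function names are made up for illustration.

```python
import ssl

def sockets_style_client():
    """Client that treats SSL 'just like' sockets: it encrypts but verifies nothing."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # has to be cleared before verify_mode can be relaxed
    ctx.verify_mode = ssl.CERT_NONE  # any certificate, signed by anyone, is accepted
    return ctx

def checked_client():
    """Client that validates the server's chain and name, forward-secret suites only."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.set_ciphers("ECDHE+AESGCM")  # governs TLS 1.2 and below; TLS 1.3 is always ephemeral
    return ctx

def checked_server():
    """Server that refuses clients without a certificate it can validate."""
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
    ctx.verify_mode = ssl.CERT_REQUIRED  # certs on the client too
    ctx.set_ciphers("ECDHE+AESGCM")
    # A deployment would also call load_cert_chain() with the server's own key and
    # load_verify_locations() with the CA that issues client certificates.
    return ctx

def audit(ctx, is_server):
    """Return the list of certificate-checking gaps found in an SSLContext."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("peer certificate chain is not verified")
    if not is_server and not ctx.check_hostname:
        findings.append("server name is not matched against the certificate")
    # TLS 1.3 suite names start with "TLS_"; older suites need (EC)DHE key exchange.
    static_kx = [c["name"] for c in ctx.get_ciphers()
                 if not c["name"].startswith("TLS_") and "DHE" not in c["name"]]
    if static_kx:
        findings.append("suites without forward secrecy: " + ", ".join(static_kx))
    return findings

if __name__ == "__main__":
    for label, ctx, is_server in [("sockets-style client", sockets_style_client(), False),
                                  ("checked client", checked_client(), False),
                                  ("checked server", checked_server(), True)]:
        print(label, "->", audit(ctx, is_server) or "no findings")
```
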

  • by RoundSparrow ( 341175 ) on Friday August 16, 2002 @04:28PM (#4085268)

    I believe that the common scripting engine for HTTP - called MSXML - might be impacted.

    In other words, I suspect the 2nd statement isn't correct...
  • by kawika ( 87069 ) on Friday August 16, 2002 @04:36PM (#4085334)
    I think they may be referring to the SSPI [microsoft.com] interface, which supports SSL when used with Schannel.

    The reason it probably affects just IE is because this is an obscure API that most apps don't need to use. Cross-platform apps that need secure communications have probably rolled their own solutions.
  • by cp5i6 ( 544080 ) on Friday August 16, 2002 @05:05PM (#4085554)
    How many people out there are REAL Windows Admins? Seriously? I bet not that many are true windows admins. Using windows does not qualify you as an admin. I'll admit I'm very weak on my nix admin but that's because I don't bother learning about it. In my mind Windows 2k can be just as good an OS. I bet many of you don't know that Microsoft's knowledge base actually keeps track of all its bugs and patches for them before they stick it on Windows Update for the rest of the masses. I bet many of you don't know that microsoft has a tool called hfnetchk ... what does it do?.. It'll download the LATEST patches that microsoft has available for you to use. It'll check your system to see what patches are installed and what aren't and give you a report telling you which article # in MS knowledge base you can find the patch for your problem. More tools you want?... How about Qchain... (which I know many of you don't know about either) that lets the user install multiple patches WITHOUT rebooting your system multiple times. For IIS Windows has IISlockd .. which many wanna-be admins didn't bother finding out during the time when nimda worms were going crazy. And the list goes on I can easily list pages worth of other tools that windows has that most people don't know about because they're ignorant. If anything I'd say windows has done a wonderful job by making people lazy. But let's take a step back. I bet many of you are saying pfft the Nix machines have this and that tool. Think about that for a moment.. why would a multibillion dollar corporation, who have a million times more resources than the average linux programmer, not bother to make a similar tool for windows if it's so useful? Kinda defies logic doesn't it especially since nowadays with IBM's backing of linux MS needs to compete performance and feature wise even more (or are you going to tell me that MS has a stranglehold on IBM?). So before anyone else goes on with the typical "wat you expect form MS", read up about what MS really has and actually maintain an intellectual conversation
  • Re:Slow down there. (Score:3, Informative)

    by Malcontent ( 40834 ) on Friday August 16, 2002 @06:20PM (#4086047)
    Let's say you need to update a 100 windows machines when MS finally gets around to issuing a patch. What do you do? Go to each machine and press windows update, answer a few questions, click a few buttons, and reboot at least once.

    Let's say you need to do the same thing with a 100 debian machines. You write a script which takes about 15 minutes and you run it.

    Which costs you less time and money?
  • Re:Browser == OS (Score:3, Informative)

    by RelliK ( 4466 ) on Friday August 16, 2002 @07:28PM (#4086358)
    Well, this summer alone, I have seen a fair number of Konqueror security flaws posted

    How many? One?

    Also, most vendors do not provide CVS packages for things like this. Hell, debian still doesn't even have an official KDE3. And even if there is a CVS version, how many people are going to be quick to hop on it, considering the code in CVS is typically beta at best? And what newbies are even going to know about this?

    Some ridiculously stupid mumbles there. Each distribution has an easy way of upgrading the packages. In Debian it's "apt-get update; apt-get upgrade". In Mandrake & RedHat you just run the GUI updater software. The update icon is right there on the desktop.
    Nobody is suggesting that you should install a CVS version of software to get a security fix. The fixes are backported into the stable branches of the software, and vendors package them. Wow, what a concept!

    And then your issue on bugfixes. Are you trying to say that OSS patches never break anything?

    No, I'm saying that Microsoft breaks stuff more often despite taking months to release a fix.

  • Re:Browser == OS (Score:3, Informative)

    by the eric conspiracy ( 20178 ) on Friday August 16, 2002 @08:12PM (#4086668)
    they claim it was "Alpha" and can "patch the patch" (read: APATCHY web server

    The "patchy" web server has a security record so far superior to Microsoft's IIS that the edge is more like 4 milliseconds vs. 4 billion years.

    The number and severity of compromises of IIS is legendary (the FBI has ranked IIS as the number one security problem on the internet). There have been times where the servers I administer have been receiving more hits from compromised IIS installations trying to spread virii than they have from legitimate users. The problem got so severe last summer that my broadband ISP had to block port 80 to keep their network up.

    And this is NOT an issue of population base causing statistics to be skewed - the patchy web server has more installations than all others combined.

  • by anonymous cupboard ( 446159 ) on Saturday August 17, 2002 @02:40AM (#4088047)
    MSKB doesn't get the stuff that quickly, nor the special security bulletins.

    I have hfnetchk and yes, it works and d/ls patches that Microsoft have released. If they haven't released the patch yet, you are stuffed. I also have qchain and I don't trust it (some fixes didn't stick after being chained) and anyway, why should I have to run it? I manage 2K server boxes and it makes life easier.

    However, there are a lot of 0wn3d 2K and XP boxes out there which can be used to DOS me, you or Slashdot at the drop of a hat sitting on Cable modems or ADSL. The guys running those boxes are at home and as someone else points out over half couldn't find the C:\ prompt if they tried.

    On Linux, I use RedHat's up2date and Ximian's Red Carpet. Very nice and very prompt with fixes. I also have Gentoo, but this is definitely not for people who dislike shell prompts.

  • > I hope that Opera's Not affected by this

    It is.

    But they posted V 6.05 within 24 hours, making the fix available to Joe A. User before anyone else.
