Two Unofficial IE Patches Block Attacks
Pentrex writes "eWeek reports that two well-respected Internet security companies (eEye and Determina) have released unofficial patches to correct the vulnerability being exploited to load spyware, bots and Trojan downloaders on Windows machines. Microsoft isn't sanctioning the third-party patches, which include source code for review. As always, the advice is to weigh the risks before opting for an unofficial hotfix."
Other patches: (Score:5, Funny)
1 [apple.com] and 2. [mozilla.com]
Re:Other patches: (Score:4, Insightful)
1. [apple.com] and 2. [mozilla.com]
Yeah, but only number 2 "include source code for review."
Re:Other patches: (Score:2, Insightful)
Re:Other patches: (Score:5, Informative)
Not entirely true. You can review the code for darwin, and you can review the code for WebKit.
The only thing you can't review is the UI drawing code in AppKit/Quartz/Cocoa etc.
Re:Other patches: (Score:2)
Re:Other patches: (Score:3, Insightful)
Re:Other patches: (Score:3, Insightful)
So what is OS X? A VMS offshoot? Grandparent is a total disclosure zealot. I don't condemn the grandparent for having this attitude.
Re:Other patches: (Score:2)
WebKit is still open source, but frankly, WebKit sucks. Gecko (firefox) is much nicer. (Safari has a prettier GUI, but it least Firefox doesn't crash hard when you do something "illegal" to the DOM tree!)
It's weird that I've had a Mac for a bit over two years now, and I've stopped using "mac" programs. Right now I
Re:Other patches: (Score:2)
Re:Other patches: (Score:2)
Re:Other patches: (Score:2)
Free as in... (Score:3, Insightful)
The question is, would people patch if they had to pay for them?
Re:Free as in... (Score:2, Insightful)
Re:Free as in... (Score:3, Interesting)
Re:Free as in... (Score:2)
Re:Free as in... (Score:2)
Windows 3.1
Windows 98
Windows ME (Bwah ha ha)
Windows XP
and ultimately Vista.
People will pay for bug fixes if you market them well enough...
Re:Free as in... (Score:2)
Bug fixes (Score:2)
Wowzorz. Newer operating systems are not "bug fixes" for older ones. Believe it or not, Windows XP has a few more features over 3.1...
Re:Bug fixes (Score:3, Insightful)
Win 3.1 was an (admittedly significant) upgrade of 3.0 which they charged for.
Similarly 98 was incremental on 95, 98SE on 98, Me on 98SE all of which you had to pay for yet none of which offered significantly more than bug fixes & drivers.
That's my point.
Are there not risks even with official patches? (Score:5, Insightful)
As always, the advice is to weigh the risks before opting for an unofficial hotfix.
Is this not something that smart admins/companies do even with official patches and fixes? To me, the fact that the source was released shows that these people are quite serious about being taken seriously. I suppose that is better than MS assurances that they extensively tested the fix before release.
Re:Are there not risks even with official patches? (Score:4, Insightful)
Re:Are there not risks even with official patches? (Score:5, Insightful)
Re:Are there not risks even with official patches? (Score:2)
Re:Are there not risks even with official patches? (Score:2)
Leading the industry in patches that break the OS and introduce new security holes, yes.
Re:Are there not risks even with official patches? (Score:5, Insightful)
This is quite far from the truth. Reading source code will not find the integration problems that can come up when you release a patch on millions of machines with different configurations.
Re:Are there not risks even with official patches? (Score:2)
With the source, you're in control of your computing experience. Without the source, you're M$'s bitch.
(Yeah, yeah, I used M$ instead of Microsoft. Habit.)
Re:Are there not risks even with official patches? (Score:2)
Re:Are there not risks even with official patches? (Score:2)
I guess in some circles, IE isn't still considered a virus.
Re:Are there not risks even with official patches? (Score:2)
How do they even write these patches??? (Score:5, Interesting)
Yep, the more I watch the ills that befall the Microsoft-bound, the more I'm happy with my decision to go Linux-only a few years back.
Re:How do they even write these patches??? (Score:5, Informative)
Once I had the name of faulty function, I disassembled it using IDA Pro and found the bug by reading the disassembly. With enough reverse engineering experience reading disassembled code is not much harder than reading C source code. It just takes longer.
The IE vulnerability is caused by a function called with incorrect parameters which returns SUCCESS instead of an error code. The caller believes that the function succeeded and tries to use an uninitialized variable. The patch is a single byte change in mshtml.dll. The patched function now returns a valid error code and the vulnerability is stopped.
This free patch is just a demonstration of what we do every month as part of our LiveShield product. It is a lot more advanced, but the idea is similar. We use the vulnerability analysis techniques described above to create "shields" that detect and stop specific Microsoft vulnerabilities. The coolest part is that the shields can be inserted and removed at runtime, without having to reboot any of the running applications.
Alexander Sotirov
Security Research
Determina Inc.
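The bug class Sotirov describes, as an added illustration in C that is neither Determina's patch nor Microsoft's code: a callee that reports success on its parameter-validation failure path, a caller that trusts that return code, the one-value fix, and a sentinel-fill check that exposes the lying return code. All names, the status codes and the Box type are constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Constructed HRESULT-style status codes, not the real mshtml.dll values. */
typedef long STATUS;
#define STATUS_SUCCESS 0L
#define STATUS_INVALID_PARAM (-1L)

typedef struct { int width; int height; } Box;

/* Buggy callee: rejects bad parameters but still reports success, so *out
   is never written. This is the shape of the bug described in the comment. */
static STATUS get_box_buggy(const char *name, Box *out) {
    if (name == NULL || out == NULL) return STATUS_SUCCESS; /* bug: wrong code */
    out->width = (int)strlen(name);
    out->height = 2;
    return STATUS_SUCCESS;
}

/* Fixed callee: the only change is the return value on the failure path. */
static STATUS get_box_fixed(const char *name, Box *out) {
    if (name == NULL || out == NULL) return STATUS_INVALID_PARAM;
    out->width = (int)strlen(name);
    out->height = 2;
    return STATUS_SUCCESS;
}

typedef STATUS (*box_getter)(const char *, Box *);

/* Stands in for a debug-build stack fill; keeps the "uninitialized" read
   deterministic so the garbage value can be observed instead of being UB. */
#define SENTINEL 0x7FFF

/* A caller that trusts the return code. With the buggy callee and a NULL
   name it computes an area from the never-written Box. Returns -1 only when
   the callee honestly reports failure. */
static int area_via(box_getter getter, const char *name) {
    Box b = { SENTINEL, SENTINEL };
    if (getter(name, &b) != STATUS_SUCCESS) return -1;
    return b.width * b.height;
}

/* Detection heuristic: success reported while the output still carries the
   fill pattern means the callee claimed success without producing a result. */
static bool reports_false_success(box_getter getter, const char *name) {
    Box b = { SENTINEL, SENTINEL };
    return getter(name, &b) == STATUS_SUCCESS &&
           b.width == SENTINEL && b.height == SENTINEL;
}
```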
Re:How do they even write these patches??? (Score:2, Insightful)
From the EULA:
"LIMITATION ON REVERSE ENGINEERING,
DECOMPILATION, AND DISASSEMBLY. You may
not reverse engineer, decompile, or disassemble the
Product"
Re:How do they even write these patches??? (Score:2, Insightful)
Re:How do they even write these patches??? (Score:2)
Assembler and debugging references (Score:3, Informative)
I would be surprised if Alexander used the Visual Studio debugger; more likely he used SoftICE or one of the Windows debuggers (NTSD/CDB/KD/WinDbg). SoftICE is a commercial product sold by Compuware and provides both user-mode and kernel-mode debugging. A version of the NTSD debugger comes with Windows,
Re:Assembler and debugging references (Score:2)
Re:How do they even write these patches??? (Score:5, Interesting)
When I do use a debugger, it's usually WinDbg. I like the command line interface and it has very good support for all versions of Windows. A lot of other security researchers use OllyDbg. For kernel debugging I use both WinDbg and SoftIce. SoftIce has the advantage of being able to follow code from user space to kernel space and back, which is very useful for analyzing kernel vulnerabilities.
Alexander Sotirov
Security Research
Determina Inc.
Re:How do they even write these patches??? (Score:5, Interesting)
Re:How do they even write these patches??? (Score:2, Funny)
They're cooler after you shear them
Re:How do they even write these patches??? (Score:2)
Re:How do they even write these patches??? (Score:2)
Re:How do they even write these patches??? (Score:2)
It was an MFC app, so the source was available,
one of the members on the class I was having
trouble with called a Win32 function, then
ignored that function's return code and returned
TRUE.
Re:How do they even write these patches??? (Score:2)
But wouldn't it have been nicer to run it in gdb with the source code, or in ddd, and been able to find the broken source and patch it for the future?
And as "Trusted Computing" takes off, and starts doing cryptographic signing of system binaries like MS-Office and core system files like Internet Explorer's dll's, isn't your patch going to be detected as a gross security violation and cause the security tools to start shriekin
Re:How do they even write these patches??? (Score:2)
Re:How do they even write these patches??? (Score:5, Informative)
from the article
Re:How do they even write these patches??? (Score:2)
I'm waiting for the official IE patches (Score:3, Funny)
weigh the risks (Score:3, Insightful)
Re:weigh the risks (Score:2)
Re:weigh the risks (Score:2)
- Reinstall windows with no 3rd party apps. Install patch, still broken - refer to your dealer for a hardware issue
- The above and it breaks after 3rd party app is installed - refer to the 3rd party vendor
- etc. etc.
Re:weigh the risks (Score:2)
Yeah. I called Microsoft tech support after Windows decided not to boot after I upgraded IE, and they told me I could pay them $200 for help. I'm thinking that relying on MS to help you if something breaks is a bad plan.
Re:weigh the risks (Score:2)
You get free install support but have to pay after a certain time. Everything else can be fixed by searching the interweb though. You sometimes have to go deep into the search before you find something useful. There seems to be a lot of incomplete errors out there in a search where someone either
But how many would install them? (Score:5, Insightful)
Most of them are going to be patched only when MS releases the patch, AND they have selected to be updated automatically.
It's a horrible situation.
Re:But how many would install them? (Score:2, Insightful)
Fat, slow, and lazy (Score:2, Insightful)
Re:Fat, slow, and lazy (Score:2, Troll)
Re:Fat, slow, and lazy (Score:5, Insightful)
Re:Fat, slow, and lazy (Score:3, Insightful)
Re:Fat, slow, and lazy (Score:2)
Re:Fat, slow, and lazy (Score:2)
Unfortunately, as has been shown time and time again, Microsoft answers to no one.
Applying Patches Is Not Free (Score:5, Informative)
Re:Applying Patches Is Not Free (Score:2)
Re:Applying Patches Is Not Free (Score:2)
Re:Applying Patches Is Not Free (Score:2)
Re:Applying Patches Is Not Free (Score:5, Insightful)
This whole "scheduled patching" bit really is BS. All it does is leave critical problems unpatched longer than necessary, so that managers can point to MS when bad shit happens to the network. "Well, we couldn't patch until two days after patch-day, because we needed to test the patches." works lots better than "We got fucked because I decided that it wasn't critical enough to test and deploy right away."
While I can see where it would make a lot of people more comfortable to know that there is patching every third Wed or something, I just don't see the value in withholding critical patches because "they aren't scheduled yet". At the very worst, let the IT departments decide if they want to schedule additional downtime, because ultimately, they know whether it will affect their systems or not. But then again, MS knows best, all the time, doesn't it?
Re:Applying Patches Is Not Free (Score:2)
The issue arises when exploits are known in the wild before the patch is available. When is a suitable time to release the patch? How big of a risk does a exploit need to be before it is considered critical enough to justify an out-of-schedule patch rel
Re:Applying Patches Is Not Free (Score:2)
It doesn't matter what MS does or doesn't know, their customers have demanded it.
Re:Applying Patches Is Not Free (Score:2, Interesting)
From descriptions of the fix elsewhere here, it is a stupid mistake that never should have made it through any kind of
Re:Applying Patches Is Not Free (Score:2)
The customers demanded fewer security holes that demanded patches, not less frequent updates of critical security fixes. It also helps polish the statistics if you lump several patches together and release them all on one day every month. Big corporations don't use Windows Update without testing the patches either. Even if Microsoft releases all the patches fast when they are ready big
Re:Applying Patches Is Not Free (Score:2)
But later (Score:2)
Re:But later (Score:2)
This is good but..... (Score:2)
I can see a use for these patches in a corporate environment where (for whatever reason) IE is a
Re:This is good but..... (Score:3, Funny)
I am ... Radish!
Damn, I wish I had mod points for your post. 'Course it would be modded funny, but hey ...
Tested and deployed (Score:3, Informative)
While it's clearly not the best solution, it does work and provides a much needed layer for the vast majority of corporations who simply cannot and will not disable active script.
well (Score:3, Funny)
Anybody who has the ability to weigh risks is already using firefox.
First party patches (Score:2)
Of course, Microsoft [computerworld.com] and other vendors [72.14.203.104] always get their patches correct the first time.
In memory fix (Score:5, Insightful)
Re:In memory fix (Score:2)
Remember please, this is Windows we are talking about. How would anyone write viruses and pervasive spyware without this feature?
(lets all say it together, this is not a security hole / bug, it's a feature )
Re:In memory fix (Score:3, Interesting)
Re:In memory fix (Score:3, Interesting)
Re:In memory fix (Score:3)
Re:In memory fix (Score:2)
OpenBSD has W^X built in, which in fact eliminates this. Each segment of memory is exclusively marked as either WRITE or EXECUTE, to prevent security exploits.
Linux can also get somewhat similar security features using PaX or Exec Shield.
Re:In memory fix (Score:3, Interesting)
Next they use the AppInit_DLL registry key, which essentially forces the Operating System to load this DLL into all applications that link against user32.dll (I think), hence no hackery is going across address space boundaries, there is nothing wrong with self modifying
Anyone remember? (Score:5, Insightful)
Does anyone remember the previous third-party patch to IE? This is from December of '03.
opensource? (Score:4, Interesting)
Maybe the code would be completely different, but would it achieve its goal by going about the same ways as the unofficial patch? Or would it be patched on a level deeper than we could access? I guess the most interesting part would be that a third party without access to the source code could actually come together with a solution before Microsoft. What would be more interesting is seeing how close those solutions match each other. Sort of a test of how these third party programmers can predict the necessity or orders of different code they only have limited access to.
Re:opensource? (Score:2, Informative)
Risk management (Score:2)
Anyone else see a trend here? (Score:3, Insightful)
It's like the security community is slapping them in the face and saying that their current model of using patch cycles is not good enough for threats on todays internet.
In my opinion this makes Microsoft look very bad; this is, that I know of, the second time a patch has been released for an MS product before an official fix release.
And they even produce sourcecode for community scrutiny/review.
To eEye and others making these patches for MS products, thanks guys for making sure my parents don't get inundated by malware.
Re:Why doesn't Microsoft... (Score:3, Insightful)
Maybe because they like money?
Re:Why doesn't Microsoft... (Score:3, Insightful)
Re:Why doesn't Microsoft... (Score:3, Insightful)
Microsoft views IE as a "rich client" and one more reason to tie people to Windows. MS may one day have a 100% standards compliant browser but I guarantee they will also have another 20% worth of features that only work in IE as one more way to try and keep people using Windows.
It's the same reason they will never have a Linux version of Office as long as they view Linux as any kind of threat to their OS.
Re:Why doesn't Microsoft... (Score:3, Insightful)
There's also the rather significant problem of Firefox not being a drop-in replacement for IE.
It's the same reason they will never have a Linux version of Office as long as they view Linux as any kind of threat to their OS.
OS X is a vastly greater "threat" to Windows than Linux is on the Desktop, but Microsoft are happy to make money selling Office for OS X. Your argument does not hold water.
Re:Why doesn't Microsoft... (Score:2)
Re:Why doesn't Microsoft... (Score:2)
I'm not so sure, I know someone who works heavily with Linux yet still won't use Firefox on their Windows box, because IE is "so much faster". I don't understand either, I find IE quite slow to start up, there isn't much difference. Maybe it's slightly quicker at rendering once the program is loaded. This person seems to enjoy having "20 Internet Explorer..." in the taskbar. I don't use IE for three reasons - principle of supporting OSS, exte
Re:Why doesn't Microsoft... (Score:4, Funny)
Are you related to my girlfriend? Because she asks smart questions like you. =)
Re:For my own edification.... (Score:2)
Re:Does anyone on /. even use IE anymore? (Score:3, Interesting)
Of course, IE on that particular network has a proxy server of 127.0.0.1 pushed out via group policy, with an exemption for the intranet. You could sneak around that by installing a proxy server on the machine you're using, but most of my users aren't that sharp. I've got Firefox 1.5.whatever running on everything now, so I can let my users off the leash a little.
The only thing I miss about IE is the ability to push settings to the br
Re:Patch! Patch on what? (Score:2)
Haven't you ever used a decompiler or a hex editor???
Re:Patch! Patch on what? (Score:2)