Report Of New Outlook Exploit
viktor_haag writes: "Report on MSNBC today of a new vulnerability that exploits a hole in (at least) Microsoft Outlook. The bad news is -- this time you don't even have to read the email; in fact, the exploit can take place before Outlook even places the email in your Inbox. Looks to involve overloading the message's Date header field.
MS says they're going to release a security patch on July 19 to fix this hole." The irony is of course that we're so jaded by all these sad macro viruses that when something this serious hits, we shrug it off as 'Just another security hole,' but this one is massive.
I'm not jaded (Score:1)
-------
Re:Date? (Score:2)
[ ] Clueless Newbie [x] Loser [ ] Troll
[x] Signal 11 [ ] Pervert [ ] Geek
[ ] Spammer [ ] Nerd [ ] Elvis
[ ] Fed [x] Freak [ ] FascdotKilledMyPr
[ ] AOLer/Euronetter/PIer/MSNetter
[ ] Other: Unbearably self-righteous person
You Are Being Flamed Because:
[ ] You posted something unfunny that will inevitably be modded up as "+1 Funny"
[x] You posted something unfunny that will inevitably be modded up as "+1 Funny" by you using another one of your accounts
[ ] You started an off-topic thread
[ ] You continued a long, stupid thread
[ ] You posted a bitchy "Slashdot sucks!" message
[ ] You said "me too" to something
[x] You suck
[x] You brag about things that never happened
[x] You spend all day tapping the refresh button
[x] You posted something totally uninteresting
[ ] You posted sexist shit
[x] You wish to avoid the "wrath of the trolls" by flaunting your "edgy" sense of humor
[x] You masturbate to pictures of CmdrTaco's shoes
[ ] You are the leader of a secret Natalie Portman human-sacrifice cult
To Repent, You Must:
[ ] Give up your AOL/Euronet/MSN/Planet Internet account
[ ] Bust up your modem with a hammer and eat it
[x] Jump into a vat of acid while holding your monitor
[x] Actually post something relevant
[ ] Read the f****** FAQ
[x] Be Katz's love slave
[x] Apologize to me
In Closing, I'd Like to Say:
[ ] Blow me
[x] Bite me
[x] Get a life
[x] Never post again
[x] I pity your parakeet
[x] Go to hell
[ ] I think your IQ must be 5, join the Marines
[x] Take your s*** somewhere else
[ ] Learn to post or f*** off
[x] Do us all a favor and start linking to Illiad. He's funnier than you.
[x] See how far your tongue will fit into the electric outlet
[x] Go crying home to your mommy...wait, you still live at home. Nevermind.
Microsoft's control of the Media (Score:1)
Which has some interesting implications I think. For companies like Microsoft to be able to cover up important press releases is one thing, and for the security crowd I'm sure you've all heard the term "security by obscurity". It never works.
This event makes me wonder what things a company like AOL, who owns too much (MONOPOLY), can cover up at will. If AOL had a security flaw I wonder how much press it would get. I have less faith in AOL software in terms of security than Microsoft's but when was the last time there has been a public release of them doing anything wrong?
The media sucks is my point.
Re:Oops (Score:1)
------
Does Microsoft Guarantee Security? (Score:1)
I'm waiting for the first lawsuit (if there hasn't been one already) that takes Microsoft to task for being negligent in developing software with blatant security flaws. It's unlikely anyone can sue over bugs, but a failure to protect against malicious attackers might be actionable -- especially in the litigious US.
Does Microsoft guarantee (or even imply) that Outlook (or Windows, for that matter) is secure?
Do we, as software developers, want to work in a world where our software is subject to judicial review? I think not...
Re:Bugtraq (Score:1)
At least with cars, they know that the oil needs to be changed every 5000 or so KM, and that when the tread on the tires is bare, those need to be replaced. People are still using IE 3.0! Users generally too lazy to upgrade software, even if there's a known security issue.
Emphasis was mine. This is precisely the problem: I am 100% sure that no one of the other 12 computer users at my office have the faintest idea that there may be security problems related to e-mail clients. We use Lotus Notes (yuck!) here, so I don't mind educating people on this new hole (I've never heard of any LN exploit) and I still think this is a problem to be dealt with by the sysadmins, which I'm not. The point is that most people don't keep insecure versions because they are lazy, they just can't imagine they are at risk. They just trust MS. Now, if I could just figure out why...
Alternatives? (Score:2)
If this were almost any other app or company this wouldn't be front page news. How many other apps have buffer overflow exploits? Yes, Outlook has had its problems but look at other apps that have had them. How many problems were there with sendmail? The problems got fixed and it continues to be used today. Until someone comes out with a product to truly compete with OutLook people won't switch. What other LARGE enterprise mail systems are out there that offer the features of Exchange? Security people don't usually pick the mail system, management does. Management just can't pass up the calendaring and scheduling features of Exchange.
Instead of constantly bashing OutLook someone should actually go write a competing client. I'm currently using Mozilla's IMAP client. So far it's the most full featured by far. Sadly, it crashes about 3 times per day and on restart it sometimes won't create new messages. I can't wait for Evolution, but how long will that be?
I'd like to see all the "MS SUCKS!!!" people in here sit down and write an app that does everything OutLook can do. Yes, it has its problems but you can patch it, just like everything else. Until there is another alternative, even a close one, people won't switch.
Actually this is not the first (Score:2)
And I am sure that was not the first, I heard of it because it was the last time that an individual accidentally took down the Internet.
Regards,
Ben
Re:This one's better (Score:2)
#include "disclaim.h"
"All the best people in life seem to like LINUX." - Steve Wozniak
Re:Bugtraq (Score:2)
There is a very simple, and elegant solution. Write a program that exploits the security flaw that patches the affected system, and then replicates itself. To be careful it should have a self termination date, and maybe even maintain a list of addresses on a central server that it has been sent to, etc.
Of course there are complications to this, first and most importantly that it is probably illegal. Therefore the above thought is provided for humor and irony purposes, and not an attempt to encourage anyone to break the law.
Oh, and IANAL.
W
This one's better (Score:2)
Why doesn't IE 5.5 eliminate the vulnerability for Windows 2000 users?
IE 5.5 cannot replace the affected component because of the System File Protection feature in Windows 2000.
Nice "feature", guys.
$ cat < /dev/mouse
Non-Report of New Linux NFS Remote Root Exploit (Score:5)
from the not-all-that-surprising dept.
Yes, remote root on recent versions of (probably) all Linux-based systems that include NFS. Fortunately, most of them seem to have issued updates already. See the Security Focus Record [securityfocus.com] for a summary (and, yes, an exploit). The irony is of course that we pretend to be concerned with security, but we really care only for ridiculing Microsoft, so when something this serious hits Linux, we don't even report it.
Re:Wow..... (Score:2)
Not checking inputs before the buffer is copied into is a bad programming flaw, but only recently realized as being potentially hazardous. Thus, take all programmers that were in the workforce in 1990, and they would probably have missed adding the buffer checks, but now with buffer overflows a problem nearly every day, programmers in 2000 are much more conscious about it, but there is still legacy code that probably does this buried in code. Especially when the field itself is not thought of in a textual sense (a date field), these things tend to get overlooked in the general design of the program. However, this should only reinforce the use of a lint-like system after various compiles in order to find potential buffer overflows. Languages like C++ and Java provide some protection here assuming you use the typed Strings, but you can still create a buffer overflow without thinking about it.
I'm very surprised by this! (Score:2)
I'm very surprised it took so long for this bug to be discovered!
This isn't new. (Score:2)
MSNBC Hijinx (Score:2)
Just as with any news source, there's going to be bias. It's just that most news sources don't have such obvious and entertaining bias as MSNBC.
Vulnerabilities==virii (Score:3)
Our only hope is to make an antivirus email that uses the hole to install the patch and then forwards itself off.
Re:Just to be fair here... (Score:3)
Of course, it is true that this is simply a bug, and it could have happened to anyone. But it didn't happen to anyone, it happened to Microsoft, and they deserve some measure of condemnation for it.
You may be vulnerable too! (Score:2)
How can I tell if I'm vulnerable to this issue?
If any of the following apply to you, you are not affected by this vulnerability:
- You are running a default installation of Internet Explorer 5.01 Service Pack 1.
- You are running a default installation of Internet Explorer 5.5 on any system except Windows 2000.
- You are using Outlook and it's configured to use only MAPI
If none of the above apply to you, you are affected by the vulnerability.
--
So all you Linux users, beware.
Anyways, it's this kind of warped logic that caused the bug in the first place.
Breace
"OOPS, I did it again" by Bill Gates (Score:5)
by Bill Gates
Yeah yeah yeah yeah yeah yeah
Yeah yeah yeah yeah yeah yeah
I think I did it again
I made you believe you've got security
Oh baby
It might seem like a feature
But it doesn't mean that I'm serious
'Cause to lose all my reason
That is just so typically me
Oh baby, baby
:Chorus:
Oops!...I did it again
I created a bug, got lost in the game
Oh baby, baby
Oops!...You think it's secure
That its sent from above
I'm not that innocent
You see my problem is this
I'm dreaming away
Wishing that bugs, they don't exist
I cry, watching bugtraq
Can't you see I'm a fool in so many ways
But to lose all my customers
That is just so typically me
Baby, oh
:Chorus:
Oops!...I did it again
I created a bug, got lost in the game
Oh baby, baby
Oops!...You think it's secure
That its sent from above
I'm not that innocent
Yeah yeah yeah yeah yeah yeah
Yeah yeah yeah yeah yeah yeah
"All aboard"
"Bill, before you go, there's something I want you to have"
"Oh, it's beautiful, but wait a minute, isn't this...?"
"Yeah, yes it is"
"But I thought the old lady dropped it into the ocean in the end"
"Well Billy, I went down and got it for you"
"Oh, you shouldn't have"
Oops!...I did it again to your trust
Got lost in denial, oh baby
Oops!...You think that I'm sent from above
I'm not that innocent
:Chorus:
Oops!...I did it again
I played with your heart, got lost in the game
Oh baby, baby
Oops!...You think I'm in love
That I'm sent from above
I'm not that innocent
:Chorus:
Oops!...I did it again
I created a bug, got lost in the game
Oh baby, baby
Oops!...You think it's secure
That its sent from above
I'm not that innocent
USSR *security*? (Score:2)
Re:Bugtraq (Score:2)
Do you have any idea what a buffer overflow actually is?
Basically, you fill a fixed-size array with enough data so that you overwrite other parts of the program, do some magic (which is somewhat explained here [infonexus.com]), and then get the program to execute some arbitrary code of your own writing. Developing said code (i.e. actually writing the exploit) generally takes time, and is limited to one software/os/platform/version combination.
This has *no* relation to how the code is initially written.
A program which reads one line of code from the user, saves it to a fixed sized buffer, and then prints it out is vulnerable to a buffer overflow.
Moderators: (Score:2)
This one deserves +5!
Re:Its Time For Eudora (Score:2)
this site is for people smart enough to use linux.
Maybe he wants to learn how to install and use Linux, but he has to spend so much time administering Windows clients that he can't get around to it?
Applaud him for sparing the time to at least get away from Outlook, for which all the exploits seem to be well known.
Time was, and still is, my problem; even after five years of experience with UNIX as a user, learning administering my first Linux box is still quite an uphill battle.
However, you'll be pleased to note that I now type "ls -l" accidentally and frequently at DOS command prompts.
Go easy on the Linux newbie, for together, we will all be Bill Gates' demise.
Re:I'm very surprised by this! (Score:2)
Yep, the beauty of Closed Source...
What about Exchange? (Score:2)
Re:Outlook vulnerable? (Score:2)
"This is certainly a serious one," said Steve Lipner, manager of the Security Response Center at Microsoft. Lipner said the stand-alone Outlook patch might not be ready until Wednesday, but concerned Outlook users can protect themselves immediately by downloading and installing the newest version of Internet Explorer at Microsoft's download site. That software includes code that will stop the vulnerability.
So the way to stop the virus is to load IE5.5? Why? Did they already know about the virus for a while and do nothing to tell anyone else (ie. release a patch for the existing users while developing the future release)? Sound like a malicious plan to force users to upgrade to a new version, as long as the bug wasn't uncovered too soon.
Re:How long can they keep this up? (Score:2)
I'd rather find a security breach in a MS product and have them release a patch, then to find a breach in some free software and be told "Fix it yourself - that's the beauty of it."
Companies love the fact that they can hold MS responsible for their products. (Accountable to the market, if not the EULA).
This one's EVEN better (Score:2)
WWJD -- What Would Jimi Do?
Just to be fair here... (Score:5)
Re:Buffer overruns: what's vulnerable? (Score:2)
(Nitpickers: yeah, I know, buffer[3] is really the last allocated space, meaning that the starting address of buffer[5] is actually 4 * sizeof(int) from the start of the array, and not adjacent to the end of the buffer. Children should be taught to count starting at zero.)
So, it is a vulnerability specific to languages that don't check bounds on arrays. However, it is just as much the fault of the programmer. If you don't validate input, you shouldn't be surprised when things don't go as planned. In a Java program that wasn't given special bounds checking, the program would die on the exception, better than providing an exploit, but bad form nonetheless.
"Sweet creeping zombie Jesus!"
Re:It's about time (Score:2)
> that someone with a brain could
> actually fall for?
People "with a brain" wouldn't be using such a horribly insecure mail client in the first place. There's a reason you don't hear about exploits like this affecting users of other mail clients such as Netscape Messenger (for example).
This security hole could potentially become a nightmare, but only to those people who use Microsoft's inferior mail software. Microsoft has set back computer security by years. Take these old pieces of virus protection advice:
Microsoft needs to admit that Outlook is fatally flawed. Since this will never happen, it's up to people like you and me to educate and inform anyone and everyone. Companies that mandate the use of Outlook or Outlook Express (I used to work for such a company) especially need to be educated.
--
Re:MSNBC reports Microsoft Security Hole? (Score:2)
Journalistic integrity at NBC? I don't think so. Dateline NBC is almost as sensationalist as Extra or any of the other video editions of supermarket tabloids.
With the MSNBC partnership, I feel I can trust their reporting of Microsoft news about as well as I can trust the CBC's reporting of the state of the Canadian federal government.
Never leave the fox guarding the henhouse.
I'll stick with ABC. World News Tonight is great, Nightline is excellent, and they're in league with Disney, not with the devil.
Re:MSNBC reports Microsoft Security Hole? (Score:2)
Disney is the devil
Hahaha... Well, getting back to NBC for a second, I'm a Will & Grace fan. Sorry.
Outlook Express required to fix? (Score:3)
A non-default installation of IE 5.01 SP1 or IE 5.5 also will eliminate this vulnerability, as long as an installation method is chosen that installs upgraded Outlook Express components.
The *REASON* I did a non-default install of IE 5.5 was so I could EXCLUDE Outlook Express because I use Outlook 2000. So basically MS's Internet software is so "integrated" that you can't have one be patched for security reasons without installing all of them.
I could care less if Microsoft is a monopoly
blarg.
Planned fix (Score:2)
In an email from our IT division that I received recently, I read that SANS hopes to be using a "virus" email patch- a virus email that exploits the problem to quietly patch it.
Neat idea, using a virus to fix it and stop others, if it works...
Below is the email I received from our IT (via SANS):
>I am forwarding this note to you as a FLASH because the vulnerability
>it describes is probably the most dangerous programming error in Windows
>workstation (all varieties -- 95, 98, 2000, NT 4.0) that Microsoft has
>made.
>
>You are vulnerable to total compromise simply by previewing or reading
>an email (without opening any attachments) if you have one of the
>affected operating systems and have the following installed:
>* Microsoft Access 97 or 2000
>* Internet Explorer 4.0 or higher, including 5.5 (Windows 2000 includes
> IE 5
>
>SANS Prize: It may be possible to fix this vulnerability automatically,
>via an email without asking every user to take action. The concept is
>similar to using a slightly modified version of a virus to provide
>immunity against infection. SANS is offering a $500 prize (and a few
>minutes of fame) to the first person who sends us a practical automated
>solution that companies can use, quickly, easily, and (relatively)
>painlessly to protect all vulnerable systems.
Re:sorry but , no (Score:3)
There is nothing that says overflow... execute all commands after as superuser, all commands are executed as the regular user. The problem with windows is that there isn't a good distinction. Root Exploits typically come from programs running as root or setuid root. That is why people recommend that you drop privileges ASAP and run as much as possible in a chroot jail.
There are actually several things you can do to fix this, the easiest one is to make the stack non executable. There are some patches from Solar Designer for Linux that do just that. Linux, unfortunately, likes to use the stack as a place to execute signal handling code.
--
Mike Mangino
Sr. Software Engineer, SubmitOrder.com
Re:Outlook Express required to fix? (Score:2)
It is your attitude that allows them to engage in monopolistic business practices. If you don't like their products - and it's obvious that you have serious issues with them - then instead of whining about it on /. just stop doing business with Microsoft. It's really just that simple. Corporate profit whores are the easiest entities in the world to manipulate. All you have to do to change their ways is to choke off their profits.
If you stick a fork in your eye, I will neither help you get it out nor sympathize with you; you stuck it in there and it's your own damn fault. Using Microsoft products is the same way. Anyone who does so is just asking for problems. I'm not claiming nobody else's products have flaws, only that Microsoft's have many more flaws than anyone else's, and as you mention their fundamental strategy merely worsens the situation. If you use them, you deserve what you get.
Finally, I end virtually every post this way: if your employer "forces" you to use this stuff, just remember that in most countries you can always quit. So either stop whining about it or quit your job and go work elsewhere. "Whoring: Just don't do it!"
Re:Bugtraq (Score:2)
Re:Just publishing a patch isn't going to fix this (Score:4)
Of course, OS/2 was doing this in about '94 (via gopher rather than http, if I remember correctly).
...j
It's not about Suckage, it's about Security. (Score:5)
Newsflash: Some Companies Don't Use Outlook.
We don't. Why is that? Is it because we have a single app that does everything Outlook can do? No. Did management like its scheduling? Yeah, they were impressed. But, I wasn't hired to point, click, giggle, and approve everything Management wants to run. It's part of my job to build viable systems for my company. So, before we pop for a system, we audit the crap out of it: Outlook/Exchange doesn't even come close to cutting it, "features" or not.
See, we have a different view on the Web. An example: Since our first purchase of bsafe licenses from RSA labs, some 5 years ago, we've run a secure inter- and intra-net for our clients and employees. Scheduling, Calendars, Mail, Document Sharing/Transfer, Routing, Storage, Directory Services, some B2B and Timesheets, Printing and PDF generation from Word Documents and Faxes.
As for bugs; well, we're always in development :^) We've had several minor security issues, some early ones were, like this, bounding checks that didn't. Some memory leaks in 3rd party libraries. A few browser issues. Harmless stuff. Never whacked a file, or accessed secure information without the consent of the user. Never. As lead developer, I can honestly claim that our product easily does more than Outlook, and is virtually browser independent (SSL the only requirement). (Of course, you could just shitcan my comment, because it's a Server app, and not a Win client app, and we don't sell it, and..and...:)
Anyway, I can walk the walk. So, let's talk the talk.
There is no excuse for shoddy code and poor design at the Enterprise level. None. There are tons of relatively inexpensive tools that take care of beginner mistakes (like bound checking) for you, and may I remind you Microsoft should not be a beginner. Where are the coding wizards that bloated the Doom egg into Excel? And don't even start to whinge to me about "so many lines of code crap", either. I don't care how many lines you bloat into a product: if the design is poor, you're in for the big lose. And, make no mistake about it, the VBScript security concept is simply Nonexistent. A pathetic afterthought -- a late-night crapfest of coding that makes the I_Love_You virus read like Shakespeare.
To make matters worse, Microsoft leveraged the farm on the VB Concept. Every "application" has a backdoor^h^h^h(Screw it, it's a backdoor) propped open wider than the fridge at an "All-you-can-drink" Mardi Gras party in the Big Easy.
Uh...Wait...My Spidey Senses are telling me that the party line at Microsoft is that all this scriptability is The Big Win for productivity! Really!! You can cut/paste/drag/drop/bone/fillet/chop bits between all your apps! Isn't that exciting? Huh? Don't you want to be able to execute arbitrary code from an Excel spreadsheet, popped open by an untrusted 3rd party .OCX, driven by an Access 02 database automagically opened in Word?!? MmmmBoy!!! Smell That Innovation!
Got some not-so-much-news for you guys. That mind-numbing stench isn't innovation. It's a deceptively high-minded concept for individual power users, viciously mangled by Microsoft's complete inexperience with the multi-user/internet like some lean ground beef chew toy tossed to a pack of rabid weasels. 99.99% of the world doesn't use it, doesn't want to use it, and couldn't care less about it. The 0.01% that recognize its existence are about equally divided on the subject: Either they've already disabled VBScripting on their machines, or they're writing code to exploit the other 99.99%
Would you be happy with a caretaker for your house that leaves the key in the lock and puts up a sign that says "Gone Fishin' 'till Tuesday"? And they knew about it since they shoehorned basic scripting into Word 95. It is beyond my comprehension why people believe that scripting viruses "just happen", like they're some Normal price of doing business. You hear crap like "That Loser who wrote this virus should be shot!", or "We lost (m|b|tr)illions of dollars to Melissa/Zipped_Files/Good_Times, someone should pay!!!" And the folks never take the time to think
"Why was it so damn easy to do?"
Because they made it easy to do. I mean, LOOK AT THE CODE, folks. Melissa and its ilk are hardly rocket science. I_Love_You.vbs isn't a freakin' masterpiece. It's a script that should never have been allowed to run. Where's the security!!! Aunt Sally and Uncle Bob didn't want to run it. They don't know VBScript from Shinola. Yet, it ran on their box. Without their consent. Without their knowledge. And whacked all their files and mailed all their friends -- who continued the cycle.
What do you hear from Microsoft: "You have to stay Vigilant!" and "Those Devious Geniuses! They Struck Again!", and the popular "No System Is Ever Free Of Bugs" They crank up the spin-fest and fill Joe User's head with cheezy crap that sounds like it came off a bottle of cheap shampoo: "Upgrade, Set Options, Pray, Repeat!"
It never, ever had to be that way...
Thanks for listening...
There must be some kind of mistake. (Score:5)
Re:Bugtraq (Score:2)
People are still using IE 3.0!
Unfortunately, many updates are not worth doing for the majority of people. If IE 3.0 does what you want, you shouldn't have to make a 2-hour plus download just to stop a bug that shouldn't have existed in the first place.
Another problem with upgrading is what I call the 'Bullshit program' problem. On my Windows box, I use Office 97. I saved a word file and sent it to a friend. It was just under 1.5 MB. He uses Word 2000, and a while later, e-mailed me the file back, for reasons I won't go into. It had grown to 4Mb, and was in the Word 2000 format, which I couldn't open. I e-mailed him and asked what he had changed in the file, other than the format. He said: Nothing.
Many upgrades give the average user nothing more than features like OS integration and annoying talking paper clips. Which they don't want. These 'upgrades' regularly have a large download time and/or price tag.
I blame Microsoft. After all, this IS Slashdot.
Michael Tandy
...another insightless comment from Michael Tandy.
Re:Can we say "Lotus Notes?" (Score:2)
Re:/., please... stop whining. (Score:2)
The most popular desktop operating system and office package in the world, the one that MANY
I'm glad to find this stuff on
Pointing fingers at the infrastructure (Score:2)
Specifically, perhaps it is time to fix the infrastructure -- in this case, Internet mail as a whole. Although it would be unfair to compare it to something as weak and outdated as QWK mail from the ol' BBS days, there are abundant weaknesses in the current model for Internet mail that allow nasty things like mail header security exploits. And spam. Imagine if spam was not just antisocial and/or illegal, but technically impossible?
How long can a date field be? For that matter, how long can any header field be? (No, I'm not asking for a technical answer based on the current system, I'm suggesting that you think about the meaning of the fields, and the maximum length necessary to impart that meaning.) Given that mail client software authors are demonstrably ignoring such length limitations, is it not time to enforce at the protocol level some basic validity and, ideally, permission from the recipient?
I don't have a blueprint to roll out for you. However, as long as we focus on the weaknesses of this or that client, server, company, etc., we are missing the boat.
Re:Wow..... (Score:2)
-B
2000-07-18 17:57:54 Major MS Windows Vulnerability (Score:2)
I wonder how many people submitted that. I put mine in about an hour after this TechWeb article [techweb.com] came out.
It'd be cool to see some cut-away of the slashdot experience. Like, are the posters the ones who hit reject or accept? Is there an early team that does some filtering? Is one nay enough to reject an article, or do a few people look it over?
-----
Re:Outlook vulnerable? (Score:2)
So you are telling me that propaganda doesn't fuel pro-Microsoft sites or any other sites?
The biases of Slashdot are well known, and not a secret. Other sites often try to claim non-biased reporting, but in reality, everyone has their biases.
Re:outlook just cant be fixed (Score:2)
Re:Not really (Score:2)
The bug has been fixed in IE 5.01 SP1; so there already exists a solution to avoid the bug on a Win box. Also, on Win-9x, IE 5.5 also avoids the bug; but on W2K, IE 5.5 still carries this bug (go figure).
In my opinion, any bug fix from MS isn't going to accomplish much. The majority of systems which are reportedly vulnerable are home systems where the users have failed to download the readily available SW upgrades. If the users failed to download the upgrades, I doubt it's likely that they'll get around to downloading the bug fix either.
Re:Wow..... (Score:2)
I have worked in software companies for 8 years, and I can tell you bar none, that 90% of quality problems are caused by a marketing-driven schedule and feature set.
Yes, it's unavoidable that software has to sell to finance its own development, and selling on a schedule is a requirement of marketing.
Other factors have been the easy ability for software companies to ship with massive defects to match a schedule, and put a patch on the web for downloads later - this was not nearly as common back when customers had to dial into a BBS for a patch (before widespread use of the web).
Basically, it's more of a competitive advantage to get a market presence (we're talking vapor here), than it is to ship a good stable product.
Who to blame?
The trade press. Whether the reviews are accurate or not, they still sell their rags. My company has a whole department of people whose job it is to "manage trade press relationships", that is, to make sure they get a favorable review. If we had a serious bug during an evaluation, our people fly out there and pucker up to the journalists, and no mention is made of the bug in the review.
This is life, in the software industry folks. It's only gotten worse.
And it will only get still worse.
if it ain't broke, then fix it 'till it is!
Anyone notice this one? (Score:4)
This may be slightly OT, but this seems like the best place to post it since I doubt it would get a story of its own. Got this from the SANS Institute [sans.org]. Apparently another problem involving IE 4+ and Access 97 or 2K on just about every Windows platform. Don't think I've seen this one posted here. You can read about it here [sans.org].
look... its a buffer overflow bug... (Score:2)
these things are really really really difficult to find... I mean... how many of your QA people will sit around and write low-level code to include in every possible field to test for buffer overflows...
I don't know of any where I work that are capable of even thinking about that... granted MS may have the best minds for it, but really, truthfully...
BUFFER OVERFLOW EXPLOITS HAPPEN...
now ... they should have fixed it sooner... hell... they had it since JUNE 8th...
Re:C / C++ etc. (Score:3)
WWJD -- What Would Jimi Do?
Re:MSNBC reports Microsoft Security Hole? (Score:3)
the cure recommended so far is for everyone to upgrade to IE5.5 as soon as possible
Now THAT'S marketing.
My favorite line in the article (Score:3)
*rolls eyes* Do I even need to elaborate?
Neither macro nor virus... (Score:5)
Outlook doesn't check the length of one of the date fields - a long string of data in that field will overflow a buffer. Once this has occurred, arbitrary code can be executed.
The fix is to install IE 5.01 SP1 on any affected Windows platform. Or you can install IE 5.5 - but not on Win2K.
More information is available in the posts to BugTraq and NTBugTraq, which is where I got the above information.
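The missing length check described in the comment above, sketched as an added example that is not part of the original post and is not Microsoft's code: an unchecked copy of the Date value beside a checked one that rejects oversized input. The 64-byte buffer size, every function name and the sample message are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define DATE_BUF_LEN 64 /* assumed size; the thread gives no real figure */
enum date_status { DATE_OK = 0, DATE_MISSING = -1, DATE_TOO_LONG = -2 };

/* Value of the first "Date:" header (length in *len), or NULL; no unfolding. */
static const char *find_date_value(const char *headers, size_t *len)
{
    const char *line = headers;
    while (*line != '\0' && *line != '\r' && *line != '\n') {
        size_t n = strcspn(line, "\r\n"), i = 0;
        while (i < 5 && tolower((unsigned char)line[i]) == "date:"[i])
            i++;
        if (i == 5) {
            const char *v = line + 5 + strspn(line + 5, " \t");
            *len = (size_t)(line + n - v);
            return v;
        }
        line += n;
        if (*line == '\r') line++;
        if (*line == '\n') line++;
    }
    return NULL;
}

/* UNSAFE pattern from the post: no length check. For contrast; never called. */
void copy_date_unchecked(const char *headers, char *out)
{
    size_t len = 0;
    const char *v = find_date_value(headers, &len);
    if (v == NULL) return;
    memcpy(out, v, len); /* len is chosen by the sender, not by out's size */
    out[len] = '\0';
}

/* Checked form: an oversized value is rejected, never truncated or copied. */
enum date_status copy_date_checked(const char *headers, char *out, size_t out_len)
{
    size_t len = 0;
    const char *v = find_date_value(headers, &len);
    if (v == NULL) return DATE_MISSING;
    if (len >= out_len) return DATE_TOO_LONG; /* need room for the NUL too */
    memcpy(out, v, len);
    out[len] = '\0';
    return DATE_OK;
}

/* Constructed input: a message whose Date value is `fill` bytes of 'A'. */
enum date_status try_date(size_t fill)
{
    char msg[1024] = "From: a@example.org\r\nDate: ", out[DATE_BUF_LEN];
    size_t used = strlen(msg);
    if (fill > sizeof msg - used - 5) return DATE_MISSING; /* keep msg in bounds */
    memset(msg + used, 'A', fill);
    memcpy(msg + used + fill, "\r\n\r\n", 5);
    return copy_date_checked(msg, out, sizeof out);
}

int main(void)
{
    return printf("63: %d, 64: %d, 500: %d\n", try_date(63), try_date(64), try_date(500)) < 0;
}
```

Rejecting the message outright, rather than truncating the value, keeps a malformed header from being processed any further by later code.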
There is a reason Lotus is losing (Score:3)
Need I say more?
Cheers,
Ben
Not really (Score:4)
I thought by now, we'd be rid of buffer overflow bugs.
Unfortunately there's a fundamental disconnect.. (Score:3)
Admins will continue to throw in layer after layer of mail pre-filtering software at the delivery level, when they should really just be able to get a secure MUA on their users' desktops.
--
Finally a "cluefull" Outlook exploit (Score:4)
At least this time it is a real bug, not a feature, and it has Microsoft working overnight to correct it. Those who remember the glorious days of early sendmail versions know that we've already been there, done that.
VM should handle this (Score:2)
Ryan
Re:Outlook Express required to fix? (Score:2)
I wish things could be that simple. I'm currently setting up some machines for my folks. When I suggested an OS other than MS, they requested Windows not because of the OS but the application software they want to run on it (in this case accounting software.) The alternatives on Linux for example are not an option as we (.au) have recently implemented GST (goods and sales tax). As there is no *nix port of their software (MYOB), they have no choice. Though I have heard mumbles of a Linux port on my local LUG.
Re:Just to be fair here... (Score:2)
It isn't so much that there's a bug that concerns me, it's that it took this long for anyone to pick it up. The bug has been in every version of Outlook, and that's been around for quite a long time now.
In the end it was discovered by an independent entity, and considering that Microsoft doesn't traditionally open their development to outsiders, they have no control (directly or through probability) of who that entity might be. If it wasn't a security firm that discovered this first, it could have been anyone.
IMHO, they should instead have an internal infrastructure to find these things for them before anyone else can. People trust Microsoft to provide them with secure products, yet Microsoft is at least partly relying on the users to find the security holes.
===
Re:Outlook Express required to fix? (Score:2)
So your suggestion is that I should up and QUIT my chosen profession which happens to be a PDA and Mobile electronics analyst where I'm senior editor of a *very large* site devoted to the subject. A site that is my *full time job* where 99% of the products and services we cover have direct ties to the most popular PIM on earth, Outlook 97/98/2000.
Yeah, I'll just up and quit because you've convinced me that Microsoft's integration that requires components of software packages that you DO NOT WANT just to fix a security problem is all my fault, you're a brilliant man
(If only life were as simple as the self indulgent zealots try to make it seem.)
Re:outlook just cant be fixed (Score:2)
---- ----
Re:Non-Report of New Linux NFS Remote Root Exploit (Score:3)
Those are the moderation totals on the parent (this) [slashdot.org] post, as of 7:26pm 7/19/2000.
Before you dismiss this as off-topic, read on.
How is it that 3 people think that this is an interesting or informative post, and 2 people think that he is Trolling, i.e., intentionally trying to disrupt an intelligent conversation?
If something is thought-provoking, it is insightful, even if you disagree with it. If something is a deliberate attempt to disrupt a conversation, it's a Troll.
Now, to get on-topic:
Yes, remote root on recent versions of (probably) all Linux-based systems that include NFS. Fortunately, most of them seem to have issued updates already. See the Security Focus Record for a summary (and, yes, an exploit).
It's on-topic. It's thought provoking, and it's informative. He hunted down a link for you. It's a massive security hole, just as big as the one in Outlook. Yes, you may disagree with his opinions or conclusions (I sure as hell do - no one is being paid billions of dollars to quality control Linux, it's the difference between a flaw in a gift and a flaw in an expensive PRODUCT) but that doesn't mean he's trying to disrupt the conversation. This comment is an insightful reality check. If his link was bogus, or his information was incorrect, Troll him. But if his facts are VALID and you disagree with his OPINION, mod him UP so we can all think about it and decide.
Moderation is not about suppressing opinions with basis in fact, it's about suppressing l33t hax0rz who want some Natalie.
Calling this guy a troll makes us look bad. Mod him up, and take his argument apart.
/., please... stop whining. (Score:2)
(the only purpose for this non-informative crapnews I can think of is: it must be a hint for a new conversation at the coffeemachine, when that nice blond from Marketing is at the coffeemachine at the same time as you do :)).
--
Wow..... (Score:2)
-- pause whilst I hug my browser --
So all Microsoft bashing aside, how do things like this get out the door? To me, it almost seems that they are purposely not doing any sort of testing at all. I know about the jokes that say they get free testing by releasing their alphas, but seriously! So many people around the world depend on their software, you would think that they would put it through hell and back, but products continually come out of Redmond with serious, serious flaws.
I mean, how long did it take someone to find a hole in IE 5.5? Like 3 days???
Putting aside all the joke and the "evil empire" comments and everything that the
Re:MSNBC reports Microsoft Security Hole? (Score:2)
I find these sorts of holes fascinating, especially in light of Microsoft's sales pitch of selling C3 secure systems. (Yes, this is the least secure you can get, and still get a rating, but the badge is still being used to promote the idea that Windows is secure.)
One thought I had, after reading this news - if WINE could be made sufficiently stable & complete, it shouldn't be too difficult to write a virus which replaced MS' Windows with Linux, without the users even noticing. Do that, and Linux could subvert 98% of the desktops on the Internet within a matter of days.
(Wouldn't this be, well, illegal? Not if you put a shrink-wrap licence on the virus, which stated that running the virus constituted the user's agreement to the OS switch. If the licence failed to appear, and the virus ran without the user being able to detect it, well, that becomes a Microsoft issue, not a viral one.)
Other news stories on this vulnerability (Score:3)
ZDNet Story [zdnet.com]
MSNBC Story [msnbc.com]
Information Week Story [informationweek.com]
CNN Story [cnn.com]
SANS Story [sans.org]
Also : Microsoft security bulletin [microsoft.com] (irony)
Microsoft FAQ + Patch [microsoft.com]
Re:Non-Report of New Linux NFS Remote Root Exploit (Score:2)
A rabid Linux zealot that runs into a convention of MCSE's and starts slamming everything and everyone around him won't be treated nicely, even if every argument he uses is based in fact.
That said, the post to which you refer was just that. His post was inflammatory and arrogant. Troll, perhaps not. But worthy of the 4 positive moderations it was awarded? I think not.
On another note, I'd say an NFS vulnerability isn't as major as this Outlook one is, not by a longshot. And I can name dozens of Linux security exploits that have come out recently. They don't get this sort of press because of facts like 'MS has been sitting on this exploit since mid-June' and 'MS still has not released fixes for its flagship product, Win2k.' And at least with the NFS vulnerability, you can choose to turn off your NFS server. Telling people they can't check their email is a lot less of an option.
Re:Bugtraq (Score:2)
The new one is worse (Score:2)
I just do not have a site available that does such a good job dissecting it...
Cheers,
Ben
Re:Quick fix for Outlook Express users (Score:2)
According to this web page:
http://www.microsoft.com/technet/security/bulle
the bulletin specifically states that if you do a default installation of Internet Explorer 5.01 Service Pack 1 or Internet Explorer 5.5, this will automatically install and/or upgrade to Outlook Express 5.5. Microsoft has specifically stated that OE 5.5 is -not- vulnerable to the issue that USSR Labs discovered. It should be noted that if you are running Windows 2000, you may have to apply the patch (which is now available) or do a manual upgrade to OE 5.5.
nothing to do with flexibility (Score:3)
A New One I Just Found (Score:2)
His Netscape kept loading up this GoHip web site as its default home page. Even going into the preferences in NS would only change this until the next re-boot. Had me poking around all over his system trying to figure out how his default home page kept getting changed. I couldn't find anything in the registry or
I then popped on over to this GoHip web site to have a look. Right on their front page is a link that states something like "Make GoHip your default home page". The clever bit was that this was not a link to some how-to about preferences. It linked directly to a
Once I managed to download this
Now just imagine sending someone an E-Mail with an embedded meta tag that redirected you to some
Mind you, I strongly disagree with this monopoly case that is presently going on. The details of this I'll save for later. On the other hand, I would have no problems at all with Microsoft being held criminally liable for gross negligence. None of what I'm talking about here is a secret to Microsoft, and still they continue to put out a known faulty product. How long do you think folks would put up with flaws like this from Ford, Honda, or any other car maker?
outlook just cant be fixed (Score:2)
The likelihood of MS actually admitting the above, let alone following through with my suggestion, is nil. But I think the fact that the hole has been a KNOWN exploit since June 11th and a patch was not made available even a MONTH later is very telling.
Truly, this hole longer than that.. wasn't there a whitepaper about 6 months ago from the authors behind BackOrifice detailing how this kind of exploit was possible?
Bugtraq (Score:5)
Also, bugtraq archived here [securityfocus.com]
Now, to avoid everyone calling me a karma whore, here's my insight on the whole thing:
USSR labs decided that they would hold back details until MS produced a fix. Understandable, I mean, they wouldn't want everyone to be developing exploits for the vulnerability while MS sits on it (Yes, I understand that security through obscurity doesn't work, but I'm sure that USSR would've released details if MS had refused to comply in a timely fashion). Anyway, I think that the problem is people actually getting/using the patch.
Sure, sysadmins will probably do corporate work to clear this up, but people do worse jobs maintaining software than they do their cars. At least with cars, they know that the oil needs to be changed every 5000 or so KM, and that when the tread on the tires is bare, those need to be replaced. People are still using IE 3.0! Users are generally too lazy to upgrade software, even if there's a known security issue.
That said, I'm as guilty as most of them.
Actually Eudora is much safer (Score:2)
Two points: If you had read any of this, you would know that the problem is in the transport mechanism of Outlook (the components) - NOT the displaying of the text. Eudora uses its own system for that. Eudora CAN (in the later versions) use the MSIE engine to display message (for the extended HTML parsing), but it doesn't HAVE to do this, it's a feature users can set as they please.
This email will self destruct in 30 seconds (Score:2)
Anyhow, for more fun, take a look at the source for msnbc's article. It is one HUGE mess of scripting for a short little article. What are they trying to hide in there? Easter eggs? Why all the features for just a damn story?
Re:More Microsoft Bashing.. how sad (Score:2)
I read this (Score:2)
send flames > /dev/null
Re:Outlook Express required to fix? (Score:2)
Rubbish. I don't use anything from Microsoft, and haven't for at least 4 years. You and everyone can do the same. Fact is, most people don't care enough about the issue to do the necessary investigation to take this step.
The suit against Microsoft is tripe and nonsense. The only way anyone can have a monopoly is if people choose - yes, choose - to do business with them. Sorry, you lose on this one because the argument is irrefutable. No business, no profits, no market share. There is a choice. There is always a choice.
Whoring: just don't do it.
Re:Outlook vulnerable? (Score:2)
while it's obviously a troll, I'll respond.
A quick search for security brings us:
2.2.16 Kernel Released - Fixes Security Hole [slashdot.org]
Open-Source != Security; PGP Provides Cautionary Tale [slashdot.org]
Red Hat 'Piranha' Security Risk - And Fix [slashdot.org]
FreeBSD implicated in HotMail security problems [slashdot.org]
Looks like they do. Granted, there're more MS security holes posted. However, I would say that there are more MS security holes. The problem only arises when/if they are posting in a proportion (MS vs. Open Source) that is not close to the real proportion of significant problems.
Re:Outlook Express required to fix? (Score:2)
Then you failed to grasp the whole point of the post. It really is just that simple.
Whoring: Just don't do it.
Security certification needed? (Score:2)
This is the second time in a week I've been burned (had to do extra work) by security flaws found in Microsoft programs.
I've been thinking about the need for a standards organization, or certification authority, for some time now. The question is; how would you set up such an organization, and would you trust it?
An analogy: All of the major e-commerce sites on the web today buy their SSL certificate from one of the big CA:s, VeriSign for one, because that's a trusted entity.
Wouldn't big program houses be interested in getting their applications branded "Secure" by a likewise trusted authority? (think CERT) My guess is yes. Microsoft, for example, would benefit (at least in large, mission critical installations) from having their source code audited and confirmed by a third party.
When we have open source, most problems are found early (many eyeballs make shallow bugs) but not all. Think of the Wuftpd exploit last month. Is there, perhaps, even a need for an open security auditing organization?
Re:Outlook vulnerable? (Score:2)
It seems to me that the biggest security risk would come from newly added features to a product. Perhaps MS add more new features to their products than people? They're not playing catch up like other people.
Of course, some might say that it is just because MS are incompetent when it comes to security.
Just publishing a patch isn't going to fix this... (Score:4)
The problem with real security issues like this one is the number of people who fail to keep up to date on all the latest patches. The infamous Morris worm, for instance, was essentially nothing more than a collection of exploits that had already been published and worked around. It's just that the relatively clueful, but overworked SysAdmins, hadn't installed them yet.
I shudder to think how many clueless MS users will be out there with this vulnerability - even five years from now.
NT BugTraq report (Score:2)
It's about time (Score:2)
But at this point in time, one individual could probably bring down the entire internet and then some. Imagine what would happen if someone used this bug to load a CIH-type virus on every computer. Suddenly, the majority of the world's computers go out simultaneously. It'd be mass destruction - and virtually untraceable. (Can you imagine what would have happened if someone did this on Jan 1?)
But I don't think any of this will ever happen. I'm sure there will always be a way, but there's no one out there crazy enough to actually do it. Virus writers want cheap thrills. Just because the hole is there, doesn't mean anyone will exploit it. We may never see the doomsday virus everyone's worried about for the last decade....
Oops (Score:2)
-rpl
The total skinny (Score:2)
This particular vulnerability is kind of amusing. UNIX types have been suffering with buffer overflows for a long time now that have done some nasty things, like giving someone remote root.
In any case, it's pretty lame of M$ to be seeing people fix all their buffer 'sploits on unix-centric applications and then not fix them in an obviously vulnerable location in their own code.
This is especially amusing since they just released that gigantic patch that will ask you before it executes content in an attachment or embedded in a document. They fixed that, but they missed the buffer overflow. All I have to say is HA HA HA. :)
No wait, I have more to say: Mozilla mail ownz j00!
Conflict of Interest! (Score:2)
Not as bad as it might seem (Score:2)
I haven't yet seen a comment that points out a critical factor for this bug:
You need to use Outlook(Express) as your Internet mail client, and not in its "Corporate and Workgroup" mode.
This saves a lot of the hassle for office types running their own mail servers.
See the NTBUGTRAQ article [ntadvice.com] for more details.
Re:Bugtraq (Score:3)
Quick fix for Outlook Express users (Score:2)
IE 5.01 SP1 (which avoids the hassles that have plagued some IE 5.5 users) not only has an upgraded browser (which corrects a problem where certain
I believe there will be a fix available on the Windows Update web site that will correct this issue by upgrading a number of
The *only* solution? (Score:2)
Wouldn't a better solution be to stop using Outlook completely?
Re:Bugtraq (Score:2)
I don't think that is the root of the problem. I think that the problem (considering strictly the Microsoft OS development, not Linux/Unix or anything else) stems from the fact that Microsoft tries to shove too many of these useless active features down the throats of the standard install people who buy their PC from OfficeMax. ActiveX is crap, all the stupid Microsoft proprietary stuff that breeds these security breaches should be curtailed. There shouldn't be huge gaping holes in major packaged components of the Microsoft OS.
If they truly innovate, they shouldn't make these mistakes. This SANS alert [sans.org] goes into more detail about the security hole. Turns out MS's software engineers actually make a series of calls out of order that preempts whatever the user chooses to do. Why does this crap get released?