Microsoft Security Bulletin MS04-025

 

Ignorance is Indeed Bliss

 

 

A Rant By hellNbak

 

August 3, 2004

 

 


:DISCLAIMER:

 

This paper may in fact be yet another rant with multiple mini-rants and tangents, but I do promise that while reading this you will be entertained, annoyed and hopefully educated about an issue that in my opinion has not had very much attention, or at least not as much as it deserves.  Those that I let read this before this final version have come to the conclusion that I either;

 

a.) Got way too much sun while at Blackhat/Defcon last week or

b.) Sat way too close to Gobbles in the CTF room at Defcon. 

 

This document is meant to be humorous and I fully expect to offend at least a few.  Hell, the entire shock and awe strategy has worked for Howard Stern, Marilyn Manson and even George W. Bush.  It is meant to poke fun at all the silly little things that everyone from the people owning the boxes, to those who find their lives are made into a large ball of stress because their box got owned, to those who have made a fortune based on the fact that there will always be someone curious enough to bypass a security control.  OK, maybe not that last group, I think everyone hates those guys. 

 

There will always be hackers and, to blatantly rip off and mutilate the tag line from the Open Source Vulnerability Database (OSVDB.org), everything is and always will be vulnerable.  There will always be a need for Security Bulletins; there will always be a need for patches.   

 

If you see that I crack a joke at your expense, your profession’s expense, your hobby’s expense, or even your great aunt Hilda’s expense please remember that this is meant to be an educational parody.  It is by its very design meant to create a reaction, it is meant to piss you off and hopefully, while you are loading your handgun, you will also realize that yes, among all of this text there is a message. 

 

Regardless of the conspiracy theory behind this post, regardless of the humor and regardless of what you do or do not learn from this remember this one thing.  I am speaking on my behalf and only my behalf.  I am gainfully employed in the Information Security industry, and I try to help out with other worthwhile projects when I can.  All of that being said -- this post does not represent the opinions of anyone silly enough to associate themselves with me and all my crazy talk.

 

If you really do get offended by this little paper that I wrote up at the spur of a moment then please email me – hellnbak at nmrc dot org and tell me how I offended you so I can save the material for the next time I am motivated enough to actually put an effort into something entertaining.

 

:END DISCLAIMER:

 


:DISCLAIMER FOR THE DISCLAIMER:

 

I am speaking for myself and myself only.  My employer, my friends, and mostly my mom do not at this point even know that this document exists or what the content is.  Any issues with this document should be taken up directly with me via email, via carrier pigeon, or over a beer at a pub of my choosing in a location of my choosing at a time of my choosing.  Do you get that this is created by me and all about me yet?

 

:END DISCLAIMER FOR THE DISCLAIMER:

 

 

This document may be republished only with the written consent of the author and is copyright 2004 Nomad Mobile Research Center (NMRC), although you damn well know that it’s next to impossible to get a consensus on anything over at NMRC, so do not assume that they all agree with what I have written but do assume that in the event the happy fun ball is taunted punishment will be swift.
Now for the issue at hand that I do feel is important enough for me to spend some time typing this.

 

Being at Defcon Las Vegas on Friday, and then being in transit until today I am sure a lot of you, like me, almost had a Friday release of Microsoft Security Bulletin MS04-025 slip right past.  I mean why would anyone look for a MS Security Bulletin on any other day but the usual Wednesday release date as outlined in the multitude of press articles on Microsoft's new approach to patching?

 

Apparently, Microsoft saw the issues addressed in MS04-025 to be of great enough importance to deviate from the rigid patching plan that we have all grown accustomed to.  On the other hand, if these issues were this important -- why so little fanfare about the release?  Yes, it was sent out to the MS Security Alert mailing list and yes that resulted in the typical carbon copy post to NTBugtraq, but other than that -- not a peep, NOTHING, no comment, not even from Russ Cooper himself (http://www.nmrc.org/~thegnome/russ_cooper.jpg).

 

No news articles like we normally see when MS deviates from the norm, and definitely no Security Experts being quoted in the media talking about how critical this bulletin really is to Microsoft.  Nothing, nothing but rumors and multi-page documents that may or may not have the letters N, D, and A attached to the header.  Obviously, if such a stack of papers does exist, I am not the person to confirm or deny it; I am as in the dark on the thoughts of the Redmond Machine as the next guy.  I will leave the rumor mongering and second guessing to the experts in this field over at TheRegister.co.uk and instead take a quick look at what was fixed and, in my opinion based on the usefulness of the vulnerability, why it needed to be patched quickly.

 

First from the official MS bulletin that could be found on your favorite archive of Microsoft Security Alerts or at http://www.microsoft.com/technet/security/bulletin/MS04-025.mspx

 

Version Number: 1.0

Issued Date: Friday, July 30, 2004

Impact of Vulnerability: Remote Code Execution

Maximum Severity Rating: Critical

 

There is nothing out of the ordinary here, other than the date and for the cynics in all of us -- the fact that it is considered a critical issue by Microsoft -- something that most who play in this "profession" would actually agree about for once.  Either that or we can all marvel at the fact that it is a Version Number 1.0 that may appear to even work.

 

In order to get any value out of this paper I have taken it upon myself to assume that you, the reader, are in fact literate enough to comprehend my unusually small vocabulary.  Based on this assumption I won’t bother summarizing the entire Security Bulletin and will let everyone go and see for themselves what specific versions of Internet Explorer, and on what Operating Systems, it affects, but to make a sweeping generalization consider it to affect all Windows Operating Systems and most browsers from 5.01 all the way up to 6.0 SP1.

 

So what did Microsoft consider to be critical?  Why is it critical?  What warranted this early (or was it 2 days late?) patch or, better yet, when was Microsoft made aware of these issues and how long did it take to patch?  Why should any of us care?  Why should our grandmas and other non-technical computer users care?  Actually, that last question is a horrible generalization.  I once saw an 85-year-old grandma overflow an IIS box from a Symbian cell phone completely by hand and from memory.  Enough about Marc Maiffret’s family and let’s look at the patch released by Microsoft.

 

What did MS04-025 fix?

 

In total MS04-025 admits to fixing the following three issues (direct from the Security Bulletin);

 

* Navigation Method Cross-Domain Vulnerability - CAN-2004-0549: A remote code execution vulnerability exists in Internet Explorer because of the way that it handles navigation methods. An attacker could exploit the vulnerability by constructing a malicious web page that could potentially allow remote code execution if a user visited a malicious Web site. An attacker who successfully exploited this vulnerability could run malicious script code in the Local Machine security zone in Internet Explorer. If a user is logged on with administrative privileges, this could allow the attacker to take complete control of an affected system.

 

* Malformed BMP File Buffer Overrun Vulnerability - CAN-2004-0566: A buffer overrun vulnerability exists in the processing of BMP image file formats that could allow remote code execution on an affected system. If the user is logged on with administrative privileges an attacker who successfully exploited this vulnerability could take complete control of the affected system. Users whose accounts are configured to have fewer privileges on the system would be at less risk than users who operate with administrative privileges.

 

* Malformed GIF File Double Free Vulnerability - CAN-2003-1048: A buffer overrun vulnerability exists in the processing of GIF image file formats that could allow remote code execution on an affected system. If the user is logged on with administrative privileges, an attacker who successfully exploited this vulnerability could take complete control of the affected system. Users whose accounts are configured to have fewer privileges on the system would be at less risk than users who operate with administrative privileges.

 


So When Did Microsoft Know About Each Issue?

 

CAN-2004-0549 – As explained above, this is an issue that in its simplest form allows remote code to be executed on a vulnerable system through a flaw in Internet Explorer.  First let me apologize for oversimplifying these issues.  This post is meant to draw attention to a patch that may be important enough that the general user, your grandma, my grandma, but not Marc’s grandma, needs to understand.

 

By using CAN-2004-0549 a malicious individual could bypass the local restrictions as controlled by the built-in Security Domains on a vulnerable system running Internet Explorer.  Once an attacker has exploited this vulnerability he or she can cause scripts to run on the local system outside of the restricted area. 

 

According to all the information I can find Microsoft admitted to knowing about CAN-2004-0549 approximately 60 days prior to the release of MS04-025.  There is a more detailed timeline later in this document.

 

How easy is CAN-2004-0549 to exploit?

 

Obviously, this is a bit of a trick question.  It all depends on who the person attempting to use this attack is and how they choose to use it.  A quick look around the World Wide Web reveals that there are numerous pre-created scripts and examples on how to leverage this vulnerability.  I won’t bother pasting any of these here as I am sure we all have discovered either Google (www.google.com) or the Open Source Vulnerability Database (OSVDB – www.osvdb.org) by now.  But the simple fact that you would have to be illiterate not to find enough information to make this work makes me want to say that the exploit potential for this vulnerability is high and easy.

 

So what good is CAN-2004-0549 once one learns to make the exploits work?

 

Getting the exploit to work is only half the battle.  Once you have your malicious web site set up and running with this malicious code tested and ready, you still need to trick someone into visiting your website to be exploited.  Before I go any further, I want to spell this out a bit more clearly for those friends of mine in law enforcement that might miss this point.  THE MALICIOUS INDIVIDUAL REQUIRES A WEB HOST – psssst, check the domain registration records, you just might be pleasantly surprised while shocked at the same time, and yes you might have to get a court order, let’s not step on due process shall we.  Now for those of you considering starting a life of crime by exploiting Internet Explorer, you will want to first get yourself an anonymous registry service or better yet, stop being so messy and noisy with your web defacements and actually hang on to “your” web servers for more than an hour or two.  Trust me; you just might be harder to catch next time if you…… actually I will keep that last part between your FBI handler and you. 

 

So regardless of how you accomplish it, you now have a web site that you need to bring your victims to. So other than advertising the lost video of Gweeds, some dirty, unshaved girl, and his crew in the hot tub at pool number 2 paying more attention to each other than the girl at the 2003 QueerCon ^H^H^H^H Defcon in Las Vegas you need to think of a way to actually get people to want to look at your site. 

 

Probably the easiest way to do this is by leveraging something that the real hackers have always known and done but the various Security Companies, especially the software vendors, have recently discovered and latched on to the point of actually creating a marketing buzzword for what has been long considered common sense – blended threats.  That’s right folks –  BLENDED THREATS - those of you in the marketing department for some of the larger Information Security Software Companies can now stop reading and simply attach this document to a press release saying;  “See we told you so”.

 

So just in case you actually are in marketing and you have not put this down and started calling your press contacts to get this puppy out the door before anyone else does, and you are actually still reading this, I will quickly explain in very simple terms what a blended threat is.  This is my definition so you can argue the semantics of it all you want with me, but understand that I am sitting here in nothing but my underwear trying to think of a definition that is simple but convincing.  So now that I have created a horribly distracting mental image, here we go, a definition: a blended threat is the act of using more than one vulnerability to compromise a system.  Simple right?  There you are, now as smart as some twelve year old named Mike that the press will call a hacker after he is arrested for compromising a large corporation.

 

So, based on the great definition above, how can we turn this already serious issue into an even more serious one by creating a blended threat?  Well, for help we need to seek a higher power.  This power is one that has been an old secret of experts, authors, and teachers everywhere.  Once you harness this power, you too can be a Hacker Ninja.  You too can sport mad skills.  This power is the one, the being, the keeper of all; Google. 

 

A quick search using Google (and some other tools that, if the Google thing was news to you, you are just not ready for yet) yields that the most common.  Read those last two words again: MOST COMMON.  So not the best way, not the only way, but the most common way that CAN-2004-0549 can be leveraged is by using another, yes you guessed it, Microsoft Internet Explorer vulnerability. 

Specifically, that nifty little trick used by spammers of the world, yes those scumbags that fill each of our mailboxes every day with promises of millions of dollars and large penises for all, just please click on this link or reply to this email, that’s right, those that are probably already bored with this document guessed it already: I am talking about CAN-2003-1025, the almost infamous and definitely overused Microsoft Internet Explorer Domain Spoofing Vulnerability. 

 

CAN-2003-1025 gave spammers, scammers, and pranksters the ability to trick a user, via an email or other form of online communication, into clicking on a web URL that would appear to be trusted when really, due to an error in the way that Internet Explorer handles input validation of certain characters that just happen to be in this URL that you feel you must click, you can easily make your victim think he or she (do you really want to hear about my grandma?) is actually going to a trusted Web Site. 
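As an added example (not part of the original rant, and not Microsoft's or anyone else's code), here is a small defender-side URL inspector in Python for the shape of link the domain spoofing bug abused: a `userinfo` component before the `@` in the authority, dressed up to look like a trusted hostname, while the host a browser actually connects to is whatever follows the `@`. The inspector reports the real host, the host a casual reader sees first, and why the link looks wrong. It uses only the standard library; the sample URLs are constructed and the `203.0.113.5` address is a documentation placeholder.

```python
from dataclasses import dataclass, field
from urllib.parse import urlsplit, unquote


@dataclass
class UrlVerdict:
    actual_host: str          # the host a browser would really connect to
    apparent_host: str        # the host a casual reader sees first in the link
    suspicious: bool
    reasons: list = field(default_factory=list)


def _is_control(ch):
    # C0 control characters and DEL; a byte like this in the userinfo is what
    # made the real host disappear from the address bar in the 2003 spoof.
    return ord(ch) < 0x20 or ord(ch) == 0x7F


def inspect_url(url):
    """Return a UrlVerdict describing where a link really leads.

    RFC 3986 allows an optional 'userinfo@' in front of the host, so
    everything before the last '@' in the authority is NOT the host,
    however much it may look like one.
    """
    parts = urlsplit(url)
    actual_host = (parts.hostname or "").lower()
    apparent_host = actual_host
    reasons = []

    if "@" in parts.netloc:
        userinfo = parts.netloc.rpartition("@")[0]
        decoded = unquote(userinfo)           # turns %01 into '\x01', etc.
        reasons.append("userinfo present before '@'")

        # What a reader sees: the userinfo up to the first control character,
        # minus any ':password' part.
        visible = ""
        for ch in decoded:
            if _is_control(ch):
                reasons.append("control character hides the real host")
                break
            visible += ch
        apparent_host = visible.split(":", 1)[0].lower()

        if "." in apparent_host:
            reasons.append("userinfo is shaped like a hostname")

    # Plain credentials in a URL are unusual but legitimate (ftp://user:pw@host);
    # the spoof is flagged on the hostname-shaped or control-character cases.
    suspicious = any(r != "userinfo present before '@'" for r in reasons)
    return UrlVerdict(actual_host, apparent_host, suspicious, reasons)


if __name__ == "__main__":
    # Constructed sample: looks like Microsoft, lands on 203.0.113.5.
    for link in ("http://www.microsoft.com%01@203.0.113.5/technet/",
                 "http://www.microsoft.com/technet/security/bulletin/MS04-025.mspx"):
        v = inspect_url(link)
        print(f"{link}\n  really -> {v.actual_host}  looks like -> {v.apparent_host}"
              f"  suspicious={v.suspicious}  {v.reasons}")
```

The same check is useful on the mail gateway or proxy side: a link whose authority contains an `@` preceded by something that parses as a hostname deserves a second look regardless of which browser bug of the day renders it.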

 

 

 

Before I go on let me interrupt again with a very short rant – think about this phrase – “Trusted Web Site”.  On a daily basis millions and millions of people surf the cesspool we call the World Wide Web in search of love, information, and unique pr0n.  All of these web sites, many of which you have no clue who the actual person creating the HTML is, that is if they still use people for that these days, are automatically given the ability to potentially run code on your computer or, at the very least, copy files on to your computer, either as some sort of scripting functionality or, to take it to the truly paranoid step of dementia, even via something as simple as cached images on your hard drive that you have zero control over.  If you are new, re-read this, pause and reflect on that. 

 

Then, do what the experts would do and automatically take this little tidbit completely out of context and compare it to some everyday task in order to prove your point, and come up with a meaningless phrase like this: “Surfing the average web site is the equivalent of letting complete strangers store small packages in the trunk of your car without having any control over what the contents of those packages are.” 

 

Feel safe yet?  I’ll bet you paused and just thought about what web sites you were looking at last night after the kids went to bed.  Quick, go check your inbox there has to be an email that you never wanted trying to sell you some sort of false sense of security in the form of a vaporware privacy product that is probably more owned than a hotel clerk on Kobe Bryant night.  Still feel safe?  Quick turn on CNN and wait for the next vague but Friday the 13th Part 666 scary super orange alert from those appointed to protect all of us.

 

Enough of the ranting for now and back to using CAN-2003-1025 to get a victim to your website.  Victim goes to web site, malicious code exploits CAN-2004-0549 and your computer is now a part of a thousand strong node of sophisticated machines being used to conduct very important tasks such as packet h0t4m! from #hackergirls on Effnet because h0tc4rL just realized that h0t4m! is really a thirty year old Information Security Executive with a nasty little secret that only Michael Jackson would understand.

 

Of course the above example is probably the least of your worries, chances are when your system is being used as a bot to packet whatever requires packeting you won’t be using the spare bandwidth anyways so why not let some random person who you cannot see, track, or talk to have complete control over your PC.  I mean you as the owner of that connection and PC surely won’t be held responsible right? 

 

So what happens when your “guest” decides that he wants to order a pizza but doesn’t have the funds or feels that you should purchase dinner?  Do you bank online?  Do you check credit card statements online?  Ever purchased anything from an online site?  I think you see where I am going with this……..

 

Perhaps, and this is only a suggestion, one of the members of the press might want to call the major credit card companies and after you are finished asking them about the ability to Google for credit card numbers why not see if they will tell you the dollar value of credit card fraud via the Internet these days.  Has there been an increase?  Can this increase be connected to the release of CAN-2004-0549 or any other serious web vulnerability?  What do you think the major banks would say if they could actually prove a connection between vulnerabilities and real financial loss?  Note that I said REAL FINANCIAL LOSS – so that means I am not talking about the inflated and misrepresented numbers that are usually created after an organization gets owned because they couldn’t give their Administrators the budget or support they needed.

 

By now, you should be at least starting to understand the impact of CAN-2004-0549.  If you are already way past me on this and furiously writing me a flame mail to correct all of my inconsistencies, mistakes and general offensiveness, then you sir probably got sick of this paper by the time you read the first disclaimer and should probably not bother with the email and move on to let the daily stress of your job and your life slowly eat away at you until one day you snap, change your name to MafiaBoy and become the ultimate Internet patsy.  No one liked you in high school and college and no one likes you now; you are a whiner who takes things too seriously and always will be. 

 

If you are already past the point I am so painfully trying to make but have wet yourself with laughter or have said, “that is so true” at least once then you are still with me and read on.  If you have no clue what I am talking about and don’t even get my joke, you not only work in marketing, you run the whole damn department and you should probably just wait for your options to vest, move along and hope for the best because even though you don’t realize it now, eventually a focus group and Gartner survey will tell you that yes, ignorance is in fact bliss.

 

But wait, there is more.  Before you hit that Send key on the email telling me that Microsoft addressed CAN-2003-1025 way back on February 2, 2004 almost an entire ninety days after it was reported to them by releasing the work of art currently known as Microsoft Knowledge Base Article # 833786 (http://support.microsoft.com/?id=833786) please go read the Knowledge Base Article then after you are done shaking your head at the golden nuggets of advice contained in that piece send me another email saying that I am obviously illiterate because I missed Microsoft Security Bulletin MS04-004 which contained not only a carbon copy of some of the nuggets of wisdom from KB#833786 but did in fact include a patch that does in fact address (from Bulletin MS04-004);

 

“A vulnerability that involves the incorrect parsing of URLs that contain special characters.”.

 

Great!  It’s fixed.  Microsoft took a group of developers got them all hopped up on the happy juice (is it still Jolt or is that what us old farts drink now to chase our Viagra?) and had them take a bunch of ones and zeros and make those ones and zeros replace the ability for someone to entice someone else to be interested enough in a web link to actually click on it and visit an unknown web site.

 

Speaking of websites.  Did everyone see the pictures of the Alexis Park Security Guard and the rogue stripper at pool #2 during Defcon 12 in Las Vegas?  Here you can catch the photos and high quality video here at http://www.nmrc.org/~hellnbak/dc12/poolfun.html

 

You didn’t actually click on that did you?  The patch Microsoft released that, oh by the way will cause (I am quoting from the bulletin again); “Some Internet Explorer 6.0 Service Pack 1 users may receive an error while attempting to access SSL secured Web Sites.”, prevented you from being suckered by the promise of a security guard acting inappropriately with a stripper in front of a bunch of underage boys right?  I bet you tried to click but that amazing patch, the result of an entire day of happy juice fueled work somehow prevented your hand from moving that mouse and your index finger from pushing that button.  Yeah, that’s what it does to me as well and I have the added comfort that some of the time my SSL connections will error out and not work.  That’s so special!  Imagine the ability of a closed source executable file to actually change human behavior.  Freedom to innovate indeed.

 

So I guess the point I am trying to make is, every patch previous to CAN-2004-0549 may have prevented one attack vector (marketing buzzword alert, write that one down, there will be a quiz later) but did not prevent them all, especially the simplest one of them – blatant lying.  Your parents did it to you when you were a kid – “Do this little Johnny and mommy will buy you some candy” and it works on you as an adult – “Click here for free pr0n”

 

You know as I write this I realize that I am jumping around a little and perhaps going on a few different tangents and I may have failed to mention probably the biggest issue of them all.  Probably the one issue that up until now, my new found friends, and I don’t mean good friends, I mean the type that curse your name and throw things at you randomly, at Microsoft were probably sitting there with a lot of relief. 

 

I mean everything I have written about so far can be spun – every little character that I have typed actually helps Microsoft.  It shows that they are listening, it shows that they are trying and most of all it shows that they are in fact worried about security and are in fact trying to fix the issues as quickly as they can (ahem, attention Microsoft Marketing Executive, please make the check payable to my good friend CASH and mail to the address your people think they have for me).  So I bet now that I have given them this great marketing idea – turn the seemingly negative comments into potentially positive ones that actually support your initiatives – they are feeling pretty good and are ready to stop reading and fire off a press release.  Go do that now mmmkay….

 

Let’s walk away from CAN-2004-0549 for just a couple moments.  But before we go I do want to leave this issue, albeit on a temporary basis, with a very positive and non-sarcastic comment in favor of Microsoft.  This issue was reported to Microsoft back on June 6 or June 7 depending on who you choose to believe, one of the companies I do not speak kindly of based on their track record and willingness to take advantage, or Microsoft who ummm forget it… [editor note: delete these sentences it makes zero sense as you cannot expect the reader to recognize the lesser of two evils]. 

 

Regardless of which day it was actually reported, Microsoft released MS04-025 on July 30 and updated it on August 1.  So in less than sixty days Microsoft released a patch to deal with a serious issue and even managed to fix inconsistencies ^H^H^H^H^H^H^H^H update the Security Bulletin once.  Now before you get back in front of your email to flame me for counting weekends and holidays in my time-to-fix count (you are an Outlook user aren’t you?) notice that not only does Microsoft claim to have had the issue reported to them on Sunday June 6 but they also updated the Security Alert, MS04-025, on Sunday August 1.  This leads one to assume that they do in fact work weekends on those issues that are deemed important enough, or maybe I am completely wrong.  But the reality is that it was less than 60 days, plus or minus a few.

 

However, in an attempt to simply add more confusion to the issue, I mean have these heavy breathers ever had anything of value to add other than confusion?  CERT claims that they were notified on June 3 about CAN-2004-0549 and that Microsoft confirmed the vulnerability on June 10. 

 

Also according to CERT, information on this vulnerability was first published on June 9, 2004 at 11:30:20AM, one day BEFORE Microsoft even confirmed that the vulnerability was legitimate.  I guess I kind of proved the opposite of what I was trying to prove.  The last few sentences were a legitimate attempt on my part to show you, the faithful reader who somehow has found the patience and strength to read nine pages of this garbage, that Microsoft actually reacted quickly to something; apparently I was wrong. 

 

From the best I can tell in the thirty seconds, sorry I have a short attention span sometimes, of in depth scientific research that rivals that of iDefense Labs and that can be backed up with the same general comments and half truths as a weekly marketing attempt ^H^H^H^H^H Vulnerability Alert by Mi2g, no one has specifically taken credit for discovering and releasing this vulnerability.  

 

It was found to be used in the wild by one individual and additional research was provided by another.  CERT leaks so consistently and profusely, it is a wonder that they are not wearing adult diapers.  Reporting details of a vulnerability to CERT is the equivalent of taking out a full page ad in the New York Times.  So where did the code come from?  Who reported it to CERT back on June 3? 

 

Is CERT even relevant anymore, considering that they knew about this issue six days before they published their advisory, and CERT does not specify, on any of the documentation I can find on their site, when or even if they notified Microsoft?  They simply say that Microsoft confirmed the problem on June 10.  One day after it was published and 7-8 days after the equivalent of taking out a full page newspaper ad was done with the vulnerability.

 

So if you are a user, or a System Administrator, that spent a lot of time and money cleaning up your system because of the various worms that used this vulnerability to STEAL CREDIT CARD NUMBERS, how do you feel right now?  How do you feel knowing that there is a potential, a damn good potential, that CERT completely dropped the ball on yet another vulnerability and allowed it to be used in the wild for ALMOST TWO FULL WORK WEEKS before the vendor, who everyone beats up on and who everyone blames in the first place, got to fix this problem? 

 

Don’t get me wrong, I am in no way defending Microsoft in this case either.  I mean sixty days to fix something that was being actively exploited and causing massive losses – but we will get to those losses later.  So it seems that I was attempting to move on from talking about CAN-2004-0549 and ended up ranting for a page or so.  My apologies for putting you through that, but why have none of these points been brought up or noticed?  Am I missing some important facts that change the scenario from a pretty ugly one in my opinion to something that we would all be able to at least partially stomach?

 

So, let us summarize CAN-2004-0549 very quickly so we can move on.

 

1.) It is unknown how CERT handled CAN-2004-0549

2.) It is unknown, or no one wants to take credit (would you?) for the discovery of CAN-2004-0549 so it must have been those evil hackers we read about on the various news sites.

3.) It is unknown when CERT notified the vendor or if they even did.

4.) It is known that the report on CAN-2004-0549 that CERT has named VU#713878 has gone through 69 revisions and still contains nothing helpful to us but does contain enough sample code to assist in creating your very own malicious web site.

5.) It is unknown why Microsoft spent 60 days on a patch when EVERYONE including some very large customers of Microsoft knew and were experiencing major issues and losses due to this vulnerability.

6.) It is safe to assume that this flaw has been known and exploited before June 6 which is when researcher Jelmer disclosed his findings on a mailing list.

7.) We still don’t know who told CERT about it on June 3.

8.) Consider how many IE users there are.  Consider how long they were unprotected from the various worms that exploited this issue.  Consider the amount of credit card data alone that was probably compromised.

 

Did CERT switch sides and did I miss the memo?   Who is in charge over at CERT these days?  Is it the one and only The_uT sitting behind a desk over at Carnegie Mellon University collecting a fat government funded salary, spending his time leaking zero-day and tweaking his nose at the equally sketchy SANS Institute?  Stranger things have happened, right Chris?  I mean only in America can an unreformed hacker and thief make it big.

What am I missing?  Why have we not seen anyone start busting heads at both CERT and Microsoft for this?  Well, the light at the end of the tunnel is that now you can fix CAN-2004-0549 with an actual patch that so far seems to work; at least, it works on the handful of systems I have installed it on, but your mileage may vary.

 

None of the previous twelve pages explain or help me come to any conclusions as to why this patch was released on a Friday.  Was it late or was it early?  Why wasn’t it done at least 45 days ago?  Only CERT and Microsoft can answer these questions and they don’t seem to be talking much these days at least to me.

 

After reading all of the above you may have forgotten that I started writing this to talk about and explain why MS04-025 is an important alert and why the patch needs to be considered very critical.  Those in the know have either been using an alternate browser or completely stopped surfing porn sites since this was first disclosed.  Let’s not forget that CAN-2004-0549 is not the only issue addressed in MS04-025; there are still two more issues that are equally important and unfortunately only raise more questions and concerns.  These other two issues are (taken from MS04-025);

 

* Malformed BMP File Buffer Overrun Vulnerability - CAN-2004-0566: A buffer overrun vulnerability exists in the processing of BMP image file formats that could allow remote code execution on an affected system. If the user is logged on with administrative privileges an attacker who successfully exploited this vulnerability could take complete control of the affected system. Users whose accounts are configured to have fewer privileges on the system would be at less risk than users who operate with administrative privileges.

 

* Malformed GIF File Double Free Vulnerability - CAN-2003-1048: A buffer overrun vulnerability exists in the processing of GIF image file formats that could allow remote code execution on an affected system. If the user is logged on with administrative privileges, an attacker who successfully exploited this vulnerability could take complete control of the affected system. Users whose accounts are configured to have fewer privileges on the system would be at less risk than users who operate with administrative privileges.
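The two bulletin entries above say only that a buffer overrun exists in the processing of the image file format; they do not say where.  What follows is an added example of mine, not Microsoft’s code and not anything taken from the bulletin: a hardened BMP header parser in C that performs the class of validation a decoder must do before it trusts the width, height and bit-depth fields to size a pixel buffer.  Every size computation is done in 64 bits, bounded by an assumed policy limit, and checked against the bytes actually supplied, so the pixel copy that follows can never run past what was allocated or past what was received.  The function and type names, the limits, and the constructed sample files built by make_bmp are all my own assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Added example: hypothetical hardened BMP header parser (not Microsoft's code).
 * Limits below are decoder policy choices and are assumptions. */
#define BMP_FILE_HDR 14u
#define BMP_INFO_HDR 40u
#define BMP_MAX_DIM  16384                          /* assumed policy limit */
#define BMP_MAX_PIXEL_BYTES (64u * 1024u * 1024u)   /* assumed policy limit */

enum bmp_status {
    BMP_OK = 0,
    BMP_TRUNCATED,        /* too short to hold both headers */
    BMP_BAD_MAGIC,        /* not "BM" */
    BMP_BAD_DIMENSIONS,   /* zero, negative or over-limit width/height */
    BMP_BAD_BPP,          /* unsupported bits per pixel */
    BMP_TOO_LARGE,        /* pixel buffer would exceed policy limit */
    BMP_DATA_TRUNCATED    /* header promises more pixel data than is present */
};

struct bmp_info {
    uint32_t width, height, data_offset;
    uint16_t bpp;
    size_t row_bytes;     /* each row padded to a 4-byte boundary */
    size_t pixel_bytes;   /* row_bytes * height */
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }

/* Validate the headers and derive buffer sizes WITHOUT touching pixel data.
 * Every arithmetic step that feeds an allocation size is done in 64 bits and
 * checked against both a policy limit and the bytes actually present. */
enum bmp_status bmp_parse(const uint8_t *buf, size_t len, struct bmp_info *out)
{
    if (len < BMP_FILE_HDR + BMP_INFO_HDR) return BMP_TRUNCATED;
    if (buf[0] != 'B' || buf[1] != 'M') return BMP_BAD_MAGIC;

    uint32_t data_offset = rd32(buf + 10);
    const uint8_t *ih = buf + BMP_FILE_HDR;              /* BITMAPINFOHEADER */
    if (rd32(ih) < BMP_INFO_HDR) return BMP_TRUNCATED;   /* declared header size */

    int32_t  w   = (int32_t)rd32(ih + 4);
    int32_t  h   = (int32_t)rd32(ih + 8);                /* negative = top-down rows */
    uint16_t bpp = rd16(ih + 14);

    if (w <= 0 || w > BMP_MAX_DIM) return BMP_BAD_DIMENSIONS;
    if (h == 0 || h > BMP_MAX_DIM || h < -BMP_MAX_DIM) return BMP_BAD_DIMENSIONS;
    if (bpp != 1 && bpp != 4 && bpp != 8 && bpp != 16 && bpp != 24 && bpp != 32)
        return BMP_BAD_BPP;

    uint32_t height = (uint32_t)(h < 0 ? -h : h);        /* safe: |h| <= BMP_MAX_DIM */
    uint64_t row    = (((uint64_t)w * bpp + 31) / 32) * 4;  /* 4-byte aligned rows */
    uint64_t total  = row * height;                      /* cannot wrap in 64 bits */
    if (total > BMP_MAX_PIXEL_BYTES) return BMP_TOO_LARGE;

    /* The declared data offset and size must fit inside what we were given. */
    if (data_offset < BMP_FILE_HDR + BMP_INFO_HDR || data_offset > len) return BMP_DATA_TRUNCATED;
    if (total > (uint64_t)(len - data_offset)) return BMP_DATA_TRUNCATED;

    out->width = (uint32_t)w; out->height = height; out->bpp = bpp;
    out->data_offset = data_offset;
    out->row_bytes = (size_t)row; out->pixel_bytes = (size_t)total;
    return BMP_OK;
}

/* Constructed sample input: writes a minimal BMP (both headers plus data_len
 * zero bytes of pixel data) into buf.  Returns total length, or 0 if it won't fit. */
size_t make_bmp(uint8_t *buf, size_t cap, int32_t w, int32_t h, uint16_t bpp, size_t data_len)
{
    size_t total = BMP_FILE_HDR + BMP_INFO_HDR + data_len;
    if (cap < total) return 0;
    memset(buf, 0, total);
    buf[0] = 'B'; buf[1] = 'M';
    wr32(buf + 2, (uint32_t)total);
    wr32(buf + 10, BMP_FILE_HDR + BMP_INFO_HDR);         /* pixel data offset */
    wr32(buf + 14, BMP_INFO_HDR);
    wr32(buf + 18, (uint32_t)w);
    wr32(buf + 22, (uint32_t)h);
    wr16(buf + 26, 1);                                   /* colour planes */
    wr16(buf + 28, bpp);
    return total;
}

int main(void)
{
    uint8_t buf[256];
    struct bmp_info info;
    size_t n = make_bmp(buf, sizeof buf, 4, 2, 24, 24);  /* 4x2 at 24bpp: 12-byte rows */
    enum bmp_status st = bmp_parse(buf, n, &info);
    printf("well-formed: status %d, %zu pixel bytes\n", st, info.pixel_bytes);
    n = make_bmp(buf, sizeof buf, 4, 2, 24, 10);         /* header promises 24, only 10 present */
    printf("short data: status %d\n", bmp_parse(buf, n, &info));
    n = make_bmp(buf, sizeof buf, 0x7fffffff, 0x7fffffff, 32, 0);
    printf("absurd dimensions: status %d\n", bmp_parse(buf, n, &info));
    return 0;
}
```

The design point is the ordering: nothing derived from the header is used as a length until it has been range checked, the row and total sizes are computed in a width that cannot wrap, and the result is compared with the length of the buffer the parser was actually handed rather than with the length the file claims for itself.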

 

Both of these issues have the same potential as CAN-2004-0549.  So instead of beating a dead horse, let’s just make some generalizations and assumptions about these two vulnerabilities.  They are serious and they need to be patched; it is that simple.  When I started writing this paper it was a serious technical analysis of the patch; I wanted to do a good job and provide in-depth detail on all three issues.  The more I read, the more cynical and sarcastic I found myself becoming, and now we have a paper that hopefully still makes a point and hopefully still asks the right questions.

 


Instead of wasting your time with more insulting jokes (yes, I have run out of good material; to be honest, all of this has frustrated me and given me a migraine), I will simply break down the timeline for all three vulnerabilities so that we can see when they were reported and when they were fixed.

 

Please note that I am using the dates that CERT/CVE/MS use as discovery dates, and I am fully aware that there is a good chance someone sat on these for a few weeks to play before letting them go public.  Perhaps even longer.

 

CAN-2004-0549

Date Discovered:  June 3 and June 9
Public Disclosure:  June 9
Vendor Confirmation:  June 10
Vendor Notification:  unknown
Vendor fix release:  July 30
Vendor fix time:  ~60 days
Window of Vulnerability:  At least 60 days that we know about

 

Not to sound repetitive, but this is kind of important to hammer home.  This vulnerability was used in worms, spyware and key logging software that may have been used to steal credit card and other personal information, with the potential to cause millions of dollars of REAL losses.

 

Good thing we are all too preoccupied with the fear of a plane falling from the sky and killing us all to notice our credit card bills.

 

 


CAN-2004-0566

Date Discovered:  Feb 15, 2004
Public Disclosure:  Feb 15, 2004
Vendor Confirmation:  July 30, 2004
Vendor Notification:  not directly, but publicized on Feb 15, 2004
Vendor fix release:  July 30, 2004
Vendor fix time:  ~168 days
Window of Vulnerability:  ~168 days at least

 

Again, this enabled YOUR STUFF TO BE STOLEN and YOUR COMPUTER TO BE ABUSED.  Why did Microsoft not even respond to the Feb 15 post?  I mean, the post was based on their own source code that THEY LET BE STOLEN.  Did the person at Microsoft who was supposed to be monitoring that specific disclosure point fall asleep that day?  Microsoft does have a plan in place and people in place to monitor potential alternate disclosure points, right?  I mean, surely Microsoft does not assume that someone will eventually fire off an email to secure@microsoft.com so they need not bother to watch the other usual spots, do they?

CAN-2003-1048

Date Discovered:  September 2, 2003
Date Published:  September 2, 2003
Vendor Confirmation:  July 30, 2004
Vendor Notification:  unknown, but public on September 2, 2003
Vendor fix release:  July 30, 2004
Vendor fix time:  10 months, give or take a few days
Window of Vulnerability:  10 months, but don’t worry: according to MS (from MS04-025) they saw no evidence of it being exploited in the wild.  Somehow that doesn’t make me feel better, seeing how it took them ALMOST A YEAR to fix this.  So if something is able to silently install a Trojan that will then in turn silently collect your keystrokes and send them off to another location, how would you know?  Where would your evidence be?  Your credit card statement would be your only clue, but by then it is a bit late, isn’t it?

 

Do I even need to say it a third time?  Microsoft, what happened to Trustworthy Computing?  What happened to the Security Response Team that I knew under Scott Culp, which was in the public eye, visible, and actually attempting to make a difference, or at least responding to various mailing list posts?

 

I honestly had hoped I could avoid blaming Microsoft in this fifteen page rant, but between Microsoft and CERT it feels like I just typed up the script to the third sequel of Dumb and Dumber – “The Clueless, Uncaring but Market Focused Awareness Response Team Specialists.”  (I sure hope someone sees the joke in that title…)

 

It is funny; quite some time ago I did an interview with a reporter who asked me what I thought of Trustworthy Computing – now that some time has passed, is it working, and just how is Microsoft doing?  I did my best to say something nice because compared to the old days they HAD improved a considerable amount.

 

Then, in an attempt to write something helpful, I did a bit of research on three vulnerabilities that I had not followed very closely when they were released but began to as of late, and felt that they were important enough to look into.  To be honest, I am sorry I did.  Ignorance truly is bliss… I have already patched my Windows boxes; I should have just done my reboot and not bothered………

 


So let’s do the whole executive summary thing for those who have skipped to the end looking for the bottom line.

 

MS04-025 was far too important to be simply treated as yet another patch and released on a day that no one other than those who had the beta versions knew to expect it.  Microsoft, based on their handling of these three vulnerabilities, has proven that Trustworthy Computing is nothing more than lip service and any progress they had made was in vain.

 

CERT, well, what more can I say.  We all know it; we are all thinking it: why does anyone bother with an organization that has proven MULTIPLE times that they completely suck at handling vulnerability information, to the point of potential criminal activity?  I sure hope their training is better, but considering who their competition is they won’t have to work too hard on it.

 

It’s funny, I had a discussion with someone who is a much smarter man than me when it comes to many topics.  We were debating the usefulness of all the vague fear mongering alerts being issued by the DHS, and without really thinking of the entire picture I made a comment about not giving the alerts until they are sure of a threat, in order to prevent the mass fear that is usually created.

 

This comment got twisted into the age old vulnerability disclosure debate.  But my esteemed debate opponent (if you can call a small email thread a debate) made me think.  What if we did put MS04-025 into this context – a more real world, real dollar measuring context?  For example, let us assume that the day the alert level was raised for NYC and parts of NJ there were at least a few hundred people who became too scared to even leave their homes.  Yes, hard to believe, but no, I am not trolling; work with me here.

 

On Friday, July 30 Microsoft released Security Bulletin MS04-025.  Then on Sunday, August 1, 2004 Microsoft updated that bulletin.  So how many people got this security bulletin and became so scared and fearful that they could not leave their home?  Compare that number to the number of people who saw the bulletin and simply thought, “weird, it’s not Wednesday, I’ll look at that on Monday, it must be a fake or something.”

 

Now imagine Bill Gates going on CNN and announcing to the world that they have raised their alert level to Orange due to the fact that MS04-025 has been released to deal with old issues that may or may not have been used to harvest millions of dollars of credit card numbers and to be honest they aren’t really all that sure of the impact, the level of active exploits in the wild, or even the location of malicious sites.

 

Do you think your Grandma, Mom, or Sister would still be using the Internet to order various products that seem to always show up in brown paper bags if they knew that for the last 60 days their information could be stolen leading to fraud and identity theft?  What about if they knew they were vulnerable for the last 168 days?  How about the last 10 months? 

 


Someone, it might have been incidents.org or one of the other similar organizations, made a statement about at least 1000000 unpatched IE systems being infected by a worm that leveraged one of the vulnerabilities finally addressed in MS04-025.  So is 1000000 a large enough number to indicate a problem?  Is 1000000 a large enough number to indicate perhaps a more sinister threat?  I have no idea if this 1000000 number is even close to correct, but knowing the percentage of IE users vs. other browsers – it is definitely possible.

 

Think the non-savvy computer user is still going to shop online?  Well, in this case of course they will, because they have no reason to stop.  Because what we have here is a failure to communicate.  What Microsoft wants is to simply maintain the status quo – release a Security Bulletin with a patch and hope no one actually looks deeply into either the issues around that patch, such as these, or the technical abilities of the patch itself.  Don’t ask, don’t tell: just turn on your Auto-update and don’t be scared; you will be updated whenever and protected sometimes, but there is really nothing you as an end user can do to change that.  Oh, but don’t forget to vote and register your firearms.

 

Bottom Line – install MS04-025 right now and check your systems for Trojans, key loggers and other backdoors. 

 

Want the bigger picture?  Keep track of your time and send the bill to both Microsoft and CERT.  Oh, and you might want to check your credit cards and credit history for anything suspicious.  Whatever you do, do not attempt to compile a list of current unfixed Microsoft vulnerabilities or how long they, or others for that matter, have known about them – no one seems to care.

 

It is days like this that I look at http://www.nmrc.org/project/InfoAnarchy/ and wonder what could have been changed if the researchers and hackers actually cared enough to make those changes.  Microsoft won’t change anytime soon; why would they?  They are still trying to sell us on the new and finally secure Windows.  They have not learned (or maybe they have and are just ignoring it) that no matter what you do vulnerabilities will exist, which is why we need a proper way to deal with these vulnerabilities.  CERT is not the answer, obviously.  CERT won’t change; they have no reason to.  What about the Organization for Internet Safety (OIS)?  Nope, the theory is alright, but their ideas on what the standard should be are off base, and they already proved that when a vendor chooses to ignore them they will.  The more things change – the more they seem to stay the same.

 

As one last tweak, let’s make a quick list, and I do mean quick: I am not spending more than 10 minutes on this next bit, which will do nothing but create more frustration and prove that absolutely nothing has changed, except that perhaps eventually our biggest worry will stop being some kid having some fun at the expense of others’ networks and hosts and become a bigger, much more serious issue.

 

I have always written off the whole Cyberterrorism rants by clueless reporters such as Verton as nothing more than the same chest beating and media whoring we are already accustomed to, and part of me hopes that we can continue to write off that topic as nothing more than FUD.  More of the same and more of the different.  Different operating systems.  Different vulnerability.  Same type of attacker.  And, more importantly, the same type of vendor response.  Blissful indeed.

Seeing how I beat on Mr. Maiffret a bit in this paper (and yes, it was nothing more than me going all out on the shock and awe campaign), here is an excellent link to the eEye web site that helps illustrate some of my points:

 

http://www.eeye.com/html/research/upcoming/index.html

 

There used to be a good list of unpatched Internet Explorer issues hosted by some other company who apparently used to care about Internet Explorer security, or marketing, you pick.  But apparently that list was “sold”, then burned and boiled by an illiterate man so that the information could be lost forever.  Amazing what some promises and cash can do these days.  Oops, there I go with the blatant unfounded rumors again; it must be nothing more than a coincidence.

 

If anyone happened to mirror or maintain their own list send me an email and I will update this document.

 

Mail to:  hellnbak at nmrc dot org

 

 

References:

 

MS04-025 - http://www.microsoft.com/technet/security/bulletin/ms04-025.mspx
CAN-2004-0549 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0549
CAN-2004-0566 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0566
CAN-2003-1048 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-1048
OSVDB - http://www.osvdb.org
CERT - http://www.kb.cert.org/vuls/id/713878