I wish to point out the risks of relying on poorly researched media reports for information about security ...

The last issue of the RISKS digest [19.48] contained a report passed on from the CNET news service about the 'land' attack. The CNET report, which appears at <http://www.news.com/News/Item/0%2C4%2C17009%2C00.html>, carries a date of 4 Dec 1997 at 5pm PST.

For a start, the way in which the article was written indicates a general misunderstanding of the bug and the possible exploitation thereof. More seriously, the article also appears some 14 days after the first posting (including exploit code) of the 'land' vulnerability to the BUGTRAQ list. But today's "news" does coincide quite nicely with the announcement that Microsoft would release patches.

And please also note that the statement of "Jason Grams, a product manager at Microsoft", that "[o]bviously, this isn't a Microsoft-only problem, it's a pretty big problem" is not entirely accurate. There are a number of operating systems which are not vulnerable to this attack, including current releases of Linux, Solaris, Irix, OS/2 and others ... other vendors, including CISCO, acted immediately to warn of and patch vulnerabilities in their products. Wired News published an excellent article as early as 21 Nov 1997:
<http://www.wired.com/news/news/technology/story/8707.html>

While I'm writing about this particular problem, I might also quote from a Microsoft executive asked recently about the possibility that the Internet Explorer 'res://' bug and the Pentium bug could be combined.

"It's not as simple as sitting down at an IE4 machine. We've tried it on several [machines] and we get a crash but that's it, which is certainly not a security hole," he said.
<http://www.wired.com/news/news/technology/story/8429.html>

Is that really acceptable coming from a major OS vendor?

A demonstration of the exploitation of the 'res://' Internet Explorer bug in combination with the recently discussed Pentium bug is available at <http://www.ee.surrey.ac.uk/Personal/L.Wood/IE4res/> [WARNING: this demonstration may crash your machine].

And here's a quote from a Microsoft technical note about security risks in Windows 95 file and print sharing:

"The SMBCLIENT Samba network client allows users to send illegal networking commands over the network. At this time, the Samba client is the only known SMBCLIENT that does not filter out such illegal commands. SMBCLIENT users do not automatically gain access to the Windows 95 drive; these users must know the exact steps to send these illegal commands."
<http://premium.microsoft.com/support/kb/articles/q128/0/79.asp>

Glossary: Samba <http://samba.anu.edu.au/> is an implementation of the SMB protocols to allow UNIX servers to be used in a Microsoft environment, as both servers and clients.

Does anybody here want to volunteer for a trip to Seattle to explain to the Microsoft 'engineers' that client-server security mechanisms probably shouldn't rely on the good behaviour of the clients ??

It looks to me like it might be time to encourage a little more genetic diversity in operating systems ... let's not build the world around this sort of nonsense ...

Hmmm ... and does anybody here still think today's "news" is news ??

Geoff <www.homosapiens.org>

-- 
Geoffrey King
Manager, Australasian Legal Information Institute
Lecturer, Faculty of Law, University of Technology, Sydney
phone +61(2) 9514 3176  fax +61(2) 9514 3400
email geoffat_private (pgp key available)
www http://www.homosapiens.org/
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:35:01 PDT