Now for the detailed response...

At 09:16 PM 8/30/99 -0400, SysAdmin wrote:

>ANY Windows 98 file can be overwritten.

Sure - the OS has no concept whatsoever of securing itself from the end user. DoSing Win98 with an attack like this is trivial. However, it is still a cheap, lame attack on end-users that really doesn't gain you anything and gives people a bad day. Maybe that's your idea of fun, but it isn't mine. May as well send them an executable that fdisks the hard drive. Probably work nearly as often, and do a lot more damage. Put dancing bunnies in the .exe. People love dancing bunnies.

>I would like to note, for the record, that the vast majority of home users

For the record, this hole is a serious one. I don't downplay the seriousness of the issue. I can make it do a lot more than you're thinking about here, and a number of the obstacles you mention can be overcome trivially. YOU CAN GET THE USER TO EXECUTE ARBITRARY CODE. Period. End of story. What you do with that code is up to you. There is no need to delve into the details of just how you steal the lunch money from the end users.

>Despite David LeBlanc et al. assurance that we could just disable Active X I'm discussing
>it because you know your poor parents are NEVER going to,

Since this is a security list, people here care about security. One of the things we do here is discuss work-arounds. Most UNIX admins don't install patches either. Most _people_ don't install patches. I've broken into systems that had holes that were 10 years old. Maybe some of the people will read this, and say "Damn, he's right", then go click on several buttons and poof - they aren't vulnerable any more. Then if some sociopathic moron DOES go off and create an e-mail virus with this as the payload, maybe just maybe SOMEONE won't be hit by it.

I try to offer helpful suggestions as to how to make things BETTER, given that between the fact that security holes happen, end users are usually clueless, and sysadmins aren't much better, most networks are a mess. The ONLY chance you've got against this sort of thing is automated tools to check LOTS of systems at once so that you know where the problems are. I deal with a network that approaches 100,000 systems, so I know something about scale. No, most people won't go turn it off. They'll accept the defaults, whatever they are. Somewhat more of them will read about this in the news and go get the patch.

>And, of course, what average user could EVER
>recover from this sort of damage?

They'll go get a friend who will help them reinstall, or go pay CompUSA or something. They might not ever figure out what got them. Too bad you can't get them to take a snapshot using their web cam and send it to you so that you can see the misery on their face.

>Onto Windows NT, yes, David was correct, you can bar write access in NTFS
>and it cannot be written to. I have not invested any interest in this but I
>assume there is at least one critical system file (possibly security file)
>that he would miss and might be overwritten.

Maybe you should. If you're not running as admin, there isn't much you can torch off, and certainly not the SAM file.

>In fact the default for the
>Administrator or one with Administrator privileges is Full Access. Of course
>this would allow the exploit to run. The other thing to remember is that in
>very small domains the average user is generally administrator

This is true. Far too many people run as admin. Fortunately, this should get better in Win2k - several changes to encourage people to run as < admin, and make life easier if you want to change user context to go do something.

>and remember
>this exploit can be E-Mailed!!! or mass-mailed! get my drift?

I understand that.

E-mail readers that display HTML aren't a really great idea in my personal opinion, and I'm not using one right now. However, I would encourage people to set their mail reader to assume that e-mail is a hostile site, and make the settings accordingly. Again, just a vain hope that maybe a few people might be more secure. IF someone takes my suggestion and tweaks their settings, there are whole classes of attacks that will no longer get them. And if you do mass mail something like that, you'll cost people a LOT of money, and the feds will make a good effort to hunt you down and put you in jail. Jail is not a fun place.

>The other
>thing is that the default install for NT (especially on HP's) is FAT,

Wrong. That could be how that manufacturer sets up _some_ of their machines, but it isn't default for NT install.

>which
>does not allow specific file security. Anyone know a dual-booter? Maybe
>someone who doesn't even know what NTFS is? I thought so.

Most people who don't know what NTFS is are still using it if they are running NT.

>Not bad, huh?

Actually, it contains flaws which are trivially overcome that make it break under a number of conditions. Though considering what this code does, not working could be thought of as a feature.

>This exploit needs to be realized for what it is, a very
>dangerous problem. If someone mass-mailed it to my domain I wouldn't be able
>to deal with bouncing between three offices helping EVERY single user.

It is extremely dangerous. I'm not down-playing that point at all. Go tweak your settings and get your fixes. Go around to your end-users and tweak their settings for them. Make a .reg file that tweaks the settings, and get them all to run it. Write a script that checks for the presence of the patch, run it against all your end users, and make a list of the ones that aren't patched. Then go patch them.

David LeBlanc
dleblancat_private
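The closing advice above (check every end-user machine for the patch, list the ones that are missing it, then go patch them) is the kind of thing that today would be done from PowerShell. The script below is an added example and is not part of the original post or anything its author published; it assumes a hosts.txt file with one hostname per line, uses a placeholder KB identifier because the post names no specific fix, and relies on Get-HotFix (which queries Win32_QuickFixEngineering on each remote host). A host that cannot be queried is reported separately rather than silently treated as patched, since an inventory that conflates "unreachable" with "fixed" is exactly the kind of false comfort the post warns about.

```powershell
# Added example, not code from the original post. Checks each host listed in
# $HostList for the hotfix $HotfixId and writes the unpatched hosts to $Report.
param(
    [string]$HostList = ".\hosts.txt",   # assumed: one hostname per line
    [string]$HotfixId = "KB000000",      # PLACEHOLDER: substitute the real KB id
    [string]$Report   = ".\unpatched.txt"
)

$patched     = New-Object System.Collections.Generic.List[string]
$unpatched   = New-Object System.Collections.Generic.List[string]
$unreachable = New-Object System.Collections.Generic.List[string]

foreach ($computer in Get-Content -Path $HostList) {
    $computer = $computer.Trim()
    if ([string]::IsNullOrWhiteSpace($computer)) { continue }

    try {
        # Pull the full hotfix list rather than filtering on -Id, so that a
        # query failure (host down, RPC blocked, no rights) surfaces as an
        # error and is not confused with "hotfix not present".
        $installed = Get-HotFix -ComputerName $computer -ErrorAction Stop
        if ($installed.HotFixID -contains $HotfixId) {
            $patched.Add($computer)
        } else {
            $unpatched.Add($computer)
        }
    } catch {
        $unreachable.Add($computer)
        Write-Warning "Could not query $computer : $($_.Exception.Message)"
    }
}

# The report is the work list: these are the machines to go patch.
$unpatched | Set-Content -Path $Report

Write-Output ("Checked {0} hosts for {1}" -f ($patched.Count + $unpatched.Count + $unreachable.Count), $HotfixId)
Write-Output ("  patched:     {0}" -f $patched.Count)
Write-Output ("  unpatched:   {0}  (written to {1})" -f $unpatched.Count, $Report)
Write-Output ("  unreachable: {0}  (verify these by hand)" -f $unreachable.Count)
```

Run it from an account that has remote WMI rights on the target machines, and treat the unreachable list as unfinished work rather than noise: a host you cannot inventory is one you cannot vouch for.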
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:01:06 PDT