[Infowarrior] - Worst Windows flaws of the past decade
Richard Forno
rforno at infowarrior.org
Wed Oct 8 02:10:42 UTC 2008
Worst Windows flaws of the past decade
The exploits and oversights that left Redmond with egg on its face
http://www.infoworld.com/archives/emailPrint.jsp?R=printThis&A=/article/08/10/06/41FE-windows-flaws_1.html
By Andrew Brandt, IDG News Service
October 06, 2008
June 25, 1998, and June 30, 2008, marked two important milestones in
Microsoft's evolution of the Windows OS -- the passing of the torch
from Windows 95 to Windows 98, and the less seemly transition from XP
to Vista.
In the 3,659 days between, users of Windows have been forced to bear
witness to another evolution of sorts: bugs that left Windows open to
exploits that appeared almost as fast as you could say, "On the Origin
of Species."
Uncovering -- and exploiting -- Windows vulnerabilities has made sport
for many and careers for many more. Entire industries have sprung up
to protect Windows users from previously unknown flaws, while malware
authors have matured their practices from juvenile pranks to
moneymaking criminal enterprises.
Caught in the middle of this never-ending onslaught is the innocent PC
user and the besieged IT admin -- you. And though Microsoft and the
entire software industry have labored tirelessly to handle zero-day
exploits and to develop protocols for reporting potential security
problems, we've seen and experienced several colossal security
meltdowns thanks to the humble Windows bug.
These errors, buried in millions of lines of code, have steered great
corporations and turned the tide of fortunes. It's high time they got
the credit they deserve. Here are the worst Windows flaws we've
endured since the introduction of Windows 98.
Password "password" would have been more secure
Bug identifier: CVE-2000-0979, MS00-072
Description: Share Level Password vulnerability
Alias: Windows 9x share password bypass
Date published: Oct. 10, 2000
Windows 9x introduced a nifty little concept wherein users could host
a password-protected mini file server, aka a share, on their PCs. The
idea was simple: Allow users of networked computers to host and share
files securely. Only the padlock Microsoft used to lock the door came
equipped with a gaping hole that rendered it useless.
"When processing authentication requests for a NetBIOS share, Windows
95/98 would look at the length of the password sent by the attacker
and then only compare that number of bytes to the real password,"
writes vulnerability expert H.D. Moore, who manages the Metasploit
Framework project.
Oops. "This let the attacker specify a password of zero bytes and gain
access to the share," without actually knowing the password at all,
Moore explains.
"The real damage," he continues, "was that by trying all characters of
incrementing lengths, they could literally obtain the password for the
share from the server."
Upshot: Rather than functioning as a lock on a door, the password
authentication scheme for Windows 95/98's File and Print Sharing acted
more like a nail through a hasp -- to open the door you only needed to
pull out the nail, with hardly any effort.
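The comparison Moore describes can be shown in a few lines. The code below is an added illustration, not code from the article or from Windows: the vulnerable check trusts the client-supplied length and compares only that many bytes, so an empty password and any correct prefix both pass; the hardened check compares the full stored secret in constant time. The password value is a constructed sample.

```python
import hmac

# Constructed sample credential for the demonstration; not a value from the article.
REAL_PASSWORD = b"s3cret"


def vulnerable_share_check(supplied: bytes, real: bytes = REAL_PASSWORD) -> bool:
    """Mirror of the MS00-072 logic described above: the server trusts the
    client-supplied length and compares only that many bytes of the real
    password. An empty password therefore always matches, and any correct
    prefix matches too, which is what turns the check into a guessing oracle."""
    return real[:len(supplied)] == supplied


def fixed_share_check(supplied: bytes, real: bytes = REAL_PASSWORD) -> bool:
    """Hardened form: compare the full stored secret, so a length mismatch
    alone fails, and do it in constant time so timing does not leak a prefix."""
    return hmac.compare_digest(supplied, real)


def compare_checks(candidates):
    """Run both checks over a list of candidate passwords and return
    {candidate: (vulnerable_result, fixed_result)} for inspection."""
    return {c: (vulnerable_share_check(c), fixed_share_check(c)) for c in candidates}


if __name__ == "__main__":
    results = compare_checks([b"", b"s", b"s3c", b"wrong", REAL_PASSWORD])
    for cand, (vuln, fixed) in results.items():
        print(f"{cand!r:10} vulnerable={vuln!s:5} fixed={fixed}")
```

The fixed version rejects the empty password outright because `hmac.compare_digest` treats a length mismatch as a failure; the vulnerable version cannot, since there are zero bytes to compare.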
Folder traversal: Total server control with a single URL
Bug identifier: MS00-078
Description: Web server folder traversal vulnerability
Alias: Directory traversal bug
Date published: Oct. 17, 2000
If there's one thing we've learned from the past decade of Microsoft
patches, it’s that not everyone keeps on top of them. When Microsoft
published this particular advisory, the patch that fixed the problem
(MS00-057) had already been released two months prior.
With this bug, if you knew the layout of a Microsoft file system --
which folders appear where -- you could send a command to a Web server
that essentially gave you total control.
As anyone who has spent any time using a Windows computer will tell
you, it's not hard to find your way around the hard drive. Documents
go in a particular folder path; most applications are put in another
folder path; and so on.
By using dots and backslashes (or their respective Unicode
representations) in the URL, this bug allowed you to navigate up and
down the file system and execute commands, just by knowing a few
simple rules and how Windows organizes itself. While account
permissions for IIS are somewhat limited, a related exploit helped
escalate privileges, giving remote users the ability to do whatever
they wanted to with Windows servers simply by sending a few URLs.
"Originally found as an anonymous post in the PacketStorm forums, this
resulted in nearly two straight years of mass ownage against Windows
web servers," Moore writes.
Upshot: Directory traversal opened up a new world for automated
attacks that merely had to call a particular URL to do their dirty work.
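As an added example (not code from the article or from IIS), here is the request-path validation a web server needs to close the class of bug described above: decode the path exactly once, reject non-canonical UTF-8 such as an overlong encoding of the slash, treat backslashes as separators, and refuse any path whose `..` components climb above the web root. The web root, the log lines and the file names are constructed for the demonstration.

```python
import posixpath
from typing import List, Optional, Tuple
from urllib.parse import unquote_to_bytes

# Assumed web root for the demonstration; the real IIS default differs per install.
WEBROOT = "/inetpub/wwwroot"


def canonical_segments(path: str) -> Optional[List[str]]:
    """Collapse '.' and '..' by hand so that a climb above the root is
    reported rather than silently clamped (posixpath.normpath would clamp it)."""
    stack: List[str] = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if not stack:
                return None          # attempted to climb above the web root
            stack.pop()
        else:
            stack.append(seg)
    return stack


def resolve_request_path(url_path: str, webroot: str = WEBROOT) -> Tuple[bool, str]:
    """Decode a request path once, reject non-canonical encodings, then map it
    under the web root. Returns (allowed, target_or_reason)."""
    path = url_path.split("?", 1)[0]
    raw = unquote_to_bytes(path)              # exactly one round of %xx decoding
    try:
        decoded = raw.decode("utf-8")         # strict: overlong forms such as %c0%af raise here
    except UnicodeDecodeError:
        return False, "non-canonical UTF-8 in path"
    if "\x00" in decoded:
        return False, "NUL byte in path"
    decoded = decoded.replace("\\", "/")      # Windows accepts either separator
    segments = canonical_segments(decoded)
    if segments is None:
        return False, "path escapes web root"
    return True, posixpath.join(webroot, *segments)


def audit_log(lines: List[str]) -> List[Tuple[str, str]]:
    """Apply the check to constructed access-log lines ('METHOD PATH') and
    return the (path, reason) pairs that would have been denied."""
    denied = []
    for line in lines:
        _method, path = line.split(" ", 1)
        ok, info = resolve_request_path(path)
        if not ok:
            denied.append((path, info))
    return denied


# Constructed sample requests; the paths and file names are invented.
SAMPLE_LOG = [
    "GET /scripts/index.asp",
    "GET /images/./logo.gif",
    "GET /scripts/..%5c..%5cprivate/secret.txt",
    "GET /scripts/..%c0%af..%c0%afprivate/secret.txt",
]

if __name__ == "__main__":
    for path, reason in audit_log(SAMPLE_LOG):
        print("DENY", path, "->", reason)
```

The overlong form is rejected before any path logic runs, because Python's strict UTF-8 decoder refuses it; the backslash form survives decoding but is caught by the segment walk, which refuses to pop past the root instead of clamping the way `normpath` does.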
Code Red: Deadly bug, disgusting soda
Bug identifier: MS01-033
Description: Unchecked buffer in index server ISAPI (Internet Server
API) extension could enable Web server compromise
Alias: The Code Red bug
Date published: June 18, 2001
What happens when you send a ton of data at a Microsoft Web server? If
it was the summer of 2001, well, you owned the network. At least
that's what happened a little more than a month after Microsoft
released this obscure-sounding patch for IIS Web servers.
The nature of the bug was simple: Take an IIS server, invoke a buffer
overflow, and commands spill into other parts of system memory.
Because the commands were issued in the context of the system itself,
the bug opened up for exploitation virtually all aspects of the
server's operation.
And exploitation happened, all right, on a scale that hadn't been seen
before.
On the afternoon of Friday, July 13, 2001, security engineers at eEye
Digital Security received reports of a worm that was spreading rapidly
through its customers' networks. Fueled by a limited edition, crimson,
caffeinated, high-fructose corn syrup-based beverage, Mark Maiffret
and Ryan Permeh spent a weekend reverse-engineering the worm, and
alerted the world to its presence.
What the worm did was probe vulnerable IIS servers, infect them, and
create 100 threads of itself, which then spread to other computers. If
the date was between the 20th of the month and the end of the month,
it would attempt to spew data at www.whitehouse.gov. Permeh and
Maiffret estimated that the worm could infect approximately 500,000
unique IP addresses per day.
Upshot: Code Red really drove home the importance of patching bugs
soon after Microsoft released the patch, because the patches
themselves give malware authors clues to exactly where they should
look for new vulnerabilities.
Fastest infection. Ever.
Bug identifier: MS02-039
Description: Buffer overruns in SQL Server 2000 Resolution Service
could enable remote code execution
Alias: The SQL Slammer bug
Date published: July 24, 2002
While technically not an OS bug, the SQL Slammer bug deserves honorary
mention due to the sheer velocity with which vulnerable systems were
infected. The bug targeted Microsoft's database server. Vulnerable
computers were subject to buffer overflows that, if properly crafted,
could place commands into memory to cause the targeted system to
execute those commands with the permissions of the database service.
Patching was complicated by the fact that admins needed to run an
earlier patch before they could run the MS02-039 fix. The bug affected
primarily corporate server systems, but also affected home users who
had MSDE (Microsoft SQL Server Desktop Engine) installed. That made a
number of home users, some of whom didn't even know they had MSDE on
their machines, unwitting participants in the carnage to come.
Because the Slammer worm primarily targeted servers running databases,
it didn't infect millions of machines. It did, however, spread rapidly
-- so rapidly, in fact, that it had infected roughly 9 out of 10
vulnerable machines within 10 minutes of being released on Jan. 25,
2003. The entire worm was only 376 bytes, and fit into a single packet
of data.
The MS02-039 bug was "one of the biggest oversights of all time," says
Steve Manzuik, senior manager of security research at Juniper
Networks, "not because it was an easy or obvious bug to find -- it
wasn't."
"At the time of the patch, no one realized that every vulnerable SQL
installation was also listening on a UDP (User Datagram Protocol) port
that they could be exploited over," Manzuik explains. "Many
administrators simply locked down access to the SQL TCP ports while
forgetting about UDP."
A postmortem by the Cooperative Association for Internet Data Analysis
revealed that the worm was a model of efficiency, doubling the number
of infected systems every 8.5 seconds, and flooding the Internet with
so many infection attempts that routers shut down. When restarted, so
many routers attempted to update their routing tables simultaneously
that normal Internet traffic simply couldn't get through the gridlock.
Upshot: SQL Slammer demonstrated the power of a vulnerability that
could fit within a single data packet, and brought home the lesson
that a single application weakness could cause the entire Internet to
grind to a standstill. And it's still out there, drifting around on a
few old systems, looking for new hosts to infect.
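Manzuik's point about TCP being locked down while UDP was forgotten is a configuration error that is easy to reproduce. The following is an added example, not code from the article or from any firewall product: a tiny first-match packet filter, a weak ruleset that denies only TCP, and the corrected ruleset that also denies the UDP listener. The port numbers (1433/tcp for the SQL Server listener, 1434/udp for the Resolution Service) come from general knowledge of SQL Server 2000, not from the article; the probe packets are constructed, with the datagram sized at the 376 bytes the article gives for the worm.

```python
from dataclasses import dataclass
from typing import List, Optional

# Port numbers from general knowledge of SQL Server 2000, not from the article:
# 1433/tcp is the database listener, 1434/udp the Resolution Service.
SQL_TCP_PORT = 1433
SQL_RESOLUTION_UDP_PORT = 1434


@dataclass(frozen=True)
class Packet:
    proto: str        # "tcp" or "udp"
    dst_port: int
    length: int       # payload size in bytes


@dataclass(frozen=True)
class Rule:
    action: str                 # "allow" or "deny"
    proto: str                  # "tcp", "udp" or "any"
    dst_port: Optional[int]     # None matches every port


def evaluate(rules: List[Rule], pkt: Packet, default: str = "allow") -> str:
    """First-match evaluation, the way most packet filters of the era behaved."""
    for rule in rules:
        if rule.proto != "any" and rule.proto != pkt.proto:
            continue
        if rule.dst_port is not None and rule.dst_port != pkt.dst_port:
            continue
        return rule.action
    return default


def leaks(rules: List[Rule], probes: List[Packet], default: str = "allow") -> List[Packet]:
    """Return the probes a ruleset lets through to the SQL service."""
    return [p for p in probes if evaluate(rules, p, default) == "allow"]


# The misconfiguration Manzuik describes: the SQL port numbers are blocked
# for TCP only, so the UDP listener on 1434 is still reachable.
WEAK_RULES = [
    Rule("deny", "tcp", SQL_TCP_PORT),
    Rule("deny", "tcp", SQL_RESOLUTION_UDP_PORT),
]

# Corrected ruleset: block the UDP listener as well.
FIXED_RULES = WEAK_RULES + [Rule("deny", "udp", SQL_RESOLUTION_UDP_PORT)]

# Constructed probes: a TCP connection attempt and a single 376-byte datagram,
# the size the article gives for the entire worm.
PROBES = [
    Packet("tcp", SQL_TCP_PORT, 60),
    Packet("udp", SQL_RESOLUTION_UDP_PORT, 376),
]

if __name__ == "__main__":
    print("weak ruleset lets through :", leaks(WEAK_RULES, PROBES))
    print("fixed ruleset lets through:", leaks(FIXED_RULES, PROBES))
```

Passing `default="deny"` to `leaks` shows the stronger posture: with a default-deny policy the forgotten UDP listener is unreachable even before anyone remembers to write the rule for it.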
Billy Gates, stop making money! Make malware instead.
Bug identifier: MS03-026
Description: Buffer overrun in RPC interface could allow code execution
Alias: The Blaster Worm bug
Date published: July 16, 2003
The DCOM RPC interface is a common component of NT-based Windows OSes,
including NT, 2000, XP, and Server 2003. In the summer of 2003, it
became the subject of intense scrutiny.
As Microsoft described in the bulletin that accompanied the patch, a
successful exploit only required the attacker to send a "specially
formed request" to a vulnerable PC -- a bit like dangling candy in
front of a ravenously hungry baby.
By Aug. 11, the Blaster worm arrived, and though it spread rapidly, it
was fairly easy to block with a firewall.
Unfortunately, protecting home systems with firewalls wasn't common
practice at the time. Home users' PCs -- connected directly to the
Internet -- got whomped by the worm. When the worm's code crashed the
infected computer's RPC service, the computer would display a message
warning of imminent shutdown, and unceremoniously reboot itself.
The worm had another message, this one to Microsoft's founder, and
embedded within its code: "billy gates why do you make this possible?
Stop making money and fix your software!!"
But it was fixed. Or at least it would have been if people had patched
their systems.
At the end of the summer, Microsoft released a second set of updates
in MS03-039 that blocked additional ports that attackers could use to
mess with the RPC service.
Upshot: We're all in better shape thanks to the wide adoption of
firewalls in the home. Thanks in part to Blaster and its ilk, most
broadband modems have one built in.
That sassy bug has a lot of spunk
Bug identifier: CVE-2003-0533, MS04-011
Description: Stack-based overflow in certain Active Directory service
functions in LSASRV.DLL
Alias: The Sasser bug
Date published: April 13, 2004
In yet another example of ironic buffer-overflow goodness, this bug
made the security subsystem of Windows the agent of evil itself. And,
once again, malicious coders used Microsoft's own patch to figure out
exactly where to target the OS.
As Windows XP's gatekeeper, LSASS (Local Security Authority Subsystem)
manages the permissions of a PC's user accounts. So when eEye -- the
same company that discovered the Code Red bug -- quietly disclosed the
details of this flaw to Microsoft in October 2003, it touched off six
months of furious coding in Redmond that culminated in a patch that
fixed 13 other Windows 98, NT, 2000, XP, and Server 2003 flaws, as
well as the LSASS bug.
And, within 18 days, the Sasser worm was cruising the Internet,
hopping from one unpatched machine to another. The poorly coded worm
wreaked havoc, shutting down networks around the world. Even though a
fix was already available, many users -- in particular, corporate IT
managers -- still had not applied MS04-011. By May 1, 2004, work on
fixing the unintended damage caused by Sasser had become a round-the-clock
operation, says then director of the Microsoft Security Response
Center, Kevin Kean, with "a number of war rooms and rotating shifts"
for MSRC staffers.
Upshot: What was that about patching as soon as the updates are
available? Lessons that should have been learned three years earlier
didn't really sink in until Sasser publicly pummeled patchless PCs to
pulp.
WMF: Wherein malware is foisted
Bug identifier: CVE-2005-4560, MS06-001
Description: Vulnerability in graphics-rendering engine could allow
remote code execution
Alias: Windows Metafile vulnerability, aka drive-by downloads
Date published: Jan. 5, 2006
Over the winter holidays in 2005, security researchers began
discussing a newly discovered vulnerability in a Windows library used
by the OS to display various kinds of graphics in apps and the OS
itself.
The problem stemmed from a particular image file format, native to
Windows since the days of Windows 3.0, called WMF (Windows Metafile).
Used as the native format for storing graphics within Microsoft Office
documents, support for WMF was by that point thoroughly embedded into
Microsoft products.
WMF files contain function calls that a program sends to the GDI
(Graphics Driver Interface). Someone discovered that WMF files can
contain executable code as well. This would allow you to, say, create
a WMF file that, merely by being viewed, invokes Internet Explorer to
visit a particular URL, download a file, and execute that file. Special.
The aftermath of the discovery followed a familiar pattern. Microsoft
issued a patch on Jan. 5, 2006, in record time. But for a long while,
unpatched computers running vulnerable versions of gdi32.dll roamed
the Internet, slurping up mountains of malware.
The bug had far-reaching effects, enabling malicious code to be
foisted on unsuspecting users and executed in a variety of ways:
previewing an e-mail containing the malicious WMF file in Outlook;
viewing an image preview in Explorer; viewing a malicious WMF in
certain third-party graphics programs; indexing a hard disk that
contained a malicious file; following a URL link in an e-mail, IM, or
on another Web page to a site where the malicious file was embedded in
the Web page.
Upshot: We learned that nothing is sacred, that any file format could
be considered hostile. And we also got a cool new name for an exploit
method: drive-by downloads.
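Because a WMF is a stream of GDI records, a defender can walk that stream without ever rendering it and flag the record type that carried the problem. The scanner below is an added example, not code from the article or from Microsoft; the header layout and record constants (META_ESCAPE 0x0626, escape sub-function SETABORTPROC 9, which is what the MS06-001 fix stopped honouring in metafiles) come from the published WMF format, not from the article. Both sample files are constructed in the block, and the escape data in the flagged sample is four placeholder zero bytes.

```python
import struct
from typing import List, Tuple

# Format constants from the WMF specification (general knowledge, not from the article).
META_HEADER_FMT = "<HHHIHIH"      # type, header size (words), version, file size (words),
                                  # object count, largest record (words), reserved
META_HEADER_LEN = struct.calcsize(META_HEADER_FMT)   # 18 bytes
PLACEABLE_KEY = 0x9AC6CDD7        # optional 22-byte "placeable" header precedes the real one
PLACEABLE_LEN = 22
META_EOF = 0x0000
META_SETBKMODE = 0x0102
META_ESCAPE = 0x0626              # record type that passes printer-escape calls to GDI
SETABORTPROC = 0x0009             # the escape sub-function MS06-001 removed from WMF handling


def build_record(func: int, params: bytes = b"") -> bytes:
    """Encode one record: size in 16-bit words (including this header), then function."""
    return struct.pack("<IH", (6 + len(params)) // 2, func) + params


def build_wmf(records: List[bytes]) -> bytes:
    """Assemble a minimal disk-format WMF from a list of encoded records."""
    all_records = records + [build_record(META_EOF)]
    body = b"".join(all_records)
    max_words = max(len(r) for r in all_records) // 2
    header = struct.pack(META_HEADER_FMT, 1, 9, 0x0300,
                         (META_HEADER_LEN + len(body)) // 2, 0, max_words, 0)
    return header + body


def scan_wmf(data: bytes) -> List[Tuple[str, int]]:
    """Walk the record stream without rendering it and report every escape
    record (as ('escape', sub-function)) and any structurally broken record
    (as ('malformed', offset))."""
    offset = 0
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        offset = PLACEABLE_LEN
    if len(data) < offset + META_HEADER_LEN:
        raise ValueError("truncated WMF header")
    mtype, hdr_words, _ver, _size, _objs, _maxrec, _res = struct.unpack_from(
        META_HEADER_FMT, data, offset)
    if mtype not in (1, 2) or hdr_words != 9:
        raise ValueError("not a WMF header")
    offset += META_HEADER_LEN
    findings: List[Tuple[str, int]] = []
    while offset + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, offset)
        size_bytes = size_words * 2
        if size_bytes < 6 or offset + size_bytes > len(data):
            findings.append(("malformed", offset))   # record claims more than the file holds
            break
        if func == META_EOF:
            break
        if func == META_ESCAPE:
            params = data[offset + 6: offset + size_bytes]
            sub = struct.unpack_from("<H", params, 0)[0] if len(params) >= 2 else -1
            findings.append(("escape", sub))
        offset += size_bytes
    return findings


def is_suspicious(data: bytes) -> bool:
    """Flag a file carrying a SetAbortProc escape, which an image viewer never needs."""
    return any(kind == "escape" and value == SETABORTPROC for kind, value in scan_wmf(data))


# Constructed samples: a harmless one-record metafile and one carrying the
# escape record, with four placeholder zero bytes standing in for escape data.
BENIGN_WMF = build_wmf([build_record(META_SETBKMODE, struct.pack("<H", 1))])
ESCAPE_WMF = build_wmf([build_record(META_ESCAPE, struct.pack("<HH", SETABORTPROC, 4) + b"\x00" * 4)])
PLACEABLE_ESCAPE_WMF = struct.pack("<I", PLACEABLE_KEY) + b"\x00" * (PLACEABLE_LEN - 4) + ESCAPE_WMF

if __name__ == "__main__":
    for name, blob in [("benign", BENIGN_WMF), ("escape", ESCAPE_WMF), ("placeable", PLACEABLE_ESCAPE_WMF)]:
        print(f"{name:10} findings={scan_wmf(blob)} suspicious={is_suspicious(blob)}")
```

The scanner also reports a record whose declared size runs past the end of the file, which is the other thing a mail gateway or indexer should refuse to hand to a rendering library; it never calls into GDI, so it is safe to run over untrusted input.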
MDAC: The component that keeps on giving (headaches)
Bug identifier: CVE-2006-0003, MS06-014
Description: Vulnerability in MDAC (Microsoft Data Access Components)
could allow code execution
Alias: MDAC RDS.Dataspace ActiveX bug
Date published: April 11, 2006
Way back in 1998, Microsoft issued a security bulletin about a
component of IIS that ran under Windows NT Server called Microsoft
Data Access Components. In the bulletin, MS98-004, Microsoft warned
that a part of MDAC called the RDS (Remote Data Service) had a
vulnerability that allowed unauthorized people to browse databases.
Flash-forward eight years to the spring of 2006. Microsoft released a
security bulletin about a component of MDAC called RDS, which has a
vulnerability that permits malicious Web servers to perform drive-by
downloads against the unpatched PCs of unsuspecting victims. Eerily
familiar.
In the latter case, it was an ActiveX control that allowed users to
connect to RDS through IE and wreak havoc. The ActiveX control doesn't
behave as intended, and can be loaded and exploited if you visit the
wrong Web site.
Of course, by 2006, MDAC isn't just loaded on servers; you may have it
on your PC. Moreover, the bad guys have changed tactics. No longer
content to wait patiently for you to happen upon their malicious Web
site, they spam you with links, buy ads based on Google searches, and
load their pages with SEO (search engine optimization)-rich keywords.
The result, however, is the same: Visit and be exploited.
In fact, the bad guys are now using off-the-shelf exploit software to
put malware onto your machine. A tool called MPack that's loaded on
malicious Web sites can check to see what browser version you're using
and what patches you have installed. Based on this analysis, it
delivers the exploits that will do the most damage. More galling is
that they don't even bother to hide what they're doing, naming the Web
page that performs the exploit "mdac4.php."
Upshot: The MDAC RDS is a complex system, with a multitude of patches
available depending on which version you have installed. Manually
choosing the right patch can be a complicated task. But with such a
serious flaw, you can't afford to make a mistake. Patches like these
have helped push advancements in Windows Update, which scan your
system and pick the right patch automatically, so you don't have to.