page 1 of 2
Comments: 41 | Views: 24170
jonathanh
My mod color is red

Straight from my inbox:

"This morning, the Microsoft Security Response Center released a configuration change to the Windows Operating System that is designed to help protect customers against recent attacks against Internet Explorer.  This update was released to the Microsoft Download Center
(http://www.microsoft.com/downloads/details.aspx?FamilyID=4D056748-C538-46F6-B7C8-2FBFD0D237E3&DisplayLang=en) and will be on Windows Update shortly for all supported versions of Windows."

I was writing a reply to Feedback wanted on adodb.stream modification. But it fits just as well here.

How to disable the ADODB.Stream object from Internet Explorer

So it took the MSFT security guys 20 days to figure out how to cut and paste from http://www.eeye.com/html/research/alerts/AL20040610.html?

Think 20 days is reasonable? Then check this out:

Download the fix and check the file creation date. It says 2003-10-02.
Then look at http://seclists.org/lists/fulldisclosure/2003/Aug/1703.html

Now, where are the fixes for the rest of the security problems?
Sorry Microsoft. I'm not impressed. At all.

/Lars.
jaxSharif
EncryptOrDie
I wonder if this adodb.stream setting will hose up Sharepoint file management in IE.
Hmm.
manickernel
anticipate consequences..
Hmmm, glad you mentioned that. I just created a shared workspace and that was ok, but I will let you know if anything else breaks. 'Course I am using the Eeye version myself.
Blkbam
Bam, Bam! Bam, Bam Bam!
I have apps that use Streams to pull blobs out of database tables.  Will those apps be affected by disabling ADODB.Stream?  The apps are in C++ and VB.  Neither of which use IE.
Stepto
Not everyone at the MSRC shaves their head.

Hi lars,

It seems on the surface like I should take it on the chin for that one, but one thing to keep in mind: other software companies may not have to worry about the impact on customers of putting out a change like that.  We do. 

Because security is such a critical issue, and our security commitments apply to such a large and diverse customer base, it'd just be irresponsible of us to provide or endorse a tool that could potentially cripple features and functionality that our customers have come to depend on without proper evaluation of the functionality, testing and guidance.  

It's not so simple to just place an update out on Windows Update.  There has been a lot of investigation and talking to customers about this.  In this case we had to make an analysis of how people were using the functionality and make that decision on turning it off.  The recent attacks showed us the functionality was being co-opted lately to put increasing numbers of customers at risk.

That said, this is just the first step and helps protect customers from the current attacks.  We're working day and night on a comprehensive update, and once that has reached our quality bar we'll get it out to help further protect customers.

We here at the MSRC are still hunkered down in the offices with our sleeping bags working on this.  Stay tuned!

S.

ZippyV
Fired Up
lars wrote:
So it took the MSFT security guys 20 days to figure out how to cut and paste from http://www.eeye.com/html/research/alerts/AL20040610.html?

Think 20 days is reasonable?
/Lars.
I am very disappointed in Microsoft. They didn't even make a fix, just a workaround.
Thanks for taking the time to reply Stepto!

I see your point and I agree with everything you say. I'm sure you guys slaving away fixing stuff hate this situation just as much as I do. I know you can't just grab something off the net and release it without testing it for side effects. I'm not really going after the software engineers and security experts over at MSRC. I'm sure changing MSIE without breaking legacy behaviour is a tricky thing. So 20 days may be reasonable. However this workaround has been public for 8 months, and would have done a lot more good two weeks ago when all the customers started asking what the heck is going on. I'm sure you guys monitor the popular security lists and knew about this. XPSP2 is still beta, which means that for production environments it doesn't exist yet. As far as I know it's not even available as beta for non-English installs.

I'm sure you can see it from the customers' perspective as well. We have to go on with our day to day business without the option of doing much but waiting for word from you guys. Knowing that the browser is wide open for nastiness - not only from the problems addressed by this workaround but from several other vectors that have surfaced during the last two months.  It's not only your credibility that's at stake. It also hurts the business of everyone working with you to deliver solutions based on your technology. Maybe I come across as aggressive and bashing. That is not my intent and I don't mean any disrespect to you guys. It's just that my only option is to make some noise. I don't have the source code!

/Lars.


Stepto
Not everyone at the MSRC shaves their head.
That's ok lars, thanks for the feedback and keep makin' noise!

S.
Btw, in case it's not obvious, Stepto is Stephen Toulouse, the guy whose name's been plastered all over the security bulletins recently.  In other words, when he says something, it's gospel, straight from MSRC.
Maybe I come across as aggressive and bashing.
You have been bashing Microsoft all across this board.

That is not my intent and I don't mean any disrespect to you guys.
Yeah, right.

It's just that my only option is to make some noise.
I agree, but it is not because of an option, it is what you wanna do.

I don't have the source code!
Yeah, we are all sure that once you have the source code you are going to solve the problem within days.

On the other hand, I am learning a lot from Microsoft employees. They are able to communicate even with bashers like lars. Seriously, well done guys, that's really something.

manickernel
anticipate consequences..
Funny, I have read all of Lars's posts and he seems to me to be offering valid criticism without being either personal in his attacks or overly antagonistic. In any case, let's just hope lessons will be learned in Redmond from this. I truly want to see MS succeed as a leader in this war, and it is truly a war we are in.

Any vulnerability is only a matter of when, not if... and adodb.streams has been a recognized weakness in Internet Explorer for 9 months by outside security analysts.

Trial by fire can make Windows the most secure OS in existence...but only if management understands and commits to this before users and enterprises and developers begin to migrate en masse to other options. Once that starts, it may accelerate so fast that there will be no turning back..

On another note, I see where Yahoo / Google is adding a "spyware removal" capability to their search bar in addition to the popup-blocker. This is an area where Microsoft should be leading the competition, not following. (Oh, and when you get there please publish it as an .msi for me, ok?) LOL
Looks like "Shell.Application" is the next way to "fix the fix".

How does all this impact 3rd party applications that use MSIE rendering? How about Outlook?

/Lars.

Karim
Trapped in a world he never made!
Stepto wrote:

Because security is such a critical issue, and our security commitments apply to such a large and diverse customer base, it'd just be irresponsible of us to provide or endorse a tool that could potentially cripple features and functionality that our customers have come to depend on without proper evaluation of the functionality, testing and guidance.  

[snip]

We here at the MSRC are still hunkered down in the offices with our sleeping bags working on this.  Stay tuned!

S.



Hey there, good to hear from the folks in the trenches!

I think there's a perception out there that the process didn't work right with this particular vulnerability.  I personally don't have any issues with how long it takes, because I know you are trying to get these things to work on everything from Windows 95 to 64-bit Windows.  But still, the perception is out there.  Russ Cooper was quoted on MSNBC saying "it should have come sooner than a week."

http://www.msnbc.msn.com/id/5352495/

The main question I have is why did the MSRC apparently not go to "Defcon 1" (sleeping bags) until after Microsoft received reports of customers getting hacked on June 24?  The CERT vulnerability note goes back to June 9.  It seemed pretty clear to me, from reading various security sites and lists, that proof-of-concept and exploit code were in the wild at that time.  I personally got worried enough to send out a heads up email to my customers on June 13, warning them about the vulnerability.

I know it must sound a bit like "What did Microsoft know, and when did it know it?" but I think between Jelmer's original mention of the ADODB.stream exploit last year, the CERT notification on June 9, and the perception that the process took too long in general, there needs to be some kind of accounting from Microsoft as to what it did and when, and whether there are any changes needed to the process for responding to future incidents.

On a less serious note, can you give us any insight as to what working conditions are like at the MSRC right now.  I was assuming from your avatar that everyone has to shave their heads and put on white Tyvek jumpsuits.  LOL  Or is it more of a summer camp type atmosphere, with people strumming guitars and singing songs by the warmth of a campfire rack of servers?  How do you take care of things like paying the bills and getting fresh laundry?  Enquiring minds want to know...

Scoble, maybe you can break into the building (a la Tom Cruise in Mission: Impossible) and get some video for us.... Wink

Good luck Stepto and all the folks at the MSRC.
>>It seems on the surface like I should take it on the chin for that one, but one thing to keep in mind: other software companies may not have to worry about the impact on customers of putting out a change like that.  We do. <<

Yes but only because IE is so deeply baked into Windows itself. I'm still waiting on someone at MS to admit that this was actually a bad decision. Hindsight is 20/20 of course but I think it's too late for IE to ever be as secure as the other mainstream browsers. Mind you, I still use it, I still prefer the experience over say Firefox, but I always "touch wood" mentally while using it.

Ah well, keep up the good work you've been doing in most other areas Smiley
Stepto
Not everyone at the MSRC shaves their head.
Karim I've been reading your posts all over the past couple of days, and I want to thank you for the time you've put in to making your criticisms pointed but also entertaining to read.  This is long so bear with me.

Karim wrote:
Stepto wrote:

Because security is such a critical issue, and our security commitments apply to such a large and diverse customer base, it'd just be irresponsible of us to provide or endorse a tool that could potentially cripple features and functionality that our customers have come to depend on without proper evaluation of the functionality, testing and guidance.  

[snip]

We here at the MSRC are still hunkered down in the offices with our sleeping bags working on this.  Stay tuned!

S.

The main question I have is why did the MSRC apparently not go to "Defcon 1" (sleeping bags) until after Microsoft received reports of customers getting hacked on June 24?  The CERT vulnerability note goes back to June 9. 


We did, we just don't have a public "The MSRC is at DefCon 1" sign. Maybe we need a webcam...

It's always unfortunate when people decide to publicly disclose security vulnerabilities without first notifying the vendor so that users can be protected with an update at the same time the issue is reported.  However once this issue was first reported, we mobilized to provide guidance on Microsoft.com that customers could follow to help be protected.  We mobilized again when a specific attack sought to utilize the vulnerability, and have been working non-stop on a comprehensive update.

It's also good to point out that the CERT advisory had several recommendations customers could follow to help be protected.  At the end of that series of recommendations, they said effectively that if any of those recommendations were unpalatable that users could also evaluate another browser.  It's actually not the first time CERT has had that guidance for customers so we were a bit surprised at the reaction from people.

Karim wrote:

 I think between Jelmer's original mention of the ADODB.stream exploit last year, the CERT notification on June 9, and the perception that the process took too long in general, there needs to be some kind of accounting from Microsoft as to what it did and when, and whether there are any changes needed to the process for responding to future incidents.


I want to be clear about something: adodb.stream is not a vulnerability.  It's not a security problem in the code.  It is functionality provided in the operating system that, much like the address bar parsing functionality that we also recently turned off in Internet Explorer, was being co-opted by attackers.

As a company with an amazingly wide and diverse user base, making a small change or removing functionality simply cannot be done without a thorough process to make sure we're not impacting so many customers that the change itself is worse than leaving the functionality in.  In this case when attackers started using that functionality we accelerated the testing that has to go into making a change like that.  I want to also stress that this is just the first step and we *are* working on a comprehensive update for Internet Explorer.

Karim wrote:

On a less serious note, can you give us any insight as to what working conditions are like at the MSRC right now.  I was assuming from your avatar that everyone has to shave their heads and put on white Tyvek jumpsuits.  LOL  Or is it more of a summer camp type atmosphere, with people strumming guitars and singing songs by the warmth of a campfire rack of servers?  How do you take care of things like paying the bills and getting fresh laundry?  Enquiring minds want to know...


Well I'm the only one with the shaved head, but I'm extreme that way.  :>

I love where I work.  The MSRC is filled with people who do nothing all day long but work with security researchers and product teams to help protect customers.  If you want to know what our day to day existence is like this article from ZDNet has a good overall description.  But in a case like this there are a lot of late nights, duty shift rotations, and progress meetings with the developer and tester teams.

We're hard core about this stuff, and all the teams within Microsoft know that when we come calling, it's important.  But the mood is good, we know when to take five to stay fresh and play a little Xbox.  And we're about to head on down to Las Vegas for Blackhat.  That reminds me, if anyone here is going to the Blackhat conference let me know.

Karim wrote:

Scoble, maybe you can break into the building (a la Tom Cruise in Mission: Impossible) and get some video for us.... Wink

Good luck Stepto and all the folks at the MSRC.


Thanks man, and yeah we do need to do a feature on MSRC for Channel9.  Scoble won't even have to break through the laser beam covered air vent to do it.  :>

S.
manickernel
anticipate consequences..
..and Eeye has updated the registry fix here to set the kill bit for Shell.Application

<------------------------------------------->
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{13709620-C279-11CE-A49E-444553540000}]
"Compatibility Flags"=dword:00000400
<-------------------------------------------->

...and the beat goes on

Stepto wrote:

I want to be clear about something: adodb.stream is not a vulnerability.  It's not a security problem in the code.  It is functionality provided in the operating system that, much like the address bar parsing functionality that we also recently turned off in Internet Explorer, was being co-opted by attackers.


..guns don't kill, people do. (sorry, i couldn't resist)

Wink
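A quick way to confirm what a .reg file like the one quoted above actually does before importing it is to parse it and check the kill bit directly. The following Python script is an added example written for this thread, not code from eEye, Microsoft or anyone else in the discussion. It reads the text of a "Windows Registry Editor Version 5.00" export, finds every CLSID under the ActiveX Compatibility key, and reports whether bit 0x400 of "Compatibility Flags" (the value the quoted fix sets) is on. The Shell.Application CLSID is the one from the thread; the second CLSID in the sample is a constructed placeholder, not a real control.

```python
"""Report which ActiveX CLSIDs a .reg export kill-bits in Internet Explorer.

Added example for this thread (not eEye's or Microsoft's code). It parses a
'Windows Registry Editor Version 5.00' export offline and checks, per CLSID,
whether the kill bit is set in "Compatibility Flags".
"""
import re
from typing import Dict, Optional

# Bit in "Compatibility Flags" that tells IE never to instantiate the control;
# it is the value the .reg fix quoted in the thread writes (dword:00000400).
KILL_BIT = 0x00000400

ACTIVEX_COMPAT = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"

# Constructed sample input. The Shell.Application entry is the one quoted in
# the thread; the second CLSID is a made-up placeholder with the kill bit clear.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

; Shell.Application kill bit (from the eEye .reg quoted in the thread)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{13709620-C279-11CE-A49E-444553540000}]
"Compatibility Flags"=dword:00000400

; constructed placeholder control with the kill bit NOT set
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-000000000001}]
"Compatibility Flags"=dword:00000000
"Note"="constructed placeholder, not a real control"

; unrelated key that the check must ignore
[HKEY_LOCAL_MACHINE\SOFTWARE\Example]
@="nothing to do with ActiveX"
"""

_KEY_RE = re.compile(r"^\[(-?)(.+)\]$")
_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a .reg export into {key_path: {value_name: raw_value}}.

    The header and ';' comment lines are skipped, and backslash line
    continuations (used by regedit for long hex values) are joined first.
    """
    joined = re.sub(r"\\\r?\n\s*", "", text)
    entries: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for raw in joined.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        m = _KEY_RE.match(line)
        if m:
            current = m.group(2)
            entries.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name = m.group(1) if m.group(1) is not None else "@"
            entries[current][name] = m.group(2).strip()
    return entries


def parse_dword(raw: str) -> int:
    """Turn a 'dword:xxxxxxxx' value into an int; other value types are rejected."""
    if not raw.lower().startswith("dword:"):
        raise ValueError(f"not a DWORD value: {raw!r}")
    return int(raw[len("dword:"):], 16)


def kill_bit_status(reg_text: str) -> Dict[str, bool]:
    """Map each CLSID under the ActiveX Compatibility key to whether its kill bit is set."""
    status: Dict[str, bool] = {}
    prefix = ACTIVEX_COMPAT.lower() + "\\"
    for key, values in parse_reg(reg_text).items():
        if not key.lower().startswith(prefix):
            continue
        clsid = key[len(prefix):].strip("{}").upper()
        # A key with no "Compatibility Flags" value leaves the bit clear.
        flags = parse_dword(values.get("Compatibility Flags", "dword:00000000"))
        status[clsid] = bool(flags & KILL_BIT)
    return status


if __name__ == "__main__":
    for clsid, killed in kill_bit_status(SAMPLE_REG).items():
        print(f"{{{clsid}}}: kill bit {'SET' if killed else 'clear'}")
```

The same check is useful after importing the fix: export the ActiveX Compatibility key from regedit and run the script over the export to confirm the bit is present for the CLSIDs you expect and absent for controls your own applications still need.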
Stepto wrote:

It's always unfortunate when people decide to publicly disclose security vulnerabilities without first notifying the vendor


That's true. But if memory serves these problems were discovered in the wild. The bad guys already knew. By going public with the information people were able to take some measures to protect themselves right away.
The antivirus vendors blocked the scripts very quickly for instance. If they hadn't, there would have been (at least) a 20 day window where they could have continued to do some nasty stuff.

Stepto wrote:

It's also good to point out that the CERT advisory had several recommendations customers could follow to help be protected.


The information on how to killbit ActiveX was already out there for those that knew where to look. True. But did Microsoft publish any information regarding MSIE before the update? If you did I missed it. And that's why I felt that we were left without "official" guidance. Hopefully this will be better in the future.

Stepto wrote:

I want to also stress that this is just the first step and we *are* working on a comprehensive update for Internet Explorer.


Yes! Good times will be here again!

Stepto wrote:

But the mood is good, we know when to take five to stay fresh and play a little xbox.


That's good to hear. I don't think anyone is trying to put you down. We're just concerned and wanted to hear that you're on the case and giving it top priority attention. That is what really matters. The past cannot be changed. Rock on!

/Lars.

Stepto
Not everyone at the MSRC shaves their head.
No offense Manickernel but I liked your other avatar better.  :>

manickernel wrote:


Stepto wrote:
I want to be clear about something: adodb.stream is not a vulnerability.  It's not a security problem in the code.  It is functionality provided in the operating system that, much like the address bar parsing functionality that we also recently turned off in Internet Explorer, was being co-opted by attackers.


..guns don't kill, people do. (sorry, i couldn't resist)

Wink


Doesn't that make the update gun control legislation?  <g>

S.

Stepto wrote:

It's always unfortunate when people decide to publicly disclose security vulnerabilities without first notifying the vendor so that users can be protected with an update at the same time the issue is reported.


ha, wow I can't believe you just came back with THAT. I mean Microsoft has been using and abusing the security community for a long time and only recently started to acknowledge or even thank people that advise them of security problems. As lars correctly pointed out this was in the wild so I don't think the good guys had an opportunity to inform anyway.

Only recently?  Microsoft's vulnerability announcements have included a credits section for as long as I can remember.  It's not just recent.

And I'm not sure it was in the wild when Jelmer reported it...
Stepto
Not everyone at the MSRC shaves their head.
Manip wrote:

Stepto wrote:
It's always unfortunate when people decide to publicly disclose security vulnerabilities without first notifying the vendor so that users can be protected with an update at the same time the issue is reported.


ha, wow I can't believe you just came back with THAT. I mean Microsoft has been using and abusing the security community for a long time and only recently started to acknowledge or even thank people that advise them of security problems. 



I'm not sure I understand what you mean.  Twice a year we throw a party for security researchers (all of them, not just the ones we credit) at Blackhat Seattle and Las Vegas.  And we've been acknowledging and thanking security researchers who work with us to protect customers in our security bulletins for over 4 years (here's an example from 2000, check the Acknowledgments section.  We do that for every security researcher who works with us responsibly to make sure there is an update to protect customers when the issue is made public).

I know there's a lot of people who believe we don't understand the security community or appreciate it.  I'm here to say that's not true.

Security Researchers provide an invaluable service to all software vendors.  If you report a security vulnerability in a Microsoft product to secure@microsoft.com, we're going to look at it, and provide you with information back.  It's a two way street for us in terms of communication.  That's not just me saying that, it's Microsoft's commitment to it.

Come see us at Blackhat Las Vegas and test the commitment.  :>

S.


Watch out, Manip is a convicted troll, bashing Microsoft all over the place. His knowledge of security, computers etc... is quite minimal.

One simple example, he thinks that Apache has GPL thus anybody writing a module for Apache has to open source their code. He just doesn't know anything about what you guys are talking about. He is a typical slashdotter trying to create confusion here.
...what the hell... So I made a *single mistake, also I did say 'I think' in that post.. I was quite clear I was not certain and JUST suggested it as a problem for Microsoft.

*(I have made other mistakes)

I would love to answer that limited knowledge dig but it is subjective and therefore I have nothing to answer.

Also up until a few years ago (2000?) Microsoft didn't treat people very well, as is my understanding from reading people's stories on mailing lists and sites.

So I'm standing by my comment.