Coffeehouse Thread

61 posts


Microsoft Security Alert, here's where to go

  • scobleizer

    Karim,

    Good point. I am sending this thread to the security team, and we'll do better in the future.

    One thing that we've had internal arguments about is transparency. Some people believe that you should only communicate when you have something to announce. I am in your camp.

    I have a ton of excuses, but we all know what those mean.

    --Robert

  • Karim

    [quote user="scobleizer"]Keep watching microsoft.com/security. As soon as something new is known, it'll be up there.[/quote]

    Ok, here is where I'd like to bust the chops of the Channel 9 Team a little.

    On Sunday 6/13, I sent an email to some customers, with a subject of "New Internet Explorer vulnerabilities."  I mentioned the problem with IE and said Microsoft was looking into it and that I hoped to see a Critical Update for IE within the next few days.  (Admittedly, this was my optimism.)  I also added a warning about visiting unsolicited or untrusted URLs, which I felt somewhat sheepish about providing, given the hyperlinked nature of the Internet.

    I thought about starting a thread on Channel 9 at that point asking about the status of the IE security patches.  To use the Channel 9 airplane analogy, at this point I have told my customers fellow passengers, in my calmest voice, that they might be seeing what looks like smoke coming from one of the engines, but it is nothing to worry about because we have very smart and capable people in the cockpit and they have the situation completely under control.  So now I'm seeking some information that this is in fact the case.

    I checked Channel 9 over the next few days as well as microsoft.com/security.  Nothing.  I thought it was weird that Microsoft didn't even mention the vulnerabilities on the Security page.

    Instead of starting a thread, I thought I'd just wait until someone else started one.  After all, you see a little smoke coming from the engines, probably everyone wants to push the little stewardess button flight attendant call button and point out the window.  Best just to hope they've noticed and they're taking care of it.

    Days pass and the "chatter" about IE exploits starts to pick up in the industry press.  Now people are reporting plumes of flame streaking from the engine that was formerly smoking.  Someone came back from the rear lavatories and said the back of the aircraft smelled like something was burning.  Still no word from the "pilots" on Channel 9, and based on the content of microsoft.com/security, the only thing I need to worry about is a thunderstorm that passed us a couple of months ago ("Sasser").

    Last Wednesday some of my customers fellow passengers had their antivirus alarms go off.  They'd been somehow infected by something called "Backdoor.Berbew.F," which does all kinds of nasty things, like turn your computer into a proxy server and (depending on who you ask) either steals cached passwords or installs a keystroke logger.  They've started to freak out.  So now I'm in that Twilight Zone episode ("Nightmare at 20,000 Feet") starring William Shatner in a bug-eyed cold sweat, grabbing my lapels and screaming, "THERE'S SOMETHING OUT ON THE WING!!!"

    Of course I tried to figure out how they got infected.  Did they install some bogus software?  Download any warez from Kazaa?  Click on a link someone sent them via email?

    No, it turns out that they had all merely visited the home page of a Fortune 500 company.

    So I load up "Wfetch" from the IIS Resource Kit and view the HTML from this Fortune 500 company.  The server is running IIS 5.0 and sure enough, there's some interesting Javascript tacked on the end of the home page, which seems to be pulling up content from an IP address... that's located in Russia.

    That's right, Fortune 500 company, home page pulls up content on obscure IP address in Russia. 

    Golly, Mr. Shatner, there is something out on the wing.  And it's ripping pieces of sheet metal off the plane.  (As Mr. Spock would say, "Fascinating.")

    So I check Channel 9 and there's some video about what snack foods were consumed during the creation of the .NET CLR and a poll on whether there should be any more polls.  No warm fuzzies there, so I check microsoft.com/security and I'm still getting dire warnings about... Sasser.  Hmmm.

    So now I'm thinking that the view into the cockpit isn't really working for me.  The plane is going down in flames and (as I joked earlier) all I can get is a pre-recorded selection of soothing music.  Please God don't let me die while listening to Kenny G....

    Of course yesterday Microsoft announced "Download.Ject," which is how that particular Fortune 500 server (and possibly others) managed to infect untold numbers of people -- it was missing a single patch.  Which was somewhat encouraging, because when you see people dropping dead of a mysterious new disease all around you, it is comforting to know that the experts (while unable to offer detection, cure, or prevention) at least know how the disease is spread.

    I checked Channel 9 for fun today (Kenny G starting to grow on me!) and mirabile dictu, there's a thread at the top about the IE security vulnerabilities.  And it tells you to check microsoft.com/security.  So I load up the security page again and there's a snazzy new graphic for "Download.Ject: What you should know."  The graphic features a guy staring at his laptop, who is probably blissfully unaware that he has just been backdoored out the wazoo.  Still nothing specifically about the IE vulnerabilities, though.  Threat number two?  Good old Sasser.

    I hope I've made my point.

    I have nothing the least bit bad to say about the folks who are actually working on patching IE.  I'm sure they actually are very smart, dedicated people who are working around the clock under very difficult conditions.

    I do fault the communications from MS on this subject, though.  The information on Download.Ject suggests that IIS servers missing patch 835732 are "possibly being compromised and being used to attempt to infect users of Internet Explorer with malicious code."  POSSIBLY being compromised?  ATTEMPT to infect users?  Please.  This isn't a court case, and you don't have to say "alleged" perpetrator/victim until the DNA tests come back.  Servers are being hacked.  Fully patched systems running IE are being backdoored.  People need to understand this is not a theoretical threat.

    There needs to be some acknowledgement from Microsoft about the problems with IE.  Right now my links on this issue come from Reuters, Forbes, News.com -- NOT Microsoft.

    There needs to be some kind of regular (as in daily) update from Microsoft on an issue of this importance.  What is the point of this (besides giving your customers warm fuzzies)?  Well, let's say that a patch for IE is "almost there," but there is some problem getting it to work on 64-bit systems (as recently happened with XP SP2 RC2).  If the security team posts for three days straight that the patch will be RTM as soon as the 64-bit issues are fixed, I guarantee that you will hear from a LOT of customers saying, "Screw the five people using 64-bit systems, I need to patch IE now!!!"  I know MS coders take pride in their work and have a craftsman-like approach to their software -- it's done when it's done, and they'll get it right the first time -- but in some cases (e.g. security issues) I think they need feedback from their customers saying "It's good enough -- ship it!"

    Channel 9 has given me lots of entertainment and insight into Microsoft "behind the scenes."  But I can't say I've felt that it has been all that useful.  For useful, I still turn to sites like Neowin, Bink, MSDN, and the rest of the industry press. 

    Channel 9 has the potential to be so much more than an admonition to "keep watching microsoft.com/security."

    My apologies for such a long rant.

  • jonathanh

    "What he said"

    Also, big kudos for a really great riff on the Channel9-as-airplane idea.  Makes it hit home -  although hopefully not in a "controlled flight into terrain" kind of way...

  • scobleizer

    I just got a reply back from the security team. There are literally hundreds of people who haven't slept more than a couple of hours since Thursday night. Every statement they put out has lots of thought behind it. The guy who replied to me said "hundreds of hours."

    Their pushback on me (we were talking about crisis communications last week, ironically) is that they need to make sure that anything they say is 1) Accurate. 2) Doesn't cause more harm than what's being caused already. 3) Consistent.

    Anyway, the security team (and many others) are aware of this thread and hopefully they'll jump in with more info.

  • scobleizer

    Nektar: I already have plans to tour the IE team. That'll happen soon.

    I'd love to do a Channel9 tour of the Security Response team too.

  • rjdohnert

    Hey guys the linux comment was a joke and not intended to be taken seriously, I was just quoting what a user said on /. If I offended, my apologies.

  • Charles

    Karim,

    You are right on target. Let's see if we can get some sort of almost-real time patch status data up on Channel 9 going forward ("Fix has been designed. Currently implementing... Major regressions uncovered...Need more time").

    Why keep people guessing about the status of our security patches? It just adds confusion and creates skepticism. I'm thinking this type of transparent mechanism would be quite useful. 

    Keep on ranting,

    Charles 

  • Charles

    rjdohnert wrote:
    Hey guys the linux comment was a joke and not intended to be taken seriously, I was just quoting what a user said on /. If I offended, my apologies.


    No need to apologize, but thanks for being respectful!

    Nobody has an easy time with this type of mess. Whenever you fix something, there's always the possibility that you end up breaking something else, regardless of platform. Solid patches take time to make (since there is so much testing required), but there is certainly an upper limit for acceptable time to market and I know we are trying to figure out how to be more agile when it comes to hole filling. In the meantime, we can do a better job of communicating patch status and I think you will see us get better at this going forward.


    Keep on posting,

    Charles

  • LarryOsterman

    Btw, as an example of a fix that broke something, consider what happened when the IE team fixed the username/password in an HTTP url problem.

    This was a case where IE (and most other browsers) clearly were not following the HTTP standard (which explicitly stated that usernames were not allowed in HTTP urls).

    When we pulled support for this because it was a security risk (and was being actively exploited for phishing schemes), we heard nothing but screams of anguish from customers who were using this feature.

    I'm actually really happy that Microsoft has stood by its guns and NOT caved in to put in a variant of the problem back in.

    This is a case where IE was made MORE standards compliant than its competitors and we got flack for it :)

    When you're IE, you can't make ANY changes without being REALLY REALLY REALLY careful.

    I think that Charles is right, that some kind of a "yes, we know about it, we're working on it" thing is a good idea.

    But it has to be tempered by the fact that we can only do this if there's an active exploit in the wild - if there's no exploit in the wild, just the knowledge that we're working on the fix can tip the bad guys to where to start looking for the exploit.

    That's why it's so important that every word published about this on official channels be carefully scrutinized.  You don't want to give the bad guys any more information than you can.

  • Karim

    LarryOsterman wrote:
    ZippyV wrote: How long does Microsoft know already about these bugs?

    As far as I know, Microsoft learned about the bugs in IE that are being exploited last week, when Jelmer announced them to Bugtraq.

    [snip]

    And it took Jelmer's vulnerabilities about a week.



    The CERT vulnerability note for this goes back to 9-JUN-04.  See http://www.kb.cert.org/vuls/id/713878

    Jelmer's posts are dated 6-JUN-04.  See http://archives.neohapsis.com/archives/fulldisclosure/2004-06/0104.html

    In that post Jelmer references an "0day exploit" which was mentioned on 14-MAY-04 (See http://www.securityfocus.com/archive/1/363338/2004-05-11/2004-05-17/0)

    And in Jelmer's analysis of the vulnerability (http://62.131.86.111/analysis.htm), he says that it uses the "adodb.stream" vulnerability he reported on 26-AUG-03, going so far as to add the comment, "Microsoft where's the patch?"

    Good question.

  • Karim

    Many thanks to everyone who replied.  I feel like at least someone is listening.  :)

    If crisis communications improves even a little bit as a result of this thread, Channel 9 will have truly proved its worth.

  • Charles

    You're welcome, Karim. Thanks to you and everyone else for the excellent feedback. As I type, there are folks from Microsoft Security Land reading this thread.

    We are listening, not just hearing. There is a big difference.

    Keep on posting,

    Charles

  • ZippyV

    So Karim, IF Internet Explorer wouldn't render/execute anything that comes before or after the <html></html>-tags this script would have never worked?
    Why should I bother placing those tags when IE just renders his own way?

    Guys (from ms), don't let this be a repetition of last summer.

  • pacelvi

    Dude, that was John Lithgow on the plane (his movie debut).

    Though if you want to stick with Shatner, I think Airplane II The Sequel should provide a good story.

  • phunky_avocado

    This is good to know.  More people should post on what Microsoft does right because most of the time the only things people post are complaints and what Microsoft does wrong. 

    Point of fact:  In this thread Microsoft is getting bashed because they have not put out a patch fast enough after the exploit was released; yet, in the not-so-distant-past when it is discovered after a patch is released that Microsoft has known about the exploit that the patch fixes for a couple of months, guess what?  People scream and complain about "how could you let this thing go on for so long without letting anyone know?"!

    Damned if you do, damned if you don't.

    LarryOsterman wrote:
    Btw, as an example of a fix that broke something, consider what happened when the IE team fixed the username/password in an HTTP url problem.

    This was a case where IE (and most other browsers) clearly were not following the HTTP standard (which explicitly stated that usernames were not allowed in HTTP urls).

    When we pulled support for this because it was a security risk (and was being actively exploited for phishing schemes), we heard nothing but screams of anguish from customers who were using this feature.

    I'm actually really happy that Microsoft has stood by its guns and NOT caved in to put in a variant of the problem back in.

    This is a case where IE was made MORE standards compliant than its competitors and we got flack for it :)

    When you're IE, you can't make ANY changes without being REALLY REALLY REALLY careful.

    I think that Charles is right, that some kind of a "yes, we know about it, we're working on it" thing is a good idea.

    But it has to be tempered by the fact that we can only do this if there's an active exploit in the wild - if there's no exploit in the wild, just the knowledge that we're working on the fix can tip the bad guys to where to start looking for the exploit.

    That's why it's so important that every word published about this on official channels be carefully scrutinized.  You don't want to give the bad guys any more information than you can.

  • clint_hill

    Charles wrote:

    You want a 100% secure browser, 100% secure operating system, 100% secure Internet? Well, then don't connect to the Internet.



    This is the comment that sent me down the road I went. And to be very clear, I am in no way trying to be the ungrateful end-user. I was simply trying to point out that comments like the one above can get really twisted (obviously as I am victim). Even scobleizer mentions all the time how ASCII can get twisted.

    More to the point, I really like hearing from the MS folks especially from behind the curtain. This site is exactly what I would want to see and hear. I am a fan of MS tools and products. But when I see comments like the one above it makes me think MS (and yes Charles I am picking on you) folks are just tired of us "stupid users" wanting our cake and eating it too. And I know there are humans behind the curtain scobleizer, I wouldn't have thought otherwise, yet it is the caliber of human that I would expect. I know it takes time as I said I am a developer too. To reiterate my thoughts from earlier, it seems to me you should be considering solutions, and if nothing else saying "we're working on it." Don't tell us to not use the internet.

    And you guys are allowed to be informal, please do. But you have to realize you're sitting in the castle and we don't know what goes on back there behind the walls.

    Lastly, Charles, scobleizer I would like to say that the responsiveness of MS from this site is truly a credit to you channel 9 guys. I consider you the gatekeepers and appreciate your efforts to put together this site. Just be easy on the "stupid end users" because we pay the money to use the products that your company sells to be able to pay your checks.

  • scobleizer

    >But you have to realize you're sitting in the castle and we don't know what goes on back there behind the walls.

    Yup, I was on the outside until a year ago. I always wondered what it was like on the inside. I'm trying to build relationships with the security team so that we can bring our cameras over there and show you more. They are pretty great guys who have to work under stressful situations.

    Heh, thanks for the kind compliments. Just remember, I'm a stupid end user too!

  • rjdohnert

    I heard that the version of IE in Windows XP SP2 RC2 (damn, that was a mouthful; I challenge you all to say it 20 times really fast) is immune to this type of attack.  Is this true or is it false?  I was wondering if any of you MS guys could confirm or deny it.
