
Vista Exploit Surfaces on Russian Hacker Site

Zonk posted more than 7 years ago | from the exploits-show-up-in-the-funnest-places dept.

Security 103

Datamation writes "Exploit code for Windows Vista (though at this point only proof-of-concept code) has been published to a Russian hacker site, Eweek reports. Certain strings sent through the 'MessageBox' API apparently cause memory corruption. Though this is obviously cause for concern, at the moment it would seem access to the system would already be required to make use of the exploit. Determina has an analysis of the bug. Just last week, Trend Micro reported that Vista zero-days are being sold at underground hacker sites for $50,000."


I don't have to... (5, Funny)

DittoBox (978894) | more than 7 years ago | (#17341562)

I don't have to...you know...take pictures of squirrels or pigeons to get a hold of this exploit do I?

Re:I don't have to... (0)

Anonymous Coward | more than 7 years ago | (#17341674)

I pooted.

Re:I don't have to... (1)

Tackhead (54550) | more than 7 years ago | (#17341820)

> I don't have to...you know...take pictures of squirrels or pigeons to get a hold of this exploit do I?

Nope, just contact the Uplink Corporation [uplink.co.uk] , and be sure to break the chain of logs that connect your gateway's activity to the target machines before the passive trace gets you. (It helps to have root on at least one of the chain of proxies you're bouncing your connection through.)

$50K is a pretty good payout for a mission.

Re:I don't have to... (2, Funny)

Nuskrad (740518) | more than 7 years ago | (#17342298)

I'm pretty sure the Revelation virus is based on this exploit. Better install Faith, before they get taken over by Symantec.

Re:I don't have to... (3, Informative)

Esine (809139) | more than 7 years ago | (#17342774)

For those who didn't understand: http://attrition.org/postal/z/033/0871.html [attrition.org]

Re:I don't have to... (2, Funny)

wikes82 (940042) | more than 6 years ago | (#17345312)

More of the story here: http://www.securityfocus.com/brief/391 [securityfocus.com] hehehe... He also reminds me of that city manager from Oklahoma.. what's that guy's name?

Re:I don't have to... (2, Funny)

140Mandak262Jamuna (970587) | more than 7 years ago | (#17343818)

Won't help you. They use ROT-26 encryption. Not some stupid ROT-13 twice.

Obligatory Schwartzenegger quote (-1, Troll)

Rosco P. Coltrane (209368) | more than 7 years ago | (#17341566)

Hack-a-la Vista baby...

Jokes referencing "In Soviet Russia...." (1, Redundant)

8127972 (73495) | more than 7 years ago | (#17341568)

.... begin in 5 - 4 - 3 -2

Re:Jokes referencing "In Soviet Russia...." (-1, Offtopic)

Anonymous Coward | more than 7 years ago | (#17341594)

In Soviet Russia, Vista exploits YOU!

Re:Jokes referencing "In Soviet Russia...." (1)

jo42 (227475) | more than 7 years ago | (#17341696)

are now "In Fascist Amerika..."

Re:Jokes referencing "In Soviet Russia...." (2, Funny)

JasonKChapman (842766) | more than 7 years ago | (#17341908)

Okay. In Soviet Russia, Windows runs you. Oh, wait. . . .

Re:Jokes referencing "In Soviet Russia...." (0, Troll)

FluffyArmada (715337) | more than 7 years ago | (#17341960)

In Soviet Russia... Vista exploit you! ...

Oh wait! That's how it works everywhere else too!

Re:Jokes referencing "In Soviet Russia...." (0, Redundant)

KillerBob (217953) | more than 7 years ago | (#17342268)

In Soviet Russia, website hacks you?

Oh wait. They do....

Re:Jokes referencing "In Soviet Russia...." (1)

x2A (858210) | more than 6 years ago | (#17349674)

Site Hacker on Surfaces Exploit Vista Russia Soviet In

Hmm, don't think I've quite got the hang of this yet. I "must be new here".

curious (3, Insightful)

east coast (590680) | more than 7 years ago | (#17341622)

Trend Micro reported that Vista zero-days are being sold at underground hacker sites for $50,000.

I'm just wondering who would buy these at such a price. What is the real value of an exploit?

Re:curious (4, Informative)

minus_273 (174041) | more than 7 years ago | (#17341672)

probably a lot more if you can use it to get a lot of zombies and bots for DDOS attacks and SPAM. I'm thinking the SPAM alone should cover the cost if you can get an installed base quickly.

Re:curious (0)

Schraegstrichpunkt (931443) | more than 6 years ago | (#17347268)

"spam" isn't an acronym, and it isn't an initialism. Quit writing it in all-caps, unless you're talking about the trademark food product.

Re:curious (2, Insightful)

Rosco P. Coltrane (209368) | more than 7 years ago | (#17341680)

I'm just wondering who would buy these at such a price.

Someone with $50,000 to spend as an investment, who expects to make more money out of it.

What is the real value of an exploit?

$50,000.

Re:curious (1)

Qzukk (229616) | more than 7 years ago | (#17341740)

$50,000.

Only if someone bought it

Re:curious (1)

42Penguins (861511) | more than 7 years ago | (#17341704)

And when did these "hackers" become such sellouts? Way to ruin an art form...

Re:curious (4, Insightful)

Rosco P. Coltrane (209368) | more than 7 years ago | (#17341906)

And when did these "hackers" become such sellouts? Way to ruin an art form...

The only thing they ruin is the term "hacker". But that's okay, this word has been deformed, mis- and overused for so long to mean "pirate" and "cracker" by stupid media people that it just doesn't matter anymore.

In reality, these guys aren't even worthy of the term "crackers" (which itself isn't worth much in the first place): they're just mafia, conmen, blackmail artists, forgers, thieves, robbers... whatever you choose to call it. They just happen to use a computer instead of a tommy gun, but the result is the same.

Re:curious (1)

someone1234 (830754) | more than 7 years ago | (#17343546)

Bah, why is it a problem if some Russians try to get rich from the bugfest created in Redmond? Only Ballmer has the right to stuff his pockets? I bet the Russians worked harder!

Re:curious (3, Funny)

Dirtside (91468) | more than 7 years ago | (#17344230)

They just happen to use a computer instead of a tommy gun, but the result is the same.

You'll be sleep()ing with the fishes?

Somehow, I don't think the idea of the "St. Valentine's Day TCP stack exploit" has quite the same impact. (Perhaps the "St. Valentine's Day Blue Screen of Death"?)

All things considered, I'd rather have my computer violated by the Mafia than my body.

Re:curious (0)

Anonymous Coward | more than 6 years ago | (#17346426)

All things considered, I'd rather have my computer violated by the Mafia than my body.

I don't know about that. I like my computer; it plays Minesweeper.
My body can't do that. Well, it can, but only once...

Re:curious (2, Insightful)

vertinox (846076) | more than 7 years ago | (#17341812)

I'm just wondering who would buy these at such a price. What is the real value of an exploit?

People who want to make Vista zombie bots.

And who would want to do that?

Spammers

Re:curious (1)

wetfeetl33t (935949) | more than 7 years ago | (#17341884)

Check your inbox, you've probably got some emails from people who would spend $50,000 on an exploit.

Re:curious (1)

peragrin (659227) | more than 7 years ago | (#17342276)

No, but I am getting 10-20 emails daily for Windows Vista Ultimate downloads and cracks.

Re:curious (0)

Anonymous Coward | more than 7 years ago | (#17342070)

The value is that you get stung. Come on, really, who in their right mind would fork over $50,000 to some shadowy organization without any real knowledge of what they will receive in return?

People who have that much money and stupidity combined deserve what they get.

Re:curious (1)

nacturation (646836) | more than 6 years ago | (#17345940)

Trend Micro reported that Vista zero-days are being sold at underground hacker sites for $50,000.
 
I'm just wondering who would buy these at such a price. What is the real value of an exploit?
The real value is that Trend Micro gets to post a dubious piece of information showing how deadly and valuable these exploits are. Wow, just look at how insecure Vista is that these harmful exploits are worth so much money! You'd better buy our antivirus software NOW to keep yourself protected.

Antivirus companies are certainly not broadcasting this kind of information purely for the public benefit. It's a FUD campaign. Much like certain governments like to say "terrorist, terrorist, terrorist!" these companies shout "virus, virus, virus!".
 

Meant to say this last week.. but.. (4, Interesting)

The Living Fractal (162153) | more than 7 years ago | (#17341644)

Obviously Microsoft is missing these holes in Vista in house.

Maybe the biggest customer for these zero-day exploits should be.. Microsoft?

$50,000 isn't that much compared to the other option IMHO.

Just a thought.

TLF

Re:Meant to say this last week.. but.. (5, Insightful)

Rosco P. Coltrane (209368) | more than 7 years ago | (#17341788)

Obviously Microsoft is missing these holes in Vista in house.
Maybe the biggest customer for these zero-day exploits should be.. Microsoft?
$50,000 isn't that much compared to the other option IMHO.
Just a thought.


It's a very valid thought, it's just the form that's bad: what you suggest is Microsoft pays black hats under the table to find flaws in their products for them. Quite a PR disaster, surely you'll agree. On the other hand, if they were smart, they would hire talented hackers *upstream*, i.e. during the development process, and offer them the same insane amounts of money on a per-exploit-found basis (at "black market rate" if you will), only these hackers would be working for MS perfectly legally: they would get the same money, trouble-free, and Microsoft could boast they subject their products to the most stringent tests before release.

Heck, MS could even offer these Russians H1Bs/green cards, housing in the US, a car and whatnot; that would be small change compared to how Microsoft stands to make out like a bandit on the semi-forced sale of their new OS...

Re:Meant to say this last week.. but.. (2, Interesting)

The Living Fractal (162153) | more than 7 years ago | (#17341898)

Agreed. It would be generally very poor form for a company to do such a thing.

And obviously the people who sell these exploits want to get more than one sale out of each one. Selling them to Microsoft means, hopefully, the end of the exploit and no more sales. So if MS really did buy these exploits, they'd have to do it without letting the hackers find out it was them buying the exploits. Because the hackers would probably never want to sell them to MS.

I'm sure this fits into some science fiction plot somewhere. And the truth as it is said is often stranger than fiction.

TLF

Re:Meant to say this last week.. but.. (0, Troll)

Rosco P. Coltrane (209368) | more than 7 years ago | (#17341968)

Selling them to Microsoft means, hopefully, the end of the exploit and no more sales.

In an ideal world, with a software maker worth the name, yes. But with Microsoft, it seems there's never an end to bugfixing. Look at XP: it was touted as the most secure Windows ever (which isn't saying much really) when it was released, and yet look, in 2007, there are still exploits cropping up almost every day even with all the patches.

Re:Meant to say this last week.. but.. (5, Funny)

Chosen Reject (842143) | more than 7 years ago | (#17342598)

I'm sure this fits into some science fiction plot somewhere. And the truth as it is said is often stranger than fiction.

Yes it is. Would you believe that the reason for all the security holes is Microsoft? They're the ones who create the holes so that later they can take control of the bot nets and send out spam. On occasion they find a guy who's trying to go it alone and starts intruding on their turf. They send the police at that guy to take everyone's attention away from what their other hand is doing. They're pretty sinister in that regard.

Holy crap, I could almost believe that. Anybody have any extra tin foil they can spare?

Re:Meant to say this last week.. but.. (0)

Anonymous Coward | more than 7 years ago | (#17343552)

Anybody have any extra tin foil they can spare?


Who are you working for? A real paranoid would NEVER trust a tinfoil hat that had been out of his sight and might have been interfered with by THEM.

Re:Meant to say this last week.. but.. (1)

mrcparker (469158) | more than 6 years ago | (#17346126)

I love your sig. Math background?

Re:Meant to say this last week.. but.. (1)

PFI_Optix (936301) | more than 7 years ago | (#17342076)

I have a better interpretation (and possibly an idea for MS to hunt these guys down):

It's extortion. Someone identified a security flaw that Microsoft missed, and wants money for it. I'd wager their army of lawyers could spin it in such a way as to get these black hats locked up for a good long time for racketeering charges or something similar.

How MS can use this: broker deals with these guys under the table. Get any relevant law enforcement involved to ensure its legality, and nail the guys when the transaction is made. $50k is pocket change to MS; they could shell it out hundreds of times over and not feel a pinch.

If MS was successful in prosecuting these guys, it would make exploit sales a much riskier business, always wondering if the Nigerian offering money for the latest exploit isn't in reality a MS agent.

Re:Meant to say this last week.. but.. (0)

Jherek Carnelian (831679) | more than 7 years ago | (#17342396)

If MS was successful in prosecuting these guys, it would make exploit sales a much riskier business, always wondering if the Nigerian offering money for the latest exploit isn't in reality a MS agent.

These guys are already dealing with the kind of people who will kill you if they feel like they've been wronged badly enough. I don't think threat of prosecution is going to add much to their concerns.

Re:Meant to say this last week.. but.. (1)

Ilmarin77 (964467) | more than 7 years ago | (#17342400)

You know, after the small episode with Sklyarov & DMCA [eff.org], no Russian hacker in his right mind is going to deal with an American company in a place under US jurisdiction.

Re:Meant to say this last week.. but.. (1)

PFI_Optix (936301) | more than 7 years ago | (#17342454)

1) Who said they'd know who they are dealing with?

2) MS can find ways to make Russia play ball on extradition or prosecution.

Re:Meant to say this last week.. but.. (1)

Ilmarin77 (964467) | more than 7 years ago | (#17342632)

1. Why does M$ have to do it itself then? You have the FBI, which is good at this kind of business.

2. allofmp3.com style, I presume.
http://www.state.gov/www/global/legal_affairs/tifindex.html [state.gov] - sorry, no extradition treaty with Russia.

Re:Meant to say this last week.. but.. (0)

Anonymous Coward | more than 6 years ago | (#17347122)

Dude... MS knows who writes a bunch of these damned things. They've been trying to hire some of them for years. This is probably a signal that their offer wasn't high enough.

Re:Meant to say this last week.. but.. (2, Insightful)

Ilmarin77 (964467) | more than 7 years ago | (#17342434)

MS could even offer these russians H1Bs/green cards
And a place in jail for violating DMCA.

A fool and his money are soon parted (1)

Joebert (946227) | more than 7 years ago | (#17342580)

Much more cost effective to continue paying loyal employees to do this stuff & continue throwing everyone else in front of the bus.
An operating system simply cannot be 100% secure & remain as portable as Windows is; paying outrageous amounts of money for information in this situation would be foolish, hence the phrase "A fool and his money are soon parted."

Portable?! (1)

Grendel Drago (41496) | more than 6 years ago | (#17345678)

In what sense do you mean "portable"? As far as I know, it runs on i386 and its 64-bit variants; that's hardly portable.

Re:Meant to say this last week.. but.. (1)

PixelSmack (837457) | more than 7 years ago | (#17343316)

MS pays $50,000 a hack; the spammers pay $60,000 a hack. In any case the spammers will cough up more for the code.

Re:Meant to say this last week.. but.. (1)

CodeBuster (516420) | more than 7 years ago | (#17343574)

It's a very valid thought, it's just the form that's bad: what you suggest is Microsoft pays black hats under the table to fix find flaws in their products for them. Quite a PR disaster, surely you'll agree.

It is not necessarily bad for Microsoft to pay these guys a bounty behind the scenes to find flaws in their products for them. Think of it this way, the CIA pays criminals and other unsavory people to be informants and agents acting in the interests of the government at the behest of their CIA case officers or handlers. The CIA does not deal with these people because it likes them or believes in their causes, but rather because they have something we want and they are willing to sell it to us for the right price. If the operation is done properly then the CIA and by extension the government can plausibly deny that any relationship exists should the transactions be made public. It doesn't have to be a PR disaster and it might be worth the risks if the operations are handled properly.

on a per-exploit-found basis (at "black market rate" if you will), only these hackers would be working for MS perfectly legally: they would get the same money, trouble-free, and Microsoft could boast they subject their products to the most stringent tests before release.

Unless the program was advertised extensively to the underground scene on the Internet there would probably not be enough responses or interest to attract the best talent. It is also unlikely that Microsoft, even with their giant cash reserves, could pay enough on a per exploit basis to offset the potential illegal profits that could be made by using the exploit instead. To use an analogy, if you had a key that would open 95% of the worlds' locks then you would probably not show up at the lock picker challenge day to demonstrate on the front doors of FBI headquarters for a pittance prize and a hand shake for being a good citizen.

Re:Meant to say this last week.. but.. (1)

Tinman_au (1004053) | more than 6 years ago | (#17344458)

Actually, I wouldn't see Microsoft introducing some sort of "Buy a bug/exploit" scheme as being a PR disaster at all, quite the opposite. They'd have to be fairly particular about what defines "a bug/exploit" though, or at least define a reasonable scale.

Heck, they'd probably end up with the most secure OS on the planet if they offer $10-20k US for a bug/exploit.

Someone should suggest the idea to them ;o)

Re:Meant to say this last week.. but.. (1)

jorghis (1000092) | more than 6 years ago | (#17345248)

Well, they already do exactly that. Microsoft has a huge QA department and it's a pretty safe bet that the SDETs working in it make a good bit more than 50k a year. They recruit internationally and get people those visas you were talking about, since software engineers who don't suck are in short supply these days.

Unless a hacker believes that he can find several big time exploits every year before anyone else does (quite a stretch imho) then it seems like it would be in his financial best interest to work for them already. I have always wondered why people would want to be in the illegal underground in Russia or someplace when they could make more money and have a safe and secure job in the states.

Re:Meant to say this last week.. but.. (1)

kjart (941720) | more than 6 years ago | (#17345486)

On the other hand, if they were smart, they would hire talented hackers *upstream*, i.e. during the development process, and offer them the same insane amounts of money on a per-exploit-found basis (at "black market rate" if you will), only these hackers would be working for MS perfectly legally: they would get the same money, trouble-free, and Microsoft could boast they subject their products to the most stringent tests before release.

This has come up before in other articles, but I'll rehash the old arguments. It's tough to trust someone who has been maliciously attacking your business for years i.e. banks hiring bank robbers, software companies hiring blackhats, etc etc. Sure it happens and their knowledge is probably extremely valuable, but putting someone in a position of trust in an industry where they have committed crimes is hardly a straightforward proposition.

Re:Meant to say this last week.. but.. (2, Interesting)

lachesis-jp (886896) | more than 7 years ago | (#17341808)

That's possibly what the guys selling the exploits are hoping for: that Microsoft buys it from them, and as you say $50,000 isn't much for Microsoft. Actually, maybe Microsoft should start a program to reward people that submit vulnerabilities in relation to the security risk caused by them. This might actually help make Vista secure quickly if they pay well. And if they have any confidence in the fact that Vista is a relatively secure OS, they shouldn't have to worry that it is going to cost them too much, as each bug that disappears is a bug that won't be discovered anymore.

Re:Meant to say this last week.. but.. (1)

kjart (941720) | more than 6 years ago | (#17345512)

From the article:

The vulnerable code is present in Windows 2000, XP, 2003 and Vista.

Another case of Microsoft getting burned by legacy code? You have to wonder how many problems would be solved if they actually started fresh, rather than propping up the compatibility bridge continuously. Probably a lot, but I doubt they want to damage their market share to the extent that such a move would likely make.

Re:Meant to say this last week.. but.. (1)

triso (67491) | more than 6 years ago | (#17349542)

Obviously Microsoft is missing these holes in Vista in house.
Maybe the biggest customer for these zero-day exploits should be.. Microsoft?
$50,000 isn't that much compared to the other option IMHO.
Just a thought.
 
If their source code was open, people would locate and possibly fix these exploits for free.

e4! (-1, Offtopic)

Anonymous Coward | more than 7 years ago | (#17341702)

has run fasTer [goat.cx]

Fscking Visual Basic (1, Troll)

mandelbr0t (1015855) | more than 7 years ago | (#17341768)

Geez, they don't even need to publish exploit details. I can figure it out from the technical details. Yet again, the need for the CLR to support this moronic language creates a very obvious security flaw. Once again, data being marshalled across process boundaries assumes the VB programmer knows what he's talking about, and doesn't safely pass the message string, instead allowing the marshaller to interpret it as code. Great. I'm sure we'll see a whole bunch of related exploits that target the .NETCOM marshaller.

Doesn't anybody know that the first rule of system programming is "Never trust your input"? Why on earth is something running with SYSTEM privileges not validating input it could have received from a Visual Basic programmer?

mandelbr0t

Re:Fscking Visual Basic (3, Insightful)

cnettel (836611) | more than 7 years ago | (#17341902)

This has nothing to do with Visual Basic. It's the plain and simple Win32 API. The demo just happens to be written in VB.NET using .NET Interop.

Re:Fscking Visual Basic (1)

crunch_ca (972937) | more than 7 years ago | (#17342058)

I just read TFA. Let me get this straight. The exploit is in MessageBox()?

Awesome.

Re:Fscking Visual Basic (4, Informative)

tlhIngan (30335) | more than 7 years ago | (#17342602)

I just read TFA. Let me get this straight. The exploit is in MessageBox()?
Awesome.


All I can say is... OUCH.

MessageBox() is a fairly commonly used API (it's used to display a message box, with optional icon (none, alert, caution, etc.), and buttons (yes/no, yes/no/cancel, ok/cancel, ok, etc). It's the most trivial way to do a quick debug, or pop up an error message. It's probably one of the most commonly used functions, as well.

Wonder what Microsoft did to break MessageBox(). Considering how often it's used...

Re:Fscking Visual Basic (1)

TubeSteak (669689) | more than 6 years ago | (#17344810)

Wonder what Microsoft did to break MessageBox(). Considering how often it's used...
Whatever they did, they did it a long time ago, since TFA says Win2k is vulnerable.

Unless this exploit is perpetuated by a patch, MS's brand spanking new OS is getting pwnd by a bug coded >7 years ago. I assume it's at least 7 years old, because I doubt anyone is testing against NT4 these days, so I don't know if it's a leftover from the mid-90's.

Re:Fscking Visual Basic (0)

Anonymous Coward | more than 6 years ago | (#17346458)

MessageBox() is a fairly commonly used API (it's used to display a message box, with optional icon (none, alert, caution, etc.), and buttons (yes/no, yes/no/cancel, ok/cancel, ok, etc). It's the most trivial way to do a quick debug, or pop up an error message.

Did you really need to use 25 words and five parentheses to explain what MessageBox() does? You could have just said "MessageBox() displays a message box."

Javascript alert()? (1)

Xenographic (557057) | more than 6 years ago | (#17346502)

I haven't read the details of this exploit, but doesn't the javascript alert() function usually call MessageBox() on Windows?

If it's just the text inside the message box that they need to screw with, this could be pretty easily exploited by any random website...

Re:Javascript alert()? (1)

Schraegstrichpunkt (931443) | more than 6 years ago | (#17347280)

Shut up already! You're ruining my fun!
-- Mallory

Re:Javascript alert()? (0)

Anonymous Coward | more than 6 years ago | (#17350324)

Wouldn't work, it requires the setting of an infrequently used flag (MB_SERVICE_NOTIFICATION) which browsers won't set on their messageboxes.

Re:Fscking Visual Basic (4, Insightful)

Daltorak (122403) | more than 7 years ago | (#17342200)

Yet again, the need for the CLR to support this moronic language creates a very obvious security flaw.
Huh? Where's the logic in that? Blaming VB.NET for a security vulnerability in a Win32 API is like blaming Perl for a security vulnerability in the Linux kernel API. This has absolutely nothing to do with the CLR, Visual Basic (.NET or 6), or any other specific language... the vulnerability exists on the lowest level of the Win32 API (CSRSS, amongst other things, is Win32's interface to the Windows kernel). Any language that can call into Win32 can trigger this vulnerability... including Perl.

Re:Fscking Visual Basic (1)

Foolhardy (664051) | more than 6 years ago | (#17346264)

For one thing, MessageBox() is implemented entirely in user32.dll, a client library which runs directly in the client process calling the function. CSRSS and win32k only implement lower level primitives like windows and display contexts (Here [bialystok.pl] 's a list of both the service tables; scroll down to win32k.sys to see all of its functions). MessageBox() uses those to create a new window with the specified buttons and text on the fly with those primitives; the vulnerability is inside that code. There's no reason to put MessageBox() on the server side (i.e. in CSRSS or win32k). MessageBox() is not a path to privilege escalation.

However, this still could be a vulnerability if any programs pass arbitrary user data directly to MessageBox(). This seems to be like the GDI+ vulnerability: another client side library that wasn't prepared to deal with bad data coming from another module within the same process. The problem is that that bad data may have originated from outside the process, being passed on to the library verbatim. Shared libraries don't usually check their interfaces for security heavily because they weren't expecting to be handling data from the outside world-- only data coming from within the process.

The convention always was that the onus for providing correct data to a library was on the caller. If the data is bad, the only process that is hurt is the one that provided the bad data-- no escalation because a process can only hurt itself. The idea was that since only external interfaces are connected to untrusted sources like the outside world, only external interfaces need rigorous checks. Traditionally, library functions were used only as internal interfaces. As programs become increasingly abstracted, they pass their data more directly to their libraries. The problem occurs when a library trusts the calling application to validate data, when the application thought the library was going to do it.

Another thing this is similar to are SQL injection vulnerabilities. When SQL was created, only operators and services trusted to some extent by the system could write queries. When the line between data and query was blurred with various forms of dynamically generated queries, poorly written front-ends allowed user data to bleed directly into the SQL statements that (used to be) trusted.

As with SQL injection, I'd say that the onus should still be on the caller to provide sanitized data to naive functions like MessageBox(). It doesn't matter that MessageBox() will do bad things if it gets bad data; any program that talks to untrusted sources should sanitize incoming data BEFORE it gets to such functions. Javascript allows you to pop up a message box, but it's the browser's job (since it's the one talking to the outside source) to make sure that the text in the box is clean before passing it on.

As long as front-end program code doesn't prematurely abdicate its responsibility to sanitize incoming data, vulnerabilities like this one and the GDI+ one won't be an issue. The only time they can pass that responsibility on is when the library states that it can accept it, either explicitly or implicitly by being an external interface (like a network service).
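The "who validates?" question in the post above, worked as an added example (this is not code from the thread, from Microsoft, or from any commenter). It models a display routine that trusts its caller, the way MessageBox() is described here, with a gate the outward-facing component applies first, and carries the SQL-injection analogy through with sqlite3: the concatenated query beside the parameterized one. The sink name `naive_message_box`, the length limit, the sample rows and the probe strings are all constructed for the example.

```python
"""Trust-boundary checks for untrusted text before it reaches a naive sink."""
import sqlite3
import unicodedata

MAX_DISPLAY_LEN = 1024  # assumed limit for the example; a real UI picks its own


class UntrustedInput(ValueError):
    """Raised when text from an external source fails the gate."""


def sanitize_for_display(text: str, max_len: int = MAX_DISPLAY_LEN) -> str:
    """Gate untrusted text before handing it to a naive display routine.

    The library (the sink) is assumed to trust its caller, so the caller
    enforces type, length, and "no control/format characters other than
    newline and tab". Failing input is rejected rather than repaired, so the
    sink never sees anything the caller did not understand.
    """
    if not isinstance(text, str):
        raise UntrustedInput("display text must be str")
    if len(text) > max_len:
        raise UntrustedInput(f"display text longer than {max_len} chars")
    for ch in text:
        # Unicode categories starting with C: Cc control, Cf format,
        # Co private use, Cn unassigned, Cs surrogate.
        if ch not in "\n\t" and unicodedata.category(ch).startswith("C"):
            raise UntrustedInput(f"control character U+{ord(ch):04X} in display text")
    return text


def naive_message_box(text: str) -> str:
    """Stand-in (constructed) for a library routine that validates nothing.

    It only echoes what it would render; the point is that it is the
    caller's job to make sure `text` is clean before this is reached.
    """
    return f"[dialog] {text}"


def show_untrusted(text: str) -> str:
    """Browser-style wrapper: the component talking to the outside world gates first."""
    return naive_message_box(sanitize_for_display(text))


# --- SQL analogy: the same mistake, and the parameterized fix ---

def _demo_db() -> sqlite3.Connection:
    """In-memory table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    return conn


def find_user_concat(conn: sqlite3.Connection, name: str) -> list:
    """Vulnerable form: user data bleeds into the query text."""
    return conn.execute(f"SELECT name FROM users WHERE name = '{name}'").fetchall()


def find_user_param(conn: sqlite3.Connection, name: str) -> list:
    """Hardened form: data travels as a bound parameter, never as query text."""
    return conn.execute("SELECT name FROM users WHERE name = ?", (name,)).fetchall()


if __name__ == "__main__":
    print(show_untrusted("Your download finished.\nOpen it now?"))
    try:
        show_untrusted("hello\x00world")
    except UntrustedInput as e:
        print("rejected:", e)
    db = _demo_db()
    probe = "x' OR '1'='1"  # constructed tautology, used only to compare the two forms
    print("concat :", find_user_concat(db, probe))   # every row comes back
    print("param  :", find_user_param(db, probe))    # no row matches
```

The gate rejects rather than strips, so a log of `UntrustedInput` exceptions doubles as a detection signal: a burst of control characters or oversized strings arriving at the display boundary is worth an alert on its own, before anyone asks what the sink would have done with them.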

Re:Fscking Visual Basic (1)

Foolhardy (664051) | more than 6 years ago | (#17346700)

Ok, upon actually reading the articles, my first paragraph is off: although the display part of MessageBox() is implemented entirely in the client side library, it may ask CSRSS to display the box instead. It's CSR that's mishandling that request in some weird circumstances. This isn't the only [tesco.net] long standing bug of its kind in CSR. I sorta get the impression that no one at Microsoft really wants to touch the old CSR code (and may not even be competent to). The thing about "\??\" sounds like some debugging or obsolete piece of code that was written once and never read again. This is possibly a good case study for something that open source onlookers would've noticed as a bogus special case while browsing code.

My point about how apps should sanitize data from untrusted sources before passing it to internal library functions still stands, though... just not as much in this case.

Double free vulnerability (2, Interesting)

Utopia (149375) | more than 7 years ago | (#17341804)

How does one go about exploiting a double free vulnerability?
The article just mentions that Windows has a double free vulnerability but does not post an exploit (and neither does the russian site which originally reported this issue).


Re:Double free vulnerability (3, Informative)

cnettel (836611) | more than 7 years ago | (#17341998)

It really depends on the heap (the specific data structures keeping track of the blocks) in use, but it can result in other blocks also being freed incorrectly. If you are able to replace the first block at the address with another, during the relevant timespan, you can get THAT one freed, which then can cause some other part of the kernel, relying on that new data, to crash. As the buffers involved here are all allocated in-kernel, I would think you need to do some tricky timing-dependent work to get a real exploit going. If you don't have debugging privileges, you won't know the address used yourself, and you'll need to trick some other API to choose to allocate that very same memory, unless, of course, the data structures are severely damaged by just the double-free event, without any new allocation between the two.

M1C170Z0F7 (0)

Anonymous Coward | more than 7 years ago | (#17341942)

I'm of the anonymous opinion, from my short tenure at M$, that internal corruption of developers has tainted their software and business practices. Open source easily alleviates this by publishing its code.

Discount... (1)

PreacherTom (1000306) | more than 7 years ago | (#17342126)

Heck of a discount after what we saw last week, huh?

Zero-day sale? (0)

Anonymous Coward | more than 7 years ago | (#17342132)

Just last week, Trend Micro reported that Vista zero-days are being sold at underground hacker sites for $50,000.
I've heard of the Penney's "Day-after-Thanksgiving Sale", the Macy's "15-hour Sale", and even the Marshall's "7-hour Sale" but this new "Zero-day Sale" is really pushing it.

List of those strings... (3, Funny)

fahrbot-bot (874524) | more than 7 years ago | (#17342250)

Certain strings sent through the 'MessageBox' API apparently cause memory corruption.

A partial list of those strings appears to be: Linux, Open-Source, GNU, Stallman, and (oddly) chair.

Re:List of those strings... (0)

Anonymous Coward | more than 7 years ago | (#17342334)

So all you have to do is hit it with a chair?

Sounds reasonable to me...

Microsoft still hasn't learned about safe strings! (2, Interesting)

raddan (519638) | more than 7 years ago | (#17342280)

Which is ironic, because they actually have a page [microsoft.com] on handling strings safely. So are they lazy, stupid, or both? Lemme guess-- they couldn't use their own API because someone wrote the MessageBox API in assembly...?

Re:Microsoft still hasn't learned about safe strin (1)

TheNetAvenger (624455) | more than 7 years ago | (#17344248)

MessageBox API in assembly

Yep someone is lazy, or it is a side effect in the API.

BTW Only the HAL of any NT based system is written in assembly, everything above that must be portable C. (This is one reason it was sad that WinNT 4.0 was faster than Win9x, as the Win9x team could use all the assembly they wanted.)

Old API, not properly reviewed. BTW, did anyone notice that the exploit requires 'prior' admin authorization? It can only elevate after getting the permission to do so at a prior point, so it is kind of a moot bug on Vista.

slow week (0)

Anonymous Coward | more than 7 years ago | (#17342442)

This is a couple of very slow news days here at /. only 2 Microsoft threads today and 3 yesterday. We really need to step up the anti MS rhetoric if you want Linux to rule the world with an iron fist.

Awwww! (1)

Snarfiorix (1001357) | more than 7 years ago | (#17342496)

So a user could exploit this? Jeez, panic! Hold on.... As a matter of habit, I disabled any built-in accounts, so that leaves only me... but can I trust myself?

Re:Awwww! (1)

The-Ixian (168184) | more than 7 years ago | (#17342590)

not if you know what's good for you

More details on this (4, Interesting)

wumpus188 (657540) | more than 7 years ago | (#17342548)

... from another Russian forum [bugtraq.ru] (roughly translated from Russian...)

Function GetHardErrorText
Comment:
* This function figures out the message box title, text and flags.
* We want to do this up front so we can log this error when the hard error is
* raised. Previously we used to log it after the user had dismissed the message
* box -- but that was not when the error occurred (DCR Bug 107590)

This function finds and extracts strings like "{EXCEPTION}" from MessageBox's text and if found, writes them in the system log.

} else if ((asLocal.Length > 4) && !_strnicmp(asLocal.Buffer, "\\??\\", 4)) {
strcpy( asLocal.Buffer, asLocal.Buffer+4 );
Local.Length -= 4;
Say, nice use of strcpy...
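What a safe version of that prefix strip looks like, as an added example that is not the CSRSS code and not from the original post. The quoted pattern has two problems: strcpy with overlapping source and destination is undefined behaviour, and strcpy stops at a NUL rather than at Length, so on a counted string that is not NUL-terminated it reads and writes past the end. The counted_str type below is an assumed stand-in shaped like ANSI_STRING, and strncasecmp stands in for _strnicmp; strip_copy and last_equals are test hooks constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <strings.h>   /* strncasecmp, portable stand-in for _strnicmp */

/* Assumed counted-string shape: Length bytes in Buffer, NUL not guaranteed. */
typedef struct {
    uint16_t Length;         /* bytes in use */
    uint16_t MaximumLength;  /* bytes available in Buffer */
    char *Buffer;
} counted_str;

#define NT_PREFIX "\\??\\"
#define NT_PREFIX_LEN 4

/* Hardened form of the quoted snippet: validate the descriptor, bound the
 * copy by Length instead of by a NUL, use memmove for the overlapping move,
 * and keep Length in sync with the bytes actually moved.
 * Returns 1 if a prefix was removed, 0 if none, -1 if the string is malformed. */
int strip_nt_prefix(counted_str *s) {
    if (s == NULL || s->Buffer == NULL || s->Length > s->MaximumLength)
        return -1;
    if (s->Length < NT_PREFIX_LEN)
        return 0;
    if (strncasecmp(s->Buffer, NT_PREFIX, NT_PREFIX_LEN) != 0)
        return 0;
    size_t rest = s->Length - NT_PREFIX_LEN;
    memmove(s->Buffer, s->Buffer + NT_PREFIX_LEN, rest);   /* overlap-safe */
    s->Length = (uint16_t)rest;
    if (s->Length < s->MaximumLength)
        s->Buffer[s->Length] = '\0';   /* terminate only when there is room */
    return 1;
}

/* Test hook: copies n bytes of text into a scratch buffer of cap bytes,
 * deliberately without a NUL (like a real counted string), runs the strip,
 * keeps the result in `last` and returns the strip_nt_prefix() code.
 * -2 means the hook's own arguments were inconsistent. */
static char last[64];
static size_t last_len;
int strip_copy(const char *text, size_t n, size_t cap) {
    if (cap > sizeof last || n > cap)
        return -2;
    memset(last, 'X', sizeof last);   /* poison so an over-read would show */
    memcpy(last, text, n);
    counted_str s = { (uint16_t)n, (uint16_t)cap, last };
    int rc = strip_nt_prefix(&s);
    last_len = s.Length;
    return rc;
}

/* 1 if the last result is exactly the n bytes of expect. */
int last_equals(const char *expect, size_t n) {
    return last_len == n && memcmp(last, expect, n) == 0;
}
```

The point is not memmove versus strcpy by itself; it is that every operation on a counted string has to be bounded by the count the caller supplied, and the count has to be re-validated against the buffer size before it is trusted.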

Why now? (2, Insightful)

Lxy (80823) | more than 7 years ago | (#17342720)

I think it's funny that the black hats are releasing exploits for Vista so soon. The product isn't widely available yet, so by the time Vista ships to consumers mostly of these 0-days will be patched.

A smart black hat would lay low until SP1 is released, and wait for the real corporate deployment to begin.

Re:Why now? (4, Interesting)

hackstraw (262471) | more than 7 years ago | (#17342968)

A smart black hat would lay low until SP1 is released, and wait for the real corporate deployment to begin.

A smart black hat has like a job and a life.

The only thing I can say that these script kiddies and whatnot are good for is that they are easily detectable and they alert security people of vulnerabilities so that it makes it difficult for people that are really interested in doing real damage or obtaining data that they shouldn't have.

Its really ironic how valuable these kids are. Without them, real compromises would be more common and much more painful.

Re:Why now? (0)

Anonymous Coward | more than 6 years ago | (#17345220)

A smart black hat has like a job and a life.

Not only that.

Lots of people are able to "break code" and find vulnerabilities. But yeah, not only my job pays well enough, but risking getting arrested, doing jail time (don't pick up the soap!), likely getting a divorce and your ex keeping the kids, nobody wanting to hire you afterwards, everybody hating you for the bad things you've done, etc i.e. TOTALLY screwing up your life for 50k$ (that you didn't need in the first place), supporting spammers in the process (i.e. having no morals is a prerequisite)?

If it was 500k$, I could see more people risking it. But for so little...

Re:Why now? (1)

blackpete11 (1040416) | more than 6 years ago | (#17344572)

I would guess that these aren't the real exploits and we have some decent ones to look forward to around SP1

Re:Why now? (0)

Anonymous Coward | more than 6 years ago | (#17345282)

New code from MS means new bugs from MS. Vista has a new networking stack does it not?
If I were a black hat, I couldn't give a rat's ass about this MessageBox exploit. Surely it's not a big job for an MS person to validate the input within the MessageBox function.

How many exploitable bugs are in that networking stack is what I want to know. 10? 20? more?

Doesn't count! (2, Insightful)

Macthorpe (960048) | more than 7 years ago | (#17342840)

Of course, this doesn't count, as has been evidenced by the outcry against similar proof-of-concept security holes in OS X.

I'm pretty sure the Slashdot community wouldn't be so two-faced as to claim something is an exploit on Vista which isn't 'counted' as an exploit on OS X, right?

Right?

Mod parent up! (1)

LinuxIsRetarded (995083) | more than 7 years ago | (#17344130)

Beautifully stated!

yet more excuse~1 .. (0, Troll)

rs232 (849320) | more than 6 years ago | (#17347726)

Of course, this doesn't count, as has been evidenced by the outcry against similar proof-of-concept security holes in OS X.

I'm pretty sure the Slashdot community wouldn't be so two-faced as to claim something is an exploit on Vista which isn't 'counted' as an exploit on OS X, right?

Right?

I fail to follow your logic. How does some imaginary Slashdot poster's opinion on an OS X exploit have any bearing on the contents of the article? We have yet to see a large scale virus or phishing exploit on the Mac.

Re:Doesn't count!

re: (1)

rs232 (849320) | more than 6 years ago | (#17348732)

gutless prick ..

was Re:yet more excuse~1 ..

what the string is (1)

ILuvRamen (1026668) | more than 7 years ago | (#17342992)

I bet the string that causes memory corruptions is "Hello world!" hehehehe.

Beautiful! (0)

Anonymous Coward | more than 7 years ago | (#17343524)

Was the specific string "Hello World"? I'm astounded that one of the first potential exploits found to Microsoft's "safest and most secure OS EVAR!!" is within the reach of anybody reading the first chapter of a VB book.

This so reminds me of something else (0)

Anonymous Coward | more than 7 years ago | (#17343756)

So by sending invalid strings to MessageBox, it corrupts memory?

Maybe someone might remember this easy way to drop services on an irc network.

1. Get BitchX Running
2. Start a query with a service ( /q nickserv or something )
3. Execute a shell command with output back to the screen and dd /dev/urandom back to the console ( /exec -o dd if=/dev/urandom )

I hope this little hole has been fixed (I watched a network fracture once because of this little "feature").

-Enjoy

Can this be exploited with alert() or prompt()? (2, Insightful)

scienceguy55 (904879) | more than 7 years ago | (#17344044)

I'm wondering what sort of checking IE does on alert() and prompt() calls, and on and tags. If you can force an error would it be possible to run arbitrary code this way?

so... (1)

mottie (807927) | more than 7 years ago | (#17344082)

This affects a total of what? 15 people? I don't see why anyone would pay cold hard cash for Vista exploits when 99% of the internet still runs XP or previous..

Re:so... (0, Flamebait)

DragonTHC (208439) | more than 7 years ago | (#17344164)

99% of the internet still runs XP or previous..
Hahaha, you never heard of OSX or Linux.

you're so dumb

Re:so... (1)

sqlrob (173498) | more than 7 years ago | (#17344178)

RTFA.

Win 2k and later, including Vista

local elevation of privilege on XP .. (1)

rs232 (849320) | more than 6 years ago | (#17347708)

"The PoC reportedly allows for local elevation of privilege on Windows 2000 SP4, Windows Server 2003 SP1, Windows XP SP1, Windows XP SP2 and Windows Vista operating systems,"

Deliberately misquoting the report is a sure sign of desperation ..

was Re:so...

Um, what? (1)

Jugalator (259273) | more than 6 years ago | (#17344600)

Wow, so an exploit that requires root access?
Yeah, this tends to be how trojans and viruses work. In basically any OS.

Wake me up when there's a remote exploit requiring no elevation of privileges. :-p

Re:Um, what? (1)

Cyberax (705495) | more than 6 years ago | (#17347328)

No, it doesn't require root access. And it allows you to elevate your privileges to 'System'.

more Trend hype (1)

cheezit (133765) | more than 7 years ago | (#17350574)

I don't buy it. Zero-day exploit value goes up with installed base. What is the installed base of Vista? If anything, the release of a zero-day exploit at this point would be foolish, it would not benefit the buyer, so it wouldn't be worth spending much on.

If anything, my guess is that any zero-day exploits are being held in various back pockets, in escrow so to speak, to be sold in early spring when the OEMs have shipped lots of Vista-preloaded boxes.