Redmond's Butterfly Effect
Tim Mullen, 2004-06-28

Criminals are benefiting from an Internet Explorer that's so complex even Microsoft can't predict its behavior.

Most of you have heard of a reportedly widespread compromise of an unknown number of clients through an unpatched vulnerability in Internet Explorer. The clients were owned by visiting commercial web sites that had previously been compromised by an as-yet-undetermined method; the attackers dropped code onto those servers that customers would then launch when they visited the site.

While some speculate that an IIS zero day was used to own the servers, my guess is that the hosting boxes were not patched against a recent vulnerability (something like MS04-11). I would normally say "Hey, you should have been patched" and go about my business. But this event is a bit different.

Here we had multiple vulnerabilities in IE, at least one spanning back months, which have remained un-patched by Microsoft. The culmination of the vulnerabilities allows for silent code execution on the client box: zones crossed, files downloaded, code executed, boxes owned. Microsoft's own little butterfly effect.

To be quite frank, this really, really sucks.

This event perfectly illustrates points that we in the security community have been making for quite some time -- attacks are getting more and more complex, and attackers are using multiple vulnerabilities to carry them out. It also represents what I consider a flaw in the way the IE security team looks at and rates vulnerabilities. The "mitigating factors" in these vulnerabilities have always been determined by looking at the problems in isolation: things like "an attacker would have to be able to write files locally" or "this would only work if code was run in the Local Intranet Zone."

When Microsoft then uses these factors to schedule hot fix development and deployment, we find ourselves in the position we're in today: insufficient ranking is given to these vulnerabilities, attackers piggyback exploits together -- leveraging one against the other to fully compromise a machine -- and here we are sitting around with no patch available.

We shouldn't be meeting today with our admins discussing "work-arounds," we should be following up on how the patch rollout went.

Microsoft's Tunnel Vision
The combination of compromised servers in this scenario also breaks the old "one would have to be coaxed into visiting a malicious website" factor. There is no "coaxing" here. To fall prey to this attack, you would simply have to use IE the way we've been told to use IE -- to look in on your Abba collection on eBay or check your Yahoo mail account. And users sitting behind a corporate firewall with AV running client-side would have fared no better.

The fact that XP's SP2 would have fixed this problem is nice to know, but it really doesn't help us much today. To be honest, I'm a little miffed at the fact that Microsoft was familiar enough with these issues to address them in a service pack beta, yet no patch was made available for our production systems.

Internet Explorer is an extremely complex work. I'm not really all that sure what to call it: Application? Browser? Development platform? Mini-OS? Given the innate complexity of zone settings, ActiveX object controls and the various scripting configurations, there is really no excuse for the way multiple vulnerabilities within a single product were handled with such tunnel vision, particularly when their combined exploitation has been exemplified on forums like SecurityFocus for months now.

I've been watching IE grow for years now, and while I'm aware of the tremendous effort put forth to make it a platform from which elaborate corporate development projects can be built, one has to question the need for such complexity in what most of us use as a Web browser.

Maybe it is time for an "Enterprise Edition" of IE to be developed in the same way that Microsoft has developed expanded capabilities into other products like Visual Studio and Visio. That way, those who need a complex development platform can have it, and the rest of us can have a nice, tight little browser to do with as we will. When it comes to my browser, it would be nice to be able to concentrate on Adriana Lima without having to worry about the likes of Adrian Lamo.

Regardless of what the future of IE brings, it is evident to me that given the events of today the IE security team either doesn't fully understand the security ramifications of its product, or the thing is so complex that it really does take over 10 months to patch a bug. Either way, it doesn't look so good.



SecurityFocus columnist Timothy M. Mullen is Vice President of Consulting Services for NGSSoftware.