Feast of Egos
Tim Mullen, 2004-09-07

Eager to tarnish Microsoft's shiny new Service Pack 2, the security press managed to spin the most thin and marginal issues into "gaping holes" and "security craters."

Some time back, while looking over resumes accompanying applications for a senior network administrator position our company was offering, I saw one with a strange signature quote at the bottom. It read: "In the Feast of Egos, everyone leaves hungry."

It may have been the capitalization of "Ego," or maybe my lack of breakfast, that caused my mind to read "Feast of Eggos." Yeah, like the toaster waffle. With a head tilt and an audible "er?" I tried to discern the pun. Nothing. As if it were some Gibranian metaphor, I racked my brain for its secret meaning. Nada. It drove me crazy. How could you leave hungry after a feast of Eggos? I mean, they're crispy on the outside, and light and fluffy on the inside! Finally deciding that the applicant was a total tool for quoting something so stupid, I jokingly told our new CFO about it. He paused and replied, "spell it." That's when I finally read the quote correctly, and realized that I was the tool. Then there was the irony of my readiness to dismiss the quote as "stupid" simply because I didn't understand it, when all the while it was a message about the nature of ego.

In light of the recent media frenzy covering reported security issues in XP SP2, I'd like to take the opportunity to use that quote as a basis for a new one: "In the Feeding of Media Egos, everyone leaves vulnerable."

I expected security researchers to instantly focus on finding flaws in SP2 when it went public. I expected the "installation-from-hell" posts, and the "SP2 broke all my apps" messages. I even expected the whiney "Why in the world did Microsoft do that?" questions -- though I was a little surprised by how many of them read like Veruca Salt bleating on to Willy Wonka about wanting an Oompa Loompa.

But I really did not expect to see the sheer tonnage of media outlets that apparently went out of their way to expound upon every presumed XP SP2 issue they came across -- whether it was a real issue or not.

I know that everyone loves to bust on Microsoft, and with SP2's exposure and spotlight status, it is a huge target for people in this industry. However, when the media takes questionable (and even non-existent) issues and presents them as if they were critical vulnerabilities, it is just too much.

For instance, one of the first "security vulnerabilities" reported in SP2 had to do with the "no warning on launch" behavior of files initially saved from Internet Explorer or Outlook Express and then executed directly from the command prompt. You see, XP SP2 introduced a new ZoneID mechanism: zone-aware applications (like IE and OE) mark each file they save with an ID representing the zone it was downloaded from (the mark lives in an NTFS alternate data stream named Zone.Identifier attached to the file). If you downloaded an untrusted file from the Net with IE, and later tried to launch it through a zone-aware application like Explorer, you would be warned that the file came from an untrusted source.

The "exploit" for this "vulnerability" is to send a user some malicious code, get them to save it locally, and then persuade them to open a command prompt and launch the file manually, or drag and drop it into the shell window.

Gaping Holes!
The fact is, the XP command interpreter is not ZoneID aware, and it is not supposed to be. It is as simple as that. Because CMD ignores ZoneIDs at execution, the end result is no different from ftp'ing the file from a DOS window, saving it with a different download tool, or, for that matter, using a browser that never writes the mark at all. As far as the user interaction is concerned, you may as well send them source code with detailed instructions on how to compile and run it. This one wins the "Totally Lame" award.
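To make the ZoneID argument concrete, here is an added example (my own code, not the column's and not Microsoft's) that parses the Zone.Identifier stream SP2 writes, reads it off files on NTFS, and simulates the two launchers side by side. The stream format (an INI-style [ZoneTransfer] section with a ZoneId key) and the zone numbering follow IE's URL security zones; the assumptions are that the zone-aware launcher warns only for Internet (3) and Restricted Sites (4), that cmd.exe is modelled as never opening the stream, and that the SAMPLE_FILES table is constructed rather than captured data.

```python
"""Added example (not the column's or Microsoft's code): what SP2's ZoneID mark
is, and why "launch it from cmd.exe" was a non-issue.

Fact: the mark is an NTFS alternate data stream named Zone.Identifier holding
an INI-style [ZoneTransfer] section with a ZoneId key. Assumptions: the
zone-aware launcher warns only for zones 3 and 4; cmd.exe never reads the
stream; SAMPLE_FILES is constructed data.
"""
import configparser
import os
from typing import Dict, List, Optional, Tuple

STREAM_NAME = "Zone.Identifier"

ZONE_NAMES = {
    0: "Local Machine",
    1: "Local Intranet",
    2: "Trusted Sites",
    3: "Internet",
    4: "Restricted Sites",
}

# Assumption: zones whose files get the "untrusted source" prompt on open.
UNTRUSTED_ZONES = frozenset({3, 4})


def parse_zone_identifier(text: str) -> Optional[int]:
    """Return the ZoneId from Zone.Identifier stream text, or None.

    Accepts CRLF line endings and extra keys (newer Windows versions add
    ReferrerUrl and HostUrl). A missing section, missing key, non-numeric
    value or unparsable text all count as "no mark".
    """
    parser = configparser.ConfigParser(interpolation=None)  # URLs may hold '%'
    try:
        parser.read_string(text)
        return int(parser.get("ZoneTransfer", "ZoneId"))
    except (configparser.Error, ValueError):
        return None


def read_zone_identifier(path: str) -> Optional[int]:
    """Read the mark from a file on NTFS via the 'file:stream' path syntax.

    Returns None when the stream is absent or the volume has no ADS support
    (on non-NTFS volumes 'file:Zone.Identifier' is just a missing path).
    """
    try:
        with open(f"{path}:{STREAM_NAME}", "r", encoding="utf-8",
                  errors="replace") as stream:
            return parse_zone_identifier(stream.read())
    except OSError:
        return None


def zone_aware_verdict(zone_id: Optional[int]) -> str:
    """Explorer-style launch: consult the mark, warn for untrusted zones."""
    if zone_id is None:
        return "run (no mark present)"
    name = ZONE_NAMES.get(zone_id, f"zone {zone_id}")
    return f"warn ({name})" if zone_id in UNTRUSTED_ZONES else f"run ({name})"


def cmd_verdict(zone_id: Optional[int]) -> str:
    """cmd.exe launch: the stream is never read, so the file simply runs."""
    return "run (mark not consulted)"


# Constructed sample: the same payload reaching disk by four routes. Only the
# zone-aware downloader writes the stream; the other routes leave no mark.
SAMPLE_FILES: Dict[str, Optional[str]] = {
    "ie_download.exe": "[ZoneTransfer]\r\nZoneId=3\r\n",   # saved by IE/OE
    "ftp_download.exe": None,                               # ftp.exe in a DOS window
    "other_browser.exe": None,                              # non-zone-aware browser
    "intranet_copy.exe": "[ZoneTransfer]\r\nZoneId=1\r\n",  # from a local share
}


def compare_launchers(files: Dict[str, Optional[str]]) -> Dict[str, Tuple[str, str]]:
    """Map each file to (zone-aware verdict, cmd.exe verdict)."""
    result = {}
    for name, stream_text in files.items():
        zone_id = None if stream_text is None else parse_zone_identifier(stream_text)
        result[name] = (zone_aware_verdict(zone_id), cmd_verdict(zone_id))
    return result


def scan_marks(directory: str) -> List[Tuple[str, int]]:
    """List (filename, ZoneId) for every marked file in a directory (NTFS)."""
    found = []
    for entry in os.scandir(directory):
        if entry.is_file():
            zone_id = read_zone_identifier(entry.path)
            if zone_id is not None:
                found.append((entry.name, zone_id))
    return found


if __name__ == "__main__":
    for name, (explorer, cmd) in compare_launchers(SAMPLE_FILES).items():
        print(f"{name:18} zone-aware: {explorer:24} cmd.exe: {cmd}")
    # On an NTFS volume, point scan_marks at a real folder, e.g. a Downloads directory.
```

The table the script prints is the whole argument in one screen: the mark only exists if the saving application wrote it, and it only matters if the launching application reads it. Three of the four routes never produce a mark at all, so CMD ignoring it on the fourth changes nothing. The scan_marks helper is the forensically useful half: on an NTFS volume it tells you which files in a folder still carry a ZoneId and from which zone.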

The details didn't seem to matter to the security media: the story was published everywhere, along with a related (and equally silly) caching issue. And of course, as is always the case, new stories and articles were based on earlier ones, with each subsequent article stealing just a tad of glory from the original to spice it up. A ZDNet columnist even went so far as to classify these red herrings as "gaping holes in SP2."

And then there's the one about disabling or spoofing the Windows Security Center's monitoring of your AV and firewall status. This one is just great. If you're an attacker, all you have to do is get some malware loaded on a vulnerable system (running as Admin, of course) and, according to a Special Security Watch report on PC Magazine's website, you now have the dastardly power to use WMI to disable or alter the AV and firewall state notifications so that the malicious code can go undetected. Pretty scary, huh? But they missed a highly technical, difficult-to-grasp subtlety here: if the malware got onto the system and executed the privileged code required to perform such an action, it was already running undetected in the first place. At that point it could do anything it wanted; the WSC interface has nothing to do with it. If arbitrary code has been run on your computer, then it's not your computer anymore.

Yet they called this a security "crater." Not just an issue, not even a "gaping hole," but a crater. They labeled it a "Top Threat."

Come on, people! Enough of the "Ooh, looky!" exploits that require the side-step of having someone load exploit code on their machine first. If your patch status, firewall config, AV software or security settings allow the code to get onto your box, then nothing matters after that. And they obviously didn't bother examining an XP domain member, or they would have seen that the AV/firewall/Automatic Updates integration and notification applet is disabled there anyway.

These wild reports become a security problem in themselves when users refuse the service pack because they're scared of all these "gaping holes" and "security craters." Even "http-equiv," who released proof-of-concept code for the "drag-and-drop" vulnerability in IE, still recommended that people install XP SP2, even as he described one of the few real issues found in the service pack (it was actually an IE problem that worked with SP1 as well).

This industry suffers enough from the real problems we face on a daily basis. We have plenty of work defining who the "bad guys" are in the first place and trying to build effective, manageable defenses against them. The last thing we need is for those we want to be able to trust, security researchers and the press, to let personal agendas and shameless hype taint the issues. Let go of the fluff, and stick to the facts. Simply put, Leggo your Ego.



SecurityFocus columnist Timothy M. Mullen is Vice President of Consulting Services for NGSSoftware.
Copyright 2010, SecurityFocus