Microsoft tells US Air Force to bug off

[barrk]

By: John Leyden
Posted: 02/05/2001 at 12:21 GMT


Microsoft's security patch for Outlook, which is designed to protect users from the effects of another Love Bug-style virus, has come under fire from no less a body than the US Air Force.

In a paper to be presented at a security workshop in June, an assistant professor of computer science at the US Air Force Academy will deliver a devastating critique of Microsoft's approach to security in general and Outlook in particular.

Martin Carlisle will tell an audience of security experts that a security patch to Outlook, which is designed to stop viruses spreading via automated messages through requiring user's authorisation via a dialog box, can be easily circumvented.

This "Object Model Guard" prompts a user with a dialogue box when an external program tries to access a user's Outlook address book, a trick used by the Love Bug and other similar viruses.

Carlisle said this idea has promise but Microsoft's implementation is flawed.

"It is possible, with a small amount of code, to create a program that hides and answers the dialog box automatically," said Carlisle.

In a paper to be presented at the workshop Carlisle explains how Microsoft dismissed the significance of the potential vulnerability. Its security team argues that to get around the dialog box they would have to get executable code running on a victims machine, and if an attacker could do that getting around the dialog box would be "the least of your worries".

This, frankly astonishingly arrogant response, is given short shrift by Carlisle: "The Microsoft Security Team seem to have missed the significance of their own security patch because their view neglects the ability of viruses of this class to replicate."

Carlisle and colleague (and co-author) Scott Studer have produced a detailed rebuttal of Microsoft's argument and suggestions of improvement to the dialogue box security, which involve protecting the lowest level of an application.

In a statement we find hard to disagree with the researchers state that reinforcing dialogs based security in Windows can only go so far.

"Given the current limitations of the Windows operating system, this [improving dialogue box security] turns to be similar to trying to secure a parked car at an airport. You can make it harder to break in but you can never make you car totally secure."

The researchers said that Microsoft should consider modifying its operating system in order to verify that messages received come from users rather than other programs. Carlisle and Studer also cover a variety of other ideas for dealing with Love Bug-style viruses (such as blocking Visual Basic Scripting) and their paper is well worth a read. ®

http://www.theregister.co.uk/content/8/18679.html

[parksie]

Hehehehehe

[chrisjk]

It's about time someone with muscle publically humiliated MS

[barrk]

Not that it will really do any good

[barrk]

Wall Street Journal
May 1, 2001

U.S., Chinese Hackers Break Into One Another's Sites, Trade Insults

By Ted Bridis, Staff Reporter of The Wall Street Journal

WASHINGTON -- Chinese and U.S. hackers traded insults across the Internet as part of a threatened weeklong "Net War," breaking into dozens of corporate and government computers on both sides of the Pacific and replacing Web pages with political statements.

U.S. officials said there was no evidence of Chinese government coordination of the hacker attacks against U.S. sites, which they described as embarrassing to victims but otherwise harmless. There appeared to be little impact on consumers world-wide.

U.S. officials identified at least eight federal Web sites taken over since Saturday night, including one for the clerk of the U.S. House of Representatives. A hacker, presumed to be Chinese, taunted: "What happened to this American site?" At a site run by the Philadelphia mayor's office, other hackers wrote: "Beat down Imperialism of American!"

In public discussion forums, Chinese hackers have described plans for a May 1 "Net War." The attacks are to continue through next Saturday, the anniversary of the accidental bombing by a U.S. warplane of the Chinese Embassy in Belgrade, Yugoslavia.

These hacker groups alternately call themselves the "Honker Union of China" and the "Red Guest Alliance." Most of the organization for the attacks apparently took place Monday in a single publicly accessible Internet chat room operated in China, where participants identified vulnerable computers. Within minutes after Web sites were so identified, vandals attacked them.

While there was no proof of Chinese government coordination of the attacks, some said Beijing clearly was tolerating them. "It's safe to assume they're not making any strenuous efforts to shut this down," said James Lewis, who once negotiated technology policy with China for the State Department and is now an expert on tech policy for the Center for Strategic and International Studies, a Washington think tank.

On the U.S. side, there apparently have been no arrests of hackers targeting Chinese servers.

The Federal Bureau of Investigation's National Infrastructure Protection Center issued a public warning last week about the threat from Chinese hackers, telling computer operators to monitor more closely their systems and asking them to report attacks to law-enforcement officers. Officials from the NIPC declined to comment.

Ever since a Chinese fighter jet collided with a U.S. surveillance plane last month, groups of hackers from the U.S., Brazil and Europe have been attacking Internet sites in China. Those attacks appear to have increased in reaction to the online discussions about hitting vulnerable U.S. sites this week.

The online vandalism could escalate with the discovery of a serious flaw that will make it easier to break into some Web sites. The bug was found in Microsoft Corp.'s popular Internet-server software in Windows 2000 by eEye Digital Security Inc., of Aliso Viejo, Calif.

The vulnerability, which Microsoft is expected to warn customers about Tuesday, allows hackers to send a command of about 500 characters and take complete control of a server computer. Microsoft said it would offer a patch Tuesday to fix the problem, but users must download and install it themselves.