[Chaos CD]
[Datenschleuder] [58]    Re: MS on the CCC ActiveX virus
[Gescannte Version] [ -- ] [ ++ ] [Suchen]  

 

Re: MS on the CCC ActiveX virus

 
Date: Fri, 21 Feb 1997 11:46:11 -0800 (PST) 
From: fc@ca.sandia.gov (Fred Cohen) 
Subject: Re: MS on the CCC ActiveX virus (RISKS-18.83) 
 
Re: SBN Wire: News Flash, Brad Silverberg 
 
> You may have heard reports about a malicious software program created and 
> demonstrated recently by the Chaos Computer Club (CCC) in Hamburg, Germany. 
> I want to personally assure you that Microsoft(R) Internet Explorer 3.0 has 
> the appropriate safeguards to protect against this type of threat.  By using 
> its default security level (High) that comes pre-set, Internet Explorer 3.0 
> will not download and run any "unsigned" control such as the one from the 
> CCC. 
 
I appreciate your insightful opinion on this matter, however... 
        Anyone can get a signature key without authenticating their 
        legitimacy.  It's relatively easy to break into a system and take a 
        legitimate key.  The default may be changed by the user for one use 
        and remain changed.  Other flaws in Explorer may be used to turn 
        that feature on - then look out. 
 
> The CCC demonstrated its malicious executable code running on Microsoft 
> Internet Explorer 3.0, though they could just as easily have demonstrated a 
> similar attack on any other browser.  While it is unfortunate that hackers 
> have created this harmful program, it does point out the need for users to 
> act cautiously and responsibly on the Internet, just as they do in the 
> physical world. 
 
I appreciate your insightful opinion on this matter, however... 
        This is not accurate.  The very nature of ActiveX makes it 
        impossible to operate it securely.  Unlike other vendors who 
        make attempts at providing improved protection, ActiveX is a 
        hole waiting to be exploited. 
 
> Malicious code can be written and disguised in many ways - within 
> application macros, Java(tm) applets, ActiveX(tm) controls, Navigator 
> plug-ins, Macintosh(R) applications and more.  For that reason, with 
> Internet Explorer 3.0, Microsoft has initiated efforts to protect users 
> against these threats.  Microsoft Authenticode(tm) in Internet Explorer 3.0 
> is the only commercial technology in use today that identifies who published 
> executable code you might download from the Internet, and verifies that it 
> hasn't been altered since publication. 
 
I appreciate your insightful opinion on this matter, however... 
        No disguise is needed for malicious ActiveX programs.  Any ActiveX 
        program can potentially - either maliciously or by accident or even 
        as a result of configuration differences, cause a system crash, the 
        corruption or destruction of information and/or unlimited leakage 
        and it doesn't depend on some hard-to-find hole in an otherwise 
        secure application.  It is a direct result of the methods used by 
        Microsoft, cannot be easily cured with any bug-fix. 
 
> If users choose to change the default security level from High to Medium, 
> they still have the opportunity to protect themselves from unsigned code. 
> At a Medium setting, prior to downloading and running executable software on 
> your computer, Microsoft Internet Explorer presents you with a dialog either 
> displaying the publisher's certificate, or informing you that an "unsigned 
> control" can be run on your machine.  At that point, in either case, you are 
> in control and can decide how to proceed. 
 
I appreciate your insightful opinion on this matter, however... 
        Even if you choose wisely, ActiveX is a hole waiting to be exploited 
        and provides essentially no protection.  As the folks at Microsoft 
        know well, impediments are easily and commonly removed - and the 
        use of the display box for popular applications is likely to result in 
        the question being turned off in favor of easy access. 
 
> As you know, Microsoft is committed to giving users a rich computing 
> experience while providing appropriate safeguards.  Most useful and 
> productive applications need a wide range of system services, and would be 
> seriously limited in functionality without access to these services.  This 
> means that many Java applications will have to go "outside the sandbox" to 
> provide users with rich functionality.  By signing code, a developer can 
> take advantage of these rich services while giving users the authentication 
> and integrity safeguards they need.  Other firms such as Sun and Netscape 
> are following our lead, and have announced that they will also provide code 
> signing for Java applets. Microsoft will also be providing an enhanced Java 
> security model in the future, giving users and developers flexible levels of 
> functionality and security. 
 
I appreciate your insightful opinion on this matter, however... 
        "...while providing appropriate safeguards" is just not true. 
        Microsoft has a long history of providing systems with no 
        protection, and only recently introduced the first system with 
        even mild protection in it's NT product.  Java provides a lot of 
        functionality within the "sandbox", but I am not an advocate of 
        Java either. The syle of computing being pushed out to consumers 
        is inherently risky and must be implemented with substantial controls 
        if it is to be used safely. But this is not Microsoft's goal. 
 
        There is nothing wrong with having signatures, but it is no 
        guarantee either. 
 
> Microsoft takes the threat of malicious code very seriously.  It is a 
> problem that affects everyone in our industry.  This issue is not tied to 
> any specific vendor or group of people.  All of us that use computers for 
> work, education, or just plain fun need to be aware of potential risks and 
> use the precautions that can insure we all get the most out of our 
> computers. For this reason, we are committed to providing great safeguards 
> against these types of threats in Internet Explorer.  We expect hackers and 
> virus writers to get increasingly sophisticated but we pledge we'll continue 
> to keep you and us one step ahead of them. 
 
I appreciate your insightful opinion on this matter, however...  Microsoft 
        still has not addressed Work Macro viruses, PC viruses, Windows 
        viruses, etc.  The claim that "Microsoft takes the threat of 
        malicious code very seriously" is ludicrous on its face.  This is 
        the same company that has distributed viruses to its customers because 
        it didn't do adequate checking of its distributions for known viruses. 
        This is the company whose Windows installation deleted all of the 
        README files on a system when the user upgraded.  This is the same 
        company that continues to ship software with inadequate protection. 
        All of this "perception management" doesn't change the fact, and it 
        shouldn't sway the readers of this letter either. 
 
FC  [Fred Cohen can be reached at tel:510-294-2087 fax:510-294-1225] 
 
  [NOTE: I usually truncate all but a salient excerpt from included message 
  text on which a responder is commenting.  In this case, it would have 
  required too much editing effort to delete the interstitiated originals 
  and still convey the sense of the relevant references.  Your cross-reading 
  effort would also have been much greater.  PGN] 

 

  [Chaos CD]
[Datenschleuder] [58]    Re: MS on the CCC ActiveX virus
[Gescannte Version] [ -- ] [ ++ ] [Suchen]