Re: MS on the CCC ActiveX virus

Date: Fri, 21 Feb 1997 11:46:11 -0800 (PST)
From: fc@ca.sandia.gov (Fred Cohen)
Subject: Re: MS on the CCC ActiveX virus (RISKS-18.83)

Re: SBN Wire: News Flash, Brad Silverberg

> You may have heard reports about a malicious software program created and
> demonstrated recently by the Chaos Computer Club (CCC) in Hamburg, Germany.
> I want to personally assure you that Microsoft(R) Internet Explorer 3.0 has
> the appropriate safeguards to protect against this type of threat. By using
> its default security level (High) that comes pre-set, Internet Explorer 3.0
> will not download and run any "unsigned" control such as the one from the
> CCC.

I appreciate your insightful opinion on this matter, however...

Anyone can get a signature key without authenticating their legitimacy. It's relatively easy to break into a system and take a legitimate key. The default may be changed by the user for one use and remain changed. Other flaws in Explorer may be used to turn that feature on - then look out.

> The CCC demonstrated its malicious executable code running on Microsoft
> Internet Explorer 3.0, though they could just as easily have demonstrated a
> similar attack on any other browser. While it is unfortunate that hackers
> have created this harmful program, it does point out the need for users to
> act cautiously and responsibly on the Internet, just as they do in the
> physical world.

I appreciate your insightful opinion on this matter, however...

This is not accurate. The very nature of ActiveX makes it impossible to operate it securely. Unlike other vendors who make attempts at providing improved protection, ActiveX is a hole waiting to be exploited.

> Malicious code can be written and disguised in many ways - within
> application macros, Java(tm) applets, ActiveX(tm) controls, Navigator
> plug-ins, Macintosh(R) applications and more. For that reason, with
> Internet Explorer 3.0, Microsoft has initiated efforts to protect users
> against these threats. Microsoft Authenticode(tm) in Internet Explorer 3.0
> is the only commercial technology in use today that identifies who published
> executable code you might download from the Internet, and verifies that it
> hasn't been altered since publication.

I appreciate your insightful opinion on this matter, however...

No disguise is needed for malicious ActiveX programs. Any ActiveX program can potentially - either maliciously or by accident or even as a result of configuration differences - cause a system crash, the corruption or destruction of information and/or unlimited leakage and it doesn't depend on some hard-to-find hole in an otherwise secure application. It is a direct result of the methods used by Microsoft, and cannot be easily cured with any bug-fix.

> If users choose to change the default security level from High to Medium,
> they still have the opportunity to protect themselves from unsigned code.
> At a Medium setting, prior to downloading and running executable software on
> your computer, Microsoft Internet Explorer presents you with a dialog either
> displaying the publisher's certificate, or informing you that an "unsigned
> control" can be run on your machine. At that point, in either case, you are
> in control and can decide how to proceed.

I appreciate your insightful opinion on this matter, however...

Even if you choose wisely, ActiveX is a hole waiting to be exploited and provides essentially no protection. As the folks at Microsoft know well, impediments are easily and commonly removed - and the use of the display box for popular applications is likely to result in the question being turned off in favor of easy access.

> As you know, Microsoft is committed to giving users a rich computing
> experience while providing appropriate safeguards. Most useful and
> productive applications need a wide range of system services, and would be
> seriously limited in functionality without access to these services. This
> means that many Java applications will have to go "outside the sandbox" to
> provide users with rich functionality. By signing code, a developer can
> take advantage of these rich services while giving users the authentication
> and integrity safeguards they need. Other firms such as Sun and Netscape
> are following our lead, and have announced that they will also provide code
> signing for Java applets. Microsoft will also be providing an enhanced Java
> security model in the future, giving users and developers flexible levels of
> functionality and security.

I appreciate your insightful opinion on this matter, however...

"...while providing appropriate safeguards" is just not true. Microsoft has a long history of providing systems with no protection, and only recently introduced the first system with even mild protection in its NT product. Java provides a lot of functionality within the "sandbox", but I am not an advocate of Java either. The style of computing being pushed out to consumers is inherently risky and must be implemented with substantial controls if it is to be used safely. But this is not Microsoft's goal. There is nothing wrong with having signatures, but it is no guarantee either.

> Microsoft takes the threat of malicious code very seriously. It is a
> problem that affects everyone in our industry. This issue is not tied to
> any specific vendor or group of people. All of us that use computers for
> work, education, or just plain fun need to be aware of potential risks and
> use the precautions that can insure we all get the most out of our
> computers. For this reason, we are committed to providing great safeguards
> against these types of threats in Internet Explorer. We expect hackers and
> virus writers to get increasingly sophisticated but we pledge we'll continue
> to keep you and us one step ahead of them.

I appreciate your insightful opinion on this matter, however...

Microsoft still has not addressed Word Macro viruses, PC viruses, Windows viruses, etc. The claim that "Microsoft takes the threat of malicious code very seriously" is ludicrous on its face. This is the same company that has distributed viruses to its customers because it didn't do adequate checking of its distributions for known viruses. This is the company whose Windows installation deleted all of the README files on a system when the user upgraded. This is the same company that continues to ship software with inadequate protection. All of this "perception management" doesn't change the fact, and it shouldn't sway the readers of this letter either.

FC

[Fred Cohen can be reached at tel:510-294-2087 fax:510-294-1225]

[NOTE: I usually truncate all but a salient excerpt from included message text on which a responder is commenting. In this case, it would have required too much editing effort to delete the interstitiated originals and still convey the sense of the relevant references. Your cross-reading effort would also have been much greater. PGN]
[Datenschleuder]
[58]