Saturday, July 10, 2004

LINUX: Commentary: Patched in 60 Seconds

NewsForge | Commentary: Patched in 60 Seconds

Title Commentary: Patched in 60 Seconds
Date 2004.07.08 19:08
Author ValourX

Today it was announced that a vulnerability in the Mozilla and Firefox Web browsers allows the execution of arbitrary code in Windows NT, 2000, and XP systems. It doesn't affect GNU/Linux, FreeBSD, Solaris or anything else -- just Windows. I'd imagine that Microsoft's head honchos will be mentioning this exploit whenever they want to attack open source software security for years to come. Ironically OSS advocates might use the same story to attack Microsoft's security record. Why? Because a patch was released before the vulnerability was widely reported.

The specific vulnerability in question affects the Mozilla suite (1.7.0 and earlier), Firefox browser (0.9.1 and earlier), and Thunderbird email client (0.7.1 and earlier). Here it is, barely a day since the bug was initally reported, and all these programs have updated versions available as well as a binary patch for those needing a quick fix (if you're currently using one of these programs in Windows, just click here to download the patch right now).

To many of us in the free software community this is somewhat disappointing, yet the speed of the patch's release is not at all unusual. The initial notice was posted to Full Disclosure, a mailing list that helps software be more secure by exposing security flaws as soon as possible, on July 7. A patch was issued the same day, with no known compromises to any systems. Three bug reports were issued on the topic the same day.

The hole

Specifically the vulnerability is a feature: it allows Windows programs to be run remotely through clicking on a link like one of these. The links use the shell: command to run arbitrary Windows programs or, at its most destructive, a denial of service attack on an individual machine by opening up programs that don't exist.

The kicker is that this isn't even a problem with Mozilla; it's a problem with Windows Explorer. Windows XP Service Pack 1 was supposed to have closed this hole, but apparently it is still functioning and leaving Windows systems open to remote attack. So the Mozilla team worked to patch a hole that had little to do with their project.

Is this really a security hole? When Mozilla receives a shell: request, it passes it on to an external handler in Windows. The "fix" for this is to disable this functionality which, as far as I can tell, is totally unnecessary to begin with. External handlers -- programs outside Mozilla -- have no specific security model, so the only way to deal with them is to make individual exceptions like this one. Messy? Yes. But that's Windows.

He who patches first, patches best

So we had a fix in less than 24 hours, and the exploit wasn't that bad to begin with.

Let's compare this to Microsoft's handling of a recent Internet Explorer exploit that was taken advantage of by the Scob trojan, which sought to steal sensitive personal and financial information from its unknowing victims. The trojan attacked on June 25, and Microsoft had a patch released a quick and speedy seven days later, on July 2. So for seven days a serious hole remained in Internet Explorer, and even then the vulnerability remained!

One day for the community to discover, discuss, and patch a Windows security flaw through Mozilla, one week for Microsoft to incorrectly patch a serious IE exploit. Now tell me, Mr. Ballmer, Mr. Gates: Which is the better development model?


1. "attack open source software security" - http://www.internetnews.com/ent-news/article.php/3337401
2. "binary patch" - http://update.mozilla.org/extensions/moreinfo.php?id=154&vid=261&category=
3. "click here" - http://ftp.mozilla.org/pub/mozilla.org/mozilla/releases/mozilla1.7.1/shellblock.xpi
4. "The initial notice" - http://lists.netsys.com/pipermail/full-disclosure/2004-July/023645.html
5. "Full Disclosure" - http://lists.netsys.com/mailman/listinfo/full-disclosure
6. "Three bug reports" - http://bugzilla.mozilla.org/show_bug.cgi?id=250180
7. "one of these" - http://www.mccanless.us/mozilla/mozilla_bugs.htm
8. "Scob trojan" - http://netsecurity.about.com/od/antivirusandmalware/a/aa062804.htm
9. "the vulnerability remained" - http://netsecurity.about.com/gi/dynamic/offsite.htm?site=http://www.computerworld.com/securitytopics/security/holes/story/0%2C10801%2C94366%2C00.html%3Ff=x584


Post a Comment

<< Home

Get Firefox!