What's wrong with an exploit being sexy?

First off, let me start by saying _dietrich has been following our blog for quite some time and is a consistent poster, providing good advice on how to use Linux securely, sometimes as an alternative to Windows technologies.  I wouldn't have commented about this in a blog posting, except that I took some offense to the way that Dietrich characterized my article in remarks on his blog.  From Dietrich:

"Nearly every day, I read about Zero-Day exploits. The latest exploit, brought to you by Nate McFeters at ZDNet Zero-Day, entitled Another bug your tools won't find and your WAF won't prevent, is yet again another example of how profoundly bad Microsoft ActiveX technology is. The article goes into detail on how ActiveX repurposing exploits are being used, in this case against a Juniper VPN SSL Windows client."

So far Dietrich and I are in total agreement, now it shifts:

"It refers to the exploit as being 'sexy'. I find this to be a bit troubling. There's nothing to my mind sexy (or cool) about it. Not in the least. What type of public service this provides is in question. If it were me at ZDNet, I'd be providing information on how IT professionals and consumers can avoid ActiveX altogether. Make a change. Linux has everything you need minus the Windows Viruses. openSUSE is safe, secure and not prone to the kinds of exploits which hamper Microsoft Windows products."

Is noting the savvy and elegance of an exploit as "sexy" a crime somewhere?  Code is simply an artistic form of expression in my mind.  It's functional, yet it can be elegant, and to some, that is art.  If the art is destructive or derisive in nature, does that prevent it from being art?  I think not.  My comment about the vulnerability being sexy speaks only to the simplicity of the flaw.  The fact that it is equal parts devastating, cunning, and unique (not just a common stack overflow) is interesting.  I disclose vulnerabilities responsibly, as did all involved in this article, so let's not get it twisted and make me or Sensepost out to look like villains.

Dietrich then suggests that ZDNet (I assume he means me, since ZDNet didn't post the article, I did) should spend more time informing people on how they can protect themselves from ActiveX flaws.  He then goes on to suggest that people not use Windows at all, running openSUSE instead.  Well, I challenge you, Dietrich: did you really explain how people can protect themselves from ActiveX flaws?  The fact of the matter is that companies use Windows products because, quite simply, they scale well to a large network with diverse uses.  Windows is also a platform that supports endless solutions for complex needs.  Additionally, Windows is still the most used operating system among end users, which I'm sure comes as no surprise.

While I might make my clients more secure by telling them to use openSUSE over Windows, I can't help them meet all of their complex requirements in a *Nix environment; some of the "requirements" cannot be met, such as having a VPN ActiveX object, or whatever it might be.  You can challenge the necessity of such a product, certainly, but do keep in mind that not all decisions can be made based on security impact alone.  Real companies have to take many things into consideration when deciding on a platform, one of them being the flexibility to scale to their needs.  I'm reasonably sure that MOST things that can be done with Windows can also be done with *Nix, but you have to consider who is implementing.  Just because you and I can set up LDAP and Kerberos to support a network of 1,000 systems with complex business requirements doesn't mean that every company's IT department can, or, more importantly, can do so in a cost-effective manner.

Also, I think it is important to point out that Windows is not really at fault here: the code inside the ActiveX control creates the security issue, and that code wasn't written by Microsoft.  You can say that Windows is at fault for providing ActiveX at all, but where does that line of thinking end?  Eventually we go back to the abacus because using anything else creates a security concern.
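One mitigation an IT department can apply on Windows without abandoning the platform is to audit which installed controls advertise themselves as "safe for scripting" or "safe for initialization" (the markings a browser honours before letting a web page instantiate them) and to kill-bit the ones that have no business being reachable from a web page. The script below is an added example and is not code from Nate's post, from SensePost or from any vendor; it relies on the Microsoft-documented COM category GUIDs for those two markings and on Internet Explorer's ActiveX Compatibility kill-bit flag (0x400), and it assumes an elevated PowerShell session on the host being audited.

```powershell
# Added example, not code from the original post or from any vendor.
# Audits ActiveX controls marked "safe for scripting" / "safe for initialization"
# and reports whether Internet Explorer's kill bit is set for each.
# Assumes an elevated PowerShell session on the Windows host being audited.

# Microsoft-documented COM category IDs (CATID_SafeForScripting / CATID_SafeForInitializing)
$SafeForScripting      = '{7DD95801-9882-11CF-9FA9-00AA006C42C4}'
$SafeForInitialization = '{7DD95802-9882-11CF-9FA9-00AA006C42C4}'

# Kill-bit location and flag value as documented by Microsoft (KB 240797)
$KillBitRoot = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'
$KillBitFlag = 0x400

function Get-ActiveXSafetyReport {
    # Walk every registered CLSID and keep those that claim either "safe" category.
    Get-ChildItem 'Registry::HKEY_CLASSES_ROOT\CLSID' -ErrorAction SilentlyContinue | ForEach-Object {
        $clsid  = $_.PSChildName
        $clsKey = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid"
        $catKey = "$clsKey\Implemented Categories"
        $scriptSafe = Test-Path "$catKey\$SafeForScripting"
        $initSafe   = Test-Path "$catKey\$SafeForInitialization"
        if (-not ($scriptSafe -or $initSafe)) { return }   # skip controls that never claimed to be safe

        # "Compatibility Flags" only exists once someone has kill-bitted (or otherwise flagged) the control.
        $flags  = 0
        $compat = Get-ItemProperty -Path "$KillBitRoot\$clsid" -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
        if ($compat) { $flags = [int]$compat.'Compatibility Flags' }

        [pscustomobject]@{
            CLSID            = $clsid
            Name             = (Get-ItemProperty -Path $clsKey -ErrorAction SilentlyContinue).'(default)'
            Server           = (Get-ItemProperty -Path "$clsKey\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
            SafeForScripting = $scriptSafe
            SafeForInit      = $initSafe
            KillBitSet       = (($flags -band $KillBitFlag) -ne 0)
        }
    }
}

function Set-ActiveXKillBit {
    # Sets the IE kill bit for one CLSID while preserving any other Compatibility Flags bits.
    param([Parameter(Mandatory)][string]$Clsid)
    $key = Join-Path $KillBitRoot $Clsid
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    $current = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    $new = ([int]$current) -bor $KillBitFlag
    New-ItemProperty -Path $key -Name 'Compatibility Flags' -Value $new -PropertyType DWord -Force | Out-Null
}

# List the scriptable controls that a web page can still reach.
Get-ActiveXSafetyReport | Where-Object { -not $_.KillBitSet } | Sort-Object Name | Format-Table -AutoSize

# To block one of them from Internet Explorer (the CLSID below is a placeholder, not a real control):
# Set-ActiveXKillBit -Clsid '{00000000-0000-0000-0000-000000000000}'
```

Three caveats a practitioner should keep in mind. First, the registry categories are not the only way a control declares itself safe: a control can implement the IObjectSafety interface and answer at runtime, so it will not show up in this report even though a browser will script it. Second, on 64-bit Windows the 32-bit browser reads the kill bit from the Wow6432Node copy of the ActiveX Compatibility key, so set it in both places. Third, the kill bit only stops browser-hosted instantiation; a native application that loads the same control keeps working, which is exactly the trade-off the article describes, because kill-bitting a VPN vendor's control also breaks whatever legitimate web launch the vendor built on it.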

Just my $0.02.  Readers shouldn't take this as a personal attack on Dietrich, even though I was a little offended at his article, but I think it is important to shed a little light on the subject.

-Nate

Topics: Software, Enterprise Software, Operating Systems, Software Development, Windows

Talkback

63 comments
  • Ignore the fanbois

    ActiveX gave us global computing. If we were stuck with *nix we'd still be back in the 70s with only the IT high priests and obsessive hobbyists playing with computers. Sure some people make mistakes in coding, but the benefits of having easily distributable code far outweighed the security considerations at the time. Now people, having achieved a multiplicity of successful apps, focus on security, as has MS and that has paid off. I can't remember the last time I had a virus and most malware has moved to social engineering.

    The problem with the *nix fanbois is their limited imagination fostered by their limited platform. They just can't conceive of all the tasks that Windows is used for and they make the mistake of thinking that their programmers are any different from MS. Well for the most part they are, as MS employs some of the best programmers in the world - but everyone makes mistakes and the platform they happen to be using has very little to do with it.

    Once you've actually done some coding (and no, 1000 line programs, javascript and changing installation scripts doesn't count) you realise every program has bugs and all you can do is try to minimise them. So should 95% of the world stop using Windows on the fragile belief that a 70s operating system is somehow more secure? Yeah right....
    tonymcs@...
    • ActiveX gave us global computing?

      ROTFL!

      And now, please explain away the move to *nix design concepts by Microsoft.
      zkiwi
      • Good points

        Zkiwi makes a good point, Windows has made a concerted effort to move to more of the secure design concepts employed by *Nix.

        I do also agree that Windows is the forerunner in global computing. Say what you will, it is the most used operating system, and it has pushed forward the world of computing, even for *Nix, if not from a security perspective, certainly from a human interface perspective.

        I wish we could get to the point where our posts move away from digressing into my OS has a bigger ePenis than your OS and start getting into real discussions about the limitations and merits of each, without bias.

        -Nate
        nmcfeters
        • Just a question...

          I've been seeing on and off recently what I'd describe (inadequately) as a kind of "man in the middle" thing going on. There's stuff out there that appears to want to "prod" systems (at the moment it appears to be servers) into doing things they shouldn't. It kind of looks like an old "I'll trust you, so please trust me" trick, but I'm not sure if that's what's actually happening.
          zkiwi
          • I'll bite

            If you have anything specific you want me to take a look at, my email's listed on the site... nate.mcfeters@gmail.com

            -Nate
            nmcfeters
          • Chew on :P

            I think it's to do with automatic proxy (or something) detection. That's the only common theme I can see at least on the surface. I guess I'll be testing into the night to see if that's it. Ah well, it's probably daytime somewhere in the world. I'll try and think I'm in "wherever that is time."
            zkiwi
          • Not sure

            Without more info, not sure what you are looking at... were you familiar with the WPAD attacks that were hitting Windows Automatic Proxy Detection? Maybe that is what you are seeing.

            -Nate
            nmcfeters
          • Yes..

            I am, but it's not that. After a sleepless night it appears to be a bit more broad in its attempts. It's trying to be trusted by pretty much any type of "automatic" routine (like auto-detecting proxies, but not limited to that) that happens when things are started. I thought it was aimed mostly at the servers, but it's not.

            Ah well, and now I guess I should try to identify a source for this stuff, now that I'm sure it's not anything normal but odd that I'm seeing.
            zkiwi
        • The forerunner?

          From what I've seen, the issue seems to be that Windows isn't a "forerunner" in the sense of innovating and creating new and useful products. Instead, they take other people's ideas and technologies and produce lower-quality versions of them. This isn't some "my OS is better than your OS" ideological bashing, it's a simple fact.

          About 11 years ago I saw a website that had run a pretty comprehensive study of Microsoft's products and technologies, looking for something--anything--that they had innovated themselves. They came up with a grand total of one product: Microsoft Bob. (Remember Bob?) That really caught my attention, and things just haven't changed since then.

          DirectX: Bought from another company.
          DirectX shaders: based on OpenGL shader technology.
          Silverlight: Based on Macromedia (Adobe) Flash.
          Cool Vista "innovations": Copied wholesale from Mac OSX. (see http://www.youtube.com/watch?v=TaIUkwPybtM for a hilarious illustration)
          .NET programming environment: Brain-drained from Borland. (see http://delphi.about.com/od/delphifornet/a/conspiracydnet.htm for the details)

          I could go on, but you get the point. As long as Microsoft continues 1) not inventing anything, 2) doing a bad job of implementing other people's technology and 3) foisting the resulting crap on the computing public, there are going to be a lot of people who are (quite justifiably) angry at them.
          masonwheeler
          • Really?

            I disagree with you on this. I do see a lot of innovation coming out of Microsoft. If you have a look at DEP and ASLR as security protections, that's been huge. They may have hopped on the band wagon with some of the SDL stuff, but they've become a primary driver behind that and to be honest, they were the original pioneers in my eyes of the visual operating system and office suite of tools.

            As much as I have a strong distaste for some of Word's features, I'm not sure there is another office application I would use.

            -Nate
            nmcfeters
          • Not sure what you mean by pioneers...

            ...but MS didn't invent the graphical operating system (or any significant components of it), or the integrated office suite. The GUI was originally created by Xerox and refined by Apple, and almost every major innovation in it has come either from Apple or (for a while) NeXT. I'm not certain who first created the office suite, but I remember playing around with AppleWorks, a fully integrated word processor/spreadsheet/database package, on my old Apple IIe, way back in the mid-80s. MS Office wasn't introduced until 1989.

            Office is best known for Word (brain-drained from Xerox PARC), Excel (developed in-house as a competitor to an existing product, Lotus 1-2-3) and PowerPoint (originally invented by an independent developer and bought out by Microsoft).

            ASLR was originally developed as part of a Linux patch in 2001; Microsoft didn't implement it until Windows Vista (2007). This same patch included functionality to prevent data-execution exploits, (years before Microsoft's DEP,) but managed to get it right by mixing it in with ASLR. Microsoft released DEP but didn't include ASLR features with it, which left it vulnerable in a lot of places.

            This isn't ideology. It's not fanboyism. This is straight-up hard facts. Where's the innovation from Microsoft?
            masonwheeler
          • not facts, ideological fanboyism.

            Your history needs some refinement,

            - appleworks was 84, while wordstar was on its way out and wordperfect was still on its ascent, first released for the IBM PC in 82.

            - apple's GUIs have been arguably "refined", but have rarely been innovative or pioneering.

            -PARC has nothing at all to do with Word

            -Apple didn't implement ASLR until Leopard, for those keeping score, that was after Vista was already on the market.

            If anything, your post proves Linux and Windows are pioneers, while Apple are refiners.
            rtk
          • Great points

            I may stand corrected on some of these issues; however, I think I said that Microsoft pioneered the idea of graphical operating systems, not invented it... maybe it's terminology, because I think you could say that Windows was the first OS to bring this mainstream and really continue to build on the experience. Others may have other examples. I'm still young and I'm going on what I saw when I was a kid, but it could be wrong.

            I was a bit surprised by this:

            "ASLR was originally developed as part of a Linux patch in 2001; Microsoft didn't implement it until Windows Vista (2007). This same patch included functionality to prevent data-execution exploits, (years before Microsoft's DEP,) but managed to get it right by mixing it in with ASLR. Microsoft released DEP but didn't include ASLR features with it, which left it vulnerable in a lot of places."

            I didn't realize that *Nix had integrated ASLR that far back. Interesting thoughts, do you have some references on that?

            -Nate
            nmcfeters
          • Facts and sources

            RTK wrote:

            >- appleworks was 84, while wordstar was on it's way
            >out and wordperfect was still on it's ascent, first
            >released for the IBM PC in 82.
            See the original post, where I explicitly stated that I wasn't sure who first invented the office suite, but I know for sure it wasn't Microsoft.

            >-PARC has nothing at all to do with Word
            From Wikipedia:
            "Concepts and ideas of Word were brought from Bravo, the original GUI word processor developed at Xerox PARC. Bravo's creator Charles Simonyi left PARC to work for Microsoft in 1981. Simonyi hired Richard Brodie, who had worked with him on Bravo, away from PARC that summer. On February 1, 1983, development on what was originally named Multi-Tool Word began.

            Having renamed it Microsoft Word, Microsoft released the program October 25, 1983, for the IBM PC."
            - http://en.wikipedia.org/wiki/Microsoft_Word

            >-Apple didn't implement ASLR until Leopard, for those
            >keeping score, that was after Vista was already on
            >the market.
            That's quite true. What I said, though, was that Linux had it 6 years before Vista.

            >If anything, your post proves Linux and Windows are
            >pioneers, while Apple are refiners.
            You seem to be trying to make me out to be some sort of raging Apple fanboy, which I'm not. If you have facts to rebut my facts, please present them. But take your straw men elsewhere.

            And just for the record, Apple was the first to bring widespread adoption to many important computing technologies. Just off the top of my head, the 3.5" floppy drive, the mouse, SCSI components, and the FireWire port (which was invented in-house by Apple) were all popularized by the Mac before they gained widespread adoption in the PC world.

            Nate:
            >I didn't realize that *Nix had integrated ASLR that
            >far back. Interesting thoughts, do you have some
            >references on that?
            I'm referring to the PaX patch. http://pax.grsecurity.net/ and http://en.wikipedia.org/wiki/PaX are good places to start if you're looking for more information.
            masonwheeler
          • @masonwheeler

            Actually, come to think of it I was aware of the PaX patches. The problem with that as I see it is that it isn't adopted by default. Although, I suppose that you could make the claim that while Windows includes it by default, they don't force use of it by default... so there you go.

            -Nate
            nmcfeters
        • RE:Good points

          I absolutely agree with you Nate! We need to get away from, as you put it "my OS has a bigger ePenis than your OS". The fact is since Windows has been around and used for ever and a day it has had more time to be evaluated and dissected by those who wish to do harm. If *NIX was as widely used the same issues would be apparent. But since it isn't *NIX hasn't been as scrutinized by potential villains the way Windows has.

          It's like with anything: the more something is used, the more likely someone will find a loophole, and the more likely that someone will do harm in using the loophole.
          Jeanie2424
    • why are rootkits called ROOTkits?

      > the fragile belief that a 70s operating
      > system is somehow more secure?
      fjcaherfr
      • Hee hee hee

        Now that's crafty.

        I do believe Linux is more secure in general; however, I think a part of this is that there's just not nearly as much to support.

        -Nate
        nmcfeters
  • On sexy exploits...

    I can see where you were coming from. While I don't condone or encourage malware authors, I often admire their ingenuity. For instance, I read a story about a bot herder who would have his bots download a copy of Kaspersky, as well as clean the machines of all other exploits. So, even though he/she/they now owned the machine, they actually made it smoother running than it was before. I thought that was quite creative. Like I said, I don't condone it, but I admire their ingenuity.

    That's my ten cents
    My two cents is free
    A nuisance. Who sent?
    You sent for me?

    MGP
    MGP2
    • Let me clarify further

      Let's be very clear here: neither I nor the author of the original exploit is a "malware author". I don't think that is what you intended to say, MGP, but I just want to make sure everyone understands that this exploit, for which I admire the technical expertise, was not deployed as malware/exploit code, etc. It was responsibly disclosed to the vendor.

      -Nate
      nmcfeters