eEye’s Patch - Bypassed
Posted on April 2nd, 2007 by Ren and Stimpy
Filed under: Commentary | No Comments »
eEye’s patch can be bypassed as you see here. ZERT’s patch seems safe.
If only we didn’t need third party patches.
Posted on January 14th, 2007 by Ren and Stimpy
Filed under: Commentary, Full Disclosure, Culture | 4 Comments »
Marcus J Ranum (MJR) says (http://www2.csoonline.com/exclusives/column.html?CID=28072)
“After 10 years of full disclosure, security has not gotten any better”.
First off, how would we know what security would have been like without full disclosure? Perhaps it could have been said that security would have gotten exponentially (or even linearly) worse. In which case, statements like “security hasn’t gotten any better” and “the number of vulnerabilities is pretty much constant” would imply that full disclosure works? But, wait, that presupposes that only one factor contributes to the state of security - which is a logical fallacy as well. Hmmm, ok. I can’t draw any logical conclusions here. Let’s go to Bruce’s argument.
Bruce says: (http://www2.csoonline.com/exclusives/column.html?CID=280723)
“Bugs exist whether or not they are disclosed in a public forum. Vendors are more responsive when it could cause bad PR. Public disclosure forces vendors to more quickly fix flaws which makes systems more secure”.
Bruce’s argument logically implies that with full disclosure we have a *potential* for better system security. Unfortunately, we can’t measure the rate at which these fixes actually get deployed and we can’t measure the rate at which crackers use publicly disclosed bugs to exploit unpatched systems. So, at the end of the day, I can’t say whether or not public disclosure actually helps the end user. I can say that public disclosure at least creates a Potential ™ for better system security….and, that’s something.
A good portion of MJR’s article is devoted to the lambasting of security researchers. Some quotes:
‘For longer than a decade, we’ve lived under the mob rule, where for some security consultants and companies, “marketing” has been replaced by “splashily announcing holes in commercial products to get 20 seconds of fame on CNN.” ‘
‘Now that we can look back at 10 years of what disclosure has brought us, it’s brought us…well, nothing much. Nothing much, that is, except a grey-market economy in exploits, where independent “vulnerability researchers” attempt to cash in by finding new attacks that they can sell to security companies or spyware manufacturers—whichever bids higher. Nothing much unless you count the massive amounts of “free” marketing exposure for companies that trade in exploits.’
‘The state of ethics in the computer security industry is pathetic; it’s on par with where medicine was in the 1820s—except that some of the snake-oil salesmen in the 1820s actually believed in their products.’
‘Those of you who are playing the disclosure game are just playing for your two minutes of fame: You’re not making software better. Sure, some of you work for consultancies and startups, and it saves you a ton of money by not having to have a marketing budget, but isn’t shouting “fire!” in a crowded theater so…um, ’90s? I know that the typical security customer is (to you) an unsophisticated rube, but that does not justify you placing them at increased risk just so you can publish a new signature for your pen-testing tool or get your funny-haired “chief hacking officer” on CNN one more time. ‘
‘Unfortunately, if you look at the last 10 years of security, it’s a litany of “one step forward, one step back,” thanks in part to the vulnerability pimps, parasites and snake-oil salesmen who flocked into the industry when they smelled money and a chance to get some attention. ‘
I think I see a little bias creeping in here and perhaps even a bit of hypocrisy.
Marcus abhors the hacker/security-researcher type. I don’t know if he hates that they are getting attention that is undue, that they are making money off the attention, or that he isn’t getting the attention that he once did. At any rate, it’s getting damn old. The guy that shouts “fire” may very well be annoying. The guy that jumps up and down shouting “Hey, he’s shouting fire” is equally annoying.
In the past, MJR has been spot-on with his analysis. Now, his ‘analysis’ seems as much a PR-trolling rant as any of the mob that he is criticizing. And, let’s not forget that Marcus gets paid by a company that discloses holes in major products and perhaps benefits from the free ‘marketing’. I bet no one is inviting this motherfucker to the company barbecue.
Anonymous
Posted on October 26th, 2006 by Ren and Stimpy
Filed under: Funny, Corporate Security | 6 Comments »
From “Schneier on Security“:
FLUNKY: Sir, that Schneier person called again. He left a detailed message.
Posted on June 22nd, 2006 by Ren and Stimpy
Filed under: Commentary, Full Disclosure, Spam, Culture | No Comments »
Well, what happened:
1. They couldn’t spoof Gadi’s address.
2. They didn’t manage to do it right (a ‘.’ comes before ‘quit’, y’know).
3. They were mildly annoying with a silly spam.
4. They advertised Gadi’s lecture at defcon amazingly well.
As Gadi said: “So… who’s coming to my lecture?”
The other ASCII art isn’t worth mentioning: just a swastika and “gay*”.
Cool ASCII art, stick to that guys. Other than that, can you please read some SMTP spoofing articles from the 1980’s?
Oh yeah, and don’t expect emails to arrive at the other side at the order you send them, mkay? Silly kiddies.
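Since the whole joke turns on the end-of-data marker, here is a Python sketch of that part of the transaction, added here and not part of the original post: the client side builds MAIL FROM / RCPT TO / DATA / body / “.” / QUIT in that order with RFC 5321 dot-stuffing, and the server-side function shows why a QUIT sent before the “.” line is simply read as more message body. The addresses and HELO name are constructed.

```python
CRLF = "\r\n"
END_OF_DATA = CRLF + "." + CRLF


def dot_stuff(body):
    """RFC 5321 4.5.2: prefix an extra '.' to any body line that starts with
    '.', so the receiver cannot mistake a body line for the end-of-data marker."""
    lines = body.rstrip("\r\n").replace("\r\n", "\n").split("\n")
    return CRLF.join("." + line if line.startswith(".") else line for line in lines)


def build_session(mail_from, rcpt_to, body, helo="kiddie.invalid"):
    """Client side of one SMTP transaction, in the order the server expects.
    The lone '.' line has to come before QUIT: until the server sees it, it is
    still in the DATA state and treats every line as message text."""
    cmds = [f"EHLO {helo}", f"MAIL FROM:<{mail_from}>"]
    cmds += [f"RCPT TO:<{rcpt}>" for rcpt in rcpt_to]
    cmds += ["DATA", dot_stuff(body), ".", "QUIT"]
    return CRLF.join(cmds) + CRLF


def server_end_of_data(stream):
    """What a server in the DATA state does with the bytes that follow its 354
    reply: everything up to the first CRLF.CRLF is message text (dot-stuffing
    undone) and only what comes after it is parsed as the next command.
    Returns (body, rest), or None when no terminator has arrived yet, in which
    case a 'QUIT' in the stream is just another line of the message."""
    s = CRLF + stream  # the CRLF that ended the DATA command precedes the body
    idx = s.find(END_OF_DATA)
    if idx < 0:
        return None
    raw_lines = s[len(CRLF):idx].split(CRLF)
    body = CRLF.join(line[1:] if line.startswith(".") else line for line in raw_lines)
    return body, s[idx + len(END_OF_DATA):]


if __name__ == "__main__":
    # Constructed sample transaction; the body line ".hidden" exercises stuffing.
    sess = build_session("gadi@example.invalid", ["fd@example.invalid"],
                         "Subject: x\r\n\r\nhello\r\n.hidden\r\n")
    print(sess)
    print(server_end_of_data(sess.split("DATA" + CRLF, 1)[1]))
    print(server_end_of_data("hello\r\nQUIT\r\n"))  # no '.', so still in DATA
```

The second `print` shows the failure mode the post mocks: without the terminator line the server never leaves DATA, and the QUIT is queued as message text rather than ending the session.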
Posted on June 14th, 2006 by Ren and Stimpy
Filed under: Privacy, Culture, Cisco | 6 Comments »
There’s a rumour going around about Michael Lynn doing a book signing at this year’s defcon.
What will he be signing, you ask? Why, last year’s BlackHat books. Yes, the ones with the pages of his presentation torn out!
If the whispers are to be believed the income from this book signing would be donated to the EFF! Now, ain’t that cool?
In our opinion some of that money should go to cover Mike’s huge legal costs due to Ciscogate, but we are just rumour mongers! What do we know?
We wonder how much these would sell for on eBay, before and after? If they are sold now, their price is about to go up!
Posted on June 11th, 2006 by Ren and Stimpy
Filed under: Microsoft, Commentary | No Comments »
MS06-015 is an example of exactly how wrong security at Microsoft can go. The company paid lip service to publicly disclosed vulnerabilities and released a badly-broken patch. Worse still, the (sleeping?) powers that be at Microsoft have come to this enlightened conclusion:
Specifically, after extensive investigation, we’ve found that it’s not feasible to make the extensive changes necessary to Windows Explorer on these older versions of Windows [98 and Millennium] to eliminate the vulnerability.
This is because during the development of Windows 2000, we made significant enhancements to the underlying architecture of Windows Explorer. The Windows Explorer architecture on these older versions of Windows is much less robust than the more recent Windows architectures.
So… Windows 98 and Windows Me users, you’re not getting a patch. Even the “Critical patches only” support is apparently just advisory. If it’s just too hard to produce a patch for you, you won’t get one. This should sound familiar: Microsoft has previously failed to patch remotely-exploitable vulnerabilities on supported systems. One such example was the apparently devastating architectural complexity of (not) patching a null pointer dereference in Windows NT 4.0’s RPC Endpoint Mapper in 2003.
Then there’s this earth-shattering revelation:
Due to these fundamental differences, these changes would require reengineering a significant amount of a critical core component of the operating system. After such a reengineering effort, there would be no assurance that applications designed to run on these platforms would continue to operate on the updated system.
“No assurance that applications designed to run on these platforms would continue to operate on the updated system.”
Gee, that sounds familiar. Oh yeah… that described Windows 2000 and Windows XP after they were patched against MS06-015. Perhaps Microsoft thinks it is doing 98/Me customers a favor by giving them one more reason to upgrade and by not turning loose this hack of a security patch on their already fragile systems. They’re probably right, if they do.
The first step is recognizing you have a problem, and this is indeed a positive step… Microsoft is admitting that some of its software is so poorly engineered as to be beyond hope of repair. We wondered when they’d notice.
Posted on May 11th, 2006 by Ren and Stimpy
Filed under: Commentary | 3 Comments »
How do you tell that news in security has gone downhill? Well, if today is any indication, you tell when the headlines are: Microsoft Releases Flash Player Patch and TippingPoint Buys Vulnerability Information on its Own Code.
Here at SecuriTeam, we often read that vulnerability researchers provide free quality assurance for vendors. Unless, of course, that vendor is TippingPoint. Yesterday’s ZDI disclosure avoided the “patch or run for the bunkers” theme of major vulnerabilities in widely-used software:
ZDI-06-013: 3Com TippingPoint SMS Server Information Disclosure Vulnerability
I don’t know about you, but if I have a choice between two IPS vendors with good products and one is willing to pay researchers who report even minor vulnerabilities in the code, I know where my money’s going.
One place your money probably didn’t go was on this:
MS06-020: Vulnerabilities in Macromedia Flash Player from Adobe Could Allow Remote Code Execution
Yes, that’s right folks, a Microsoft patch for Flash Player. I was checking my eyes, too. This patch, for many desktop users, will be the only significant one from May.
Posted on April 12th, 2006 by Ren and Stimpy
Filed under: Commentary | 2 Comments »
After years of arguments about the validity of the Full-Disclosure mailing list, flame wars, endless kiddie arguments and trolling, there came the mail bombings.
People actually quit FD after that.
A year ago a friend told Ren the following: “I finally got promoted, now one of the new kids can read FD!”
This past week, that same friend said: “I love reading FD, for the funny stuff.”
Ren immediately asked: “You read n3td3v?”
Friend: “Yeah.”
Ren: “I figured.”
Friend: “Well, it’s like with Howard Stern, you just want to see what he’ll say next”.
Another friend of Ren quickly pointed out: “Such people are good for enjoyment, but tend to discourage productive work due to frequent, uncontrollable laughter.”
There you have it folks, n3td3v will now and forever be known as the very special person who saved FD.
Posted on March 27th, 2006 by Ren and Stimpy
Filed under: Commentary, Funny | 1 Comment »
You gotta love those hilarious security advisories:
Opera > 8.02 with torrent support can’t handle not enough space on drive
If your partition is full and you choose to save a torrent on this partition Opera will start using 100% of your CPU and memory and eventually crash.
Tested with Opera 9 p 2
Our feeling on this is that if you’re out of disk space, the least of your problems is Opera utilizing 100% of your CPU!
By the way, while we’re on the subject of making a fool of yourself, we did our share of the ’sky is falling’ bit, too. But we’re professionals (well, we’ve had practice), so at least we did it with some style: we followed up on Ido’s non-existent Sendmail memory leak, which got Eric Allman all worked up, and ended it with a pointy cartoon. Yeah! Finally a good fight. Hope it’ll last at least a month.
A final word to Ido: you’re new in the industry, aren’t you? Here, we don’t apologize for mistakes. We bury them in flamewars!
Posted on March 12th, 2006 by Ren and Stimpy
Filed under: Privacy, Spam, Funny | 3 Comments »
Earlier today a surprising announcement came from the new Full-Dicklosure moderators. According to the announcement titled “Cheap pr0n, we believe in it!”, the well known cesspool spammers list Full-Disklosure is undergoing facial reconstruction following their synergy with Senunia.
“The first step in implementing the new changes is by making sure advisories will be sent to subscribers at the very least, 200 times. Then, to ensure delivery, we will send it 100 more times”. Other enhancements were reported by the new moderator, kiddiescript: “The list was recently declared PG-13. We don’t have the word ‘fuck’ on our posts, so we were able to dodge the X rating. Shit, I guess we lost that now”.
In response to kiddie’s appointment, the old moderation crew went to their local pub.
The renowned researcher Dave Aitel said to us in an interview: “What? Who told them about my latest Gay Shit 0day overflow?! It was to be used in the next super secret NSA worm!”
Many other self-proclaimed security researchers also showed their amazement with this revolution “How will we get our pr0n now?! Well, at least I hope they will revive the old Guillotine” said the MicroSn0t MSRC director.
In a press conference this afternoon, Gadi Evron, another self-proclaimed “expert” said: “I thank the committee for choosing me as the best FD spammer for the year of 2006 but I cannot accept this reward, as I believe I can do even better by the year’s end!”
In shocking surprise (or was it a surprising shock?), the US Army Remote Viewing and Psy-Ops division came out with the following prediction:
“In the following weeks, there will be several email threads dominating the mailing list, starting with “Gadi sucks”, going through “Yeah, we already knew Dave sucks” and ending with an extremely unexpected thread on the moderation of the mailing list. The corps is Mother. The corps is Father. Trust the Corps.”
And now for the “facts”:
Massive mail bombing hit the Full-Disclosure mailing list this morning, Joe-jobbing many known security professionals and vendors such as Ilja van Sprundel, Gadi Evron and iDEFENSE Labs: their email addresses were forged to send fake advisories declaring vulnerabilities in ISC BIND, Sourcefire Snort, Microsoft products, VMware, “Immunity Dave Aitel” and other applications.
As one of our readers put it:
“I’ve been trying to unsubscribe all morning, the server must be over-loaded relaying spam!”
The mail bomb was sent from one machine, as the Received header shows:
Received: from www.c0replay.net (unknown [206.251.72.74])
by lists.grok.org.uk (Postfix) with ESMTP id 3BF512123
for ;
Sun, 12 Mar 2006 07:27:17 +0000 (GMT)
www.c0replay.net, according to another reader, has interesting open ports. The server however is “known” according to some to serve a kiddies group.
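To make that attribution step repeatable, here is a small Python helper, added here and not from the post or its readers, that pulls the connecting IP out of Postfix-style Received clauses and walks the chain from the top until the first hop that did not arrive from one of our own relays. Only the bracketed address is what the receiving MTA actually observed; the HELO name before the parenthesis is whatever the peer announced, and the rDNS name is a resolver answer. The header quoted in the post is one of the samples; the local re-injection hop above it, the forged hop below it and the 127.0.0.0/8 “trusted relay” range are constructed.

```python
import re
from ipaddress import ip_address, ip_network

# Postfix-style "from HELO (rDNS [IP]) by HOST" clause. The bracketed IP is the
# address the receiving MTA accepted the TCP connection from; the HELO and rDNS
# names are not under the receiver's control, so attribution rests on the IP.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>[^\s\[\]]+)\s+\[(?P<ip>[^\]]+)\]\)\s+"
    r"by\s+(?P<by>\S+)",
    re.S,
)


def parse_received(header):
    """Return {helo, rdns, ip, by} for one Received header, or None if the
    header has no 'from ... (... [ip]) by ...' clause we can trust."""
    m = RECEIVED_RE.search(header)
    if not m:
        return None
    hop = m.groupdict()
    hop["ip"] = ip_address(hop["ip"].removeprefix("IPv6:"))
    hop["rdns"] = None if hop["rdns"] == "unknown" else hop["rdns"]
    return hop


def first_external_hop(received_headers, trusted_nets):
    """Walk Received headers top-down (newest first) and return the first hop
    whose connecting IP lies outside our own relays.

    Headers above that hop were written by hosts we run; the hop itself is
    where the message entered our infrastructure; every header below it was
    already inside the message when it arrived, so the sender may have forged it.
    """
    trusted = [ip_network(n) for n in trusted_nets]
    for header in received_headers:
        hop = parse_received(header)
        if hop is None:
            continue  # a clause we cannot parse cannot vouch for anything
        if not any(hop["ip"] in net for net in trusted):
            return hop
    return None


# Sample chain, newest first. Only the middle header is the one quoted in the
# post; the other two (and the 127.0.0.0/8 relay range) are constructed.
SAMPLE_RECEIVED = [
    "Received: from lists.grok.org.uk (localhost [127.0.0.1])\n"
    "\tby lists.grok.org.uk (Postfix) with ESMTP id 9C0D1E2F\n"
    "\tfor <subscriber@example.org>; Sun, 12 Mar 2006 07:27:18 +0000 (GMT)",
    "Received: from www.c0replay.net (unknown [206.251.72.74])\n"
    "\tby lists.grok.org.uk (Postfix) with ESMTP id 3BF512123\n"
    "\tfor ;\n"
    "\tSun, 12 Mar 2006 07:27:17 +0000 (GMT)",
    "Received: from mail.idefense.example (mail.idefense.example [198.51.100.5])\n"
    "\tby www.c0replay.net with SMTP; Sun, 12 Mar 2006 07:20:00 +0000",
]

if __name__ == "__main__":
    hop = first_external_hop(SAMPLE_RECEIVED, ["127.0.0.0/8"])
    print(f"entered at {hop['by']} from {hop['ip']} "
          f"(HELO {hop['helo']}, rDNS {hop['rdns']})")
```

The forged bottom header parses just as cleanly as the real one; the point of the top-down walk is that it is never consulted, because the first untrusted hop has already been found above it.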
ARIN Whois information:
RTechHandle: DU24-ARIN
RTechName: Unfried, David
RTechPhone: +1-909-727-5045
RTechEmail: dru@linkline.com
OrgAbuseHandle: LINKL-ARIN
OrgAbuseName: LinkLINE Communications
OrgAbusePhone: +1-909-972-7118
OrgAbuseEmail: abuse@linkline.com
OrgNOCHandle: LCN3-ARIN
OrgNOCName: LinkLINE Communications NOC
OrgNOCPhone: +1-909-972-7118
OrgNOCEmail: noc@linkline.com
OrgTechHandle: MB1596-ARIN
OrgTechName: Benzakein, Marc A
OrgTechPhone: +1-909-972-7111
OrgTechEmail: mbenz@linkline.com
(got anything to tell Ren&Stimpy? Email us: rennstimpy@securiteam.com)
Posted on February 17th, 2006 by Ren and Stimpy
Filed under: Microsoft, Commentary, Digest | 2 Comments »
Apparently, both H D Moore and our very own Matthew Murphy worked all night to write working exploit code for MS06-006.
Head to head they coded, and we honestly can’t tell who wrote the first working code!
H D Moore’s code can be found here.
Matthew Murphy’s code can be found here.
Both guys are amazing and H D Moore, as always, knows more than most of us put together. We think that Matthew’s code, however, is universal, and he is the first who hit the lists with full code.
His code should work on NT/2000/XP/2003, pretty much anything and everything Windows Media that is vulnerable.
That was not even 2 days for a not (that) trivial to exploit vulnerability. Lucky for us there are responsible researchers such as these to help us in the security world do our job, as those on the dark path have their own resources while we deal with legal b/s from people who JDGI. Just Don’t Get It.
Update:
Gadi asked us to update that both these cool guys mentioned they used techniques by Skylined. Thanks Skylined!
(got anything to tell Ren&Stimpy? Email us: rennstimpy@securiteam.com)
Posted on January 30th, 2006 by Ren and Stimpy
Filed under: Microsoft, Commentary, Spam | 2 Comments »
Two years ago Bill Gates came out with a proclamation that in two years spam would be gone.
We’ve been considering what to write about these claims (now known as wrong, what a shock), for about three weeks now. We ended up deciding the regular press will cover it.
Anyway, today on funsec Paul Ferguson (Fergie) saved us the trouble:
http://ars.userfriendly.org/cartoons/?id=20060130
“Spam is dead in two years!” was one in a series of such predictions, starting with the classic:
“640K ought to be enough for everybody”
– Bill Gates, 1981.
Bill Gates is obviously a genius, but as Gadi keeps insisting on writing in his blog; prophecy was given to fools. Bill Gates is no fool and should stay away from such prophecy. It’s obviously not his thing.
Bill, you might be an anti-spam kook if…
http://www.rhyolite.com/anti-spam/you-might-be.html
(got anything to tell Ren&Stimpy? Email us: rennstimpy@securiteam.com)
Posted on January 19th, 2006 by Ren and Stimpy
Filed under: Microsoft, Commentary, Full Disclosure, Culture | 1 Comment »
Ahm ahm.
We suppose Microsoft may have good reasons for what we discuss below and attribute to malice, but we don’t care. We are a satirical rumour-mongering column. Word.
“Never attribute to malice what can be adequately explained by stupidity.”
We are not sure if that is doubly true with Microsoft, or the exact reverse. We lost all faith in them.
SP2 brought many good additions and changes to help make Windows XP more secure. It is still Windows and inherently insecure on many levels, but in our opinion the update was yummy (except for slowing down our machines and demanding an upgrade, yuck. The nerve).
Well, one amazing feature of XP Service Pack 2 was that for quite some time after it was released it was mostly not affected by the vulnerabilities Microsoft disclosed and patched.
There was no special feature or fix in SP2 to warrant that success. True, SP2 brought many changes, but these could be disabled, put on a lower level (many times by default) or were not related to certain problems.
SP2 was not vulnerable to Microsoft-released vulnerabilities because most of these had been stuck in MS’s queue for a long time, sometimes even more than a year.
What we (and pretty much most of the fscking industry, including several of our bloggers) understand from that is that patching was delayed on purpose so that, a year or so after coming out, SP2 would not be “vulnerable”. That idea was quickly shot down by an unexpected vulnerability but generally held true.
And now… history repeats itself. Whatever other reasons MS may have for delaying SP3, marketing, technological, logistical or otherwise they delay it until Vista comes out.
That stinks of the same trick.
We are not quite sure how different Vista is from older Windows versions, but we doubt it is that different. Patching times stay (very) long.
Stimpy put 50 bucks on a wager:
When Vista Comes Out (and SP3) It Will Not Be Vulnerable To Most “New” Vulnerabilities MS Releases. For about a year is his best bet.
This comes to show that no matter what Microsoft invests in security, they simply don’t get it.
Microsoft: its is not about how many vulnerabilities or PR (good or bad) you get from it. It’s about being serious and securing your users and operating system.
How can they expect us to take them seriously when they keep doing things such as these, whatever other reasons they had?
Prophecy was given to fools. We are fools but we will be proven right or wrong when Vista comes out.
If we are wrong, it is up to Microsoft to prove it, as we just watch them and see what they do. Microsoft always acts the same way, so learning from history is usually a safe bet.
You wanna show us SP3 is different from SP2? Just do it (unless that means you will delay patching even more).
GO GO GO Microsoft.
(got anything to tell Ren&Stimpy? Email us: rennstimpy@securiteam.com)
Posted on January 19th, 2006 by Ren and Stimpy
Filed under: Commentary, Full Disclosure, OT, Funny | No Comments »
In a recent DD thread there was a discussion on the fonts vulnerability.
Apparently Piotr Bania discovered the same vulnerability eEye did and started working on an advisory when Microsoft released the patch.
We feel sorry for Piotr as he is a great guy, still, as he himself admitted there is no glory for coming in second.
Marc Maiffret was pretty decent about it too, and agreed that it was a shame, but still, eEye released it first.
So far so good… except for the fact these guys just don’t know when to stop!
“You’re cool.”
“No, you’re cool.”
“You are cooler.”
“No, you are cooler.”
“Nahh, you are so much cooler.”
“No way dude, you are the best.”
Come on guys, we can’t tell you apart anymore from so much mutua.. err.. we will use a big word.. erm… bilateral ass-kissing!
(got anything to tell Ren&Stimpy? Email us: rennstimpy@securiteam.com)
Posted on January 10th, 2006 by Ren and Stimpy
Filed under: OT, Funny | 2 Comments »
In a recent bugtraq post Gadi Evron (admittedly, also a blogger here) wrote about community standards and how “we as an industry” got used to lousy service from vendors when it comes to timely patches or high levels of false positives.
Word.
He had some good points and clarified them in a later bugtraq post, as well as in his blog. But…
Who cares?!
He compared us to ~@!Q#!~!~@@$ toads!
What’s that all about?
Good points or not… BURN!
Thor (Hammer of God) replied, completely burying Gadi. Yeah, we love our fellow blogger, all for one, fellowship of the ring and all but Thor - that is da shit!
BURN!
So Gadi, how does it feel to get smacked with a hammer from God?
Thor’s cool post can be found here. Thor definitely gets our Thumbs Up! for improving BuggyTraq(*) this month.
BURN!
We all love meaningful replies with the main idea of “You suck. You should not write what you wrote, and therefore I will post this, coz you did. But should not. And then I posted …”. Anyways, Gadi was completely “humbled” by this flame (or in other words, STFU). Finally some good flames on bugtraq. Since FD became moderated (almost) bugtraq’s moderation could not resist the hammer of God’s strike.
Now Gadi - you know we love ya, but hey man, quit while you’re ahead. You’re not supposed to actually answer Thor!
BORING.
May that be the beginning of cool flame wars on bugtraq. Now that n3td3v is fading out and gobbles is gone, our little space is getting boring…
Kudos to Gadi for being a sport and not getting mad about this post. But here’s a suggestion for you: take our advice and stay quiet for a while
of course, except for this blog.
(*) Credit goes to Larry Seltzer for this perfect name/description. What’s with all the out of office messages? Recent count showed there are more OOO bounces than actual bugtraq subscribers.
(got anything to tell Ren&Stimpy? Email us: rennstimpy@securiteam.com)
Posted on January 6th, 2006 by Ren and Stimpy
Filed under: Microsoft, Commentary, Digest, Funny | 23 Comments »
So, Microsoft released a patch ahead of schedule. We can only applaud that.
But what does that patch do?
Exactly what Ilfak Guilfanov’s patch did, only he built it in a few hours (plus some testing).
Microsoft disallowed SETABORT. Same as Ilfak’s… rearranged a bit. See for yourselves below. If that is the best solution, we see no harm in that either. It just seems that MS06-001 is Ilfak’s patch in a prettier outfit.
We understand the need for extensive testing, so the time differential in this case can be accepted. And yet…
The new patch was released today. After patching, the new gdi32.dll is dated to the 28th of December. What’s the date today?
What’s that all about? It makes you wonder, doesn’t it?
Well, why don’t you see for yourselves? Here is what Microsoft did, as bindiff shows.
Old GDI32 has the bug here:
.text:77F24914 movzx eax, word ptr [ebx+6]
.text:77F24918 cmp eax, 0Fh
.text:77F2491B jz loc_77F25067 ; default
.text:77F24921 push 0 ; LPVOID
.text:77F24923 lea ecx, [ebx+0Ah]
.text:77F24926 push ecx ; LPCSTR
.text:77F24927 movzx ecx, word ptr [ebx+8]
.text:77F2492B push ecx ; int
.text:77F2492C push eax ; int
.text:77F2492D push dword ptr [ebp-7Ch] ; HDC
.text:77F24930 call Escape
.text:77F24935 jmp loc_77F23F23
The patched GDI32.DLL contains this code instead:
.text:77F24914 movzx ecx, word ptr [ebx+6]
.text:77F24918 push ecx
.text:77F24919 call _IsAllowedWmfEscape@4 ; IsAllowedWmfEscape(x)
.text:77F2491E test eax, eax
.text:77F24920 jz loc_77F2506C ; default
.text:77F24926 push 0 ; LPVOID
.text:77F24928 lea eax, [ebx+0Ah]
.text:77F2492B push eax ; LPCSTR
.text:77F2492C movzx eax, word ptr [ebx+8]
.text:77F24930 push eax ; int
.text:77F24931 push ecx ; int
.text:77F24932 push [ebp+var_7C] ; HDC
.text:77F24935 call _Escape@20 ; Escape(x,x,x,x,x)
.text:77F2493A jmp loc_77F23F23
… and the new function itself:
.text:77F42D66 ; __stdcall IsAllowedWmfEscape(x)
.text:77F42D66 _IsAllowedWmfEscape@4 proc near ; CODE XREF: PlayMetaFileRecord(x,x,x,x)+ACD
.text:77F42D66
.text:77F42D66 arg_0