Microsoft urges computer users to install security tool

Discussion in 'Computers' started by scotjimland, Sep 18, 2012.

  1. scotjimland

    Microsoft has urged Windows users to install a free piece of security software to protect PCs from a newly discovered bug in the Internet Explorer browser.

    The security flaw, which researchers say could allow hackers to take remote control of an infected PC, affects Internet Explorer browsers used by hundreds of millions of consumers and workers. Microsoft said customers should install the security software as an interim measure, buying it time to fix the bug and release a new, more secure version of Internet Explorer.

    It affects Internet Explorer versions 7, 8 and 9 on Windows XP, Vista and 7 operating systems. IE 10 is not affected. Malicious code is downloaded to computers when users visit infected websites.


    Read more: http://www.smh.com.au/it-pro/securi...curity-tool-20120918-263vv.html#ixzz26nj4H7A9

    Microsoft Security Advisor
     
  2. GJH
    When will Microsoft learn that simply publishing untested software is not acceptable?

    It doesn't help when journalists publish statements like "Zero-day vulnerabilities are rare, mostly because they are hard to identify - requiring highly skilled software engineers or hackers with lots of time to scrutinise code for holes that can be exploited to launch attacks."

    Is there anything which is more round objects than something like that? You don't "scrutinise code for holes" any more than you build a ship and launch it into the water to discover whether any welds have gaps. You construct a watertight business specification and then test code against that.
     
  3. scotjimland
    Are Microsoft and Fiat sister companies? :Laughing:
     
  4. injebreck99
    Microsoft security

    I was advised to download an anti virus called Microsoft Essentials by a so called "Expert", looked and appeared to be a genuine Microsoft addition, I did so and it completely ****ed up my laptop, had to have it completely wiped and start again, now back with my original Norton AV, which has been no trouble at all. :Doh:
     
  5. dellwood33

    That explains why my desktop starts to judder when I use the Backspace Button :RollEyes::BigGrin:
     
  6. ShiftZZ
    This is version IE9 and they are still finding holes, Microsoft, far too big, far too lazy and making far too much money..
     
  7. GJH
    Only finding holes or creating more? :BigGrin:

    As I've often said, a computer system is like a pyramid.

    Properly designed it starts life sat on a firm base. Some, as they are added to over the years, without any proper consideration of what effect changes have on the original specification and without proper testing, gradually turn until they are completely upside down and teetering on a tiny point.
     
  8. Geo

    Australian Pyramids:thumb:
     
  9. slobadoberbob

    so much better with a MacBook Pro etc.,

    Do not seem to get these continued issues with a MAC:Rofl1::Rofl1::Rofl1:

    Bob:Blush:
     
  10. Chris
    Indeed Bob. My iPad seems to be running very smoothly (and securely):Wink:
     
  11. Gromett


    I can't believe I am going to come to Microsoft's defense here.

    Graham, I have to ask you when was the last time you developed a program that included millions of lines of code, linked to external libraries and ran on the world's most popular target for hackers? How did that go? Was every single line of code perfect in every way? Did you anticipate every stupid thing your users could do? Did you rely on any calls to the operating system and if so did you always sanitise all parameters you passed before passing them? Did you always check returns and ensure they were within bounds even for something that should not fail? Did your unit testing cover every possible not just conceivable problem?

    I could go on...

    Writing software is incredibly difficult to get 100% right. I used to slam Microsoft for the security and reliability in their software but over the last 10 years they have done a lot and keep doing more. I now believe it is their top priority and I do applaud the progress they have made. They introduced DEP and ASLR in previous releases of Windows which has improved things dramatically. Zero day exploits that don't require a dumbass user to do something stupid are rare these days in comparison to what they used to be.
    If you want to launch at a company for insecure software I personally hate Adobe and Oracle, I refuse to have their crap on any of my computers.
     
  12. GJH
    Never millions of lines of code (only thousands) and in pre-hacking days but that is not the point. To test properly, data has to be set up to test against the (business not program) specification not against the program as coded.

    Very nearly.

    It doesn't matter what stupid things users do as long as every condition which can be returned is trapped and dealt with.

    Yes.

    Yes.

    Yes - and so did system testing.

    All of the above was what we did as a matter of course 40 years ago. It was in later years that companies started cutting corners by reducing testing. That does not make it acceptable or excusable.

    Software development is no more incredibly difficult than any other engineering. It would be unacceptable if something like The Shard fell apart and it should be just as unacceptable if software on which people rely falls apart.
     
  13. Gromett
    I disagree. The Shard falling apart is a much bigger problem than a computer being exploited. There are cost/benefit/risk issues here.

    For instance aircraft manufacturers and NASA for example use three computers running different systems with each comparing their results against each other. They still make cock ups such as the Airbus crash (Air France Flight 296). Where the system was not designed to anticipate the situation. If Microsoft were to apply the same engineering principles (disregarding risk and cost benefit analysis) they would insist that it was only run on computers with 3 different processors. Internet Explorer would be written in 3 different languages by three different teams and they would have to compare results before displaying them. Each instance would be run in a sandbox with an extra program monitoring all memory and transactions for out of bounds or other risk indicators. The security restrictions alone would make the internet unusable. Internet Explorer wouldn't be free it would cost £5,000 per copy to reflect the cost of development and would only run on these triple cpu computers. With computers you have to balance ease of use against security. It is possible to make a close to 100% secure computer but it wouldn't do anything useful.

    Another example is of the twin towers. They were very well engineered but didn't anticipate jets being flown into them. In the same way a computer programmer will write software designed for a purpose. He will attempt to test every input/output operation but there will always be some unanticipated input that will cause the system to fail. New tower blocks are now built with the jet impact possibility in mind. The terrorists will have to come up with a new way of destroying big buildings or move to a different target. This is what is happening in the software engineering world. With the addition of DEP and ASLR the "building" is now engineered to withstand all the old school attacks and makes the cost to the hackers so much higher. This is why we have fewer 0 days now. Hackers are now finding ways around these because the value in exploiting a computer is so high that the benefit outweighs the cost.

    I am an old school programmer who started off on Z80 assembler moving through 6510, 68K asm. Then through C and C++; these days I mainly do server admin but still develop in PHP. I regularly study up on best practices and security as this is essential to my living. I consider myself a competent programmer with a firm understanding of the underlying architecture and system security. However I am not complacent or conceited enough to think that my software would withstand a full on attack by expert or experienced security professionals if they set their minds to it.

    I will add one more question.. Was your software a huge target for hackers due to it being installed on 100's of millions of computers world wide? Are you confident that your software could have stood up to extremely close scrutiny by security experts who specialise in exploiting systems?

    PS: I am not denigrating your obviously vast experience of programming. I just believe your expectations are way too high.
     
  14. Gromett

    :Rofl1::Rofl1::Rofl1::Rofl1::Rofl1::Rofl1::Rofl1:
    http://www.zdnet.com/blog/ou/extremely-critical-mac-os-x-zero-day-exploit-released/163

    This guy has a regular punt at OS/X; he may be due for another look... Last time he found 20 Zero Day exploits.
    http://www.engadget.com/2010/03/19/charlie-miller-to-reveal-20-zero-day-security-holes-in-mac-os-x/

    He also has the odd pop at iOS
    http://www.engadget.com/2011/11/07/charlie-millers-latest-ios-hack-gets-into-the-app-store-gets-h/

    He even has goes at the processor in the battery pack :Rofl1::Rofl1:
    http://www.engadget.com/2011/07/22/charlie-miller-finds-macbook-battery-security-hole-plans-to-fil/

    He can even hack your iPhone using a single character SMS message:Doh:
    http://appleinsider.com/articles/09/07/29/sms_hack_could_leave_every_iphone_vulnerable.html

    I could list more but you get the idea:Eeek:

    Just imagine how bad Apple's security reputation would be if Apple had 50% market share and became of interest to the majority of the black hats? Imagine 1000's of Charlie Millers all gunning for your secure Macs and iDevices?
     
  15. Gromett
    I was searching for a quote by Charlie Miller for my previous post but couldn't find it. I have found it now...

    Full article here
    http://www.zdnet.com/blog/security/questions-for-pwn2own-hacker-charlie-miller/2941

    Another quote for those who won't read it..

     
  16. GJH
    I think the salient point in your argument, Karl, is "Where the system was not designed to anticipate the situation." That is where the upside down pyramid comes from - companies cut back on design and testing in order to save money and so what if the consumer suffers. Hacking has been a problem for long enough now for us to expect that combating it is part of the design and that the software has been properly tested against that design.

    That is not, though, what Microsoft and other companies do. They take short cuts and do not trap the full range of invalid conditions. A few years ago I discovered a bug in IE which meant that it just stopped if anything other than two values appeared in a particular field. That should never, ever happen. Properly written software should always return an error condition when a test on a field identifies an invalid value. Microsoft admitted at the time that they only undertake field trials not proper testing - note the end of the last sentence below
    That is not an acceptable standard of testing.

    If IE (and other Microsoft software) were simply sold as part of hobby systems (which is what the vast majority of PC owners run), then it would be a different matter. The thing is, though, that it isn't; it is sold as a business tool - so what would be wrong with IE costing £5,000 a copy if that is what it takes to engineer it to the claimed standards?

    With all due respect, Z80 assembler is not old school programming. We were producing far more complex systems before Zilog was even formed. Obviously that software wasn't vulnerable to hackers because it was run on closed systems. That, though, is immaterial. The testing regimes we ran were the equivalent of hackers because the testing regimes were deliberately designed to find any faults.
     
  17. Gromett
    I think we will have to agree to disagree Graham:thumb:

    Google has chucked vast amounts of resources at making Chrome secure and fast. They have some of the best programmers around and they are still suffering from zero day exploits... You can't design for something you can't anticipate.

    What I meant by old school was I understand things at the processor level. I started writing games where individual instruction timings and every byte of memory mattered. I had to do everything within a fixed amount of time (vblank) consistently and reliably.

    In comparison to today's kids who only learn high level languages, don't understand the underlying processor and build against vast libraries of code rather than writing everything themselves.

    How many kids today could write a simple bubble sort in asm? How many could write a version of space invaders that would fit on the boot sector of a floppy disk (just under 1K). I will let even them use mode 13h:thumb:
     
  18. GJH
    But the point is that you can anticipate if you undertake a rigorous requirements definition - which says what the resulting system must allow and what it must reject (i.e. anything which is not allowed). Problems arise when testing is not done against what the requirements say but against what the design says (or, even worse, what the code says). If a data field has valid values of 1, 2 and 3 the lazy programmer (probably coder these days) will test for 1 and 2 and, if it is neither, assume the value must be 3. A real programmer will test for 1, 2 and 3 and trap anything else as an error. Scale that up to the level of the business requirements and it is still only, logically, the same.

    Now there we do agree :Smile: Although 1K is rather a large amount of space isn't it? :Smile: Seriously, it pains me when I see business systems running like 3 legged tortoises on modern hardware when they have no more functionality than their counterparts of the early 70s which ran much more efficiently on a 360/30.

    It doesn't matter if kids at home are simply plugging modules from code libraries together like Lego blocks. It does matter when major software companies do the same.
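
The 1, 2, 3 field test described in the post above, as an added example that is not part of the original thread: the lazy form beside the strict form, extended to a field that arrives as untrusted text. The names `CODE_A`, `dispatch_lazy`, `dispatch_strict` and `handle_field` are hypothetical.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical field codes: 1, 2 and 3 are the only values the spec allows. */
enum { CODE_A = 1, CODE_B = 2, CODE_C = 3, ERR_INVALID = -1 };

/* Lazy form: tests for 1 and 2, then assumes whatever is left must be 3. */
int dispatch_lazy(long code)
{
    if (code == CODE_A) return CODE_A;
    if (code == CODE_B) return CODE_B;
    return CODE_C;                /* 0, -5 and 99 are all handled as 3 */
}

/* Strict form: each allowed value is named; anything else is an error. */
int dispatch_strict(long code)
{
    switch (code) {
    case CODE_A: return CODE_A;
    case CODE_B: return CODE_B;
    case CODE_C: return CODE_C;
    default:     return ERR_INVALID;
    }
}

/* The field arrives as untrusted text, so reject empty input, trailing
   junk and out-of-range numbers before the value reaches the dispatcher. */
int handle_field(const char *text)
{
    char *end = NULL;
    long code;

    if (text == NULL || *text == '\0') return ERR_INVALID;
    errno = 0;
    code = strtol(text, &end, 10);
    if (errno == ERANGE || end == text || *end != '\0') return ERR_INVALID;
    return dispatch_strict(code);
}

int main(void)
{
    /* Constructed inputs: three valid values and four that must be rejected. */
    const char *samples[] = { "1", "2", "3", "4", "3x", "", "99999999999999999999" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-22s -> %d\n", samples[i][0] ? samples[i] : "(empty)",
               handle_field(samples[i]));
    return 0;
}
```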
     
  19. Gromett

    I totally agree on all of that....

    Any software that gets exploited through a simple example like yours deserves for the author to be birched. Even stack overflow exploits are extremely rare now. The blackhats have moved beyond such simple problems. With garbage collection and high level memory management routines problems like you list and stack overflows are rare now. DEP makes even stack overflow exploits difficult.

    I think if you were to look into this a little more you would see that it is not simple bugs that are being used by the blackhats.

    Not checking the validity of variables is the equivalent of leaving your keys in the ignition and walking away. That is not what happened in this case.

    This particular zero day exploit involved downloading a flash file which amongst other things did heap spraying. It was another running program that did the damage possible by changing the environment in which IE was running.
     
  20. Gromett

    Here is a simplified example (not technically accurate but for explanation purposes)

    In the old days a plugin would run with the same execution privileges as the browser. All a naughty plugin had to do was run. Back then they didn't anticipate things like online banking and how important the internet would become.

    The browser makers then changed the privileges at launch of a plugin so that the plugin ran as a different user to the browser and didn't have access to certain features of the underlying operating system. It could no longer modify system files. In IE this is called security zones and levels.

    The blackhats then had to find a new trick. This time they had to look for privilege escalation bugs. What they looked for was buffer overflow or stack overflow bugs. For many years this was the main security risk to browsers and still occasionally happens today. This is now well tested for so is increasingly rare.

    To stop these the OS writers created DEP. Data Execution Protection. This prevented blackhats pushing data onto the stack or into a buffer and causing it to be executed. So should a programmer make a mistake that isn't caught by unit testing or other tests it is mitigated by the OS itself.

    The blackhats then had to find a different method. They started loading registers with specific values and jumping to system memory at specific places. You can imagine how this caused problems. Other methods involved changing system data tables manually. Routines that were not designed to be jumped directly into were exploited sidestepping checks.

    To prevent this the OS creators implemented ASLR. Address Space Loading Randomisation. This is where the modules that make up the OS are loaded to a different place in memory each time (other things are randomised as well). This makes the above attacks difficult if not impossible.

    Browser makers are also working just as hard with things like sandboxing and virtualisation.

    Each time one means of attack is discovered the programmers of Browsers and OS step up the defences. It is a war and nothing like the clean and predictable science of engineering.
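
On Windows an executable advertises support for DEP and ASLR through two bits of the `DllCharacteristics` field in its PE header, so a defender can audit a binary without running it. The following is an added example, not code from the thread: `pe_mitigations` and `build_sample` are hypothetical names, and the header bytes are constructed inline rather than taken from a real file.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DLLCHAR_DYNAMIC_BASE 0x0040u  /* image may be relocated: ASLR */
#define DLLCHAR_NX_COMPAT    0x0100u  /* image is compatible with DEP */

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }

/* Returns a bitmask (1 = ASLR opt-in, 2 = DEP opt-in) or -1 if the buffer
   is not a well-formed PE header. Every offset is bounds-checked first. */
int pe_mitigations(const uint8_t *img, size_t len)
{
    uint32_t pe;
    uint16_t magic, flags;

    if (len < 0x40 || img[0] != 'M' || img[1] != 'Z') return -1;
    pe = rd32(img + 0x3C);                    /* e_lfanew */
    if (pe > len || len - pe < 4 + 20 + 72) return -1;
    if (memcmp(img + pe, "PE\0\0", 4) != 0) return -1;
    if (rd16(img + pe + 20) < 72) return -1;  /* SizeOfOptionalHeader */
    magic = rd16(img + pe + 24);
    if (magic != 0x10b && magic != 0x20b) return -1;  /* PE32 / PE32+ */
    flags = rd16(img + pe + 24 + 70);         /* DllCharacteristics */
    return ((flags & DLLCHAR_DYNAMIC_BASE) ? 1 : 0) |
           ((flags & DLLCHAR_NX_COMPAT) ? 2 : 0);
}

/* Constructed sample: the smallest header the parser accepts, not a real binary. */
size_t build_sample(uint8_t *buf, size_t cap, uint16_t flags)
{
    const size_t pe = 0x40, total = 0x40 + 4 + 20 + 72;
    if (cap < total) return 0;
    memset(buf, 0, total);
    buf[0] = 'M'; buf[1] = 'Z';
    buf[0x3C] = (uint8_t)pe;                  /* e_lfanew */
    memcpy(buf + pe, "PE\0\0", 4);
    buf[pe + 20] = 72;                        /* SizeOfOptionalHeader */
    buf[pe + 24] = 0x0b; buf[pe + 25] = 0x01; /* PE32 magic 0x10b */
    buf[pe + 24 + 70] = (uint8_t)(flags & 0xff);
    buf[pe + 24 + 71] = (uint8_t)(flags >> 8);
    return total;
}

int main(void)
{
    uint8_t buf[256];
    size_t n = build_sample(buf, sizeof buf, 0x0140);
    printf("both flags set : %d\n", pe_mitigations(buf, n));
    n = build_sample(buf, sizeof buf, 0x0000);
    printf("no flags set   : %d\n", pe_mitigations(buf, n));
    printf("truncated file : %d\n", pe_mitigations(buf, 100));
    return 0;
}
```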
     