The latest round of Microsoft Word 2007 issues has triggered one of my rants… namely, is denial of service (DoS) a vulnerability?

Let me begin by stating that DoS is not a vulnerability — it is a result; it is an effect of an underlying issue. The fact that a DoS occurs may be an indication of a vulnerability. A long input string leading to a crash may stem from a failed buffer overflow that is exploitable under the correct conditions. Malformed TCP packets that cause the network interface to lock up may be caused by an invalid memory allocation or a NULL pointer dereference, either of which may be exploitable.

Now, back to the Word 2007 DoS 0day claims. The so-called MS security guru David LeBlanc touts these claims as “security features”: Word crashed due to a protection mechanism that deliberately causes a crash instead of allowing a possible exploit. Nobody is going to dispute that a crash is much preferable to an exploit, but people, such as myself and ComputerWorld’s Frank Hayes, will argue that DoS should still be classified as a security concern.

LeBlanc claims that crashes and DoS conditions fall into one of three categories:

  1. “Your code blew up, and you’re about to get 0wn3d. Yup, it’s exploitable, and the customers are not going to be happy.
  2. Your code blew up, and maybe it is exploitable, maybe not.
  3. Your code blew up, and you meant it to blow up, and it’s clearly not exploitable.”

He states that the 0days fall into the third category and are unexploitable.

Hayes points out that a crash could lead to further, systemic issues. For example, researchers have found exploits (e.g., CVE-2006-3648) regarding the exception handling in other MS products (see Exploiting the Otherwise Non-exploitable on Windows). So, just because a bug (or “feature” in MS lingo) isn’t exploitable, it still may have a security impact.

Also, I would like to call into account Microsoft’s own history regarding “unexploitable crashes”. For example, the Javascript window() issue in IE was publicly reported as a DoS in May 2005 and was ignored by MS, until being reported as exploitable in November 2005. It was finally patched in MS05-054 in December 2005.

Finally, in a comment to MS, exactly how are researchers supposed to know the exploitability of your code? With everything being closed source, we cannot tell if such issues are anything beyond a denial of service.

After reading on Bill O’Reilly’s Radar that PHP has now entered the mainstream, as shown by evidence of the increased sales of beginner PHP books, I can only say that I am frightened.

Coming from the security and vulnerability space, I see PHP as the worst security offender. PHP is easy to use, but hard to use securely. Stefan Esser’s Hardened PHP project goes to show how much more improvement PHP needs. Giving the PHP developers some credit, they have started taking some steps toward improving security, like finally disabling the register_globals and allow_url_fopen options by default. However, this is too little, too late.

You can tell a language is a threat when the vulnerability researchers have to come up with new classes of vulnerabilities just to describe the language’s security deficiencies — PHP Remote File Inclusion and Dynamic Variable Evaluation come to mind. Let’s see, how many hundreds (thousands?) of websites have been compromised due to PHP’s mainstream exposure and “ease-of-use”? All of that in addition to the increased XSS threat from global variables and multiple problems with CSRF and session handling.
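As an added example (not the post’s own code), the fragile coding style that the register_globals and allow_url_fopen defaults invited, beside a hardened form of the same page loader; the page files, helper names and the sample request are assumptions constructed for the script:

```php
<?php
// Added example, not code from the original post: the two defaults the post names,
// register_globals (simulated with extract(), which is effectively what it did) and
// allow_url_fopen, beside a hardened allowlist form. Files and request are constructed.
$pages = sys_get_temp_dir() . '/pages_' . getmypid();
mkdir($pages);
file_put_contents("$pages/home.php", "<?php echo 'home page';");

// Fragile form, written the way code relied on the old defaults.
function render_fragile(array $request, string $dir): string
{
    extract($request);             // register_globals: every parameter becomes a variable
    if (isset($user) && $user === 'alice') {
        $admin = true;             // only ever assigned on the success path
    }
    $role = !empty($admin) ? 'admin' : 'guest';   // a stray ?admin=1 also lands here
    // With allow_url_fopen=On include() accepts a URL, so an unchecked $page
    // could name a remote file (Remote File Inclusion).
    ob_start();
    include "$dir/$page.php";
    return $role . ':' . ob_get_clean();
}

// Hardened form: no reliance on request-derived variables, allowlisted pages only.
function render_hardened(array $request, string $dir): string
{
    $allowed = ['home' => 'home.php', 'about' => 'about.php'];
    $admin = false;                // always initialised explicitly
    if (isset($request['user']) && $request['user'] === 'alice') {
        $admin = true;
    }
    $page = $request['page'] ?? 'home';
    if (!isset($allowed[$page])) { // reject anything outside the allowlist
        return 'error:unknown page';
    }
    $path = realpath($dir . '/' . $allowed[$page]);
    $base = realpath($dir) . DIRECTORY_SEPARATOR;
    if ($path === false || strncmp($path, $base, strlen($base)) !== 0) {
        return 'error:page outside the page directory';
    }
    ob_start();
    include $path;
    return ($admin ? 'admin' : 'guest') . ':' . ob_get_clean();
}

// Constructed request: an unauthenticated visitor adding an extra "admin" parameter.
$req = ['page' => 'home', 'admin' => '1'];
echo render_fragile($req, $pages), "\n";   // role is taken from the injected variable
echo render_hardened($req, $pages), "\n";  // role stays guest
unlink("$pages/home.php"); rmdir($pages);
```

Run it from the command line with any PHP 7 or later interpreter; the fragile function shows the role flip even though no login succeeded, and the hardened function does not.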

Even the PHP language (and Zend Engine) has had its share of critical issues: CVE-2006-3017 and CVE-2006-5465. According to NVD’s CVE data, in 2006 and 2007, PHP has had 90 reported vulnerabilities (quite a few of which were from Esser’s recent Month of PHP Bugs (MoPB)). [Sorry, I can't find a way to link to the NVD search results.]

At least people other than O’Reilly can profit off of PHP’s mainstream recognition.

Imagine you are living in a beautiful house, but the walls constantly need to be patched, the floor is not level, and the house tends to flood. You keep hiring contractors to fill the holes in the drywall, add supports, re-lay tiling, and clean up the water damage. You can maintain this process for the next several decades before the house becomes hazardous, but most people would become suspicious after the first year or two. It is only then that they step outside the problem and look at the structural foundations, only to realize that the house was built on top of sand and right next to an ocean…

So, what is the point? What does that have to do with computer security?

That house is the computer and the Internet — the icons of the Information Age, and we’ve been living in a rotting house since 1970 (but did not start to notice until the mid 1990s). Security has become a huge issue, and we are just trying to survive by throwing technology and half-baked ideas at the problem.

When it comes to digital security, why do we always try to bandage and mitigate problems instead of solving them? Anti-virus is just about dead. Firewalls can do only so much. IDS systems are fairly error prone and don’t do well at preventing new attacks. Our authentication and permission systems consist of archaic passwords and rwx file permissions.

The chips, memory, and programming techniques have advanced, but security has done very little to keep pace. We cannot do much to stop e-mail spam, control network activity, or prevent attacks, because the network, hardware, operating systems, and applications either don’t support security or implement it as an afterthought. I mean, how are we supposed to protect ourselves if we are facing more than 15 new vulnerabilities per day!

Most users cannot and do not track and maintain their installed programs. Most don’t know how to be more secure and are not savvy enough to even understand how to work today’s complex (security) software. Remember: Your security is only as good as your weakest point; I only need to find one hole in order to slip past your security.

Security is a never-ending battle for the defenders, which becomes more bleak when you realize that there is absolutely no way of winning. I think the only way we are going to have any real success is to compile all of our lessons learned from the past few decades, go back to the drawing board, and redraft the architecture of networks, computers, and software. Build security and usability into the design from the start. Take the bullet out of the gun and enable the safety to prevent people from getting attacked (or shooting themselves in the foot).
