
June 10th, 2008

What's wrong with an exploit being sexy?

Posted by Nathan McFeters @ 4:30 pm

Categories: Browsers, Complex Attacks, Exploit code, Linux, Microsoft, Vulnerability research, Windows Vista

Tags: Exploit, ActiveX, Flaw, Dietrich, openSUSE, Microsoft Windows, ActiveX/COM/COM+/DCOM, Operating Systems, Middleware, Software

First off, let me start by saying _dietrich has been following our blog for quite some time and is a consistent poster, providing good advice on how to use Linux securely, sometimes as an alternative to Windows technologies.  I wouldn’t have commented about this in a blog posting, except that I took some offense to the way that Dietrich characterized my article in remarks on his blog.  From Dietrich:

“Nearly every day, I read about Zero-Day exploits. The latest exploit, brought to you by Nate McFeters at ZDNet Zero-Day, entitled Another bug your tools won’t find and your WAF won’t prevent, is yet again another example of how profoundly bad Microsoft ActiveX technology is. The article goes into detail on how ActiveX repurposing exploits are being used, in this case against a Juniper VPN SSL Windows client.”

So far Dietrich and I are in total agreement; now it shifts:

“It refers to the exploit as being ‘sexy’. I find this to be a bit troubling. There’s nothing to my mind sexy (or cool) about it. Not in the least. What type of public service this provides is in question. If it were me at ZDNet, I’d be providing information on how IT professionals and consumers can avoid ActiveX altogether. Make a change. Linux has everything you need minus the Windows Viruses. openSUSE is safe, secure and not prone to the kinds of exploits which hamper Microsoft Windows products.”

Is noting the savvy and elegance of an exploit as sexy a crime somewhere? Code is simply an artistic form of expression in my mind. It’s functional, yet it can be elegant, and to some, that is art. If the art is destructive or derisive in nature, does that prevent it from being art? I think not. My comment about the vulnerability being sexy speaks only to the simplicity of the flaw. The fact that it is equal parts devastating, cunning, and unique (not just a common stack overflow) is interesting. I disclose vulnerabilities responsibly, as did all involved in this article, so let’s not get it twisted and make myself or Sensepost out to look like villains.

Dietrich then suggests that ZDNet (I assume he means me, since ZDNet didn’t post the article, I did) should spend more time informing people on how they can protect themselves from ActiveX flaws.  Dietrich then goes on to suggest that people not use Windows to protect themselves from ActiveX flaws, suggesting instead openSUSE.  Well, I challenge you Dietrich, did you really explain how people can protect themselves from ActiveX flaws?  The fact of the matter is, companies use Windows products because they scale well to a large network of diverse uses quite simply.  Windows is also a platform that supports endless solutions for complex needs.  Additionally, Windows is still the most used operating system by end users, which I’m sure comes as no surprise.

While I might make my clients more secure by telling them to use openSUSE over Windows, I can’t help them solve all of their complex solutions in a *Nix environment; some of the “requirements” cannot be met, such as having a VPN ActiveX object, or whatever it might be. You can challenge the necessity of such a product, certainly, but do keep in mind that not all decisions can be made based off of security impact alone. Real companies have to take many things into consideration for decisions on a platform, with one of those being flexibility to scale to needs. I’m reasonably sure that MOST things can be done with *Nix that can be done with Windows, but I do challenge that you have to consider who is implementing. Just because you and I can set up LDAP and Kerberos to support a network of 1,000 systems with complex business requirements doesn’t mean that every company’s IT department can, or more importantly, can do so in a cost-effective manner.

Also, I think it is important to point out that Windows is not really at fault here; the code in the ActiveX control creates the security issue. This code wasn’t created by Microsoft. You can say that Windows is at fault for providing ActiveX at all, but where does that line of thinking end? Eventually we go back to the abacus because using anything else creates a security concern.

Just my $0.02.  Readers shouldn’t take this as a personal attack on Dietrich, even though I was a little offended at his article, but I think it is important to shed a little light on the subject.

-Nate

Nathan McFeters

Nathan McFeters is a Senior Security Advisor for Ernst & Young's Advanced Security Center in Chicago. The views and opinions expressed in this article are his own and do not represent the views and opinions of Ernst & Young Advanced Security Center or Ernst & Young, LLP. Nathan has performed web application, deep source code, Internet, Intranet, wireless, dial-up, and social engineering engagements for numerous clients in the Fortune 500 during his career at Ernst & Young and has spoken at a number of prestigious conferences, including Black Hat, DEFCON, ToorCon, and Hack in the Box. He can be found at his Pwn* blog and XS-Sniper, a blog with Billy Rios. See his full profile and disclosure of his industry affiliations.
