
Innovation in Information Security

Coverage of important Information Security and Information Technology news and events from the research team at Sønnet Beskerming.


Of Bad Patches and Rootkits

When a company releases patches to fix their software, it gives hackers and security researchers a chance to 'reverse engineer' them to work out how the company has actually fixed the vulnerability, and in the case of the hackers it gives them a chance to understand how to create a workable exploit against the patched vulnerability. Sometimes companies will 'slipstream' patches for unannounced vulnerabilities in with the patch for an announced vulnerability. This can cause problems for end users who are expecting to have a certain subsystem repaired, only to discover that the 'slipstreamed' vulnerability patch has caused an unrelated subsystem to fail. Unfortunately, this only deepens the mystery of what is happening inside a user's computer whenever they are trying to get something done.

One of the patches released by Microsoft with their October Security Patch release, MS05-049, was being reverse engineered by an Argentinian security consultant, who discovered that it repaired a vulnerability that was improperly repaired by an earlier patch, MS05-018. According to the researcher, the earlier patch only blocked one particular avenue of attack, rather than repairing the underlying vulnerable function.
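The distinction the researcher draws, between blocking the one reported avenue and repairing the function that every avenue passes through, is easier to see in code. The following is an added, constructed illustration; it is not Microsoft's code and does not reproduce the actual MS05-018 / MS05-049 defect. The share root, the two front ends and the test inputs are all made up for the example:

```python
"""Constructed example: a 'patch' that blocks one reported avenue at one call
site, beside a fix of the shared routine itself. None of this is Microsoft
code or the actual MS05-018 / MS05-049 defect; paths and handlers are made up."""
import posixpath

SHARE_ROOT = "/srv/share"  # constructed document root for the example


def resolve_original(base: str, requested: str) -> str:
    """The shared routine every front end calls. It normalises the path but
    never checks that the result still lies under `base`."""
    return posixpath.normpath(posixpath.join(base, requested))


# --- Vector-only patch: one check, in one caller --------------------------
def http_open_patched(requested: str) -> str:
    if ".." in requested:  # blocks only the avenue that was reported
        raise PermissionError("rejected by HTTP front end")
    return resolve_original(SHARE_ROOT, requested)


def share_open_untouched(requested: str) -> str:
    """A second front end that calls the same routine and received no patch."""
    return resolve_original(SHARE_ROOT, requested)


# --- Root-cause fix: containment is enforced inside the routine -----------
def resolve_fixed(base: str, requested: str) -> str:
    base = posixpath.normpath(base)
    target = posixpath.normpath(posixpath.join(base, requested))
    if target != base and not target.startswith(base + "/"):
        raise PermissionError("resolved path leaves the share root")
    return target


def http_open_fixed(requested: str) -> str:
    return resolve_fixed(SHARE_ROOT, requested)


def share_open_fixed(requested: str) -> str:
    return resolve_fixed(SHARE_ROOT, requested)


def escapes(handler, requested: str) -> bool:
    """True when `handler` returns a path outside SHARE_ROOT; False when it
    either stays inside or refuses the request."""
    try:
        target = handler(requested)
    except PermissionError:
        return False
    return target != SHARE_ROOT and not target.startswith(SHARE_ROOT + "/")


# Constructed regression inputs: one benign, one of the reported form, and one
# that reaches the same weakness by a different route (an absolute path).
CASES = ["docs/readme.txt", "../../etc/hosts", "/etc/hosts"]


def audit(handler) -> list:
    """Which of the constructed cases still escape through a given handler."""
    return [case for case in CASES if escapes(handler, case)]


if __name__ == "__main__":
    for name, h in [("http patched", http_open_patched),
                    ("share untouched", share_open_untouched),
                    ("http fixed", http_open_fixed),
                    ("share fixed", share_open_fixed)]:
        print(f"{name:16s} still escapes via: {audit(h)}")
```

Running `audit` over each handler shows the two ways a vector-only patch falls short: the untouched second front end still reaches the weak routine unchanged, and even the patched front end lets through an input of a shape the check was not written for. Moving the containment check into `resolve_fixed` closes both at once, which is the point of repairing the function rather than the symptom.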

In Microsoft's defence, code maintenance is one of the most frustrating and time consuming elements of the overall development process. Developers assigned to code maintenance have to apply extreme caution to the process, in order to avoid inadvertently introducing new vulnerabilities, and to minimize the disruption to services and third party software which rely upon the code being maintained. Sometimes it is code that is several years old, and core elements of applications, which need the most urgent maintenance, but it is usually this code that causes the most issues for maintenance, because subsequent software releases have come to rely upon its exact behaviour. For such a large company (i.e. with a lot of inertia), their commitment to secure development practices, and a focus on security, can take some time to filter through their product lines.

The alternative viewpoint put forward by observers is that Microsoft should adopt a development process which enables code modularization, whereby the complete codebase is reduced into separate modules that are clearly defined (in their interface with other modules), and which can be handled by an individual coder, or a small team of coders. Others rush to point out that Microsoft is more of a marketing company than a software development company, cynically observing that Microsoft is probably the only company which can get away with creating a problem, then being elevated to hero status for fixing the issues that they have caused. It is suggested that the combined size of all the patches and security updates for Windows 2000 is greater than the size of the original Operating System installation. If true, it would call into serious doubt the quality of the software produced by the company.

If that isn't enough to keep people awake at night, numerous countries and companies rely upon software from the largest software company in the world for critical functions (even though the EULA says not to), when it is apparent that the company has some difficulty correcting vulnerabilities in its code.

Other software companies are not immune to such patterns, with Oracle known to have ignored vulnerabilities for extended periods (years), and IBM patches to software only fixing the known attack vector and not the underlying problem (the same thing Microsoft has been vilified for).

Ultimately, it is the human factor which leads to such situations, and the human factor which can remedy it. Developers are not able to produce quality, flawless code for extended periods of time, and this varies greatly with the external pressures applied by a management structure which has deadlines to meet, and also by the ability and experience of the developer. It also comes down to the humans who use the software, happily clicking their way past warning screens and alert boxes, opening email attachments and running the software they found there, downloading and installing software from as many sites as they can and a number of other actions which strike fear into the hearts (and cash into the wallets) of the security industry.

The human factor in computer security really became a problem over the last week, when it became known that Sony appears to be secretly installing a 'Rootkit' on Windows computers when certain Sony/BMG audio disks are played on them. Because the disks still function correctly in a stand-alone 'Red Book' standard CD player, they can probably still be classed as legitimate CDs, but the sneak-installation of a Rootkit is considered extremely unethical (at best), and possibly illegal.

Even taking measures to clean the system requires specialised tools (which will either leave the system damaged, or install further secret software). Even rebooting into Windows 'Safe Mode' will not stop the Rootkit from running. While coverage has been restricted primarily to technical news reporting, the issue did start to make an appearance in a number of mainstream media outlets. There was an almost universal condemnation of the action, along with forecasts of further malicious software making use of the unique features of this particular Rootkit. Various small groups have called for boycotts of Sony/BMG music products, all the way up to boycotts of all Sony products, as a sign that such actions are not appropriate.

Already, software to allow cheating on the popular online role-playing game, World of Warcraft, has surfaced, which makes use of various features of the Sony Rootkit to hide its presence from the 'Warden' system monitoring / cheat scanning software which runs alongside World of Warcraft.

This move could bring Blizzard (publisher of World of Warcraft) into the fray, on the side against Sony. Historically, Blizzard have taken a dim view of applications that let players cheat, or use their games online through services other than Blizzard's own. Two very recent cases of this were when the developers of Bnetd were essentially forced to halt development, and when Blizzard's 'Warden' application was considered not to be a Rootkit or spyware (despite what it does). If enough players make use of Sony's Rootkit to install cheat software for World of Warcraft, Blizzard is very likely to take some sort of action.

The information that accompanies the CDs indicates that Administrator privileges are required to use the CD with a PC. This then allows the software to install itself, call back to the Sony servers (if the computer is online), and then hide itself inside the Operating System. Through the investigative efforts of one particular security researcher, it was discovered that this particular software has a number of bugs, which make it an extremely inviting prospect for other malicious software authors to hide their software behind, such that it will not show up on any scans of the system.
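Software that hides itself "inside the Operating System" typically does so by filtering what the normal system calls report, which is why ordinary scans miss it and why the specialised tools mentioned above work from a different angle: they compare the view the hooked API presents with a lower-level enumeration and report anything present in one but not the other. The following simulation of that cross-view comparison is an added example, not code from the article or from any Sony or anti-rootkit product; the directory contents, the file names and the hidden-name marker `$hid$` are all constructed for the illustration:

```python
"""Added illustration of cross-view rootkit detection, as a simulation.
The 'raw' directory contents, the file names, the hiding hook and the
$hid$ marker are constructed; nothing here is taken from a real product."""

HIDE_PREFIX = "$hid$"  # constructed marker that the simulated hook suppresses

# Constructed picture of what the disk actually holds (the 'raw' view).
RAW_DIRECTORY = {
    r"C:\WINDOWS\system32": ["kernel32.dll", "user32.dll", "$hid$drv.sys"],
    r"C:\Program Files\Player": ["player.exe", "$hid$cfg.dat", "readme.txt"],
    r"C:\Users\home": ["notes.txt"],
}


def raw_listing(path: str) -> list:
    """Stand-in for enumerating directory entries beneath the hooked API
    (a real tool would read the volume structures directly)."""
    return list(RAW_DIRECTORY.get(path, []))


def hooked_listing(path: str) -> list:
    """Stand-in for the ordinary API call on an infected system: a filter
    silently drops every name carrying the marker."""
    return [name for name in raw_listing(path) if not name.startswith(HIDE_PREFIX)]


def clean_listing(path: str) -> list:
    """The ordinary API call on a system with no hiding hook installed."""
    return raw_listing(path)


def cross_view_diff(api_view, raw_view, paths: list) -> dict:
    """Return {path: [names]} for every entry the raw view holds but the
    API view does not. An empty result means the two views agree."""
    discrepancies = {}
    for path in paths:
        hidden = sorted(set(raw_view(path)) - set(api_view(path)))
        if hidden:
            discrepancies[path] = hidden
    return discrepancies


def scan(api_view, paths: list) -> dict:
    """One-shot scan helper: compare the supplied API view with the raw view."""
    return cross_view_diff(api_view, raw_listing, paths)


if __name__ == "__main__":
    paths = list(RAW_DIRECTORY)
    print("infected system:", scan(hooked_listing, paths))
    print("clean system:   ", scan(clean_listing, paths))
```

The same comparison applies to registry keys and running processes, which is why such tools enumerate several object types. The caveat a practitioner should keep in mind is that the method only finds what the hook hides from one view and not the other: the lower the raw enumeration is taken, the less room a hook has to suppress both, and a scan run from a trusted boot medium removes the hook from the picture entirely.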

The known spread of the infected CDs is North America, but it is probable that samples exist outside of that market. It has already been observed that requests have been made for complete CD images of infected disks (i.e. .iso files), in order to install and play around with the Rootkit.

Some observers have quipped that instead of advertising that something is protected by DRM (Digital Rights Management), a more appropriate usage would be 'Infected with DRM'. Others are complaining that the Rootkit only hurts those who are purchasing their music legally, and is more likely to have the reverse of the intended effect in the long run. That is, it is more likely that people will look for their music via electronic download (Kazaa and the like), than through a purchased CD which will infect their computer with nasty software.

The security implications from this are massive. Companies which allow their employees to run as Administrator, and home users who do the same, are likely to discover that their system security has been significantly weakened just by playing an audio CD. People employed to remove spyware, adware, viruses, worms, and other malware from infected computer systems will need to ask their customers whether they have bought and played any music CDs through their computer lately.

Finally, as this article was being prepared for publication, it was identified that Cogent (one of the Tier 1 ISPs involved in the recent peering issue) started suffering some significant network reliability issues. Network traffic was passing through at a reasonable rate, but their end of the connections to the other Tier 1 ISPs was suffering an availability issue, with as little as 75% network availability to some of the other ISPs. After about three hours, the issue appears to have been resolved, with the network availability rising back up over 90% for most connections, and the remainder also climbing. It will soon be a month since the Cogent / Level3 connection was re-established, and it will be interesting to monitor what happens over the next few weeks, to see whether the peering point will be shut down, or not (even with the other agreements in place).

7 November 2005
