Another vulnerability in code that integrates browser and desktop

A new vulnerability, #15 on TBTF's 1997 list [1], has been reported in Internet Explorer 4 and several other Microsoft products. It seems that Microsoft has introduced a buffer overflow in code that recognizes the new res:// scheme, which allows browsers to read DLL resources. The problem was discovered by one "dildog" and publicized by the hacker organization The L0pht [2]; Wired picked up the story [3]. The cause of the security hole, according to dildog, resides in code used by several Windows programs to parse HTML, including Internet Explorer, Windows Explorer, and Outlook Express (both mail and news). When any of these programs attempts to parse a res:// URL longer than 256 characters, the resulting buffer overflow allows an intruder to introduce arbitrary executable code onto a machine's stack. Exploiting such overflows has been a staple of the hacker's toolkit since the earliest days of hacking. Dildog's exploit HTML page (included on [2] in uuencoded form) adds text to the bottom of a victim's autoexec.bat file. Clearly, this security hole could be used to do greater damage, for example by invoking the newly discovered "f00f" Pentium flaw (see next story) to freeze the victim's machine. No IE security setting offers any defense against this problem. I learned from Microsoft's PR firm that they intend to post a patch at [4] for the problem by the morning of 11/12. Microsoft believes the bug affects only the released Windows 95 version of Internet Explorer 4, and not the versions for Windows NT, Macintosh, or Unix. There was no mention of the problem extending to Windows Explorer or Outlook Express, as dildog claimed. Here is a late report from c|net [5] on Microsoft's reaction to the buffer overrun bug. Thanks to David Black <d.black at opengroup dot org> for the first word on this bug.

Here thanks to Lloyd Wood <L.Wood at surrey dot ac dot uk> is a timely example [6] of how this bug and the one described next can be combined to demonstrate the law of emergent behavior. Wood writes:

If you're running Internet Explorer 4 on a Pentium, you can
easily verify for yourself that these problems exist by
attempting to load this page [6] -- but do save your work
first. (Internet Explorer 3 is immune.) This page auto-
matically exploits both the recently-discovered Pentium
bug, and the recently discovered Explorer 4 res:// buffer
overflow bug, via a trivial piece of autoexecuting HTML --
which could easily be emailed.

[1] http://www.tbtf.com/resource/ms-sec-exploit.html
[2] http://l0pht.com/advisories/ie4_x1.txt
[3] http://www.wired.com/news/news/technology/story/8429.html
[4] http://www.microsoft.com/ie/security/
[5] http://www.news.com/News/Item/0%2C4%2C16258%2C00.html
[6] http://www.ee.surrey.ac.uk/Personal/L.Wood/IE4res/

Remember the Pentium floating-point glitch and "Intel Inside, Can't Divide?"

Another Pentium error has come to light [7], [8], this one potentially exploitable in denial-of-service attacks. The problem affects all Pentium processors (but not Pentium IIs), of which there are hundreds of millions in the world, no matter what operating system they are running. Whenever a Pentium executes the instruction f00fc7c8 it shuts down instantly and goes cold. No special privilege is needed to execute the deadly instruction. The only relief is provided by rebooting. The so-called f00f bug has been discussed for some time on linux-kernel and other mailing lists. It shuts the chip down cold, quite literally: the internal logic locks up and the chip stops generating heat. (Some Cyrix CPUs exhibit a similar flaw, according to articles on linux-kernel, which causes the chips to seize up but not to stop drawing power -- a situation that has been summarized as "Pentium dies, Cyrix goes into a coma.") Intel clearly learned a lesson from the PR damage it sustained in the earlier Pentium defect incident -- the company has been working furiously on the problem since it was publicized last Friday. Intel seems to be working toward a software fix, but I can't see how this is feasible. Trapping the bad instructions in kernel microcode could severely degrade the overall performance of the chip. Thanks to Robert S. Thau <rst at ai dot mit dot edu> for insight on the early discussions of this defect.

[7] http://www.news.com/News/Item/0%2C4%2C16173%2C00.html
[8] http://www.wired.com/news/news/technology/story/8390.html

Overstepping on CaffeineMark optimization

On 11/4 Pendragon Software, developer of the widely used CaffeineMark benchmarking suite for Java, shone a cruel light on Sun's claim to the fastest implementation of its portable language. On 10/20 Sun issued a press release [9] stating that its Web-enhanced Solaris environment delivers the world's fastest Java performance. The release also said that the new Solaris Just-In-Time compiler established a new speed record, as measured by CaffeineMark -- 50% faster than the highest Windows NT score. Pendragon engineers analyzed Sun's results and noted that in one benchmark module, the Logic test, Sun had achieved a score 50 times higher than any previous result. Pendragon made minor syntactic changes in the test's source code and watched the Sun JIT compiler's performance drop by a factor of 300; other vendors' Java compilers exhibited no such drop. Looking deeper, Pendragon found that Sun's JIT compiler contains a block of 600 bytecodes exactly matching part of the CaffeineMark code. Apparently Sun had special-cased the benchmark to achieve exceptional results that would not translate into good Java performance in the general case.

Everyone tunes compilers to perform well on common benchmarks, but Sun clearly overstepped this time. Their initial public response [10] amounted to "We didn't do anything wrong, and Microsoft does it too."

Pendragon asked Sun to retract their press release. When Sun did not do so, Pendragon went public with their findings [11]: "The fastest overall CaffeineMark 3.0 scores we have seen to date are from Windows NT systems running on Intel Pentium II processors at 300 MHz."

Sun now admits [12] that it matched Pendragon code in its Java compiler, but says it did so in a lab experiment that should never have been posted to the Web [13].

[9] http://www.sun.com/smi/Press/sunflash/9710/sunflash.971020.1.html
[10] http://www.wired.com/news/news/technology/story/8351.html
[11] http://www.pendragon-software.com/pr1197-2.html
[12] http://www.news.com/News/Item/0%2C4%2C16257%2C00.html
[13] http://www.sun.com/software/caffeinemark.html

The bureaucrats get it backwards, again

Last week the President's Commission on Critical Infrastructure Protection declassified its report [14], which had been in the President's hands for a month. Withering fire [15], [16] was immediately trained on the White House for asserting that in order to protect US information assets, the government will require new exemptions to the Freedom of Information Act, wider use of its power to classify documents, and creation of a new "infrastructure assurance" bureaucracy. The report backs the FBI's desire for a key-escrow infrastructure -- ignoring the significant new vulnerabilities such a structure would introduce to any secure transaction. And the report virtually ignores the one policy that could actually afford positive protection: the widespread promotion and deployment of strong encryption.

[14] http://www.pccip.gov
[15] http://www.wired.com/news/news/politics/story/8355.html
[16] http://www.internetnews.com/Reuters/hit.html

The Council of Registrars, or CORE, has taken over the work of rejuvenating the domain-naming system from its predecessors, the interim Policy Oversight Committee and the International Ad Hoc Committee. CORE has signed up 86 companies [17] to register people for the seven new top-level domains it expects to activate in March 1998. CORE has signed a contract with Emergent Corp. of San Mateo, CA to design and operate the database for the new TLDs [18]. All of this forward movement is being effected in blithe disregard of the US government's moves to retain influence over Net governance [19]. C|net's Margie Wylie discusses what she perceives as the steep odds facing the CORE plan [20]. She points out the critical event that needs to happen for CORE's seven new domains to appear on the Internet: each one of 13 root server operators has to agree to add seven lines to a data file. The head of the Internet Assigned Numbers Authority, Jon Postel, is the man who can order them to do so. I'm much more willing than Wylie is to believe that when Postel speaks next March the root operators will comply.

[17] http://www.gtld-mou.org/docs/reg-results.html
[18] http://www.techserver.com/newsroom/ntn/info/110697/info8_18816_noframes.html
[19] http://192.215.107.71/wire/news/1997/11/1105domain.html
[20] http://www.news.com/Perspectives/mw/mw11_5_97a.html

Just who is the DoJ's antitrust concern aimed at?

An Austin, TX newspaper reports [21] that the deal is on hold. Sources at Power say that the DoJ's request for documents ranges far beyond the Apple acquisition and raises suspicion of a fishing expedition for information in Justice's ongoing investigation of Microsoft.

[21] http://www.austin360.com/tech/stories/11nov/06/power6.htm

The inventors of the Web wanted you to be able to annotate anyone's site. Now, thanks to the inventor of the mouse, you can

The Foresight Institute, a research organization created by computing innovator Douglas Englebart, held its annual conference last week in Palo Alto. Foresight concentrates resources on topics in nanotechnology, but maintains ongoing projects related to hypertext and the World Wide Web -- see [22] for a discussion of the Institute's Web Enhancement Project. Last Wednesday the Institute demonstrated "The Other Half of the Web," an approach to enable freeform community commentary on any Web page by anyone. An overview is available at [23]. At the center of this scheme for universal Web annotation is the Backlink Mediator [24], developed for the Foresight Institute by Ka-Ping Yee [25], [26]. He has placed the code in the public domain. To see how it works, visit TBTF via the Crit site [27]. You will receive in return an annotated version of the page. I have added an annotation in the "Tasty Bit of the Day" section by way of demonstration. You can do the same, if you'd like, and all future visitors (who enter via the crit.org portal) will see your annotations along with everybody else's.

This technology demonstration made my jaw drop. Just as we were getting used to the personal publishing empowerment that the Web enables, here come a few smart people to turn the medium inside out, again. In fact the Foresight Institute is working to actualize on the Web the ideas of open collaboration that fired its earliest developers (themselves inspired by the still earlier work of Englebart and Ted Nelson), but that didn't make the cut as the standards emerged from CERN.

The Backlink Mediator might be important on the public Internet -- if it catches on, if it becomes standard, if a sufficient infrastructure of annotation processors develops. It could also hasten the arrival on the Web of the "tragedy of the commons," which many of us will assert has already arrived at Usenet and is fast overtaking email. It is in the context of corporate intranets that standardized, proxy-based annotation of Web pages could be a clear winner.

[22] http://foresight.org/WebEnhance/index.html
[23] http://foresight.org/WebEnhance/Progress9711.html
[24] http://crit.org/
[25] http://www.lfw.org/ping
[26] http://foresight.org/WebEnhance/DemoPics.html
[27] http://crit.org/http://www.tbtf.com/

India opens up its market for Internet services

India has ended the monopoly on Internet services maintained until now by the state-controlled Videsh Sanchar Nigam Ltd. [28]; a new policy fostering ISP competition takes effect immediately. A government spokesman said, "We cannot continue to be on the information sidewalk." He predicted between 1.5 and 2 million Indian users by the year 2000. (Of the 40,000 users currently accessing the Internet from India, at least 1/2 of 1% read TBTF every week by email, while an estimated 10% read the newsletter through TBTF's republishing arrangement with PC Quest, India's oldest personal computing magazine [29].)

[28] http://www.zdnet.com/zdnn/content/reut/1105/206170.html
[29] http://www.pcquest.com/

In the purest demonstration of list hijacking [30], [31] yet seen on the Internet, online auctioneer Onsale [32] harvested tens of thousands of email addresses from its rival eBay [33] and spammed the list offering a competing service [34], [35]. Onsale claims its actions weren't spammous because the recipients were appropriately "targeted." In the time-honored tradition of American spammers, Onsale threatens to sue eBay for damage to its reputation.

[30] http://www.tbtf.com/archive/1995-09-24.html
[31] http://www.tbtf.com/archive/1995-12-06.html
[32] http://www.onsale.com/
[33] http://www.ebay.com/
[34] http://www.news.com/News/Item/0%2C4%2C16051%2C00.html
[35] http://www.zdnet.com/zdnn/content/zdnn/1105/206415.html

Fans of random numbers, Blum primes, and 1960s kitch will want to know about a service provided by engineers at SGI: they are using Lava Lite lamps [35a] as a source of true randomness [36]. (I enjoyed one of these lamps in my dorm room as a freshman in college. Don't ask when.) The site for the original randomness server, HotBits [37] (covered in TBTF for 1997-03-09 [38]), adopts a tone that is breezy but technical. The Lavarand site [36] aims to be educational and is pitched a few degrees lower -- a PhD or Masters is not strictly required for comprehension. The source of randomness in Lavarand is a collection of six Lava Lite lamps that are photographed periodically by a digital camera. A hash of the bits from the resulting image seeds a pseudo-random number generator, the Blum Blum Shub [39] of the subtitle.

[35a] http://www.lavaworld.com/history.html
[36] http://lavarand.sgi.com/index.html
[37] http://www.fourmilab.ch/hotbits/
[38] http://www.tbtf.com/archive/1997-03-09.html#s05
[39] http://sunsite.informatik.rwth-aachen.de/dblp/db/journals/siamcomp/...

Lenore Blum, Manuel Blum, Mike Shub: A Simple Unpredictable Pseudo-Random Number Generator. SIAM J. Comput. 15(2): 364-383 (1986); published by the Society for Industrial and Applied Mathematics

Starting tomorrow your correspondent takes on full-time responsibility as Director of Internet Strategy for a startup that will for the moment remain nameless. When the time comes you'll hear plenty about it, believe me.

The startup is Sitara Networks, Inc. and its mission is to speed up the user's experience of the World Wide Web. In laboratory testing we've seen pages from an accelerated site load 3 to 8 times faster than the same pages without Sitara; the worse the Internet congestion the greater Sitara's advantage. Visit the pre-announcement Web site [41] for an idea of the dimensions of the problem we're tackling. Sitara will be announcing products on December 10 at Internet World in New York. Pay another visit to the site [41] a few days beforehand; there just might be something new. If you could use two free passes to the show floor at Internet World, send a request including your street address to press@sitara.net. Tell them TBTF sent you.

[40] http://www.tbtf.com/archive/1997-07-14.html
[41] http://www.sitara.net/

TBTF home and archive at http://www.tbtf.com/ . To subscribe send
the message "subscribe" to tbtf-request@world.std.com. TBTF is
Copyright 1994-1997 by Keith Dawson, <dawson dot tbtf at gmail dot com>. Com-
mercial use prohibited. For non-commercial purposes please forward,
post, and link as you see fit.
_______________________________________________
Keith Dawson    dawson dot tbtf at gmail dot com
Layer of ash separates morning and evening milk.