Microsoft:
On July 21, a self-described hacker group known as the Cult of the
Dead Cow released a tool called BackOrifice, and suggested that
Windows users were at risk from unauthorized attacks.

cDc:
Actually, we released it on August 3rd.
Incidentally, it's been downloaded at least 35,000 times as of 11:55pm, August 7th.

Microsoft:
Microsoft takes security seriously, and has issued this bulletin to advise
customers that Windows 95 and Windows 98 users following safe computing
practices are not at risk...

cDc:
This is simply false. Our view is that no degree of "safe computing practices"
can compensate for the security bugs and lack of functionality
in Windows 95 & 98.

Microsoft:
...and Windows NT users are not threatened in any way by this tool.

cDc:
For the present.
But remember that the tool has been around for less than a week.

The Claims About BackOrifice

Microsoft:
According to its creators, BackOrifice is "a self-contained,
self-installing utility which allows the user to control and monitor
computers running the Windows operating system over a network". The
authors claim that the program can be used to remotely control a
Windows computer, read everything that the user types at the keyboard,
capture images that are displayed on the monitor, upload and download
files remotely, and redirect information to a remote internet site.

cDc:
Back Orifice does not do anything that the Windows 95/98 operating
system was not intended to do. It does not take advantage of any bugs
in the operating system or use any undocumented or internal APIs. It
uses documented calls built into Windows to do such things as:
- Reveal all cached passwords. This includes passwords for web
sites, dialup connections, network drives and printers, and the
passwords of any application that stores user passwords in the
operating system.
(This Windows feature was apparently implemented so the user won't be
inconvenienced by having to remember his passwords every time he uses
his computer.)
- Create shares hidden from the user and list the passwords of existing
shares.
- Make itself mostly invisible. Back Orifice does not appear in the
control-alt-delete list of running programs, and can only be killed by
a low-level process viewer, which Windows 95 does not ship with. To
their credit, Windows 98 does ship with a process viewer, but it is not
installed by default.

The Truth About BackOrifice

Microsoft:
BackOrifice does not expose or exploit any security issue with the
Windows platform or the BackOffice suite of products.

cDc:
Back Orifice has nothing to do, at all, with the BackOffice suite. In
fact, the BackOffice suite only runs on NT, which isn't even supported
by Back Orifice yet. Apples and oranges.

Microsoft:
BackOrifice does not compromise the security of a Windows network.

cDc:
cDc would like to know where exactly Microsoft is getting its definition
of "compromise the security".

Microsoft:
Instead, it relies on the user to install it...

cDc:
Back Orifice does not rely on the user for its installation.
To install it, it simply needs to be run. Thanks to some actual exploits,
there are several ways a program could be run on a Windows computer, not
only without the user's approval, but without the user's knowledge.

Microsoft:
...and, once installed, has only the rights and privileges that
the user has on the computer.

cDc:
This is correct. Once installed, Back Orifice can only do what the user
sitting at the computer could do, if he has programs that do everything
that Back Orifice does.
This includes:
- seeing what's on the screen
- seeing what's typed on the keyboard
- installing software
- uninstalling software
- rebooting the computer
- viewing stored passwords
- viewing and editing the system registry
- connecting and disconnecting the machine to other network hosts
using anyone's username & password
- running arbitrary plugins or programs, which of course could
employ any manner of exploit or attack

Microsoft:
For a BackOrifice attack to succeed, a chain of very specific events
must happen:

- The user must deliberately install, or be tricked into installing, the
program.

cDc:
Not at all.
Thanks to various security bugs and common system misconfigurations,
there are often ways to deliver and execute arbitrary code on a Windows
machine.
Even lacking such an exploit, it's easy enough to give the average
Windows user a reason for downloading & installing programs
from untrusted sources. It happens all the time.

Microsoft:
- The attacker must know the user's IP address.

cDc:
Untrue.
Back Orifice can sweep a range of IP addresses and network blocks
to hunt for installations of its server software.

Microsoft:
- The attacker must be able to directly address the user's
computer; e.g., there must not be a firewall between the attacker
and the user.

cDc:
Incorrect.
The mere presence of a firewall or proxy server is not in itself a
complete solution.
For good, reliable protection of Windows machines on the internet, the cDc
can recommend nothing better than a good, properly configured
firewall.
However, a firewall that permits ANY traffic is still a potential risk.
Back Orifice can communicate over any available port. Therefore, if
the firewall lets through any UDP packets at all, two-way communication
can be established.
As for file transfers originating at the remote machine, Back Orifice can
use TCP to send data out through the firewall.
Not to mention the hundreds of thousands of Windows 95
and 98 boxes connected to the internet via a dialed connection through
their local or national ISP. For mass IP vendors like those, a
firewall simply isn't reasonable. Most of the internet simply wouldn't
be accessible anymore.

What Does This Mean for Customers Running Windows 95 and Windows 98?

Microsoft:
BackOrifice is unlikely to pose a threat to the vast majority of
Windows 95 or Windows 98 users, especially those who follow safe
internet computing practices. Windows 95 and Windows 98 offer a set of
security features that will in general allow users to safely use
their computers at home or on the Internet. Like any other program,
BackOrifice must be installed before it can run.

Clearly, users should prevent this installation by following good
practices like not downloading unsigned executables, and by insulating
themselves from direct connection to the Internet with proxy servers
and/or firewalls wherever possible.

cDc:
cDc remembers a day when PC software was written by anyone who had a
creative idea for a cute, useful, interesting, or even just plain
silly program and was able to share that program with friends who
might also enjoy it. It is unfortunate that the only software
we're allowed to run now is written by large companies. It's a good
thing we can still trust them not to do something unwanted to our
computer!

Microsoft:
Generally, computers running Windows 95 and Windows 98 are not
vulnerable if:

- The computer is not connected to the outside world.

cDc:
Unless someone on the inside wants control of your machine.
Perhaps your employer is using B.O. to keep track of its human resources.
(As a matter of fact, in most states this would be entirely legal.)
Or suppose one of your coworkers is just plain nosy.
In these circumstances, it doesn't matter whether your computer is on the
internet.

Microsoft:
- The computer is connected to the Internet through an Internet
service provider that dynamically assigns IP addresses, as the vast
majority of ISPs already do.

cDc:
Unless the dynamic address assigned is always in the same subnet (as
the vast majority of ISPs do), in which case B.O. can scan a range of
IP addresses to find your machine at its new address.

Microsoft:
- The computer is on a network with a firewall or proxy server between
it and the attacker.

cDc:
See above ("firewalls").

What Does This Mean For Customers Running Windows NT?

Microsoft:
There is no threat to Windows NT Workstation or Windows NT Server
customers; the program does not run on the Windows NT platform.
BackOrifice's authors don't claim that their product poses any threat
to Windows NT. Windows NT Workstation and Server offer a
comprehensive set of security features that make it the best choice for
business users' mission-critical applications.

cDc:
Don't go upgrade to Windows NT just yet.
We will be releasing a Windows NT version as soon as we
get around to installing that OS.

What Customers Should Do

Microsoft:
Customers do not need to take any special precautions against this
program. However, all of the normal precautions regarding safe
computing apply:

Customers should keep their software up to date and should never
install or run software from unknown sources -- this applies to
both software available on the Internet and software sent via e-mail.
Reputable software vendors digitally sign their software to verify its
authenticity and safety. Companies should use the security
features provided by Microsoft products to prevent the introduction of
this and other malicious software, and should monitor network
usage to prevent insider attacks.

cDc:
Rather than having to abstain from using non-big-company "Reputable
Vendor" software, how about providing some protection?
How about the ability to monitor and even prevent disk and registry
access so people can run software with confidence, so that even if the
author has malicious intent, the software has become infected with an unknown
virus or trojan, or there is a bug or malfunction, there is no damage it
can do?

Incidentally, Microsoft is also falsely claiming that they tried to contact
us regarding BO. On the contrary, Microsoft has repeatedly shown little
interest when contacted about security holes in their products in the past.
In general, they have needed to have their noses rubbed in it before
acknowledging any problems.
cDc issued a preliminary press release about Back Orifice more than a month
before releasing the software. A wider-distribution press release was issued
on July 21st, more than a week before the demonstration at DefCon VI... and
again, nothing from Microsoft.
Other than issuing silly statements to the press, among other things calling
us irresponsible and comparing BO to Satan (again, apples and oranges), they
have never contacted us. For over 3 days at DefCon, no one from Microsoft
introduced or identified themselves to us. Immediately following our
presentation, we were swarmed by the media and the curious... but no one from
Microsoft.
It wasn't until August 4 that Scott Culp, Security Product Manager for
Windows NT Server, contacted us in e-mail:
We immediately called him back. He was interested in learning about every
vulnerability we knew of. "The biggest one we know of is Windows 95/98
itself," to which he agreed.
Later that same day, Microsoft issued another statement -- this time
mentioning that they had tried to contact us and had gotten no response.
The goliath doth protest too much, methinks.
The fact remains that Back Orifice is only as dangerous as Microsoft's
security is deficient.
How about a for-instance?
Win95/98 caches frequently-used passwords in
, which BO has
access to. This often includes the passwords users use for their ISPs. But if
one is to believe the missives which issue from the Microsoft Marketing
Department, ISPs have nothing to worry about. Either that, or ISPs across the
globe should encourage all their customers to upgrade to NT?
Is Windows 95/98 the platform on which you perform "secure" transactions?
Is a Windows 95/98 platform an endpoint of your corporate VPN? If so,
maybe you should be worried.
Back Orifice is a Rorschach test for Microsoft credibility. Microsoft's own
official response to us was issued as a marketing bulletin! Does anybody
else besides cDc find it disturbing that the Marketing Department is running
the show over there?
Oh, never mind. Forget we ever mentioned it. Listen to Microsoft; don't
worry, be happy. Everything will be all right.