Who’s to blame? The hazard of “0-day”.

[This was originally published on the OSVDB blog.]

This blog entry is probably worth many pages of ranting, examining and dissecting the anatomy of a 0-day panic and the resulting fallout. Since this tends to happen more often than some of us care to stomach, I’ll touch on the major points and be liberal in pointing fingers. If you receive the “wag of my finger“, stop being part of the problem and wise up.

I blinked and missed someone disclosing that there was a dreaded 0-day vulnerability in Adobe Flash Player and that it was a big threat. Apparently Symantec noticed that evil Chinese sites were exploiting Flash and the current 9.0.124.0 could be successfully exploited. When pressed for details, Symantec backtracked and said that they were wrong and it appeared to be the same exploit as previously disclosed by Mark Dowd (CVE-2007-0071). Bad Symantec, poor research.

To make matters worse, Symantec then further claimed that even though it was an old issue, the “in-the-wild exploit was effective against stand-alone versions of Flash Player 9.0.124.0” and that not all versions had been patched correctly. Way to save face, Ben Greenbaum of Symantec!! Oh wait, today he changed his mind and said that Symantec’s claims were based on erroneous conclusions and that the behavior of Flash on Linux they were observing was indeed intended by Adobe and not proof it was vulnerable. To make matters worse, Symantec researchers downloaded the “latest” Flash and found it “vulnerable”, which led to their sky-is-falling panic. Shortly after, they realized that they hadn’t downloaded all of the security patches and had been exploiting a known vulnerable version of Flash. Oops?

Two rounds of hype-driven 0-day threat warnings, and no real new threat. Whew, hopefully Symantec raised their THREATCON to blood red or whatever is appropriate for such 0-day threats. You do monitor that don’t you?

This fiasco led many news outlets and vendors to issue warnings about the new 0-day threat. Secunia, SecurityFocus/BID, SecurityTracker, CERT, and FrSIRT all released new warnings and created entries in their respective databases as a result. In the VDB world, this is a royal pain-in-the-ass to deal with. Secunia ‘revoked’ their entry, BID ‘retired’ their entry, SecurityTracker flagged theirs ‘duplicate entry’, FrSIRT ‘revoked’ their entry and CERT still has it listed.

Fortunately for OSVDB, we were a few hours behind the rest, noticed the discrepancies and waited for more information. Unfortunately, the rest of the world, including ALL of the VDBs and news outlets listed above (and others), failed miserably in using common sense and a government-funded resource to prevent exactly this kind of problem. As of this posting, Secunia, BID, SecurityTracker, FrSIRT, CERT, Dancho, ComputerWorld and eWeek still don’t link to the CVE ID for the vulnerability. Only Adobe’s updated blog entry actually references CVE-2007-0071 (but doesn’t link to it). Secunia links to a previous ID that has seven CVEs associated with it. The original CVE was assigned 2007-01-04 and published around 2008-04-08, a month and a half prior to this mess.

VDBs, shame on you for adding to the confusion. Symantec, shame on you for crying 0-day when your own engineers screwed up badly. Shame on everyone for not clearing it up fully by linking to the correct CVE entry or their own previous entries.

Before any of you receiving a “wag of the finger” bitch, consider the real-world impact of your actions. In this case, only 12 MILLION people ended up seeing a vague warning when they loaded their favorite game. Blizzard included the correct fix information, which was the same as a month or more before, but the sudden ‘security alert’ (which is extremely rare) only prompted their customers to wonder, possibly panic and definitely kill some demons as a result.

Hey asshole business (Chase)

Ranting on behalf of a friend. We were out grabbing vegetables for the guinea pigs, a quick dinner and some wine for her. Trying to purchase the wine, her debit card was declined. Figuring it was a fluke and the bad mojo of our local Wine Nazi rubbing off, she tried again at Wahoo’s and it got declined again. She figured maybe her balance had dipped below 0, as she had just bought a new computer and paid three months of rent at the same time. Before heading back we swung by her bank’s ATM so she could deposit a few checks she never had, and the ATM refused to let her do any transactions. Because it thought her balance was below 0, the ATM wouldn’t let her deposit money to cover it. How stupid is that? That seems like the bank just being dickish to help garner overdraft fees.

The next morning I get a call at 8:30AM from her bank’s fraud department. Entirely automated, it asks if I am X or someone who can speak on behalf of X. I hit 1 in case I can fix the problem. The system proceeds to ask me two multiple-guess questions to validate who I am, but never makes me enter the PIN associated with her debit card. It then asks me to confirm the last four transactions: “21 dollars at a liquor store, declined” (1 for yes), “8 dollars at a restaurant, declined” (1 for yes), “1100 dollars at a computer company, accepted” (1 for yes), “10 dollars at a marketing firm” (1 for yes). I have no clue what the last one is, but she is fond of buying small art and guinea pig supplies over the net, many of which show up on statements with odd names. Since it was clear the system categorized the transactions (liquor store, restaurant, computer company), I figured it was one of those. After all of that: “thank you, your card is ready for use”.

So she never dipped below the minimum balance at all; her card was put on hold for potential fraudulent purchase(s), and they found it important to wake me up before business hours to fix it. Hours later, after I woke up (again) and thought about it, it occurred to me just how stupid the entire system is. Calling at 8:32 is, I assume, intended to reach the person before work, but I know many people who leave well before 8:30 for their 9 – 5 job. Even if the goal is to reach them, calling me outside business hours to clear up your stupidity is absurd, especially when she can’t use your ATM or online system to fix the problem outside business hours.

  1. There was ONE abnormal purchase on her card (the computer). The declined wine purchase was at the same store she frequents several times a week. The declined restaurant was Wahoo’s, where we eat as many as 4 times a week. That one purchase for 1100 was considerably smaller than another single-item purchase she made in the last 9 months. That total was roughly the same amount as half a dozen purchases in a three-day period in another state. Why did this one flag her account and the others didn’t?
  2. The card was locked for potential fraud, yet the ATM would not let her go through the same routine I did. She could have inserted the card, entered the PIN and answered those questions and fixed it without waiting a day.
  3. The only security offered in the validation process was calling the number on record. Not asking for the PIN to be entered, and asking two trivially guessed questions instead, is absurd.

So Chase Bank, eat a big bowl of dicks. Your policies and procedures are laughable and annoying.

Hypersensitive Computer Displays

I’ve noticed this many times over the last decade. Computerized display systems are often hypersensitive to the point of being silly and absurd. Years ago I noticed that downloading files via some clients would show me the speed of the transfer to the Nth place, where N is totally ridiculous. I was getting 83.92384293842903k download and all but the first three numbers were a blur, as they changed too quickly to read. Instead of updating the number every 1 second, it updated as fast as the computer could. What does that do for me exactly?

Along these lines are computerized estimates of time left. Microsoft Windows is well known for showing absurd times to complete a task. One minute it shows 4 minutes to copy that file, the next it shows 83 minutes. I’ve actually seen it show over 6,000,000 hours to finish a large file copy (that ended up finishing in about an hour). Some programs (names fail me right now) also have install progress meters that are totally worthless. As the bar reaches the right and you think it is finished installing, the bar resets and does it again. And again. And again. What is the purpose of the progress bar if there is no “overall % complete” or indication of how many bars we must suffer through?

Jump to today, which triggered this. I’m driving through Atlanta in a PT Cruiser, feeling like a douchebag, and I notice the readout showing me “291 miles until empty”. Yes, the car is so smart it can tell me how many miles I can drive before I have to refill the tank! Wait, it was 285 in the rental parking lot 15 miles ago. I pull in to my hotel some 8 miles later and it shows me 294 miles until empty. So apparently in the state of Georgia, driving the car actually fills the tank rather than emptying it. Gas buyers rejoice!
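A worked illustration of both complaints, the blur of digits and the wildly swinging “time remaining” (the car’s miles-to-empty readout is the same estimator with fuel and consumption in place of bytes and throughput). This is an added example, not code from the original post: the transfer samples, the 100 MiB total and the 0.3 smoothing weight are constructed for illustration. It shows why dividing “remaining” by the most recent instantaneous rate produces nonsense after a single stalled second, how an exponential moving average tames it, and how a readout that refreshes at most once per second stays readable.

```python
"""Why "time remaining" readouts jump around, and two fixes.

Added example, not code from the original post. The transfer samples are
constructed: roughly 1 MiB/s with one stalled second and one burst, which
is enough to make a naive estimator swing from seconds to hours.
"""

MIB = 2 ** 20
TOTAL_BYTES = 100 * MIB  # constructed: a 100 MiB download

# (elapsed seconds, cumulative bytes received): constructed samples
SAMPLES = [
    (1.0, 1 * MIB),
    (2.0, 2 * MIB),
    (3.0, 3 * MIB),
    (4.0, 3 * MIB + 4096),  # stall: only 4 KiB arrived this second
    (5.0, 9 * MIB),         # burst: the stalled data flushed at once
    (6.0, 10 * MIB),
    (7.0, 11 * MIB),
]


def instantaneous_rate(prev, cur):
    """Throughput over the most recent interval only (bytes per second)."""
    (t0, b0), (t1, b1) = prev, cur
    return (b1 - b0) / (t1 - t0)


def naive_eta(samples, total):
    """Remaining bytes divided by the latest instantaneous rate.

    This is the estimator that shows 4 minutes one second and 83 the next:
    a single slow interval makes the remaining time explode."""
    etas = []
    for prev, cur in zip(samples, samples[1:]):
        rate = instantaneous_rate(prev, cur)
        remaining = total - cur[1]
        etas.append(remaining / rate if rate > 0 else float("inf"))
    return etas


def smoothed_eta(samples, total, alpha=0.3):
    """Same calculation, but the rate is an exponential moving average.

    alpha (assumed 0.3 here) is the weight of the newest interval: a
    one-second stall or burst moves the estimate but cannot dominate it."""
    etas = []
    avg = None
    for prev, cur in zip(samples, samples[1:]):
        rate = instantaneous_rate(prev, cur)
        avg = rate if avg is None else alpha * rate + (1 - alpha) * avg
        remaining = total - cur[1]
        etas.append(remaining / avg if avg > 0 else float("inf"))
    return etas


class ThrottledReadout:
    """Refresh a displayed value at most once per `interval` seconds.

    Between refreshes the last shown value is repeated, which turns the
    unreadable blur of digits into a number a person can actually read."""

    def __init__(self, interval=1.0):
        self.interval = interval
        self.last_shown_at = None
        self.shown = None

    def update(self, now, value):
        if self.last_shown_at is None or now - self.last_shown_at >= self.interval:
            self.last_shown_at = now
            self.shown = value
        return self.shown


def throttle_series(points, interval=1.0):
    """Run a (timestamp, value) series through ThrottledReadout."""
    readout = ThrottledReadout(interval)
    return [readout.update(t, v) for t, v in points]


if __name__ == "__main__":
    for name, etas in (("naive", naive_eta(SAMPLES, TOTAL_BYTES)),
                       ("smoothed", smoothed_eta(SAMPLES, TOTAL_BYTES))):
        print(f"{name:9}", " ".join(f"{e:8.1f}s" for e in etas))
```

On the constructed samples the naive estimate reads 98 s, 97 s, then nearly seven hours during the stalled second, then about 15 s during the burst; the smoothed estimate stays between roughly 40 s and 140 s across the same data. The smoothing weight is a trade-off: a smaller alpha gives a steadier number that reacts more slowly to a genuine change in speed.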