TBTF for 11/10/97: Blum Blum Shub

Keith Dawson (dawson@world.std.com)
Tue, 11 Nov 1997 22:03:57 -0600



T a s t y B i t s f r o m t h e T e c h n o l o g y F r o n t

Timely news of the bellwethers in computer and communications
technology that will affect electronic commerce -- since 1994

Your Host: Keith Dawson

This issue: < http://www.tbtf.com/archive/11-10-97.html >

C o n t e n t s

A new IE4 security hole: buffer overrun
Pentium flaw stops chips cold
Sun cheats on Java benchmark
Government "critical infrastructure" report blasted
IAHC/iPOC plan moves forward under CORE
Justice Department delays Apple buyout of Power Computing
Talking back to Web sites
Stepping off the information sidewalk
List hijacking update: Onsale mails eBay customers
Random numbers from Lava Lites

..A new IE4 security hole: buffer overrun

Another vulnerability in code that integrates browser and desktop

A new vulnerability, #15 on TBTF's 1997 list [1], has been reported
in Internet Explorer 4 and several other Microsoft products. It
seems that Microsoft has introduced a buffer overflow in code that
recognizes the new res:// scheme, which allows browsers to read DLL
resources. The problem was discovered by one "dildog" and publicized
by the hacker organization The L0pht [2]; Wired picked up the story
[3]. The cause of the security hole, according to dildog, resides
in code used to parse HTML by several Windows programs, including
Internet Explorer, Windows Explorer, and Outlook Express (both mail
and news). When any of these programs attempts to parse a res:// URL
longer than 256 characters, the copy runs past a fixed-size stack
buffer; an intruder can use the overrun to place arbitrary code on
the stack and redirect execution into it (the classic stack-smashing
attack). Exploiting such overflows has been a staple of the attack-
er's toolkit since the earliest days of hacking. Dildog's exploit HTML
page (included on [2] in uuencoded form) adds text to the bottom of
a victim's autoexec.bat file. Clearly, this security hole could be
used to do greater damage, for example by invoking the newly dis-
covered "f00f" Pentium flaw (see next story) to freeze the victim's
machine. No IE security setting offers any defense against this
problem. I learned from Microsoft's PR firm that they intend to
post a patch at [4] for the problem by the morning of 11/12. Micro-
soft believes the bug affects only the released Windows 95 version
of Internet Explorer 4, and not the versions for Windows NT, Mac-
intosh, or Unix. There was no mention of the problem extending to
Windows Explorer or Outlook Express, as dildog claimed. Here is
a late report from c|net [5] on Microsoft's reaction to the buffer
overrun bug. Thanks to David Black <d.black@opengroup.org> for the
first word on this bug.
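To make the bug class concrete, here is an added example in C (mine,
not dildog's exploit and not Microsoft's code): a res:// parser that
copies the URL body into a fixed 256-byte stack buffer without a
length check, beside a bounded version that rejects oversized input
before any copy takes place. The split of the body into a module
(DLL) name and a resource name at the first '/' is an assumed layout
for illustration only; the page does not give the scheme's real
grammar, and the sample URLs are constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not dildog's exploit and not Microsoft's code.  It models
 * the bug class the advisory describes: a parser that copies the body of a
 * res:// URL into a fixed 256-byte stack buffer without checking its length,
 * beside a bounded version.  The split of the body into a module (DLL) name
 * and a resource name at the first '/' is an assumed layout for illustration;
 * the page does not give the scheme's real grammar. */

#define RES_SCHEME     "res://"
#define RES_SCHEME_LEN 6
#define RES_BUF        256

/* Vulnerable shape.  strcpy() stops only at the NUL terminator, so a body
 * longer than RES_BUF-1 bytes runs past buf[] into the saved frame pointer
 * and return address; that is what lets a crafted URL place code on the
 * stack.  Kept here only to show the defect; never feed it untrusted input. */
int res_parse_unsafe(const char *url, char *module_out)
{
    char buf[RES_BUF];

    if (strncmp(url, RES_SCHEME, RES_SCHEME_LEN) != 0)
        return -1;
    strcpy(buf, url + RES_SCHEME_LEN);          /* no length check: the bug */
    char *slash = strchr(buf, '/');
    if (slash != NULL)
        *slash = '\0';
    strcpy(module_out, buf);                    /* second unbounded copy */
    return 0;
}

/* Hardened form.  Length is checked before any copy, every copy is bounded
 * by its destination's capacity, and malformed input is rejected rather
 * than half-parsed.  Return codes:
 *   0  ok, -1 not a res:// URL, -2 body too long for RES_BUF,
 *  -3 missing module or resource part, -4 caller's buffers too small. */
int res_parse_safe(const char *url,
                   char *module_out, size_t module_cap,
                   char *resource_out, size_t resource_cap)
{
    if (url == NULL || strncmp(url, RES_SCHEME, RES_SCHEME_LEN) != 0)
        return -1;

    const char *body = url + RES_SCHEME_LEN;
    size_t body_len = strlen(body);
    if (body_len >= RES_BUF)                    /* would not fit buf[] + NUL */
        return -2;

    const char *slash = strchr(body, '/');
    if (slash == NULL)
        return -3;
    size_t module_len   = (size_t)(slash - body);
    size_t resource_len = body_len - module_len - 1;
    if (module_len == 0 || resource_len == 0)
        return -3;
    if (module_len >= module_cap || resource_len >= resource_cap)
        return -4;

    memcpy(module_out, body, module_len);
    module_out[module_len] = '\0';
    memcpy(resource_out, slash + 1, resource_len);
    resource_out[resource_len] = '\0';
    return 0;
}

int main(void)
{
    char module[64], resource[64];
    char oversized[600];

    /* Constructed inputs: a well-formed URL and one whose body is far past
     * the 256-byte limit the advisory gives. */
    int rc = res_parse_safe("res://example.dll/page.htm",
                            module, sizeof module, resource, sizeof resource);
    printf("short URL: rc=%d module=%s resource=%s\n", rc, module, resource);

    memset(oversized, 'A', sizeof oversized - 1);
    oversized[sizeof oversized - 1] = '\0';
    memcpy(oversized, RES_SCHEME, RES_SCHEME_LEN);
    rc = res_parse_safe(oversized, module, sizeof module,
                        resource, sizeof resource);
    printf("600-byte URL: rc=%d (rejected before any copy)\n", rc);
    return 0;
}
```

Compile with warnings on (gcc -Wall) and note that the compiler says
nothing about res_parse_unsafe: the missing check is a logic error,
not a type error, which is why bugs of this kind survive into
shipping products. The fix is not a bigger buffer but the refusal in
res_parse_safe to copy anything whose length has not been checked
against the destination.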

Here thanks to Lloyd Wood <L.Wood@surrey.ac.uk> is a timely example
[6] of how this bug and the one described next can be combined to
demonstrate the law of emergent behavior. Wood writes:

> If you're running Internet Explorer 4 on a Pentium, you can
> easily verify for yourself that these problems exist by
> attempting to load this page [6] -- but do save your work
> first. (Internet Explorer 3 is immune.) This page auto-
> matically exploits both the recently-discovered Pentium
> bug, and the recently discovered Explorer 4 res:// buffer
> overflow bug, via a trivial piece of autoexecuting HTML --
> which could easily be emailed.

[1] http://www.tbtf.com/resource/ms-sec-exploit.html
[2] http://l0pht.com/advisories/ie4_x1.txt
[3] http://www.wired.com/news/news/technology/story/8429.html
[4] http://www.microsoft.com/ie/security/
[5] http://www.news.com/News/Item/0%2C4%2C16258%2C00.html
[6] http://www.ee.surrey.ac.uk/Personal/L.Wood/IE4res/

..Pentium flaw stops chips cold

Remember the Pentium floating-point glitch and "Intel Inside,
Can't Divide?"

Another Pentium error has come to light [7], [8], this one poten-
tially exploitable in denial-of-service attacks. The problem affects
all Pentium processors (but not Pentium IIs), of which there are
hundreds of millions in the world, no matter what operating system
they are running. Whenever a Pentium executes the four-byte in-
struction "f00fc7c8" (an invalid encoding of "lock cmpxchg8b" with
a register operand, which the chip fails to handle cleanly) it
shuts down instantly and goes cold. Some accounts give the sequence
as "c8c70ff0"; that is the same four bytes written in reverse, as a
little-endian 32-bit word, not a second instruction. No special
privilege is needed to execute the deadly instruction, so any local
process, or code smuggled in via a bug like the one above, can trig-
ger it. The only relief is provided by
rebooting. The so-called "f00f bug" has been discussed for some time
on linux-kernel and other mailing lists. It shuts the chip down
cold, quite literally: the internal logic locks up and the chip
stops generating heat. (Some Cyrix CPUs exhibit a similar flaw,
according to articles on linux-kernel, which causes the chips to
seize up but not to stop drawing power -- a situation that has been
summarized as "Pentium dies, Cyrix goes into a coma.") Intel clearly
learned a lesson from the PR damage it sustained in the earlier Pen-
tium defect incident -- the company has been working furiously on
the problem since it was publicized last Friday. Intel seems to be
working toward a software fix, but I can't see how this is feasible.
Trapping the bad instructions in kernel microcode could severely
degrade the overall performance of the chip. Thanks to Robert S.
Thau <rst@ai.mit.edu> for insight on the early discussions of this

[7] http://www.news.com/News/Item/0%2C4%2C16173%2C00.html
[8] http://www.wired.com/news/news/technology/story/8390.html

..Sun cheats on Java benchmark

Overstepping on CaffeineMark optimization

On 11/4 Pendragon Software, developer of the widely used Caffeine-
Mark benchmarking suite for Java, shone a cruel light on Sun's claim
to the fastest implementation of its portable language. On 10/20 Sun
issued a press release [9] stating that its Web-enhanced Solaris en-
vironment delivers the world's fastest Java performance. The release
also said that the new Solaris Just-In-Time compiler established a
new speed record, as measured by CaffeineMark -- 50% faster than the
highest Windows NT score. Pendragon engineers analyzed Sun's results
and noted that in one benchmark module, the Logic test, Sun had
achieved a score 50 times higher than any previous result. Pendragon
made minor syntactic changes in the test's source code and watched
the Sun JIT compiler's performance drop by a factor of 300; other
vendors' Java compilers exhibited no such drop. Looking deeper, Pen-
dragon found that Sun's JIT compiler contains a block of 600 byte-
codes exactly matching part of the CaffeineMark code. Apparently
Sun had special-cased the benchmark to achieve exceptional results
that would not translate into good Java performance in the general

Everyone tunes compilers to perform well on common benchmarks, but
Sun clearly overstepped this time. Their initial public response [10]
amounted to "We didn't do anything wrong, Microsoft does it too."

Pendragon asked Sun to retract their press release. When Sun did not
do so, Pendragon went public with their findings [11]: "The fastest
overall CaffeineMark 3.0 scores we have seen to date are from Win-
dows NT systems running on Intel Pentium II processors at 300 MHz."

Sun now admits [12] that it matched Pendragon code in its Java com-
piler, but says it did so in a lab experiment that should never have
been posted to the Web [13].

[9] http://www.sun.com/smi/Press/sunflash/9710/sunflash.971020.1.html
[10] http://www.wired.com/news/news/technology/story/8351.html
[11] http://www.pendragon-software.com/pr1197-2.html
[12] http://www.news.com/News/Item/0%2C4%2C16257%2C00.html
[13] http://www.sun.com/software/caffeinemark.html

..Government "critical infrastructure" report blasted

The bureaucrats get it backwards, again

Last week the President's Commission on Critical Infrastructure
Protection declassified its report [14], which had been in the
President's hands for a month. Withering fire [15], [16] was im-
mediately trained on the White House for asserting that in order
to protect US information assets, the government will require
new exemptions to the Freedom of Information Act, wider use of
its power to classify documents, and creation of a new "infra-
structure assurance" bureaucracy. The report backs the FBI's
desire for a key-escrow infrastructure -- ignoring the signif-
icant new vulnerabilities such a structure would introduce to
any secure transaction. And the report virtually ignores the
one policy that could actually afford positive protection: the
widespread promotion and deployment of strong encryption.

[14] http://www.pccip.gov
[15] http://www.wired.com/news/news/politics/story/8355.html
[16] http://www.internetnews.com/Reuters/hit.html

..IAHC/iPOC plan moves forward under CORE

The domain naming plan that began a year ago with the IAHC
continues to advance into an increasingly unpredictable
political environment

The Council of Registrars, or CORE, has taken over the work of
rejuvenating the domain-naming system from its predecessors, the
interim Policy Oversight Committee and the International Ad Hoc
Committee. CORE has signed up 86 companies [17] to register people
for the seven new top-level domains it expects to activate in March
1998. CORE has signed a contract with Emergent Corp. of San Mateo,
CA to design and operate the database for the new TLDs [18]. All of
this forward movement is being effected in blithe disregard of the
US government's moves to retain influence over Net governance [19].
C|net's Margie Wylie discusses what she perceives as the steep
odds facing the CORE plan [20]. She points out the critical event
that needs to happen for CORE's seven new domains to appear on the
Internet: each one of 13 root server operators has to agree to add
seven lines to a data file. The head of the Internet Assigned Num-
bers Authority, Jon Postel, is the man who can order them to do so.
I'm much more willing than Wylie is to believe that when Postel
speaks next March the root operators will comply.

[17] http://www.gtld-mou.org/docs/reg-results.html
[18] http://www.techserver.com/newsroom/ntn/info/110697/info8_18816_noframes.html
[20] http://www.news.com/Perspectives/mw/mw11_5_97a.html

..Justice Department delays Apple buyout of Power Computing

Just who is the DoJ's antitrust concern aimed at?

An Austin, TX newspaper reports [21] that the deal is on hold. Sources
at Power say that the DoJ's request for documents ranges far beyond
the Apple acquisition and raises suspicion of a fishing expedition
for information in Justice's ongoing investigation of Microsoft.

[21] http://www.austin360.com/tech/stories/11nov/06/power6.htm

..Talking back to Web sites

The inventors of the Web wanted you to be able to annotate anyone's
site. Now, thanks to a few people inspired by the inventor of the
mouse, you can

The Foresight Institute, a research organization whose Web work
draws on the ideas of computing innovator Douglas Engelbart, held
its annual conference last
week in Palo Alto. Foresight concentrates resources on topics in
nanotechnology, but maintains ongoing projects related to hypertext
and the World Wide Web -- see [22] for a discussion of the Insti-
tute's Web Enhancement Project. Last Wednesday the Institute demon-
strated "The Other Half of the Web," an approach to enable freeform
community commentary on any Web page by anyone. An overview is
available at [23]. At the center of this scheme for universal Web
annotation is the Backlink Mediator [24], developed for the Foresight
Institute by Ka-Ping Yee [25], [26]. He has placed the code in the
public domain. To see how it works, visit TBTF via the Crit site
[27]. You will receive in return an annotated version of the page.
I have added an annotation in the "Tasty Bit of the Day" section by
way of demonstration. You can do the same, if you'd like, and all
future visitors (who enter via the crit.org portal) will see your
annotations along with everybody else's.

This technology demonstration made my jaw drop. Just as we were
getting used to the personal publishing empowerment that the Web
enables, here come a few smart people to turn the medium inside out,
again. In fact the Foresight Institute is working to actualize on
the Web the ideas of open collaboration that fired its earliest de-
velopers (themselves inspired by the still earlier work of Engel-
bart and Ted Nelson), but that didn't make the cut as the standards
emerged from CERN

The Backlink Mediator might be important on the public Internet --
if it catches on, if it becomes standard, if a sufficient infra-
structure of annotation processors develops. It could also hasten
the arrival on the Web of the "tragedy of the commons," which many
of us will assert has already arrived at Usenet and is fast over-
taking email. It is in the context of corporate intranets that
standardized, proxy-based annotation of Web pages could be a clear

[22] http://foresight.org/WebEnhance/index.html
[23] http://foresight.org/WebEnhance/Progress9711.html
[24] http://crit.org/
[25] http://www.lfw.org/ping
[26] http://foresight.org/WebEnhance/DemoPics.html
[27] http://crit.org/http://www.tbtf.com/

..Stepping off the information sidewalk

India opens up its market for Internet services

India has ended the monopoly on Internet services maintained until
now by the state-controlled Videsh Sanchar Nigam Ltd. [28]; a new
policy fostering ISP competition takes effect immediately. A gov-
ernment spokesman said, "We cannot continue to be on the infor-
mation sidewalk." He predicted between 1.5 and 2 million Indian
users by the year 2000. (Of the 40,000 users currently accessing
the Internet from India, at least 1/2 of 1% read TBTF every week
by email, while an estimated 10% read the newsletter through
TBTF's republishing arrangement with PC Quest, India's oldest
personal computing magazine [29].)

[28] http://www.zdnet.com/zdnn/content/reut/1105/206170.html
[29] http://www.pcquest.com/

..List hijacking update: Onsale mails eBay customers

I say it's spam and I say the hell with it

In the purest demonstration of list hijacking [30], [31] yet seen
on the Internet, online auctioneer Onsale [32] harvested tens of
thousands of email addresses from its rival eBay [33] and spammed
the list offering a competing service [34], [35]. Onsale claims
its actions weren't spammous because the recipients were appro-
priately "targeted." In the time-honored tradition of American
spammers, Onsale threatens to sue eBay for damage to its reputa-

[30] http://www.tbtf.com/archive/09-24-95.html
[31] http://www.tbtf.com/archive/12-06-95.html
[32] http://www.onsale.com/
[33] http://www.ebay.com/
[34] http://www.news.com/News/Item/0%2C4%2C16051%2C00.html
[35] http://www.zdnet.com/zdnn/content/zdnn/1105/206415.html

..Random numbers from Lava Lites

Beware the Blum Blum Shub, and dig the groovious Lavarand

Fans of random numbers, Blum primes, and 1960s kitsch will want to
know about a service provided by engineers at SGI: they are using
Lava Lite lamps as a source of true randomness [36]. The site for
the original randomness server, HotBits [37] (covered in TBTF for
3/9/97 [38]), adopts a tone that is breezy but technical. The Lava-
rand site [36] aims to be educational and is pitched a few degrees
lower (a PhD or Masters is not strictly required for comprehension).
The source of randomness in Lavarand is a collection of six Lava
Lite lamps that are photographed periodically by a digital camera.
A hash of the bits from the resulting image seeds a pseudo-random
number generator, the Blum Blum Shub [39] of the subtitle. That
generator repeatedly squares its state modulo M = p*q, where p and
q are large primes each congruent to 3 mod 4 (the Blum primes of
the first sentence), and emits the low bit of each new state. Its
unpredictability rests on the difficulty of factoring M, which is
why p and q must stay secret; the seed must be coprime to M and
neither 0 nor 1.
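The generator itself, as an added example in C (mine, not SGI's
Lavarand code), together with the seeding step the page describes.
Assumptions: the digest is a constructed byte string standing in for
the hash of a lamp photograph (the page does not name the hash);
the modulus is kept below 2^32 so the arithmetic fits in 64 bits;
and the demo primes 2^13-1 and 2^17-1 are Mersenne primes chosen
because their primality is certain, not because they make a strong
modulus (p+1 being a power of two makes M easy to factor; real use
needs random primes of hundreds of digits and a bignum library).

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Added example, not SGI's Lavarand code: a Blum Blum Shub generator as in
 * the referenced paper, seeded the way the page describes, from a hash of
 * an image.  The "digest" below is a constructed byte string standing in
 * for the hash of a Lava Lite photograph; the page does not say which hash
 * Lavarand uses.  The modulus is kept below 2^32 so that x*x fits in 64
 * bits.  Real use needs primes of hundreds of digits and a bignum library,
 * and the demo primes, being Mersenne primes (p+1 a power of two), are
 * chosen for certainty of primality, not for resistance to factoring. */

/* Trial division; adequate for the 17-bit primes used here. */
static int is_prime(uint32_t n)
{
    if (n < 2)
        return 0;
    for (uint64_t d = 2; d * d <= n; d++)
        if (n % d == 0)
            return 0;
    return 1;
}

/* A Blum prime is a prime congruent to 3 mod 4.  With M = p*q for two such
 * primes, every quadratic residue mod M has exactly one square root that
 * is itself a residue, so squaring permutes the residues. */
static int is_blum_prime(uint32_t n)
{
    return is_prime(n) && n % 4 == 3;
}

static uint64_t gcd64(uint64_t a, uint64_t b)
{
    while (b != 0) {
        uint64_t t = a % b;
        a = b;
        b = t;
    }
    return a;
}

typedef struct {
    uint64_t m;   /* Blum integer p*q */
    uint64_t x;   /* current state, a quadratic residue mod m */
} bbs_t;

/* Fold a digest into an integer below m, using every byte of it.  This is
 * the "hash of the bits ... seeds" step; the hash itself is done upstream. */
uint64_t seed_from_digest(const uint8_t *digest, size_t len, uint64_t m)
{
    uint64_t s = 0;
    for (size_t i = 0; i < len; i++)
        s = ((s << 8) | digest[i]) % m;     /* s < m < 2^32, so no overflow */
    return s;
}

/* Returns 0 on success; -1 if p or q is not a distinct Blum prime; -2 if the
 * seed is degenerate (0 or 1, or sharing a factor with m, which would leak
 * the factorisation and collapse the cycle). */
int bbs_init(bbs_t *g, uint32_t p, uint32_t q, uint64_t seed)
{
    if (!is_blum_prime(p) || !is_blum_prime(q) || p == q)
        return -1;
    g->m = (uint64_t)p * q;
    uint64_t s = seed % g->m;
    if (s < 2 || gcd64(s, g->m) != 1)
        return -2;
    g->x = (s * s) % g->m;                  /* x0 = s^2 mod M, per the paper */
    return 0;
}

/* One step: x <- x^2 mod M; output the least significant bit of the new x. */
int bbs_bit(bbs_t *g)
{
    g->x = (g->x * g->x) % g->m;
    return (int)(g->x & 1);
}

/* Eight steps, most significant bit first. */
uint8_t bbs_byte(bbs_t *g)
{
    uint8_t b = 0;
    for (int i = 0; i < 8; i++)
        b = (uint8_t)((b << 1) | bbs_bit(g));
    return b;
}

int main(void)
{
    /* Constructed stand-in for the hash of a lamp photograph. */
    static const uint8_t digest[20] = {
        0x3a, 0x7f, 0xc2, 0x19, 0x88, 0x05, 0xe4, 0x51, 0x6d, 0xb0,
        0x2c, 0x9e, 0x47, 0xfa, 0x13, 0x60, 0xd5, 0x8b, 0x72, 0x0e };
    bbs_t g;
    /* 2^13-1 and 2^17-1: certainly prime, certainly 3 mod 4, M < 2^31. */
    uint64_t m = (uint64_t)8191 * 131071;
    if (bbs_init(&g, 8191, 131071,
                 seed_from_digest(digest, sizeof digest, m)) != 0)
        return 1;
    for (int i = 0; i < 16; i++)
        printf("%02x", bbs_byte(&g));
    putchar('\n');
    return 0;
}
```

Initialising with p = 11, q = 23 and seed 3 reproduces the textbook
sequence 9, 81, 236, 36, 31, 202, ..., a handy check that the
squaring and the Blum-prime test are right. Note what the generator
does not give you: its security rests on M being hard to factor, so
p and q must be secret and large, and the output is only as
unpredictable as the seed. BBS stretches randomness, it does not
create it, which is why Lavarand needs the lamps.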

[36] http://lavarand.sgi.com/index.html
[37] http://www.fourmilab.ch/hotbits/
[38] http://www.tbtf.com/archive/03-09-97.html#s05
[39] http://sunsite.informatik.rwth-aachen.de/dblp/db/journals/siamcomp/siamcomp15.html#BlumBS86

Lenore Blum, Manuel Blum, Mike Shub: A Simple Unpredictable
Pseudo-Random Number Generator. SIAM J. Comput. 15(2): 364-383
(1986); published by the Society for Industrial and Applied

N o t e s

> I wrote in TBTF for 7/14/97 [40]:

Starting tomorrow your correspondent takes on full-time
responsibility as Director of Internet Strategy for a
startup that will for the moment remain nameless. When
the time comes you'll hear plenty about it, believe me.

The startup is Sitara Networks, Inc. and its mission is to speed
up the user's experience of the World Wide Web. In laboratory
testing we've seen pages from an accelerated site load 3 to 8
times faster than the same pages without Sitara; the worse the
Internet congestion the greater Sitara's advantage. Visit the
pre-announcement Web site [41] for an idea of the dimensions of
the problem we're tackling. Sitara will be announcing products
on December 10 at Internet World in New York. Pay another visit
to the site [41] a few days beforehand; there just might be
something new. If you could use two free passes to the show
floor at Internet World, send a request including your street
address to press@sitara.net. Tell them TBTF sent you.

[40] http://www.tbtf.com/archive/07-14-97.html
[41] http://www.sitara.net/

S o u r c e s

> For a complete list of TBTF's (mostly email) sources, see
< http://www.tbtf.com/sources.html >.

TBTF home and archive at < http://www.tbtf.com/ >. To subscribe
send the message "subscribe" to tbtf-request@world.std.com. TBTF
is Copyright 1994-1997 by Keith Dawson, < dawson@world.std.com >.
Commercial use prohibited. For non-commercial purposes please
forward, post, and link as you see fit.
Keith Dawson dawson@world.std.com
Layer of ash separates morning and evening milk.
