Microsoft, CNET, BUGTRAQ and the 'land' attack

Geoffrey King (geoff@AUSTLII.EDU.AU)
Sun, 07 Dec 1997 08:54:40 +1100

I wish to point out the risks of relying on poorly researched media
reports for information about security ...

The last issue of the RISKS digest [19.48] contained a report
passed on from the CNET news service about the 'land' attack. The
CNET report which appears at
<> carries
a date of 4 Dec 1997 at 5pm PST.

For a start, the way in which the article was written indicates a
general misunderstanding of the bug and the possible exploitation

More seriously, the article also appears some 14 days after the
first posting (including exploit code) of the 'land' vulnerability
to the BUGTRAQ list. But todays "news" does coincide quite nicely
with the announcement that Microsoft would release patches. And
please also note that the statement of "Jason Grams, a product
manager at Microsoft", that "[o]bviously, this isn't a
Microsoft-only problem, it's a pretty big problem" is not entirely
accurate. There are a number of operating systems which are not
vulnerable to this attack, including current releases of Linux,
Solaris, Irix, OS/2 and others ... other vendors, including CISCO,
acted immediately to warn of and patch vulnerabilities in their

Wired News published an excellent article as early as 21 Nov 1997.

While I'm writing about this particular problem, I might also quote
from a Microsoft executive asked recently about the possibility
that the Internet Explorer 'res://' bug and the Pentium bug could
be combined.

"It's not as simple as sitting down at an IE4 machine. We've
tried it on several [machines] and we get a crash but that's
it, which is certainly not a security hole," he said.


Is that really acceptable coming from a major OS vendor?

A demonstration of the exploitation of the 'res://' Internet
Explorer bug in combination with the recently discussed Pentium bug
is available at <>
[WARNING: this demonstration may crash your machine].

And here's a quote from a Microsoft technical note about security
risks in Windows95 file and print sharing:

"The SMBCLIENT Samba network client allows users to send illegal
networking commands over the network. At this time, the Samba
client is the only known SMBCLIENT that does not filter out such
illegal commands. SMBCLIENT users do not automatically gain access
to the Windows 95 drive; these users must know the exact steps to
send these illegal commands."


Glossary: Samba <> is an implementation of
the SMB protocols to allow UNIX servers to be used in a
Microsoft environment, as both servers and clients.

Does anybody here want to volunteer for a trip to Seattle to explain
to the Microsoft 'engineers' that client-server security mechanisms
probably shouldn't rely on the good behaviour of the clients ??

It looks to me like it might be time to encourage a little more
genetic diversity in operating systems ... lets not build the world
around this sort of nonsense ...

Hmmm ... and does anybody here still think todays "news" is news ??

Geoff <>

Geoffrey King
  Manager, Australasian Legal Information Institute
  Lecturer, Faculty of Law, University of Technology, Sydney
    phone  +61(2) 9514 3176
    fax    +61(2) 9514 3400
    email  (pgp key available)