1st > April > 2002 Archive

You've got Blogs! AOL buys into homegrown media

"AOL gets it! Steve Case gets it!" beamed Dave Winer today, after brokering a deal that sees two hundred of the most popular weblogs become part of the AOL-Time Warner publishing empire. The media giant has acquired rights to many of the most popular blogs including Instapundit, USS Clueless, and many hitherto unheard-of sites including Hello! Katty, ScratchMyselfRedAndYellow.org, Xanax Nation, and the Scottish blood transfusion service's samizdat news blog, Roamin' In The Haemoglobin.

"The wind of the savannah pushes the pollen to the top of the mountain", said pioneer blogger Doc Searls, in a characteristically organic metaphor. "A mountain is bigger than a grain of pollen, but many grains together can create a stronger, more resilient outcrop, and they grow faster" he said.

AOL-TW executives seemed pleased with the company's acquisition spree. "You can't really put figures on this," one executive told The Register, "but we think we have 78 per cent of the libertarian news blogs, 91 per cent of the ClueTrain Manifesto fan sites, and 59 per cent of all blogging female arts graduates, many of whom are Virgos," he said. "And the possibilities for vertical integration are endless," he enthused. "No cat will ever go ill again in America again in obscurity."

Giving The Register his characteristic two thumbs-up gesture from his Burlingame hot tub, surrounded by two young female advisors sporting "I GET IT!" T-shirts, Dave Winer rejected accusations that he had sold out. "When I said Big Media was stupid, and that blogs would make them redundant," he told us, "I was simply inviting Big Media to pay me lots of money to tell them that they're stupid."

"Er, the girls? AOL sent them along," he explained. "They're experts on the SOAP protocol. Ha ha."

In related news, MetaFilter was said to be signing a merger agreement with Kuro5hin to pool content between the two sites. We'll bring you more news as soon as we hear it.

Ralph Rumney is dead.®
Our correspondent, 01 Apr 2002

Cumulative IE patch for malicious cookies

A fairly serious flaw in Internet Explorer has just been patched. It would enable a malicious Web page or e-mail to drop a cookie containing an HTML script on a victim's machine and run it in the 'Local Computer' zone rather than the Internet zone, to avoid restrictions. The script would run with the user's level of permission, and could therefore do considerable damage depending on its design.

The problem behind it is essentially an oversight by MS programmers, who failed to realize that once a cookie is stored locally, it's no longer restricted to the Internet zone, where, presumably, scripts and plugins should operate safely.

Also patched is an item more irritating than dangerous, in which an object tag in a Web page or an e-mail is improperly executed outside the Internet zone and calls an executable on the local machine, as we reported here. In this case the file name and path must be known, so only programs in default locations can reasonably be activated. MS says that parameters can't be passed to the executable, so there's nothing terribly dangerous here.

We've had anecdotal reports that the MS patch fails to fix this on a few systems, and we'd be happy to hear from other readers if they're having problems with it. The above-linked article contains a sample script which can be used to test the patch. Just make sure the path to calc.exe is the same on your system, or edit the path in the script as needed.

The patches for IE 6; 5.5 SP-2; 5.5 SP-1; and 5.01 SP-2 for Win-2K and NT are located here. ®
Thomas C Greene, 01 Apr 2002

Win-NT, 2K debug process gives up control

A security hole in Win-NT and 2K could enable an attacker to take control by exploiting a flaw in the debugging subsystem (SMSS). Radim "EliCZ" Picha has demonstrated that it's possible for an unprivileged user to execute debug processes in the System context.

At issue is an exploitable LPC (Local Procedure Call) port, to which any user or process has access. By exploiting the LPC flaw, an attacker can bypass the CSRSS (Client Server Runtime Subsystem) and avoid the normal privilege restrictions for debug commands.

According to a recent posting to the BugTraq mailing list, an attacker would cause SMSS.exe to duplicate a handle to the target, which can be any running process. He connects to the debug LPC, requests CreateProcess SsApi with the target's client ID, receives the duplicated handle, and owns the box. At this point the attacker can execute external programs in the System account.

A working exploit called DebPloit with source code is located here, so you can verify the vulnerability. MS hasn't managed to patch it yet, but has managed to complain that the exploit was released without its approval.

In the meantime, the author of the BugTraq post also provides a hotfix which he says will make the LPC port available only to processes running in the System account. Both items are mirrored here as well. We haven't verified either of these files, so check them out thoroughly before mucking about with critical systems. ®
Thomas C Greene, 01 Apr 2002