labs52.clarification

Posted Sep 1, 2000
Site ussrback.com

USSR Advisory #52 - Clarification. To clear up a few comments about USSR Advisory #52. One regarding the DoS against Iris 1.01 "BETA", and the other regarding "in this case Eeye".

SHA-256 | d896e26836e7ab23f58fb1922907ce3ec2c70631df59172b191a984429cad68d

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

IRIS 1.01 "BETA" ISSUE

I want to clear up a few comments about USSR Advisory #52. One
regarding the DoS against Iris 1.01 "BETA", and the other regarding
"in this case Eeye"

First:

The bug which we found in Iris 1.01 was tested with more than 3
machines in our lab, including other machines outside our lab. Each
target machine was a PII with 64mb, 10mb network, with service pack
6a.

The first time I noticed the problem was when I was flooding a target
machine on the network and realized that Iris was acting rather
peculiar until it crashed. After flooding the target machine on the
local network with random protocols and ports, I had isolated the
problem.

As I looked into it, I noticed that one of the 13 threads that Iris
spawned was getting an invalid memory direction in the paint, or
possibly the refresh function. The problem doesn't lie with Windows'
refresh function, rather with the poor code of Iris 1.01.
Maybe Eeye thinks that stability is less important than updating the
screen in realtime.

Some people have said that if one floods any bound port on said
target setup, that the CPU will be at %100 utilization. I beg to
differ.

Why doesn't someone go ahead and flood IIS 5.0's web server with
random urls, and tell me if their load gets close to %100? If anyone
has actually attempted this, they will realize that the utilization
goes no higher than about %20. (Local network with more than 200
simultaneous connections.)

The problem lies not with the Windows NT code, rather with the poor
code of Eeye. Poor enough to allow us to write an advisory like the
Iris 1.01 DoS.

Here is another example of the poor code of Iris:

When you open up the Iris, it writes out a file called
"settings.html", and upon closure, it deletes the file. So far so
good, however if one creates a "settings.html" and sets it to be
readonly, the program refuses to load. Only until the removal of this
file will Iris begin to load properly. This is a poor example, but it
shows the laziness of coding involved.

Second:

Regarding the beta thing, I can understand selling a product which is
in a beta release, but selling an unstable product for $550 seems
outrageous. How long has this product even been on the market? A
month? Maybe even 3? Very few vendors release software using the
title "beta" simply because they know their products are unstable or
have bugs. In this case the vendor should be VERY clear and say that
their product is INDEED A BETA. A beta which is unstable.

Final note:

I still wonder why people/vendors feel that finding a bug in their
product is such a bad thing. Finding a bug and reporting it is
beneficial to the vendor, allowing a chance for a stronger product.

Extra special thanks to Evan Brewer. <dm@el8.org>

Thanks for listening.

Luciano Martins
Ussr

u n d e r g r o u n d   s e c u r i t y   s y s t e m s   r e s e a r c h
http://www.ussrback.com


-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com>

iQA/AwUBOa9Kx63JcbWNj6DDEQJ5SACg7sF7bk5z0m5l0ffhMljX5IMzUDcAnj/u
8PYLuR+3OLZypLcdI46LSIn7
=3sgx
-----END PGP SIGNATURE-----
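
The "settings.html" behaviour described in the message above, as an added Python example (not Iris code and not written by the advisory's author): a startup routine that depends on a fixed file name fails when a read-only file already holds that name, while one that creates a unique per-run file is unaffected. The function names, file contents and the temporary working directory are assumptions made for illustration.

```python
import os
import stat
import tempfile

SETTINGS_NAME = "settings.html"  # fixed file name quoted in the advisory


def fragile_startup(workdir):
    """Write the fixed-name file; return its path, or None if startup aborts."""
    path = os.path.join(workdir, SETTINGS_NAME)
    try:
        with open(path, "w") as fh:
            fh.write("<html>settings</html>")
    except OSError:
        return None  # a pre-existing read-only file stops the program loading
    return path


def tolerant_startup(workdir):
    """Write the settings page to a unique per-run file, not a fixed name."""
    fd, path = tempfile.mkstemp(prefix="settings-", suffix=".html", dir=workdir)
    with os.fdopen(fd, "w") as fh:
        fh.write("<html>settings</html>")
    return path


def shutdown(path):
    """Remove only the file this run created; a missing file is not an error."""
    try:
        os.remove(path)
    except FileNotFoundError:
        pass


def demo():
    """Plant a read-only settings.html (constructed scenario), try both startups."""
    with tempfile.TemporaryDirectory() as workdir:
        planted = os.path.join(workdir, SETTINGS_NAME)
        with open(planted, "w") as fh:
            fh.write("planted")
        os.chmod(planted, stat.S_IREAD)
        # Privileged accounts on Unix can still write read-only files.
        blocked = not os.access(planted, os.W_OK)
        fragile = fragile_startup(workdir)
        tolerant = tolerant_startup(workdir)
        tolerant_ok = os.path.isfile(tolerant)
        shutdown(tolerant)
        os.chmod(planted, stat.S_IREAD | stat.S_IWRITE)  # allow directory cleanup
        return blocked, fragile is None, tolerant_ok
```

`demo()` returns whether the planted file actually blocked writes, whether the fixed-name startup aborted, and whether the unique-name startup succeeded.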
