Abandon  |  All  |  Hope  |  Ye  |  Who  |  Enter  |  The  |  Hall  |  Of  |  Bloat

 Visual Basic

Findings of the Tribunal:

Submitted by Tom Liston of the Hackbusters.

Whoa. What a chunk. Makes you want to hurl 'em - chunks that is.

Nicula of eEye comes out with a free helper program to detect servers which can be compromised by the Apache Chunked Encoding vulnerability. Ok, Apache has already released a patch, but so what?

But what a program from eEye is what. Put together with the same level of engineering used by Maury with his megabyte sized SpamStopper (which Radsoft reduced from 990KB to 18KB on the Apple PowerPC platform and duplicated at 4KB on the Windows x86 platform), this one has it all - bitmaps, icons, dialogs - you name it, it's there. The kitchen sink? Yep, it's there too - and evidently eEye has a lot of kitchens.

Apache can now run on Windows platforms, so eEye thought they would oblige (thank you eEye) and spread a bit of the good word around (like any Apache admin is going to take eEye seriously). What they instead did was broadcast loud and clear how pitifully little they know about Windows software engineering.

The Win32 application comes unpacked at 618496 bytes, and has 121,496 bytes of resources. It's a typically spendthrift MFC application, but linked in such a sloppy way so the runtime is both statically linked and still used dynamically. It has old legacy modules which still haven't learned that MSVCRT20.dll doesn't exist anymore. It's got tons of OLE linkage. It's got a ridiculous three-way Winsock linkage. It's got incremental linking. It creates a walloping 15 (fifteen) OLE controls (good-bye Registry). It's got a nasty TerminateProcess call. It's a frightful mess.

Apache's already got the patch out; no one needs to corrupt their system with this monstrosity. Yet eEye has inadvertently done us all a favor by revealing their chunked level of engineering expertise. Hurl.


Abandon  |  All  |  Hope  |  Ye  |  Who  |  Enter  |  The  |  Hall  |  Of  |  Bloat
Copyright © bloatbusters.org. Web space courtesy Radsoft. We bust apps that suck.