Full Disclosure mailing list archives

Re: Re: Re: GAYER THAN AIDS ADVISORY #01: IE 5 remote code execution


From: insecure <insecure () ameritech net>
Date: Wed, 18 Feb 2004 18:54:38 -0600

Tim wrote:

The first is that this IE bug is life-threatening. It's not.
<snip>
Where's the problem?
This is outrageous FUD. Web browsers are not used in medical
appliances.


Oh?  Have you worked in a hospital?  I haven't, but I am willing to bet
a lot of medical records and even appliances are run on Windows.
Correct me if I am wrong.

<snip>

I do work in a hospital in the US. No sane person would run a medical device on Windows, or at least connect same to a production network. However, insanity is rampant...

Many, if not most, medical record systems, diagnostic, and treatment devices run on Windows. The reason is simple: economics. The OS is cheaper than dedicated, hardened real-time OSes. Programming tools and programmers are cheaper, by far. The costs, as in the risk to patients' privacy and safety, can be easily shifted onto someone else.

One of the largest selling systems used for storing and annotating images of paper medical records is written in Word macros. It's a very unstable system, but who cares if it has to be rebooted every day? Probably only the patients whose records get corrupted or lost in the process.

Many of these systems come from the vendor with default shares enabled allowing anonymous access, no patches, default passwords, no anti-virus, etc. Many health-care organizations then proceed to plug them into the general network and pretend that nothing's wrong.

We've had both diagnostic and treatment devices infected with viruses and worms. We've had this happen while devices were connected to patients.

So the next time you're at a hospital, consider that chances are anyone who has network access can find out more about you than you'd care to have them know, and may be able to modify records and treatment plans if they are feeling like it.

If you happen to be receiving some potentially dangerous computer-driven treatment, for example radiation therapy, be assured that the computer telling the linear accelerator where to place the dose, and how much, is likely to be a Windows box that was set up and maintained by someone who has exactly zero knowledge of and concern about security issues.


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
