Slashdot Mirror


Serious Security Flaw in MSIE 5.01, 5.5

Visit an attacker's webpage using Microsoft's browser on Microsoft's operating system, and the attacker can execute arbitrary code on your system with your full privileges. Oh, and thanks to Microsoft innovation - you may remember this from the trial - the browser is integrated with the OS, so reading email from an attacker (opening attachments not necessary) also gives them full access to your machine. MSIE 5.5 is vulnerable, and MSIE 5.01 is vulnerable unless you've installed Internet Explorer 5.01 Service Pack 2. Read the security bulletin and download the patches. Discovery props to Kriptopolis.

14 of 444 comments

  1. Recipe of disaster by Anonymous Coward · · Score: 4

    Just think of the following scheme: (If I understood correctly, it should be possible to create the following worm)

    1) Send this worm to everyone in the address book using a randomly taken subject from your previous emails.
    2) Install a timebomb into the computer, which deletes all the files after a few days
    3) Send all your previously written emails to random recipients taken from the address book.

    Worm would spread like a wildfire as the message does not look suspicious (it comes from a known sender and the subject is reasonable as it has been used before by the sender). As no questions are asked from the user - all the outlook users reading the message would be affected.

    Worm would be totally destructive, as all the files would be deleted.

    Probably most damage would be done by sending the previous communication to random recipient. Just look into your sent messages folder and imagine what would happen if you would send the messages to random recipients taken from your address book.

    Do you still have the guts to use Windows/IE/Outlook ?

  2. Re:Inaccurate by mcc · · Score: 4
    My apologies for being unclear. That comment was meant to refer to microsoft's *web browser* division, and microsoft's web browser division *only*. Yes, of course server OSes and server apps will have security issues from time to time. I don't expect them not to. The thing that leaves me a bit taken aback, though, is microsoft's tendencies to have security issues in a low-end *consumer-oriented* app like a web browser. WEB BROWSERS ARE NOT THE KIND OF THING WE SHOULD HAVE A SECURITY TRACK RECORD TO KEEP TRACK OF, and that was my only point.


    YESS, it really kind of *is* an MS thing. Except for one vague memory or so of an incident involving a java hole, you just plain don't *SEE* security holes popping up with Netscape or Opera or Omniweb or really ANY browser except MSIE! *Netscape* got security right, and their software was AWFUL! But that there should be THIS many instances of hardware-access-level vulnerabilities in something meant to display web pages.. just. blah. it blows my mind.


    --mcc
    it is late and i am spastic and bitter

  3. Re:Inaccurate by mcc · · Score: 5
    > In short, I wish people would stop with the idiotic Microsoft bashing. All software has bugs. Let's fix it and move on.


    The problem with this is that this isn't just a Well, Now It's Over And We Can All Get On With Our Lives type thing. If this were an isolated incident, "Move on" would be good advice indeed; however, Microsoft is developing a literal track record when it comes to security vulnerabilities. Security holes in MSIE, SERIOUS ones, seem to be cropping up on the order of once every couple of months; i can think of at least four times since MSIE 4 that ways for attackers to affect the contents of an MSIE user's hard drive have been discovered, and i haven't even been watching it closely. Are you really sure that "forgive and forget" is a good idea?? Do you honestly think that this isn't going to happen again? Do you honestly think if people let this issue rest-- and they will-- that microsoft is going to change its ways on its own? It certainly didn't the LAST couple of times this happened.

    Keep in mind these are the people that you're supposed to be buying an attempted NETWORK OS (windows xp) from in a year or so, and they can't pull off security in a passive web browser. XP involves the passing around of remote executable code, doesn't it? Don't you think some SERIOUS pressure needs to be brought to bear on microsoft until they take steps to ensure that the security issues in their browsers are dealt with, COMPLETELY?


    I am a Mac OS X user, so i am not *too* worried about this, but i do use MSIE from time to time, and so i for one am extremely alarmed with microsoft's nonchalance with security issues. Microsoft seems to have no interest to bring these "technologies" (activex, for example) that seem to be causing the problems to the macintosh platform, and the Macintosh port of IE shares no codebase with the windows version, so i am not directly threatened; however i still feel somewhat insecure with using MSIE.

  4. Re:Inaccurate by Malcontent · · Score: 4

    Well that's not what they testified to in court. Are you suggesting that the top brass on MS committed perjury?

    --

    War is necrophilia.

  5. Re:Inaccurate by fanatic · · Score: 4

    > That is inaccurate. It's thanks to an object oriented operating system that we have this problem.

    Not sure what OO has to do with it; the problem is a program that executes code received from the net without even asking. That's the problem. Let's hope KDE never does anything that silly.

    --
    "that's not encryption - it's a new perl script that I'm working on..." - from some Matrix parody
  6. Re:Hmm.. by donutello · · Score: 5

    The way these things work is that whoever discovers the bug, if they are a white hat, sends a message to the software manufacturer. Usually it is of the form "Here's the bug, here's what it can do. You have XX days to issue a fix. After XX days I will post this to a security discussion alias with/without also posting the exploit".

    The fact that the bug was reported today does not mean that that is when Microsoft found out about it.

    I had a funny experience. I went to the website and downloaded and ran the patch but it gave me a message saying I did not need to install this update and exited. Anyone else have this happen?

    --
    Mmmm.. Donuts
  7. Re:Not Suprising by crucini · · Score: 5
    > I find it amusing that the worst purveyor of unprompted MS-bashing, Malda, is also the only editor who regularly admits to using Windows.

    I find that quite understandable. People who don't deal with Windows on a regular basis generally don't have very strong feelings about it. This makes it easy (and fun) to maintain an attitude of casual scorn and contempt toward that particular festering pile. When one is forced to use Windows, however, one's attitude unfortunately degenerates into pulsating screaming hatred.
  8. No problems here... by The_Messenger · · Score: 5
    I'm posting this from IE 5.5 on NT5 and ØÄȦ®$ûüè h4w h4w! I 0wn 4ll j00r b0X0rz!! ØÄȦ®$ûüève experienced absolutely no problems. Furthermore,ØÄȦ®$ûüè w0w d00d 1 4m 50 3l337 ØÄȦ®$ûüèsecurity issues on the web today. What about Netscape 6? For instance, NetØÄȦ®$ûüè m$ c4n suX0rz my c0ckz!!! llolololol ØÄȦ®$ûüèPerhaps Slashdot is blowing this out of proportion.

    --
    I like to watch.

  9. Web browsers belong in a jail by Animats · · Score: 4
    Web browsers should be running in a partition with very few privileges. They should be able to talk to the net, read their own code and resource files, write their own windows, see mouse and keyboard events in their own windows, and that's all.

    A good exercise would be to take NSA Linux and Mozilla and make them work under such restrictions. This might include managing the cache in a separate process with slightly different privileges. The cache manager needs to read and write the cache, but should never interpret the content. (Think of the cache as being managed by a built-in proxy server, while the main browser does no caching.) Configuration also needs to be done by a separate program and process, one that gets its input from the user, can't get input from the net, and can write the preferences files. This gets all the code that can write permanent files out of the main part of the browser.

    Done this way, it doesn't matter if the browser code has security holes because the browser code is not trusted. The mandatory security protections of the OS prevent it from doing anything. This is the right way to do it, and the only one that will work.
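
The partitioning described in the comment above can be checked as a small reachability model. This is an added example, not part of the original comment; the component names, privilege labels and channels are assumptions. It compares a single-process browser with the split design, and with a cache manager that starts interpreting what it stores.

```python
# Added illustration of the process split described in the comment above.
# Component names, privilege labels and channels are assumptions for this sketch.
from dataclasses import dataclass

NET = "net"  # untrusted source: anything that arrives from the network

@dataclass(frozen=True)
class Channel:
    src: str           # sending component, or NET
    dst: str           # receiving component
    interpreted: bool  # True if dst parses the payload, False if it only stores bytes

def attacker_reach(privs, channels):
    """Return (components hostile content can take over, privileges they hold)."""
    # A component can be taken over if it interprets data from the net or from a
    # component that can itself be taken over; opaque storage passes no control.
    owned, changed = set(), True
    while changed:
        changed = False
        for ch in channels:
            if ch.interpreted and ch.dst not in owned and (ch.src == NET or ch.src in owned):
                owned.add(ch.dst)
                changed = True
    return owned, set().union(*(privs[c] for c in owned))

def exposed_writes(privs, channels):
    """Persistent-write privileges reachable by hostile network content."""
    return sorted(p for p in attacker_reach(privs, channels)[1] if p.startswith("write_"))

MONOLITH_PRIVS = {"browser": {"net", "own_window", "write_cache", "write_prefs", "write_user_files"}}
MONOLITH_CHANNELS = [Channel(NET, "browser", True)]
SPLIT_PRIVS = {
    "renderer": {"net", "own_window", "read_own_files"},
    "cache": {"read_cache", "write_cache"},
    "config": {"write_prefs"},
}
SPLIT_CHANNELS = [
    Channel(NET, "renderer", True),
    Channel("renderer", "cache", False),  # cache manager stores bytes, never parses them
    Channel("cache", "renderer", True),   # renderer parses what it reads back
    Channel("user", "config", True),      # configuration input comes from the user only
]
# Regression case: a cache manager that starts parsing what the renderer hands it.
LEAKY_CHANNELS = [Channel("renderer", "cache", True)] + SPLIT_CHANNELS

if __name__ == "__main__":
    print(exposed_writes(MONOLITH_PRIVS, MONOLITH_CHANNELS))
    for chans in (SPLIT_CHANNELS, LEAKY_CHANNELS):
        print(exposed_writes(SPLIT_PRIVS, chans))
```

In the split layout the only component hostile content can reach is the renderer, which holds no write privilege; once the cache manager interprets content, its write privilege becomes reachable again.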

  10. New read and execute features in IE 5.5 by mr_gerbik · · Score: 5

    Combine this new exploit with this old one that lets you read any file off someone's hard drive and I think Microsoft might be able to market these as .NET features.

    -gerbik

  11. Re:Inaccurate by f5426 · · Score: 5

    > first off, Creating something like BIND is infinitely more difficult than something like MSIE--

    Gently put your head out of your ass. You obviously don't know what you are talking about. Bind is a two-banana hack compared to MSIE. MSIE has about the same complexity as Mozilla. Ever looked at mozilla source code ? Ever tried to build it ? Now take a look at BIND source code. Build it. Draw your conclusion in terms of complexity.

    A BIND bug is very serious because it can compromise huge segments of the network. But people that run BIND know what they are doing (or should know). And there are alternatives.

    A MSIE bug is very serious because it can compromise a huge number of individual hosts. Furthermore, people don't choose to run MSIE, they have to, or they just don't know that they are running it. And you can't remove MSIE from a windows machine.

    So, IMNSHO, a MSIE bug is more serious than a BIND bug.

    Cheers,

    --fred


  12. Re:Not Suprising by Fervent · · Score: 4

    No, the shocker is that a Microsoft bug was posted on Slashdot with the (entirely unbiased comment I might add) phrase "patch now, patch now". For once, Slashdot is caring about those who view their site from the other side of the fence. Then again, it wasn't CmdrTaco who posted this, but we're making strides.

    --

    - I don't care if they globalize against free speech. All my best free thoughts are done in my head.

  13. Inaccurate by Reality+Master+101 · · Score: 4

    > Oh, and thanks to Microsoft innovation - you may remember this from the trial - the browser is integrated with the OS, [etc, etc]

    That is inaccurate. It's thanks to an object oriented operating system that we have this problem. Ever heard of the term "reuse"? It's a feature, not a bug, that you can reuse components in various applications without having to rewrite them.

    KDE would have exactly this flaw if the Konqueror component had this flaw and an e-mail reader used the component.

    In short, I wish people would stop with the idiotic Microsoft bashing. All software has bugs. Let's fix it and move on.


    --
    Sometimes it's best to just let stupid people be stupid.
  14. previous versions by Anonymous+Admin · · Score: 5

    "Microsoft tested IE 5.01 and IE 5.5 to assess whether they are affected by this vulnerability. Previous versions are no longer supported and may or may not be affected by this vulnerability." You are on your own.