MSIE Security Worsens: Patch Bungled
mansoft was one of several to send us a followup to last week's story about the massive MSIE/Outlook security hole. He points us to this Wired news article: "Your computer may not be protected against a recently discovered and dangerous security hole -- despite all claims to the contrary from Microsoft."
Ack! If you tried the patch and got the message, "This update does not need to be installed on this system," you may need to upgrade your IE and re-patch. I'm amazed at how poorly this has been handled. I'll be even more amazed if there is no fallout. If Melissa or ILOVEYOU had been able to install backdoors as they spread, that would have really, really sucked.
Update: 04/03 04:24 PM GMT by J: According to this Wired story, Microsoft was given six weeks of silence to prepare and issue the patch.
You guys sound like nobody ever finds any holes in Linux.
BIND? Remote execution of code? A self spreading trojan so simple an 8 year old could use it?
Slashdot
News for Linux. Stuff that's biased.
In other words: "Chrysler spokesman Corporate G. Bastard said that although every Chrysler vehicle produced in the last year could be unlocked, its alarm disabled and driven away using Bic brand ballpoint pens, the vulnerability exists only for a few of several hundred colours available."
This is the worst (i.e. least skillful) spin doctoring I've ever seen. Just because all MIME attachments don't open your machine's front door, well, we shouldn't worry about this "typical software error."
No one honestly expects any Microsoft product to be secure. It's the virus attacks that wipe out your system that keep it running so well, since we all know that after 6 months all versions of Windows need to be re-installed or they stop running correctly.
...borrow your credit card details, passwords to any/all accounts you access through the machine, use your machine to break others (thus dropping you in the pooh en passant), post emails and the like in your name, yadda yadda yadda.
Trust me, it's not a good idea.
Got time? Spend some of it coding or testing
For those of us who read the security notice Microsoft released, this is old news because Microsoft spells it out clearly and did so when the patch was first released.
The guy goes "Modify the source to do all sorts of decryption and hacking" and gets modded up for "insightful". Hello?!
It doesn't matter if the source is available or not. A worm or virus that gains access to the system - any system - can do anything it wants. Period. There's absolutely no difference if it's Windows or Linux, except that on Windows (especially the non-NT variants) code would more easily be run under an account that has more access to the machine (administrator, system etc.). On Linux and other UNIXes, typically, the worm would be executed under some non-root account and have only limited access to do harm. On a properly set up Win NT box, it's basically the same though.
The company I work for hosts a *large* number of sites for all kinds of companies - both B2B and B2C. For the record, the sites are in Finland *mostly* but they should reflect pretty good global market shares as well.. The combined stats from all those sites are as follows:
(btw, like for Slashdot polls, if it doesn't add up to 100%, it's due to rounding errors)
Browsers:
MSIE 5.x 75.79%
MSIE 4.x 13.67%
Netscape 4.x 9.28%
MSIE 3.x 0.44%
Netscape 3.x 0.36%
Netscape 5.x 0.22%
MSIE 6.x 0.15%
other 0.09%
Netscape 6.x 0.01%
Operating systems:
Windows 98 64.17%
Windows 95 18.18%
Windows NT 15.92%
Macintosh 0.95%
Linux 0.33%
Windows 3.1 0.23%
other 0.19%
Misc Unix 0.05%
I think these stats show a couple of things:
1) Windows OSes have a HUGE lead over anything else. Macintosh is lower in Finland than it is in the USA, I'm sure, but then you'd think Linux is higher here than over in the USA...
2) IE has a HUGE lead over Netscape and anyone else, with almost 90% market share
3) IE 5 has a surprising amount of users - I was expecting IE 4 to have a much higher number relative to IE 5. I think this shows that people are actually upgrading their version 4 IE browsers to IE 5 themselves and not just sticking with what came with the OS - otherwise we'd see more IE 4's.
4) Mozilla + Netscape 6 are completely marginal at this point, though I'm sure they will slowly grow. At this point, there are even more Netscape 3 users than there are Netscape 6 users! Even IE 6, which has only had a beta out for about two weeks, is higher than Netscape 6 right now.
I don't know about the rest of you, but I'm pretty surprised at the huge Microsoft domination in these stats; both OS wise and browser wise. Considering security problems like today, it's a little scary, because Joe Sixpack will NOT install security patches. At least the stats seem to show that users do update their browsers every now and then..
downloaded the latest Mozilla build? No, of course not, your opinion is completely based on last month's releases. Shit, I'm almost tempted to actually submit a patch or three, it's getting that good.
How we know is more important than what we know.
do you think all them kids who used to type in CAPS back in the day are all lawyers now? It would explain a lot.
While I agree that anyone who has admin responsibility for machines running MS must be on the Microsoft security notification service distribution, it would not have helped in this case as they haven't issued a notice of the faulty patch yet. The last bulletin to go out was MS01-020 on 3/29/01, and is still revision 1.0 (it hasn't been updated). While it does contain the caveat that the error message should be ignored, this is buried more than 2/3rds of the way through it and is not highlighted in any way other than being under the sub-heading caveats. The caveat MUST be displayed in as obvious a manner as the message will be that the patch is not necessary.
My question about this hole is that the MS Security Bulletin keeps phrasing it in terms of an "HTML email" but notes that the "HTML email" could be hosted on a website. This sounds like a deliberate attempt to downplay that this is a hole in the MSIE browser itself, not in one of MS's email products. I think this may relate to the fact that the Court of Appeals has yet to rule in US v. MS, since this hole demonstrates clear consumer harm from MS bundling/integrating the browser with the OS and MS's main argument before the Court of Appeals is that the government did not prove consumer harm.
Work for Change & GET PAID!
You're probably right in the end. I've been a unix sysadmin for a long time and I still have difficulty adapting to the idea of only one person using one computer. (I think that the trend for the future will be different though.)
;-)
As for the "professional courtesy" part, I seriously doubt that that has anything to do with it. In my opinion, among others, these things limit the spread of concept virii on Linux:
- Fragmented use of software: people don't just use Outlook & IE, they use a long list of different software and distributions. Fortunately, the competition between KDE & Gnome is still going strong, and there will always be different distributions people can use.
- The speed of development. By the time someone has developed a concept virus, the mail client will have had 3 revisions of its code base. As an example, KDE is releasing code at an amazing pace.
To finish, I don't really NEED a full blown attack, but it sure is fun to watch at times.
just my 2 cents.
Matt
News about the Kettle Open Source project: on my blog
I laugh my ass off at the poor BIND using admins as much as I do the poor IE using clients.
Really, I use djbdns. It's an alternative that is available to me, just like Mozilla is an alternative available to me. I use these programs every day, and I don't have to deal with any problems.
BIND sucks, IE sucks, most code sucks. Go for the relatively open stuff, stuff that is designed well, and you don't get these problems.
--
Internet Explorer (n): Another bug -- that is, a feature that can't be turned off -- in Windows.
First I want to get a few things out of the way. IE is good for browsing, but not for security. It opens fast, renders fast, has great support for CSS and includes many MS-only features (like customized scroll bar color on websites). Sure, this is really screwing over standards, but hey, it's MS. Your average user runs Windows, which is so conveniently bundled with a copy of IE. Also, with something that runs fast and apparently well, your average user wouldn't want to upgrade, much less learn a whole new program if they're newbies. Plus, think about the chance that an average user would even HEAR about this! Very poor.
Sure, IE has huge problems with security, but because it's bundled, and so many people learn how to use a computer with IE (and IE integration into the OS), Netscape, Mozilla, and Opera (heaven forbid lynx gets used more) don't have much of a chance to break into the market. This is the problem.
For the people that read /., most of us will either continue using Netscape / Mozilla / etc, or we will consider switching, but then patch up and continue using IE. We would worry about the security. Your average user would see the patch, install it, and be more motivated to use IE ("they fix their problems!")
So how can we get this to change? Make a huge chronologically ordered list of MS's security problems? Sure, but how would we get your average user to see it, much less pay attention to it. Even if we got computer retailers to install Netscape with every computer, would the average user want to wait longer for it to load, or not have as many pages compatible with it, or have a browser with a different UI style than their OS?
So what do we do?
Any ideas?
-Dan
I'm not reading what I wrote, and I just woke up, so please, excuse my ignorance.
What use is a firewall against a mail client that can't wait to sink its teeth into anything remotely executable?
At home I do lots of news, I get loads of Spam, and I have a decent mailer. At work I use minimal external email, never publish my address anywhere likely to be scraped into a list, and I'm pretty much forced to use Outlook. If these two environments were ever to merge, then truly my ass would be owned and all my bases would belong to someone else.
We don't need security patches. We need a mailer that doesn't have the trusting "I just want to be loved" behaviour of a lonely spaniel trying desperately to please. If M$oft saw email a bit more as being an Internet protocol, and less as something that's only used within a large corporate, then they might understand why this is such a dumb attitude.
Mailers just shouldn't trust incoming email.
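The post's point, that a mailer must not trust what a sender declares about an attachment, can be turned into a gateway-side check. The code below is an added example written for this page; it is not code from the thread or from any product mentioned in it, and the extension and type lists, the sniffing rules and the sample messages are constructed assumptions. It parses a MIME message, compares each attachment's declared Content-Type with the type sniffed from its leading bytes, and flags executable content or a mismatch so the message can be quarantined instead of handed to a renderer:

```python
import os
import email
from email import policy
from email.message import EmailMessage

# Attachment names a gateway should never let a mail client hand to the shell,
# whatever Content-Type the sender declared. (Hypothetical policy list.)
EXECUTABLE_EXTENSIONS = {".exe", ".com", ".bat", ".cmd", ".pif", ".scr", ".vbs", ".js", ".hta"}

# Declared types that identify executable content outright. (Hypothetical list.)
EXECUTABLE_TYPES = {"application/x-msdownload", "application/x-msdos-program", "application/hta"}

# Generic declared types that make no claim worth cross-checking.
GENERIC_TYPES = {"application/octet-stream"}


def sniff_type(data: bytes):
    """Guess a part's real type from its leading bytes; None if unrecognised."""
    if data.startswith(b"MZ"):                      # DOS/PE executable header
        return "application/x-msdownload"
    if data.startswith(b"%PDF"):
        return "application/pdf"
    if data.startswith(b"\x89PNG\r\n\x1a\n"):
        return "image/png"
    if data.startswith((b"GIF87a", b"GIF89a")):
        return "image/gif"
    if data.startswith(b"\xff\xd8\xff"):
        return "image/jpeg"
    if data[:4] == b"RIFF" and data[8:12] == b"WAVE":
        return "audio/x-wav"
    return None


def assess_message(raw: bytes):
    """Return a list of (filename, declared_type, sniffed_type, reason) findings."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        declared = part.get_content_type()          # what the sender claims
        filename = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""  # transfer-decoded bytes
        sniffed = sniff_type(data)                  # what the bytes say
        ext = os.path.splitext(filename.lower())[1]

        if ext in EXECUTABLE_EXTENSIONS:
            findings.append((filename, declared, sniffed, "executable file extension"))
        if declared in EXECUTABLE_TYPES or sniffed == "application/x-msdownload":
            findings.append((filename, declared, sniffed, "executable content"))
        if sniffed is not None and declared not in GENERIC_TYPES and sniffed != declared:
            findings.append((filename, declared, sniffed, "declared type does not match content"))
    return findings


def should_quarantine(raw: bytes) -> bool:
    """Policy decision: any finding at all keeps the message away from the client."""
    return bool(assess_message(raw))


def build_message(attachment: bytes, maintype: str, subtype: str, filename: str) -> bytes:
    """Construct a sample MIME message with one attachment (test input, not real mail)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Sample"
    msg.set_content("See attached.")
    msg.add_attachment(attachment, maintype=maintype, subtype=subtype, filename=filename)
    return msg.as_bytes()


# Constructed samples: an honest PNG, and a PE header dressed up as a GIF.
PNG_BYTES = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
PE_BYTES = b"MZ" + b"\x90" * 30

BENIGN_MSG = build_message(PNG_BYTES, "image", "png", "photo.png")
MISLABELLED_MSG = build_message(PE_BYTES, "image", "gif", "card.gif")
EXE_MSG = build_message(PE_BYTES, "application", "octet-stream", "setup.exe")

if __name__ == "__main__":
    for name, raw in [("benign", BENIGN_MSG), ("mislabelled", MISLABELLED_MSG), ("exe", EXE_MSG)]:
        verdict = "QUARANTINE" if should_quarantine(raw) else "deliver"
        print(f"{name}: {verdict}")
        for finding in assess_message(raw):
            print("   ", finding)
```

The decision deliberately ignores the declared type whenever the bytes contradict it: a part that sniffs as an executable is treated as one no matter what header or filename it carries, and a part whose declared type is specific but wrong is flagged as well, because a client that picks its handler from the header is exactly the trusting behaviour the post complains about.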
This is really starting to get ridiculous. I suspect it would be far less of a problem were IE (and its renderer/scripting) and the other parts of Windows scripting not so heavily integrated into the shell - at least people would have some kind of control.
What's more worrying is that the increasing integration of things like KDE and Gnome are heading the same way. Admittedly the problems won't be around for so long, but as the number of unclued linux users goes up I suspect things may only start to get worse...
Seriously this isn't possible, I can't believe that someone believed this FUD and modded him up.
"One World, one Web, one Program" - Microsoft promotional ad
The Anti-Blog
It's quite interesting how the average computer user is unused to patching applications for security concerns/product upgrades. Most people won't apply this patch regardless of any problems the installation may or may not cause. It's just not something they are aware of - they have never really been told (by the software houses) that the product must be upgraded. When I first became interested in the unix world it was quite a shock to see the rapidity with which everyone spread the word about a major bug or (minor) security issue. This information doesn't filter down to average users, and they don't go looking for it (I find most www.linuxrules.org or www.macrulez.com websites as boring as hell so god knows how most people would find them).
I think it really is time that some of the companies that produce software started to make it clear that patching is an important part of software maintenance for everyone and not try to hide the whole process in case someone thinks their software is crap.
DILBERT: But what about my poem?
hehe I see this kind of comment:
Poster A: Mozilla sucks
Poster B: You should see last night's build - awesome
one month later
Poster A: Mozilla sucks
Poster B: You should download last night's build
and so the treadmill continues
There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
Ok, so they've found one more bug... how many more could there be? I mean seriously, IE's gotta be close to perfect now!
This sig is umop apisdn.
you use your PC to play [insert favorite game]
the main purpose is to listen to ripped off MP3s
the sole purpose is to watch pr0n
it's mainly used to troll /.
However, you should recognize that some of us actually use computers for professional purposes, that others are in charge of multi-terabyte databases, that some of us are responsible to guarantee a mere 3'000'000 transactions a day on our clustered systems and that - if our systems crash - every minute might cost 10'000s of $.
Go ahead, use your PC as a toy, but please don't slam us professionals whose livelihoods actually depend on the fact that the systems for which we are responsible don't get corrupted.
You can go now and play with your personal computer
ich bin der musikant
mit taschenrechner in der hand
kraftwerk
Well, that's all fine, until installing IE5.02 shafts the software I use to earn money. As it happens, I only wasted a morning sorting this problem. I hardly minded this, as I was suffering an immense hangover from my stag days and nights, and couldn't cope with anything demanding.
Still, if I had a deadline, I would have been mightily pissed off!
Tom.
Oh arse
This was on the original bulletin:
Caveats: If the patch is installed on a system running a version of IE other than the one it is designed for, an error message will be displayed saying that the patch is not needed. This message is incorrect, and customers who see this message should upgrade to a supported version of IE and re-install the patches.
If users fail to read the advisory, I don't see how this is Microsoft's fault. The original security hole was undoubtedly stupid; let us concentrate on that rather than this non-issue.
--
Blaming GW Bush for the Iraq war is like blaming Ronald McDonald for the poor quality of food.
Why the hell is it that every one of the linux zealots that read and post to slashdot BITCH AND MOAN about Microsoft products,
First off it's not ALL of the Linux zealots and in fact I've noticed the majority who get caught up in that (OS name calling) mix tend to be newer users of Linux who could barely chop up source on their own, often jumping on IRC channels or mailing lists with the shittiest questions.
claiming that they're the most worthless piece of shit software company on the planet? Anyone who has to reinstall a Windows OS every god damn month is just a fucking moron. Anyone who can't keep a Windows machine up for more than a day is also a damn moron.
Actually I don't think it's the most worthless piece of shit OS on the market by any means, in fact I think MS has strategically placed itself on the markets for reasons like Ease of Use, familiarity, since OSes like Linux, BSD, etc., are almost impossible for Mary Joe Homemaker and Sally Secretary to handle, however it's bullshit to think anyone can keep a Windows machine up all day is a moron. E.g. there's been plenty of times I've seen Windows go bonkers for no reason, especially Windows 2000 with all the patches to date for the machine.
Last year when I was tinkering with code on a DoS paper I wrote, I slightly modified my code to connect to a non-open TCP port on my Windows laptop and it still crashed it for no reason. (FYI code is here) The OS did a great job of crashing from time to time when it wasn't online, no one touched it, it just pooped out on its own.
Sure, you have to reboot to patch and install software, but who the hell cares?
I would care if I oversaw a network of 1,000 boxes which needed patch upgrades every week, only to be restarted. Think about it for a quick second as I outlined in the funny Microsoft Kills paper, 1,000 servers multiplied by about 3 minutes downtime, then you've got lost time spent and I don't think any administrator be it Microsoft or any other company is going to be kind enough to say "Hey don't worry I'll patch these on my own time, no need to pay me." Fuck no that shit costs money after a while.
Come on, get a damn clue and jump off that damn bandwagon.
I find it funny seeing OS wars go on when in reality 95% or more depend on Windows in some shape form or fashion, last time I checked accounting was looking for Excel files, secretaries were saving *.doc files... Sure Linux advocates have the right to moan its their choice, just sit back and get a kick out of it, I do.
360 degrees of Karma
the next month or so while this would still be a big deal
That may be wishful thinking. Most corporate IT departments are already in the "all your soul are belong to Microsoft" category, and this is just another in a long, long list of screwups that they've already shown that they'll tolerate. My own employer doesn't bother putting out advisories or upgrading desktops any more. And how many personal users will even find out about this, much less care? If it doesn't hit the mainstream media, it's purely a geek issue.
If you were blocking sigs, you wouldn't have to read this.
Of course, I don't honestly think they HAVE the resources or ability to make their browser suck less than IE, especially within just the next month or so while this would still be a big deal. But it would be neat.
Why, oh why, does this patch NOT show up on http://windowsupdate.microsoft.com? Good thing I read Slashdot--otherwise I never would have known about this patch (which, incidentally, installed correctly for me). Windowsupdate had a critical update over the weekend but that was for MS01-017 (the Verisign certificate problem) but NOT MS01-020. !@#$!@#$