Slashdot Mirror


Another Gaping Microsoft Security Hole Goes Unpatched

Newsbytes has a story about a critical vulnerability in all recent versions of Internet Explorer, which leaves your computer completely open any time you browse the web with IE. Microsoft has known about it since November 19; they refuse to provide any information about when a patch might be made available, if ever. This bug has been successfully handled by Microsoft's "Security through Obscurity" policies - since there's no public notice, Microsoft has no need to actually patch this hole which renders several hundred million computers vulnerable any time they access a web page or parse an HTML email.

For readers who care, this vulnerability results from Microsoft's integration of IE and the operating system. Files received via HTTP are supposed to be handled by examining the Content-Type header sent by the webserver - for instance, the Content-Type sent with this webpage is "text/html", identifying it as a text (non-binary) document which is marked up with HTML.

Netscape and most other browsers have no problem with this.

You will notice, however, that this method is rather different than how a Microsoft operating system determines how to handle a local file - by its three-letter extension. A file named "foo.txt" is handled as a text file, even if it is a binary image file that has been renamed for some reason.

Now, what happens when you integrate your web browser and your local browsing, say to render moot an anti-trust suit filed against your company? Will local files get a Content-Type? Will remote files be handled by examining their file extension?

IE handles files in an odd mish-mash of looking at the Content-Type sometimes for some purposes, looking at file extension sometimes for some purposes. It's hardly surprising that the bug-hunter in the above story has found a way to feed it a Content-Type at odds with the file extension - the Content-Type may be innocuous, but the extension says "execute me", so when the "integrated" IE engine gets ahold of it, the malicious content is automatically executed.

Now Microsoft has a problem. Because they chose to ignore the standard for handling downloaded files, Microsoft has painted themselves into a corner. If Microsoft suddenly changes how their browser handles downloaded files, tens of thousands (perhaps hundreds of thousands? any webpage which downloads files) of webpages "designed for IE" will have to be rewritten. No doubt this is the issue their programmers are wrestling with right now. It's a fundamental design issue - Microsoft designed their web browser with the goal of doing what was best for Microsoft (evading anti-trust charges) rather than doing what was best for their users. In fact a proper "fix" of this hole probably involves de-integrating their browser and local file handling to some extent.

If you routinely browse with Internet Explorer or read mail with Outlook, keep in mind that any web page you visit or any email you open can take over your computer, steal sensitive files, destroy your machine, anything. This has been true for at least two and a half years. And keep in mind that you can't fix the problem, you must rely on Microsoft to do it, if they so choose. And keep in mind that Microsoft is in no hurry to do anything about it, because it doesn't even consider it a vulnerability. Happy browsing!
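
The Content-Type versus file-extension conflict described in the story can be checked for on the receiving side, for example in a proxy or mail gateway. The following is an added example, not part of the original post or of any Microsoft code; the function names, the extension and MIME-type lists, and the sample responses are assumptions constructed for illustration.

```python
import posixpath
from email.message import Message
from urllib.parse import unquote, urlsplit

# Assumption: extensions a Windows shell would launch, and the MIME types
# that honestly announce a program. Extend both for a real deployment.
EXECUTABLE_EXTS = {".exe", ".com", ".bat", ".cmd", ".pif", ".scr", ".vbs", ".hta"}
EXECUTABLE_TYPES = {"application/octet-stream", "application/x-msdownload"}

def classify(url, headers):
    """Return (verdict, content_type, extension) for one HTTP response."""
    msg = Message()                      # header lookup is case-insensitive
    for key, value in headers.items():
        msg[key] = value
    ctype = msg.get_content_type()       # parameters such as charset are dropped
    # A Content-Disposition filename overrides the name taken from the URL path.
    name = msg.get_filename() or posixpath.basename(unquote(urlsplit(url).path))
    # Windows ignores trailing dots and spaces, so "update.exe." is "update.exe".
    name = name.rstrip(". ")
    ext = posixpath.splitext(name)[1].lower()
    if ext not in EXECUTABLE_EXTS:
        return ("ok", ctype, ext)
    if ctype in EXECUTABLE_TYPES:
        return ("declared-executable", ctype, ext)
    # Harmless-looking type, launchable extension: the conflict the story describes.
    return ("mismatch", ctype, ext)

# Constructed sample responses (URL, headers); not taken from any real capture.
SAMPLE_RESPONSES = [
    ("http://example.test/readme.txt", {"Content-Type": "text/plain"}),
    ("http://example.test/setup.exe", {"Content-Type": "application/octet-stream"}),
    ("http://example.test/get?id=7",
     {"content-type": "text/html; charset=utf-8",
      "Content-Disposition": 'attachment; filename="notes.txt.exe"'}),
    ("http://example.test/pic%2ESCR", {"Content-Type": "image/jpeg"}),
    ("http://example.test/dl",
     {"Content-Type": "text/plain",
      "Content-Disposition": 'inline; filename="update.exe."'}),
]

def scan(responses=SAMPLE_RESPONSES):
    """Classify every response; a gateway would block or log the mismatches."""
    return [(url,) + classify(url, headers) for url, headers in responses]

if __name__ == "__main__":
    for row in scan():
        print(row)
```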

9 of 1,035 comments

  1. other browsers by stew77 · · Score: 0, Flamebait

    I know this sounds like a stupid average comment but...who's using IE anyway? After I found Opera for Windows, I have no desire for another browser at all. Opera has some very useful UI details that make IE look as comfortable as reading web pages with wget | more.

    1. Re:other browsers by hammock · · Score: 0, Flamebait

      No, it's because it is bundled with Windows.

      The Internet = Internet Explorer to every single Windows user.

      IE may be (in your opinion) the best browser right now, and that is because Microsoft (intentionally) destroyed all development of any other browser using anti-competitive tactics as determined by a court of law.

      Using IE is immoral and unacceptable, I just wish the American justice system enforced the law on Microsoft instead of letting them extend their monopoly into schools as a "punishment" while giving them billions of dollars worth of tax credits.

  2. Two and a half YEARS? by JScarpace · · Score: 2, Flamebait

    If this bug in IE has really been around for two and a half years, how is it that no one has stumbled on to it until now? Could it be that (GASP!) security through obscurity actually worked in this case?

  3. Re:Let's see.. by strAtEdgE · · Score: 0, Flamebait

    Read the article, retard. It bypasses download security. Blind faith in microsoft... could you be any stupider?

    --
    ----- sXe
  4. Overreaction from Michael. by Oily Tuna · · Score: 4, Flamebait


    Michael says : "completely open any time you browse the web with IE. "
    Story says "who view a specially constructed Web page"

    Okay, the hole isn't good - and MS must fix it - but the article as posted by /. is wrong.

    Your computer is open if you stumble across a specially constructed site. If you browse /. the news, stock quotes etc. then you're pretty much safe.

    --
    Mmmmmmm ... sushi.
  5. Re:Let's see.. by Cuthalion · · Score: 0, Flamebait

    Read the article, retard. It still asks you if you want to open or save the file. Save is safe.

    --
    Trees can't go dancing
    So do them a big favor
    Pretend dancing stinks!
  6. "Of the web"? by Shmibbon · · Score: 1, Flamebait

    You base all of the internet traffic on the web on 9688 hosts (not accesses or people) accessing one WWW server at a university? Geez, go take a statistics class.

    -Shmibbon

  7. Typical yellow journalism from Slashdot... by taustin · · Score: 0, Flamebait

    The lie:

    ..."the malicious content is automatically executed."

    The truth, from the article that the clown who posted this didn't even bother to read:

    "Any way to skip all dialogs, ie. to run an application without ANY dialog with this vulnerability has NOT been found."

    C'mon, you morons. At least pretend to read this stuff before you start masturbating at how evil and stupid Microsoft is. Again.

  8. Time to filter another author.... by DJ Wipeout · · Score: 0, Flamebait

    Geez, Michael, wth is your problem? All your articles are either wrong or have so much FUD in them it's not funny.