Another Gaping Microsoft Security Hole Goes Unpatched
For readers who care, this vulnerability results from Microsoft's integration of IE and the operating system. Files received via HTTP are supposed to be handled by examining the Content-Type header sent by the webserver - for instance, the Content-Type sent with this webpage is "text/html", identifying it as a text (non-binary) document which is marked up with HTML.
Netscape and most other browsers have no problem with this.
You will notice, however, that this method is rather different from how a Microsoft operating system determines how to handle a local file - by its three-letter extension. A file named "foo.txt" is handled as a text file, even if it is a binary image file that has been renamed for some reason.
Now, what happens when you integrate your web browser and your local browsing, say to render moot an anti-trust suit filed against your company? Will local files get a Content-Type? Will remote files be handled by examining their file extension?
IE handles files in an odd mish-mash of looking at the Content-Type sometimes for some purposes, and looking at the file extension sometimes for other purposes. It's hardly surprising that the bug-hunter in the above story has found a way to feed it a Content-Type at odds with the file extension - the Content-Type may be innocuous, but the extension says "execute me", so when the "integrated" IE engine gets hold of it, the malicious content is automatically executed.
Now Microsoft has a problem. Because they chose to ignore the standard for handling downloaded files, Microsoft has painted themselves into a corner. If Microsoft suddenly changes how their browser handles downloaded files, tens of thousands (perhaps hundreds of thousands? any webpage which downloads files) of webpages "designed for IE" will have to be rewritten. No doubt this is the issue their programmers are wrestling with right now. It's a fundamental design issue - Microsoft designed their web browser with the goal of doing what was best for Microsoft (evading anti-trust charges) rather than doing what was best for their users. In fact a proper "fix" of this hole probably involves de-integrating their browser and local file handling to some extent.
If you routinely browse with Internet Explorer or read mail with Outlook, keep in mind that any web page you visit or any email you open can take over your computer, steal sensitive files, destroy your machine, anything. This has been true for at least two and a half years. And keep in mind that you can't fix the problem; you must rely on Microsoft to do it, if they so choose. And keep in mind that Microsoft is in no hurry to do anything about it, because it doesn't even consider it a vulnerability. Happy browsing!
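A defender-side check for the mismatch the post describes (an innocuous Content-Type paired with a filename whose extension Windows treats as runnable), written here as an added example rather than anything from the post or from Microsoft; the extension and type lists and the sample responses are constructed.

```python
"""Flag HTTP downloads whose declared Content-Type disagrees with the
filename extension. Added example; all values below are constructed."""
import posixpath
from urllib.parse import urlsplit

# Extensions the Windows shell runs directly (hypothetical, not exhaustive).
EXECUTABLE_EXTS = {".exe", ".com", ".bat", ".cmd", ".vbs", ".js", ".scr", ".pif"}

# Types a server would normally send for documents, never for programs.
INNOCUOUS_TYPES = {"text/plain", "text/html", "image/gif", "image/jpeg", "image/png"}

def filename_for(url, headers):
    """Name the client would save: Content-Disposition filename first, else URL path."""
    for part in headers.get("Content-Disposition", "").split(";"):
        key, _, value = part.strip().partition("=")
        if key.lower() == "filename" and value:
            return value.strip().strip('"')
    return posixpath.basename(urlsplit(url).path)

def content_type_of(headers):
    """Media type with parameters removed and lower-cased, or '' if absent."""
    return headers.get("Content-Type", "").split(";")[0].strip().lower()

def mismatch(url, headers):
    """True when an innocuous type is paired with an executable extension."""
    ext = posixpath.splitext(filename_for(url, headers))[1].lower()
    return ext in EXECUTABLE_EXTS and content_type_of(headers) in INNOCUOUS_TYPES

def scan(responses):
    """Return URLs of responses a gateway should block or quarantine."""
    return [url for url, hdrs in responses if mismatch(url, hdrs)]

# Constructed (url, headers) pairs as a proxy log might record them.
SAMPLE = [
    ("http://example.invalid/readme.txt", {"Content-Type": "text/plain"}),
    ("http://example.invalid/pic.gif", {"Content-Type": "image/gif"}),
    ("http://example.invalid/update.txt",
     {"Content-Type": "text/plain",
      "Content-Disposition": 'attachment; filename="update.exe"'}),
    ("http://example.invalid/setup.exe", {"Content-Type": "application/octet-stream"}),
    ("http://example.invalid/harmless.scr", {"Content-Type": "image/jpeg; charset=binary"}),
]

if __name__ == "__main__":
    for flagged in scan(SAMPLE):
        print("mismatch:", flagged)
```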
Does anyone else notice that this story has been posted before, many times, with only slight variations each time?
What's in a Sig?
What kind of steps can people use to protect themselves now?
If you really want to toggle IE into secure mode you just need to click the little "X" in the top right corner of the window.
Slashdot? Oh, I just read it for the articles.
Well, apparently you didn't read the new EULA for IE... it turns out it isn't free, it only costs your soul.
Don't trust a bull's horn, a doberman's tooth, a runaway horse or me.
There must have been a huge party at FBI headquarters on Nov 19 (when this was reported to MSFT) since they finally had a viable delivery system for Magic Lantern.
post a link to the picture of 'another gaping security hole'.
--
The Cap is nigh. Time to get a fresh new account.
1) Take MS exploit.
2) Rail about security through obscurity. Ignore similar linux issues.
3) Rail about how long a bug has been open. Ignore similar linux issues.
4) Ignore the linked article, and claim something stupid. In this case that MS isn't in a hurry to release a patch when in fact they have been testing a patch.
5) Jump to conclusions, like " It's a fundamental design issue".
6) Somehow tie the whole thing into the anti-trust suit.
Did I miss anything?
I'd really like to know. Currently my choices are:
1. Stop thinking about this question entirely. No, really, stop thinking about it. Try really hard... whoops, I thought about it again.
2. Believe what the law student says, unless he's contradicted by an equally plausible source.
3. Believe the "It's legal to download ROMs if you delete them within 24 hours" type rumors that get spread around the internet by the legally ignorant.
4. Hire a real lawyer to talk to for hundreds of dollars.
I'm sure law school grads (including your ethics lecturer) would love option 2 to be unavailable, but I'm just not seeing a superior alternative here.
** Please restart Windows so changes can take effect
Linux has detected a 1997 device. Please recompile your kernel with the correct command line options so changes can take effect.
Love And Kisses,
BiffJerky the Troll
If you try that on a Windows machine, make sure you don't have .bat files set as server-side executables.
You'd be just as likely to kill your server's hard drive while the user got a nice web page that said "please wait, unpacking..."
autopr0n is like, down and stuff.
[Scene: Historical tour of the Web, 2053]
[Commentator: "And here we have another example of an irrational, intellectually empty text contribution to the website known as 'Slashdot.org'. It was commonly referred to as a 'pro-Microsoft rant', something that occurred more and more frequently after the website became increasingly popular. It was said that the increased popularity attracted more Microsoft 'fanboys' and ultimately led to its demise."]
[Audience. Sound of digital cameras taking pictures]
I'll bet that the patch will be available by the spring.
(Note - I'm specifying neither the hemisphere nor the year.)
Liquor
Sanity is a highly overrated commodity.