Another Gaping Microsoft Security Hole Goes Unpatched
For readers who care, this vulnerability results from Microsoft's integration of IE and the operating system. Files received via HTTP are supposed to be handled by examining the Content-Type header sent by the webserver - for instance, the Content-Type sent with this webpage is "text/html", identifying it as a text (non-binary) document which is marked up with HTML.
Netscape and most other browsers have no problem with this.
You will notice, however, that this method is rather different than how a Microsoft operating system determines how to handle a local file - by its three-letter extension. A file named "foo.txt" is handled as a text file, even if it is a binary image file that has been renamed for some reason.
Now, what happens when you integrate your web browser and your local browsing, say to render moot an anti-trust suit filed against your company? Will local files get a Content-Type? Will remote files be handled by examining their file extension?
IE handles files in an odd mish-mash of looking at the Content-Type sometimes for some purposes, looking at file extension sometimes for some purposes. It's hardly surprising that the bug-hunter in the above story has found a way to feed it a Content-Type at odds with the file extension - the Content-Type may be innocuous, but the extension says "execute me", so when the "integrated" IE engine gets ahold of it, the malicious content is automatically executed.
Now Microsoft has a problem. Because they chose to ignore the standard for handling downloaded files, Microsoft has painted themselves into a corner. If Microsoft suddenly changes how their browser handles downloaded files, tens of thousands (perhaps hundreds of thousands? any webpage which downloads files) of webpages "designed for IE" will have to be rewritten. No doubt this is the issue their programmers are wrestling with right now. It's a fundamental design issue - Microsoft designed their web browser with the goal of doing what was best for Microsoft (evading anti-trust charges) rather than doing what was best for their users. In fact a proper "fix" of this hole probably involves de-integrating their browser and local file handling to some extent.
If you routinely browse with Internet Explorer or read mail with Outlook, keep in mind that any web page you visit or any email you open can take over your computer, steal sensitive files, destroy your machine, anything. This has been true for at least two and a half years. And keep in mind that you can't fix the problem, you must rely on Microsoft to do it, if they so choose. And keep in mind that Microsoft is in no hurry to do anything about it, because it doesn't even consider it a vulnerability. Happy browsing!
80% of the web.
If you routinely browse with Internet Explorer or read mail with Outlook, keep in mind that any web page you visit or any email you open can take over your computer, steal sensitive files, destroy your machine, anything.
This is just not true. You specifically have to download things before they can do anything using IE and if you are dumb enough to use outlook and let it have the ability to execute file attachments automatically, you deserve what you get.
You ask if there is any toggle in IE? Did you read the article because it explained in there that there is indeed a toggle you can flip. Basically you have to turn off file downloads to protect yourself.
Your virus scanner will do little good when someone can cause your computer to download and run any executable the malicious website owner wants... all they need do is make your computer run a file that isn't a known virus and won't set off any of the general protection features in an antivirus program, which should still allow them to completely ravage your files.
"Reality is just a convenient measure of complexity" -Alvy Ray Smith
According to the article, the issue only comes up if you are prompted to save/download a file, and choose to open it from its current location. The file may appear to be a .txt or whatever, but if you open it from its current location you can't know for sure whether it's an executable.
The suggested solution is to never open from the current location. Choose save instead, which will reveal the real file type.
But the file is identified as file.txt or whatever. There's no indication that it's an executable file. Done properly, this could fool any IE user.
There are those who don't have the choice all the time. Corporate policy may standardize on IE due to its being "free" with Windows. Never mind that it means more time for patching or cleanup or tweaking a firewall.
I like Opera. I use registered Opera at home. But at work.. it's IE. Changing employers over a browser is not a serious option. (Besides, they're finally seeing the light - looking for non Microsoft solutions where they can. The problem is the lock-in of MS proprietary file formats that people use instead of open, documented formats.)
"If this bug in IE has really been around for two and a half years, how is it that no one has stumbled on to it until now?"
You are making the classic mistake of assuming that the first one to publicize the vulnerability is the first one to have found it. A malicious cracker could have known about the problem long before it was made public and exploited it silently.
That classic mistake is what is wrong with "security by obscurity." There is no guarantee that what is obscure to the general public is obscure to the bad guys.
There use to be no such thing as an e-mail virus either until Microsoft came along and decided to give us one.
Yeah, the sendmail worm didn't even require user intervention.
The vulnerability was posted to Bugtraq on Nov. 26. One person tried to reproduce it the same day and failed. Its discoverer, Jouko Pynnonen, pointed out on bugtraq later the same day that:
Considering Microsoft's obstructionist response ("it's not a vulnerability, we'll fix it when we fix it, stop asking questions"), Jouko has been very kind not to publish any additional information about his discovery.
Nevertheless, other people tried to reproduce the exploit and succeeded. Jonathan G. Lampe posted on Nov. 29:
I'd say the odds are pretty good that this is already being exploited in the wild.
There was some discussion of whether IE6 was vulnerable in the same way as IE5; the published exploit didn't seem to work on IE6. Jouko had originally commented that "Internet Explorer 6 is exploitable in a slightly different way, but the effect is the same."
The upstream comment is 100% pure bullshit.
When you're using Netscape or Lynx and the URL starts with "http:", it's speaking HTTP. It can use that protocol to send whatever type of data the server wants to send - text/html, application/x-pdf, whatever. You seem to be confusing HTTP and HTML - the communications protocol and what's being communicated.
Meanwhile, the canonical way to identify the type of a file on a Unix system is to look for "magic numbers," and then hopefully verify them by parsing what you think is the header and making sure checksums are valid, values are sane, etc. Any Unix application developer that looks at the extension *alone* should usually be fired on the spot. (The sole exception is completely unstructured text where you have to use it as a hint, e.g., ".c" means C, ".cc" means C++.)
This isn't just a bad attitude, it reflects the fact that Unix tools have to deal with pipes and often don't have any filename (much less extension) associated with the data stream. If you require a file extension to understand what you have, you've crippled your application.
For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
- Copy your current explorer.exe, shell32.dll, comdlg32.dll, notepad.exe and wordpad.exe to a backup location in case things go haywire. (I've done this before on Windows 98 and ME boxes without problems, but it's always good to be safe).
- Insert the Windows 95 CD, and start a DOS prompt.
- From the prompt, enter:

    d:    (or whatever your CD drive is)
    cd win95
    extract /a /l c:\your\windows\desktop win95_02.cab comdlg32.dll explorer.exe shell32.dll notepad.exe wordpad.exe

- You should have the files listed above appear on your desktop. Now shut down into DOS mode, and copy the new shell32.dll and comdlg32.dll into your Windows SYSTEM directory, and copy explorer.exe, notepad.exe and wordpad.exe into your WINDOWS directory, and reboot Windows. (If you're using ME, you can go into c:\windows\system.ini and change your shell to taskman.exe in order to be able to replace explorer and the other system files)
Your system should come up with the old Windows 95 shell, which doesn't have any of the IE integration bullshit. IE will still launch as a separate application (with an Office-style splash screen, even!) and since the IE dll's aren't stuck in your memory all the time, your system should be a bit faster too.
Of course, after doing this, the next step is to replace your browser, but that goes without saying. :-)
Loneliness is a power that we possess to give or take away forever
the problem is that someone can tell your browser (via header information) that the file you are downloading is named (for example) "blah.txt", and actually send you "virus.exe".
IE prompts the user to open/download blah.txt - most people would click "open", and it then spawns the downloaded virus.exe.
the correct filename is displayed once you get to the "save as" box, however most people would just open .txt files (for example) without bothering to click "save".
there are conflicting reports that ie 6 may/may not be vulnerable - the latest is that if you did a minimal install over the top of ie5, it may be (due to the fact that it didn't replace certain components of IE5.x)..
I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
stew77 asks:
who's using IE anyway?
Roughly 85% of people surfing are using Internet Explorer. With computer software, there's a lot to be said for "It's preinstalled so I don't have to do anything to get it". Otherwise, I'm positive their share would be much smaller.
----
Open mind, insert foot.
IE won't launch a file that is declared as a .EXE by the HTML header without asking permission. What we're saying here is that IE doesn't check the TLE of the file it downloads, just the type declared in HTML. So IE thinks it passed a text file to the OS, and doesn't pop a warning of a possible malicious executable.
However, once the OS gets a hold of it, it looks at the TLE and says, "Executable! Gotta run it!" And if the code slags your hard drive, you're just SOL.
--Fesh
Kill -9 'em all, let root@localhost sort 'em out.
Those of you who read the articles will consider this redundant, but I've seen so many different interpretations of how the exploit works (and many wrong ones modded up), so I thought I'd clear it up:
You make a trojan or other malicious executable, and name it 'something.txt'. Then you make your HTTP server tell browsers that this file has content type 'application/octet-stream'. IE will read the content type header and realize that it's an executable, and ask you if you want to open it or download it. But since the file name indicates a text file, there's absolutely no indication that a program will be executed if you choose "open".
DISCLAIMER: I haven't tried this. This is just my interpretation of what I've read in the various articles. Also note that some versions of IE will use the word "execute" instead of "open" in the pop-up dialog, which might help tip some users off.
-- If no truths are spoken then no lies can hide --
The article in question is available here:
SecurityFocus Mail List Archive - File Extensions Spoofable in MSIE download dialog
Also a story about it here, http://www.theregister.co.uk/content/4/23223.html
I've had it installed at work for a week now and do just fine without all the images and special formatting of spam.
"I have a cunning plan..."
Mozilla has gestures as well.
We're going to make information free Mr. Anderson, whether you like it, or not.
Honestly? I seriously would recommend browsing the web only with Mozilla. I had been using IE, but I switched to mozilla full time after 0.9.1 (except for work related browsing on my company's web pages, which are written exclusively for IE browsing.) It's been buggy, it's still a little buggy, but I haven't had many real showstoppers because of it. And no one's published any attacks yet, but because it's NOT integrated into the OS, I'm somewhat less concerned about the damage it's capable of causing.
If you're stuck with IE, then might I recommend a proxy filter such as The Proxomitron? You can modify the incoming http headers to do anything you want, including altering file extensions!
John
I have to plug something here.
:-)
Check out the procmail-based scanner at impsec.org
If you can set it up, do so - it's saved my ass quite a few times, by mangling active html content and renaming file extensions etc. It can also scan M$ docs for sus looking macros.
The following is something I received today that would slip through otherwise (notice the original content-type)
> SECURITY WARNING!
>
> The mail system has detected that the following
> attachment may contain hazardous program code, is
> a suspicious file type, or has a suspicious file name.
> Do not trust it. Contact your system administrator immediately.
>
> X-Content-Security: [www.ccimackay.com] original Content-Type was audio/x-wav;
> Content-Type: application/octet-stream; name="HUMOR.MP3.27525DEFANGED-scr"
> Content-Transfer-Encoding: base64
> Content-ID:
>
End of blatant plug
You are in a twisty maze of processor lines, all alike.
There is a lot of hype here.
That's a little like saying "an unlocked door is only insecure if a burglar enters through it," isn't it? Your computer is open and insecure; the existence or non-existence of special trickery sites is irrelevant, especially considering how little we can trust existing sites (some high-profile site gets cracked/subverted every few months at least) or even existing certificates (cf. the recent M$/Verisign debacle). The point is that having a broken security model is unjustifiable, and to claim that a breach this large is not a big deal because someone is unlikely to stumble across an exploit page is irresponsible at best and blatant shilling at worst.
Here is a site with some more info on the SliMP3:
http://www.mp3newswire.net/stories/2001/slimp3.html
It has a bit more detail on the unit and a picture of it working. Quite an impressive piece of hardware.
--------------------------------------
58.0% slashdot corrupt
Read my journal entry about how I got this data, or just look at the table (that cannot be formatted properly because the lameness filter is the most useless piece of crap that Slashdot has ever forced upon its readers - I'm glad you guys are all about free speech online!! - so use the linked journal where the formatting was accepted and don't forget to continuously annoy CmdrTaco about this annoying "feature" to protect us from the oh-so-evil trolls):
Browser Actually Used By Slashdotters
Galeon:             1511 (3.00%)
iCab:                  9 (0.02%)
Konqueror:          4149 (8.25%)
Lynx:                  6 (0.01%)
Internet Explorer: 24885 (49.47%)
Mozilla:            9340 (18.57%)
Netscape:           3756 (7.47%)
OmniWeb:             190 (0.38%)
Opera:              3267 (6.50%)
Other:              3187 (6.34%)
Note: Other contains browsers whose User-Agents could not be parsed. It may contain valid browsers, but for the most part is either badly formed User-Agent strings or unknown User Agents.
It has to be noted again that this data is not statistically accurate: it was taken directly off of hits, and is biased towards browsers that automatically download images (in other words, every hit counted - the values didn't take into account which hits were hits to the images linked to on the page).
Also, some other people decided to ... uh, borrow ... the mirror and so some of the links come from other sources that aren't Slashdot. I forget if I filtered those or not, but...
If anyone's interested, I suppose I could try and fix up the Perl scripts used to calculate that data. I have some pretty pie charts on my harddrive that I could put up somewhere too, although they are for the most part useless...
You are in a maze of twisty little relative jumps, all alike.
An argument that proceeds from false premises is flawed no matter how logical its conclusions may seem. The specific flaws in these premises are:
... the "ptrace() 'bug'" ... how the Microsoft apologists LOVE that one. A design flaw, rather than a true "bug". There is absolutely NO evidence that this vulnerability has ever been exploited, yet, please allow me to ask you one question ... the ptrace() system call worked exactly as designed ... that the design was flawed ... well, no one's perfect ... believe it or not, I even cut Microsoft some slack on design flaws unless the flawed design is so totally bone-headed that a freshman Comp Sci student wouldn't have done it that way.
... HOW LONG was it, after the design flaw became known, that the flaw was fixed and new releases made to fix it. A day or two?
2) Rail about security through obscurity. Ignore similar [slashdot.org] linux issues [slashdot.org].
The first link is to a story that questions Alan Cox's decision not to expose himself to a Sklyarov-type persecution under the DMCA by revealing the reasons for certain security bugfixes in a kernel patch-level release. Despite the fact that Alan didn't reveal the specific nature of the bug that was fixed, the bug was, in fact, fixed.
The second link refers to a remotely root-exploitable hole in wu-ftpd. Although almost every Linux distribution includes wu-ftpd, it is well-known as a source of security problems, and in those distros where it is installed and enabled by default the distributor usually takes fair pains to make sure that it is installed as securely as the state of reasonable knowledge of its problems allows. Also, IIRC, wu-ftpd also runs under Windows, where it serves the function of being an alternative to IIS's ftp server functionality. At this moment, I don't have the time to research the irrefutable facts, but my anecdotal impression, which comes from my experience as both a Windows and Unix admin, indicates that the score in the IIS vs. Apache + wu-ftpd exploit game is more than a little lopsided in favor of IIS being the cracker's friend.
3) Rail about how long a bug has been open. Ignore similar linux issues [slashdot.org].
Ah yes
Now for the question
utter rubbish
Any Mac OS X users interested in changing Apple's policies on file extensions should see the Mac OS X Metadata Petition. Yes, online petitions normally don't count for much, but John Siracusa has been very active in trying to get Apple to rethink this subject.
How to solve most of our problems: 1.Lots of nuclear plants. 2.Cure aging.
Exactly! You can't put scripting and cookies in a Slashdot comment, yet you're still allowed to format it with HTML.
I've never got an HTML email that wasn't advertising, and worse, most of them make your browser dial again to get the non-embedded images.
If email wants to be pretty, it should look at Yahoo's IMVironments for ideas.
(Sorry this was about outlook not IE!)
URL: http://autopr0n.com/random.txt.
Mime type: application/octet-stream
Actual type: text file
Action: shows up in IE as a regular text file.
Now, when you take a real .exe file, rename it to .txt, and then send it as application/octet-stream IE will prompt to download/open, and if you click open it will open it in notepad. For example
URL: http://autopr0n.com/random.txt.
Mime type: application/octet-stream
Actual type: win32 executable (shows you how long your computer has been running, actually)
autopr0n is like, down and stuff.
First of all: Test what? Details of the bug have not been released. So only your own arrogance validates your "test" of this bug.
Second of all: The harm in this bug lies in IE asking the user if he wants to open a file of one type (i.e. Text, which is safe), and then proceeding to run malicious code.
Now this bug may not pose any threat to reasonably intelligent people, but I think we all know that the internet (and IE users even moreso) is not comprised solely of reasonably intelligent people. Hell, it might even get me, if I was an IE user. Why waste time/space downloading a txt file when I can open it in the browser? Trust issues? Who worries about whether or not to trust a txt file? Text is harmless, as long as it's treated as text.
Nothing to see here. Move along.
DUH.. think about program crashes OS; gotta be Windows®. If program causes death spiral that takes 2 hrs. for system to become unresponsive, that's probably linux/unix.
I've never had a system crash in 6 years of using linux®, sure I've had plenty of program crashes, I've had a few X windows lockups, two so bad I had to telnet in from the LAN to kill X-Windows to get the system back; but never a system crash.
I've never ever had a program execute without explicit permission to execute in Linux®. This new (2 1/2 year old) security vulnerability in Microsoft Windows® systems definitely makes all of those script-kiddies look pretty stupid, they've been using things as crude as viruses all of this time.
Apocalypse Cancelled, Sorry, No Ticket Refunds
still no.
you can send an executable file, and tell the browser that the filename is "readme.txt" and the content-type is, er, executable whatever.
For the purposes of the security dialog, it's readme.txt, you get the Open/Save box, not the Run/Save security warning box, and the name shows as readme.txt. But if you select Open, when it downloads, *poof* it runs the exe.
Basically.
This is all just more of the same. I have come to expect it from MS.
My experience with this is that certain web hosting providers (ConcordEFS, today's ebiz) refuse to send correct content-type headers for flash animations, since it "works in IE"(tm).
IE will guess the content type, and ignore what the server says -- real web browsers listen to the server. So it makes admins lazy, makes MS's browser monopoly stronger, and makes other browsers look broken.
I just wish that the people who don't think MS is a monopoly, abusing their power, had to deal with these little monopolistic tactics every day. If they did, then MS would be no more.
I've had enough abrasive sigs. Kittens are cute and fuzzy.
And it isn't braindead enough to open a new main window just for each page you open.
And it makes it as easy as possible to turn on/off javascript/java/images.
And navigating the config isn't slow as fuck.
And it doesn't keep the history and cache in secret cryptic directories.
And it has a separate window dedicated to downloading files, so you don't have a little pop-up window for every downloading file cluttering up the place.
And when a download breaks you can select "resume".
Opera kicks the shit out of IE in every factor save price.
While they don't give specifics on which extension/content type combo exhibits the behaviour, I don't believe it would be too difficult to test. I remember reading an old MSDN article explaining how to spoof mime types to force IE to render your content using an unexpected application.
At any rate, here is an article explaining the tests IE uses to determine the mime type. Furthermore, one can manipulate the mime type reported by an IIS server simply by changing the text listed in the Folder Options > File Types property page in Explorer on the web server.
BRENT ROCKWOOD, EST'd 1975
I ran into an interesting passport issue today.
When you create a hotmail account, it also creates a passport account as well. But, after that initial creation, the 2 accounts are not tied together.
Hotmail will disable any account that hasn't been accessed in 60 days, BUT, it does not disable the passport account at the same time. So, if I create an account with hotmail, and use it mainly as a passport for buying stuff on websites, and I don't check my hotmail account for a while, it gets disabled. The problem is, I can still use that login to access passport.
Now, the even bigger problem, is that someone else can go to hotmail, and create the same account that I did (because mine was disabled) and the new password they chose for the hotmail account will affect the passport account. So, in essence, I just got my passport account stolen from me.
And with stuff like this going on, they really want me to use passport. I really don't have a problem with entering my credit card info manually, if it is going to stop people from stealing stuff, or using the card without my knowledge.
Anyway, I'm sure we will see more of this in the future, I hope the best for the liberty alliance..
this is too easy, I am not a programmer (unless html counts) but I do have an Apache/PHP setup and was able to test this out. get php to process .txt files in your php.conf file like so:

    # hand .txt to the PHP handler alongside the usual PHP extensions
    AddType application/x-httpd-php .php .php4 .php3 .phtml .txt
    AddType application/x-httpd-php-source .phps

then create a whatever.txt file like so:
put the readme.txt file in your webroot, along with the exe file you want to execute.
user gets: "you've chosen to download readme.txt..." and picks "open from current location"
instead calc.exe is executed as evidenced by the calculator opening on my workstation when I tested it.
dude this is way too easy. Someone who is a programmer could easily display a text document in addition to installing a rootkit/virus/trojan, and end user would be none the wiser.
good thing this information hasn't been released to the public.....doh!!!!
Basically, the first 256 bytes of the file are scanned, and compared with the Content-Type header. If the two results do not agree, the scanned type is used. If the scanned type is ambiguous, and the file is binary, then the user is prompted to save or execute the file. If the file is text, it is displayed.
Now, can someone explain what is wrong with these instructions that would cause executable content to be automatically executed? The text even gives an example of a file extension of .DLL and .BAT, and how those would be handled.
In addition, this is how IE determines MIME types. It does not completely ignore the supplied Content-Type, but it might as well. Primarily, it is examining the first 256 bytes of the file to determine if it is a known type. So unless you can disguise an executable with an mpeg header or something, you're not going to be able to get native code to automatically run without a prompt.
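The check this whole thread circles around is that a browser has three independent claims about a downloaded file: the Content-Type header the server sent, the extension of the name it shows in the dialog (from the URL, as in the readme.txt/calc.exe Apache test and the autopr0n test above), and the first bytes of the body (the "magic numbers" of the Unix comment, or the 256-byte scan the post just above describes). The bug is a dialog that trusts the first two while the launcher trusts the last two. The following is an added example, not IE's logic, Jouko's proof of concept, or the procmail sanitizer's source: it sniffs the body, reports every disagreement between the three claims, and renames a dangerous file the way the quoted sanitizer warning does. The signature table, the 256-byte window, the printable-ASCII text test, the DEFANGED naming, the proxy-side header parser and all sample bodies are assumptions of this example.

```python
"""Added example: do the header, the file name and the bytes agree?"""
import os
from typing import Dict, List, Tuple

SNIFF_LEN = 256  # assumed window, matching the post above

# (prefix, MIME to report, runs as native code or script).  Assumed table, not IE's.
MAGIC: List[Tuple[bytes, str, bool]] = [
    (b"MZ", "application/x-msdownload", True),       # DOS/Windows executable
    (b"\x7fELF", "application/x-executable", True),
    (b"#!", "text/x-script", True),                  # interpreter line
    (b"\x89PNG\r\n\x1a\n", "image/png", False),
    (b"GIF87a", "image/gif", False),
    (b"GIF89a", "image/gif", False),
    (b"%PDF-", "application/pdf", False),
    (b"PK\x03\x04", "application/zip", False),
]
# Extensions a Windows shell hands straight to a launcher (assumed list).
EXECUTABLE_EXTS = {".exe", ".com", ".bat", ".cmd", ".pif", ".scr", ".dll"}
TEXT_BYTES = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}


def sniff(body: bytes) -> Tuple[str, bool]:
    """Guess a MIME type from the leading bytes; return (type, is_executable)."""
    head = body[:SNIFF_LEN]
    for prefix, mime, executable in MAGIC:
        if head.startswith(prefix):
            return mime, executable
    if head and all(b in TEXT_BYTES for b in head):
        return "text/plain", False            # printable ASCII only: treat as text
    return "application/octet-stream", False  # binary we do not recognise


def assess(filename: str, declared_type: str, body: bytes) -> Dict[str, object]:
    """Compare header, extension and magic bytes; list every disagreement."""
    ext = os.path.splitext(filename)[1].lower()
    declared = declared_type.split(";")[0].strip().lower()
    sniffed, exec_by_magic = sniff(body)
    exec_by_ext = ext in EXECUTABLE_EXTS
    findings: List[str] = []
    if exec_by_magic and not exec_by_ext:       # the IE dialog case: runs, but looks harmless
        findings.append(f"executable content behind a '{ext or '(none)'}' name")
    if declared.startswith("text/"):
        if sniffed != "text/plain":             # any printable body is acceptable as text/*
            findings.append(f"declared {declared} but body sniffs as {sniffed}")
    elif declared not in ("", "application/octet-stream") and \
            sniffed not in (declared, "application/octet-stream"):
        findings.append(f"declared {declared} but body sniffs as {sniffed}")
    return {"extension": ext, "declared": declared, "sniffed": sniffed,
            "dangerous": exec_by_magic or exec_by_ext, "findings": findings}


def defang(filename: str, report: Dict[str, object]) -> str:
    """Rename so no shell maps the name to an executable handler (NAME.DEFANGED-ext)."""
    if not report["dangerous"]:
        return filename
    base, ext = os.path.splitext(filename)
    return f"{base}.DEFANGED-{ext.lstrip('.')}" if ext else f"{filename}.DEFANGED"


def assess_response(url_path: str, raw: bytes) -> Dict[str, object]:
    """Proxy-side entry point: take Content-Type, the dialog name and the body from a raw HTTP response."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.decode("latin-1").split("\r\n")[1:]:   # skip the status line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    name = url_path.rsplit("/", 1)[-1]     # what the dialog shows without Content-Disposition
    disp = headers.get("content-disposition", "")
    if "filename=" in disp:
        name = disp.split("filename=", 1)[1].strip().strip('"')
    return assess(name, headers.get("content-type", ""), body)


# Constructed sample bodies, not real files.
FAKE_EXE = b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00" + b"\x00" * 48
PLAIN_TEXT = b"Hello, this is an ordinary text file.\r\n"
FAKE_PNG = b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR" + b"\x00" * 20
RAW_RESPONSE = (b"HTTP/1.0 200 OK\r\nContent-Type: application/octet-stream\r\n"
                b"Content-Length: 64\r\n\r\n" + FAKE_EXE)

if __name__ == "__main__":
    for fn, ct, body in [("readme.txt", "application/octet-stream", FAKE_EXE),
                         ("random.txt", "application/octet-stream", PLAIN_TEXT),
                         ("HUMOR.MP3.scr", "audio/x-wav", FAKE_EXE),
                         ("notes.txt", "text/plain", FAKE_PNG)]:
        r = assess(fn, ct, body)
        print(fn, "->", defang(fn, r), r["findings"])
    print(assess_response("/readme.txt", RAW_RESPONSE)["findings"])
```

Note that `application/octet-stream` is treated as "no claim": the readme.txt case is flagged purely because the magic bytes say executable while the name says text, which is exactly the disagreement the dialog fails to surface. The notes.txt case shows the opposite direction (a text/* header on a binary body) being reported without being marked dangerous, so a proxy or mail filter can decide separately whether to block or merely rename.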