Slashdot Mirror
Another Gaping Microsoft Security Hole Goes Unpatched
For readers who care, this vulnerability results from Microsoft's integration of IE and the operating system. Files received via HTTP are supposed to be handled by examining the Content-Type header sent by the webserver - for instance, the Content-Type sent with this webpage is "text/html", identifying it as a text (non-binary) document which is marked up with HTML.
Netscape and most other browsers have no problem with this.
You will notice, however, that this method is rather different than how a Microsoft operating system determines how to handle a local file - by its three-letter extension. A file named "foo.txt" is handled as a text file, even if it is a binary image file that has been renamed for some reason.
Now, what happens when you integrate your web browser and your local browsing, say to render moot an anti-trust suit filed against your company? Will local files get a Content-Type? Will remote files be handled by examining their file extension?
IE handles files in an odd mish-mash of looking at the Content-Type sometimes for some purposes, looking at file extension sometimes for some purposes. It's hardly surprising that the bug-hunter in the above story has found a way to feed it a Content-Type at odds with the file extension - the Content-Type may be innocuous, but the extension says "execute me", so when the "integrated" IE engine gets ahold of it, the malicious content is automatically executed.
Now Microsoft has a problem. Because they chose to ignore the standard for handling downloaded files, Microsoft has painted themselves into a corner. If Microsoft suddenly changes how their browser handles downloaded files, tens of thousands (perhaps hundreds of thousands? any webpage which downloads files) of webpages "designed for IE" will have to be rewritten. No doubt this is the issue their programmers are wrestling with right now. It's a fundamental design issue - Microsoft designed their web browser with the goal of doing what was best for Microsoft (evading anti-trust charges) rather than doing what was best for their users. In fact a proper "fix" of this hole probably involves de-integrating their browser and local file handling to some extent.
If you routinely browse with Internet Explorer or read mail with Outlook, keep in mind that any web page you visit or any email you open can take over your computer, steal sensitive files, destroy your machine, anything. This has been true for at least two and half years. And keep in mind that you can't fix the problem, you must rely on Microsoft to do it, if they so choose. And keep in mind that Microsoft is in no hurry to do anything about it, because it doesn't even consider it a vulnerability. Happy browsing!
80% of the web.
If you routinely browse with Internet Explorer or read mail with Outlook, keep in mind that any web page you visit or any email you open can take over your computer, steal sensitive files, destroy your machine, anything.
This is just not true. You specifically have to download things before they can do anything using IE and if you are dumb enough to use outlook and let it have the ability to execute file attachments automatically, you deserve what you get.
Your virus scanner will do little good when someone can cause your computer do download and run any executable the malicious website owner wants... all they need do is make your computer run a file that isn't a known virus and won't set off any of the general protection features in an antivirus program, which should still allow them to completely ravage your files.
"Reality is just a convenient measure of complexity" -Alvy Ray Smith
"If this bug in IE has really been around for two and a half years, how is it that no one has stumbled on to it until now?"
You are making the classic mistake of assuming that the first one to publicize the vulnerability is the first one to have found it. A malicious cracker could have known about the problem long before it was made public and exploited it silently.
That classic mistake is what is wrong with "security by obscurity." There is no guarantee that what is obscure to the general public is obscure to the bad guys.
The vulnerability was posted to Bugtraq on Nov. 26. One person tried to reproduce it the same day and failed. Its discoverer, Jouko Pynnonen, pointed out on bugtraq later the same day that:
Considering Microsoft's obstructionist response ("it's not a vulnerability, we'll fix it when we fix it, stop asking questions"), Jouko has been very kind not to publish any additional information about his discovery.
Nevertheless, other people tried to reproduce the exploit and succeeded. Jonathan G. Lampe posted on Nov. 29:
I'd say the odds are pretty good that this is already being exploited in the wild.
There was some discussion of whether IE6 was vulnerable in the same way as IE5; the published exploit didn't seem to work on IE6. Jouko had originally commented that "Internet Explorer 6 is exploitable in a slightly different way, but the effect is the same."
The upstream comment is 100% pure bullshit.
When you're using Netscape or Lynx and the URL starts with "http:", it's speaking HTTP. It can use that protocol to send whatever type of data the server wants to send - text/html, application/x-pdf, whatever. You seem to be confusing HTTP and HTML - the communications protocol and what's being communicated.
Meanwhile, the canonical way to identify the type of a file on a Unix system is to look at for "magic numbers," and then hopefully verify them by parsing what you think is the header and making sure checksums are valid, values are sane, etc. Any Unix application developer that looks at the extension *alone* should usually be fired on the spot. (The sole exception is completely unstructured text where you have to use it as a hint, e.g., ".c" means C, ".cc" means C++.)
This isn't just a bad attitude, it reflects the fact that Unix tools have to deal with pipes and often don't have any filename (much less extension) associated with the data stream. If you require a file extension to understand what you have, you've crippled your application.
For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
stew77 asks:
who's using IE anyway?
Roughly 85% of people surfing are using Internet Explorer. With computer software, there's alot to be said for "It's preinstalled so I don't have to do anything to get it". Otherwise, I'm positive their share would be much smaller.
----
Open mind, insert foot.
IE won't launch a file that is declared as a .EXE by the HTML header without asking permission. What we're saying here is that IE doesn't check the TLE of the file it downloads, just the type declared in HTML. So IE thinks it passed a text file to the OS, and doesn't pop a warning of a possible malicious executable.
However, once the OS gets a hold of it, it looks at the TLE and says, "Executable! Gotta run it!" And if the code slags your hard drive, you're just SOL.
--Fesh
Kill -9 'em all, let root@localhost sort 'em out.
Those of you who read the articles will consider this redundant, but I've seen so many different interpretations of how the exploit works (and many wrong ones modded up), so I thought I'd clear it up:
You make a trojan or other malicious executable, and name it 'something.txt'. Then you make your HTTP server tell browsers that this file has content type 'application/octet-stream'. IE will read the content type header and realize that it's an executable, and ask you if you want to open it or download it. But since the file name indicates a text file, there's absolutely no indication that a program will be executed if you choose "open".
DISCLAIMER: I haven't tried this. This is just my interpretation of what I've read in the various articles. Also note that some versions of IE will use the word "execute" instead of "open" in the pop-up dialog, which might help tip some users off.
-- If no truths are spoken then no lies can hide --
Also a story about it here, http://www.theregister.co.uk/content/4/23223.html
I've had it installed at work for a week now and do just fine without all the images and special formatting of spam.
"I have a cunning plan..."
Honestly? I seriously would recommend browsing the web only with Mozilla. I had been using IE, but I switched to mozilla full time after 0.9.1 (except for work related browsing on my company's web pages, which are written exclusively for IE browsing.) It's been buggy, it's still a little buggy, but I haven't had many real showstoppers because of it. And no one's published any attacks yet, but because it's NOT integrated into the OS, I'm somewhat less concerned about the damage it's capable of causing.
If you're stuck with IE, then might I recommend a proxy filter such as The Proxomitron? You can modify the incoming http headers to do anything you want, including altering file extensions!
John
John
I have to plug something here.
:-)
Check out the procmail-based scanner at impsec.org
If you can set it up, do so - it's saved my ass quite a few times, by mangling active html content and renaming file extensions etc. It can also scan M$ docs for sus looking macros.
The following is something I received today that would slip through otherwise (notice the original content-type)
> SECURITY WARNING!
>
> The mail system has detected that the following
> attachment may contain hazardous program code, is
> a suspicious file type, or has a suspicious file name.
> Do not trust it. Contact your system administrator immediately.
>
> X-Content-Security: [www.ccimackay.com] original Content-Type was audio/x-wav;
> Content-Type: application/octet-stream; name="HUMOR.MP3.27525DEFANGED-scr"
> Content-Transfer-Encoding: base64
> Content-ID:
>
End of blatant plug
You are in a twisty maze of processor lines, all alike.
There is a lot of hype here.
That's a little like saying "an unlocked door is only insecure if a burglar enters through it," isn't it? Your computer is open and insecure; the existence or non-existence of special trickery sites is irrelevant, especially considering how little we can trust existing sites (some high-profile site gets cracked/subverted every few months at least) or even existing certificates (cf. the recent M$/Verisign debacle). The point is that having a broken security model is unjustifiable, and to claim that a breach this large is not a big deal because someone is unlikely to stumble across an exploit page is irresponsible at best and blatant shilling at worst.
Read my journal entry about how I got this data, or just look at the table (that cannot be formatted properly because the lameness filter is the most useless piece of crap that Slashdot has ever forced upon its readers - I'm glad you guys are all about free speech online!! - so use the linked journal where the formatting was accepted and don't forget to continously annoy CmdrTaco about this annoying "feature" to protect us from the oh-so-evil trolls):
Browser Actually Used By Slashdotters
Galeon: 1511 (3.00%)
iCab 9 (0.02%)
Konqueror 4149 (8.25%)
Lynx 6 (0.01%)
Internet Explorer 24885 (49.47%)
Mozilla 9340 (18.57%)
Netscape 3756 (7.47%)
OmniWeb 190 (0.38%)
Opera 3267 (6.50%)
Other 3187 (6.34%)
Note: Other contains browsers whose User-Agents could not be parsed. It may contain valid browsers, but for the most part is either badly formed User-Agent strings or unknown User Agents.
It has to be noted again that this data is not statistically accurate: it was taken directly off of hits, and is biased towards browsers that automatically download images (in other words, every hit counted - the values didn't take into account which hits were hits to the images linked to on the page).
Also, some other people decided to ... uh, borrow ... the mirror and so some of the links come from other sources that aren't Slashdot. I forget if I filtered those or not, but...
If anyone's interested, I suppose I could try and fix up the Perl scripts used to calculate that data. I have some pretty pie charts on my harddrive that I could put up somewhere too, although they are for the most part useless...
You are in a maze of twisty little relative jumps, all alike.
An argument that proceeds from false premises is flawed no matter how logical its conclusions may seem.The specific flaws in these premises are:
... the "ptrace() 'bug'" ... how the Microsoft apologists LOVE that one.A design flaw, rather than a true "bug". There is absolutely NO evidence that this vulnerability has ever been exploited, yet, please allow me to ask you one question ... the ptrace() system call worked exactly as designed ... that the design was flawed ... well, no one's perfect ... .believe it or not, I even cut Microsoft some slack on design flaws unless the flawed design is so totally bone-headed that a freshman Comp Sci student wouldn't have done it that way.
... HOW LONG was it, after the design flaw became known, that the flaw was fixed and new releases made to fix it.A day or two?
2) Rail about security through obscurity. Ignore similar [slashdot.org] linux issues [slashdot.org].
The first link is to a story that questions Alan Cox's decision not to expose himself to a Sklyarov-type persecution under the DMCA by revealing the reasons for certain security bugfixes in a kernel patch-level release.Despite the fact that Alan didn't reveal the specific nature of the bug that was fixed, the bug was, in fact, fixed.
The second link refers to a remotely root-exploitable hole in wu-ftpd.Although almost every Linux distribution includes wu-ftpd, it is well-known as a source of security problems, and in those distros where it is installed and enabled by default the distributor usually takes fair pains to make sure that it is installed as securely as the state of reasonable knowledge of its problems allows.Also, IIRC, wu-ftpd also runs under Windows, where it serves the function of being an alternative to IIS's ftp server functionality.At this moment, I don't have the time to research the irrefutable facts, but my anecdotal impression, which comes from my experience as both a Windows and Unix admin indicates that the score in the IIS vs. Apache + wu-ftpd exploit game is more than a little lopsided in favor of IIS being the cracker's friend.
3) Rail about how long a bug has been open. Ignore similar linux issues [slashdot.org].
Ah yes
Now for the question
utter rubbish
Any Mac OS X users interested in changing Apple's policies on file extensions should see the Mac OS X Metadata Petition. Yes, online petitions normally don't count for much, but John Siracusa has been very active in trying to get Apple to rethink this subject.
How to solve most of our problems: 1.Lots of nuclear plants. 2.Cure aging.
URL: http://autopr0n.com/random.txt.
.exe file, rename it to .txt, and then send it as application/octet-stream IE will prompt to download/open, and if you click open it will open it in notepad. For example
Mime type: application/octet-stream
Actual type: text file
Action: shows up in IE as a regular text file.
Now, when you take a real
URL: http://autopr0n.com/random.txt.
Mime type: application/octet-stream
Actual type: win32 executable (shows you how long your computer has been running, actually)
autopr0n is like, down and stuff.
DUH.. think about program crashes OS; gotta be Windows®. If program causes death spiral that takes 2 hrs. for system to become unresponsive, that's probably linux/unix.
I've never had a system crash in 6 yrears of using linux®, sure I've had plenty of program crashes, I've had a few X windows lockups, two so bad I had to telnet in from the LAN to kill X-Windows to get the system back; but never a system crash.
I've never ever had a program execute without explict permission to execute in Linux®. This new (2 1/2 year old) security vulnerabilty in Microsoft Windows® systems definately makes all of those script=kiddies look pretty stupid, they've been using things as crude as viruses all of this time.
Apocalypse Cancelled, Sorry, No Ticket Refunds
This is all just more of the same. I have come to expect it from MS.
My experience with this is that certain web hosting providers (ConcordEFS, today's ebiz) refuse to send correct content-type headers for flash animations, since it "works in IE"(tm).
IE will guess the content type, and ignore what the server says -- real web browsers listen to the server. So it makes admins lazy, makes MS's browser monopoly stronger, and makes other browsers look broken.
I just wish that the people who don't think MS is a monopoly, abusing their power, had to deal with these little monopolistic tactics every day. If they did, then MS would be no more.
I've had enough abrasive sigs. Kittens are cute and fuzzy.