Slashdot Mirror


Another Gaping Microsoft Security Hole Goes Unpatched

Newsbytes has a story about a critical vulnerability in all recent versions of Internet Explorer, which leaves your computer completely open any time you browse the web with IE. Microsoft has known about it since November 19; they refuse to provide any information about when a patch might be made available, if ever. This bug has been successfully handled by Microsoft's "Security through Obscurity" policies - since there's no public notice, Microsoft has no need to actually patch this hole which renders several hundred million computers vulnerable any time they access a web page or parse an HTML email.

For readers who care, this vulnerability results from Microsoft's integration of IE and the operating system. Files received via HTTP are supposed to be handled by examining the Content-Type header sent by the webserver - for instance, the Content-Type sent with this webpage is "text/html", identifying it as a text (non-binary) document which is marked up with HTML.

Netscape and most other browsers have no problem with this.

You will notice, however, that this method is rather different from how a Microsoft operating system determines how to handle a local file - by its three-letter extension. A file named "foo.txt" is handled as a text file, even if it is a binary image file that has been renamed for some reason.

Now, what happens when you integrate your web browser and your local browsing, say to render moot an anti-trust suit filed against your company? Will local files get a Content-Type? Will remote files be handled by examining their file extension?

IE handles files in an odd mish-mash, looking at the Content-Type for some purposes and at the file extension for others. It's hardly surprising that the bug-hunter in the above story has found a way to feed it a Content-Type at odds with the file extension - the Content-Type may be innocuous, but the extension says "execute me", so when the "integrated" IE engine gets hold of it, the malicious content is automatically executed.

Now Microsoft has a problem. Because they chose to ignore the standard for handling downloaded files, Microsoft has painted themselves into a corner. If Microsoft suddenly changes how their browser handles downloaded files, tens of thousands (perhaps hundreds of thousands? any webpage which downloads files) of webpages "designed for IE" will have to be rewritten. No doubt this is the issue their programmers are wrestling with right now. It's a fundamental design issue - Microsoft designed their web browser with the goal of doing what was best for Microsoft (evading anti-trust charges) rather than doing what was best for their users. In fact a proper "fix" of this hole probably involves de-integrating their browser and local file handling to some extent.

If you routinely browse with Internet Explorer or read mail with Outlook, keep in mind that any web page you visit or any email you open can take over your computer, steal sensitive files, destroy your machine, anything. This has been true for at least two and a half years. And keep in mind that you can't fix the problem; you must rely on Microsoft to do it, if they so choose. And keep in mind that Microsoft is in no hurry to do anything about it, because it doesn't even consider it a vulnerability. Happy browsing!

13 of 1,035 comments

  1. Re:Why this isn't MS's responsibility by 90XDoubleSide · · Score: 4, Informative

    Your virus scanner will do little good when someone can cause your computer to download and run any executable the malicious website owner wants... all they need do is make your computer run a file that isn't a known virus and won't set off any of the general protection features in an antivirus program, which should still allow them to completely ravage your files.

    --
    "Reality is just a convenient measure of complexity" -Alvy Ray Smith
  2. Re:hmm.. by aozilla · · Score: 5, Informative

    The exploit is another one that allows a content type to be set that will cause executable code to download and execute without user intervention.

    Hmm, did you read the story?

    Any way to skip all dialogs, i.e. to run an application without ANY dialog with this vulnerability has NOT been found. In all variations of the exploit there is always the normal file download dialog, but the following Security Warning dialog is skipped.
    --
    ok then your [sic] infringing on my copyright! Could you as [sic] me next time before STEALING my comments for your own?
  3. Re:Two and a half YEARS? by J.+J.+Ramsey · · Score: 5, Informative

    "If this bug in IE has really been around for two and a half years, how is it that no one has stumbled on to it until now?"

    You are making the classic mistake of assuming that the first one to publicize the vulnerability is the first one to have found it. A malicious cracker could have known about the problem long before it was made public and exploited it silently.

    That classic mistake is what is wrong with "security by obscurity." There is no guarantee that what is obscure to the general public is obscure to the bad guys.

  4. Re:Saw this thread on bugtraq by jamie · · Score: 5, Informative

    The vulnerability was posted to Bugtraq on Nov. 26. One person tried to reproduce it the same day and failed. Its discoverer, Jouko Pynnonen, pointed out on bugtraq later the same day that:

    Some details needed for reproducing and exploiting the flaw were left out of my posting because there is no good workaround or a patch available, and the flaw could be quite easily used maliciously. Using those details it would be relatively easy to create a worm that infects a system when a user "opens" a plain text file from an infected website, for instance. For the same reason there wasn't any test page URL included in my posting. That, and technical details will be published later.

    Considering Microsoft's obstructionist response ("it's not a vulnerability, we'll fix it when we fix it, stop asking questions"), Jouko has been very kind not to publish any additional information about his discovery.

    Nevertheless, other people tried to reproduce the exploit and succeeded. Jonathan G. Lampe posted on Nov. 29:

    I have confirmed Jouko Pynnonen's and StatiC's findings that IE 5.5 sp 2 allows executables to run as soon as a user has elected to open what appears to be a normally harmless ".txt" file. (IE 5.5 trusts the filename provided in the link over the filename suggested by the header's filename tag and/or the use of an "application/octet-stream" content type.)

    Here is the ASP equivalent code to StatiC's php tidbit...

    I'd say the odds are pretty good that this is already being exploited in the wild.

    There was some discussion of whether IE6 was vulnerable in the same way as IE5; the published exploit didn't seem to work on IE6. Jouko had originally commented that "Internet Explorer 6 is exploitable in a slightly different way, but the effect is the same."

  5. HTTP is not synonymous with HTML! by coyote-san · · Score: 5, Informative

    The upstream comment is 100% pure bullshit.

    When you're using Netscape or Lynx and the URL starts with "http:", it's speaking HTTP. It can use that protocol to send whatever type of data the server wants to send - text/html, application/x-pdf, whatever. You seem to be confusing HTTP and HTML - the communications protocol and what's being communicated.

    Meanwhile, the canonical way to identify the type of a file on a Unix system is to look for "magic numbers," and then hopefully verify them by parsing what you think is the header and making sure checksums are valid, values are sane, etc. Any Unix application developer that looks at the extension *alone* should usually be fired on the spot. (The sole exception is completely unstructured text where you have to use it as a hint, e.g., ".c" means C, ".cc" means C++.)

    This isn't just a bad attitude, it reflects the fact that Unix tools have to deal with pipes and often don't have any filename (much less extension) associated with the data stream. If you require a file extension to understand what you have, you've crippled your application.

    --
    For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
  6. Re:other browsers by Gleef · · Score: 4, Informative

    stew77 asks:

    who's using IE anyway?

    Roughly 85% of people surfing are using Internet Explorer. With computer software, there's a lot to be said for "It's preinstalled so I don't have to do anything to get it". Otherwise, I'm positive their share would be much smaller.

    --

    ----
    Open mind, insert foot.
  7. Re:Let's see.. by Fesh · · Score: 4, Informative

    IE won't launch a file that is declared as a .EXE by the HTML header without asking permission. What we're saying here is that IE doesn't check the TLE of the file it downloads, just the type declared in HTML. So IE thinks it passed a text file to the OS, and doesn't pop a warning of a possible malicious executable.

    However, once the OS gets a hold of it, it looks at the TLE and says, "Executable! Gotta run it!" And if the code slags your hard drive, you're just SOL.

    --
    --Fesh
    Kill -9 'em all, let root@localhost sort 'em out.
  8. Check out NoHTML for Outlook by lucidvein · · Score: 5, Informative
    You should probably look into NoHTML by Russ Cooper of NTBugTraq.

    "NoHTML.dll is an Outlook Add-in designed to convert HTML-based emails into harmless messages. It works slightly differently for Outlook 2000 than it does for Outlook 2002. Does not work with Outlook 98, or any version of Outlook Express."

    Also a story about it here, http://www.theregister.co.uk/content/4/23223.html.

    I've had it installed at work for a week now and do just fine without all the images and special formatting of spam.
    --

    "I have a cunning plan..."

  9. Procmail Scanner by ColaMan · · Score: 5, Informative

    I have to plug something here.

    Check out the procmail-based scanner at impsec.org

    If you can set it up, do so - it's saved my ass quite a few times, by mangling active html content and renaming file extensions etc. It can also scan M$ docs for sus looking macros.

    The following is something I received today that would slip through otherwise (notice the original content-type)

    > SECURITY WARNING!
    >
    > The mail system has detected that the following
    > attachment may contain hazardous program code, is
    > a suspicious file type, or has a suspicious file name.
    > Do not trust it. Contact your system administrator immediately.
    >
    > X-Content-Security: [www.ccimackay.com] original Content-Type was audio/x-wav;
    > Content-Type: application/octet-stream; name="HUMOR.MP3.27525DEFANGED-scr"
    > Content-Transfer-Encoding: base64
    > Content-ID:
    >

    End of blatant plug :-)

    --

    You are in a twisty maze of processor lines, all alike.
    There is a lot of hype here.
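An added example, not from the story or any of the comments above: a Python check a mail or download gateway could run to compare the three places a download's type is declared, which the Bugtraq comment (4) says IE reconciles inconsistently (the extension in the link, the filename the server suggests, and the Content-Type), plus an extension-renaming step in the spirit of the procmail scanner's DEFANGED naming in comment 9. The extension and media-type lists, the verdict names and the exact renaming scheme are assumptions, not taken from the page.

```python
import posixpath
from email.message import Message  # stdlib parser for header parameters
from urllib.parse import urlsplit

# Illustrative lists (assumed, not from the page): extensions a user reads as
# harmless, extensions Windows launches directly, and raw-binary media types.
BENIGN_EXTS = {".txt", ".htm", ".html", ".gif", ".jpg", ".jpeg"}
EXECUTABLE_EXTS = {".exe", ".com", ".bat", ".cmd", ".scr", ".pif"}
EXECUTABLE_TYPES = {"application/x-msdownload", "application/octet-stream"}

def _ext(name):
    return posixpath.splitext(name)[1].lower()

def disposition_filename(content_disposition):
    """Return the filename= parameter of a Content-Disposition header, or None."""
    if not content_disposition:
        return None
    msg = Message()
    msg["Content-Disposition"] = content_disposition
    return msg.get_filename()

def classify_download(url, content_type, content_disposition=None):
    """Compare the three places a download's type is declared (extension in the
    link, server-suggested filename, Content-Type) and return (verdict, reasons).
    'block': they disagree the way the advisory describes; 'warn': a binary that
    is declared consistently (the normal download dialog case); 'ok': otherwise."""
    reasons = []
    link_ext = _ext(posixpath.basename(urlsplit(url).path))
    media_type = content_type.split(";", 1)[0].strip().lower()
    hdr_name = disposition_filename(content_disposition)
    hdr_ext = _ext(hdr_name) if hdr_name else ""
    looks_executable = hdr_ext in EXECUTABLE_EXTS or media_type in EXECUTABLE_TYPES

    if link_ext in BENIGN_EXTS and looks_executable:
        reasons.append(f"link ends in {link_ext} but server delivers {hdr_name or media_type}")
    if hdr_ext and link_ext and hdr_ext != link_ext:
        reasons.append(f"link extension {link_ext} differs from server filename extension {hdr_ext}")

    verdict = "block" if reasons else ("warn" if looks_executable else "ok")
    return verdict, reasons

def defanged_name(name):
    """Rename so nothing launches the file by extension, e.g. notes.exe ->
    notes.DEFANGED-exe (the same idea as the scanner's renaming quoted above)."""
    stem, ext = posixpath.splitext(name)
    return f"{stem}.DEFANGED-{ext[1:]}" if ext else name
```

The first case in the test is the one the advisory describes: a link to a ".txt" served as application/octet-stream with an executable filename suggested by the server.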
  10. Re:Overreaction from Michael. by woggo · · Score: 4, Informative
    Your computer is open if you stumble across a specially constructed site.

    That's a little like saying "an unlocked door is only insecure if a burglar enters through it," isn't it? Your computer is open and insecure; the existence or non-existence of special trickery sites is irrelevant, especially considering how little we can trust existing sites (some high-profile site gets cracked/subverted every few months at least) or even existing certificates (cf. the recent M$/Verisign debacle). The point is that having a broken security model is unjustifiable, and to claim that a breach this large is not a big deal because someone is unlikely to stumble across an exploit page is irresponsible at best and blatant shilling at worst.

  11. Roughly half of Slashdotters... by _xeno_ · · Score: 4, Informative
    A little less than half the Slashdotters. (Maybe. This data is a non-random sample, since I can't really do a random sample, although someone with access to Slashdot's servers could...)

    Read my journal entry about how I got this data, or just look at the table (that cannot be formatted properly because the lameness filter is the most useless piece of crap that Slashdot has ever forced upon its readers - I'm glad you guys are all about free speech online!! - so use the linked journal where the formatting was accepted and don't forget to continuously annoy CmdrTaco about this annoying "feature" to protect us from the oh-so-evil trolls):

    Browser Actually Used By Slashdotters

    Browser              Hits    Share
    Galeon               1511    3.00%
    iCab                    9    0.02%
    Konqueror            4149    8.25%
    Lynx                    6    0.01%
    Internet Explorer   24885   49.47%
    Mozilla              9340   18.57%
    Netscape             3756    7.47%
    OmniWeb               190    0.38%
    Opera                3267    6.50%
    Other                3187    6.34%

    Note: Other contains browsers whose User-Agents could not be parsed. It may contain valid browsers, but for the most part is either badly formed User-Agent strings or unknown User Agents.

    It has to be noted again that this data is not statistically accurate: it was taken directly off of hits, and is biased towards browsers that automatically download images (in other words, every hit counted - the values didn't take into account which hits were hits to the images linked to on the page).

    Also, some other people decided to ... uh, borrow ... the mirror and so some of the links come from other sources that aren't Slashdot. I forget if I filtered those or not, but...

    If anyone's interested, I suppose I could try and fix up the Perl scripts used to calculate that data. I have some pretty pie charts on my harddrive that I could put up somewhere too, although they are for the most part useless...

    --
    You are in a maze of twisty little relative jumps, all alike.
  12. Re:Integrating Web Browser and File Browser by bnenning · · Score: 5, Informative
    And with Apple's proposed adoption of file extensions as the standard filetype recognition scheme, they'll be in the same boat as all the others anyway.

    Any Mac OS X users interested in changing Apple's policies on file extensions should see the Mac OS X Metadata Petition. Yes, online petitions normally don't count for much, but John Siracusa has been very active in trying to get Apple to rethink this subject.

    --
    How to solve most of our problems: 1.Lots of nuclear plants. 2.Cure aging.
  13. Re:MS and Mime types by GigsVT · · Score: 4, Informative

    This is all just more of the same. I have come to expect it from MS.

    My experience with this is that certain web hosting providers (ConcordEFS, today's ebiz) refuse to send correct content-type headers for flash animations, since it "works in IE"(tm).

    IE will guess the content type, and ignore what the server says -- real web browsers listen to the server. So it makes admins lazy, makes MS's browser monopoly stronger, and makes other browsers look broken.

    I just wish that the people who don't think MS is a monopoly, abusing their power, had to deal with these little monopolistic tactics every day. If they did, then MS would be no more.

    --
    I've had enough abrasive sigs. Kittens are cute and fuzzy.