Another Gaping Microsoft Security Hole Goes Unpatched
For readers who care, this vulnerability results from Microsoft's integration of IE and the operating system. Files received via HTTP are supposed to be handled by examining the Content-Type header sent by the webserver - for instance, the Content-Type sent with this webpage is "text/html", identifying it as a text (non-binary) document which is marked up with HTML.
Netscape and most other browsers have no problem with this.
You will notice, however, that this method is rather different than how a Microsoft operating system determines how to handle a local file - by its three-letter extension. A file named "foo.txt" is handled as a text file, even if it is a binary image file that has been renamed for some reason.
Now, what happens when you integrate your web browser and your local browsing, say to render moot an anti-trust suit filed against your company? Will local files get a Content-Type? Will remote files be handled by examining their file extension?
IE handles files in an odd mish-mash of looking at the Content-Type sometimes for some purposes, looking at file extension sometimes for some purposes. It's hardly surprising that the bug-hunter in the above story has found a way to feed it a Content-Type at odds with the file extension - the Content-Type may be innocuous, but the extension says "execute me", so when the "integrated" IE engine gets ahold of it, the malicious content is automatically executed.
Now Microsoft has a problem. Because they chose to ignore the standard for handling downloaded files, Microsoft has painted themselves into a corner. If Microsoft suddenly changes how their browser handles downloaded files, tens of thousands (perhaps hundreds of thousands? any webpage which downloads files) of webpages "designed for IE" will have to be rewritten. No doubt this is the issue their programmers are wrestling with right now. It's a fundamental design issue - Microsoft designed their web browser with the goal of doing what was best for Microsoft (evading anti-trust charges) rather than doing what was best for their users. In fact a proper "fix" of this hole probably involves de-integrating their browser and local file handling to some extent.
If you routinely browse with Internet Explorer or read mail with Outlook, keep in mind that any web page you visit or any email you open can take over your computer, steal sensitive files, destroy your machine, anything. This has been true for at least two and a half years. And keep in mind that you can't fix the problem, you must rely on Microsoft to do it, if they so choose. And keep in mind that Microsoft is in no hurry to do anything about it, because it doesn't even consider it a vulnerability. Happy browsing!
"The patch for Internet Explorer (IE) is currently in testing and could be released soon"
Second damned sentence. No wonder I don't come here anymore.
If you try and open an .exe that is named as a text file, the file associations within Windows will launch Notepad (or the associated program) and NOT fire off the renamed application; ditto with .html and .wav files (or any other associated file). Are they sure they aren't talking about a file named something.txt.exe?
Thanks to file sharing, I purchase more CDs
Thanks to the RIAA, I buy them used...
This sounds to me just like the GM/Ford cases in the 60's about neglecting consumers. Isn't it time for the DOJ to put a period on all these things?
First that stupidity of Nimda IIS bug, that can't be fixed until next IIS release. And now this Security through obscurity crap?
Now I want to ask. "Where will M$ take us". I know where I want to go, but what about them?
-=-=-=-=
I know life isn't fair, but why can't it ever be un-fair in MY favor!?
Microsoft does its best (or worst) to provide something. But, heck, it's FREE. IE costs us nothing.
What I DO pay for is my virus scan. I'd like to know that if something gets through and hurts my security, the virus scanning software would catch it.
I wish people would stop getting mad at people for providing otherwise OK software with bugs in it, when those programs are FREE, and wish people would start getting mad at the virus scan companies (who my company pays lots of money to) for not catching threats.
The Internet is generally stupid
There used to be no such thing as an e-mail virus either until Microsoft came along and decided to give us one.
Let's all put our hands together and thank Microsoft.
Pretty much safe ... UNTIL ... someone hacks a server (gee, let's take doubleclick.com for example) and re-writes the billion or two popup ads that get sent out a day.
Ooops. Guess everyone's exposed now.
Slashdot? Oh, I just read it for the articles.
Not exactly. Linux and Unix determine file type by magic number. Try renaming a postscript file (or whatever) as foo and type
file foo
and you'll see that it still returns the correct file type.
"Microsoft will patch a flaw in its Web browser that could allow an attacker to silently download and execute malicious programs on the computers of users who view a specially constructed Web page or e-mail message." (emphasis added)
From the article's intro:
"Microsoft has known about it since November 19; they refuse to provide any information about when a patch might be made available, if ever."
Also: "And keep in mind that Microsoft is in no hurry to do anything about it . . ."
Full marks for a more thorough description of the exploit and how it came about -- but did the poster actually read the article before posting? Looks to me like he hit the original report but not the article, which says that MS did initially plan to let it go, but did an about-face after a while.
Nasty flaw nonetheless -- glad I switched to Mozilla.
I agree. Whenever you hear about a Microsoft exploit you Linux freaks are all over it, but when a Linux hole is opened, most likely by the same wannabe h4z0r3s, nobody says anything; they just patch and move on. Maybe like the new Apache exploit which allows file system access.
( NO NOT APACHE THESE THINGS ONLY HAPPEN TO IIS )
I now return you to your regularly scheduled Windows bashing.
The concern, from what I understand, is that a user might be led to believe that "readme.txt" will be opened and viewed as a text file by IE. This, when in fact the website has placed executable binary/script data in the file and changed the appropriate response headers so that IE is fooled into executing it as a program if it is 'opened'.
All the user sees as a prompt is "Open" or "Save Target As" using the menu options OR again "Open, Save, Cancel" by clicking on the link.
For an inexperienced user, the appropriate option will probably not be obvious. This is because many users have a lot of trouble navigating the file system to find files that have been saved by applications and enjoy the shortcut of having Windows decide how the file should be 'opened'.
I agree that an experienced user would never choose open because they know this is very risky. But, in my mother's case, she has trouble deciding when to click and doubleclick.
In Microsoft's defence, however, the "Open" option is never the default. Thus, it's probably safe to say that an ignorant user will almost always be safe from this attack as they will be picking the default and saving the file to the disk. At that point, "readme.txt" cannot be executed and is only openable from a text editor.
Anyways.. no matter how you look at it, this is a problem that fundamentally involves the act of downloading a file. Something even my mother knows not to do by herself. This is not a security issue in the same magnitude as the worm viruses that plagued IIS.
Do not spread "09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0" over the internet, thank you.
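The Content-Type versus file-extension disagreement described in the story, and the "readme.txt" scenario in the comment above, written up as a defender's check over HTTP responses. This is an added example, not code from the thread or from any browser; the expected-type table, the magic-number list (the same idea the `file` command uses) and the sample responses are constructed assumptions.

```python
"""Flag HTTP responses whose Content-Type, filename extension and leading
bytes disagree. Added example, not code from the thread or any browser; the
expected-type table and magic-number list are assumptions, samples constructed."""
import re

# Assumed mapping: Content-Type values a defender expects for each extension.
EXPECTED_TYPES = {
    ".txt": {"text/plain"},
    ".html": {"text/html"},
    ".wav": {"audio/x-wav", "audio/wav"},
    ".jpg": {"image/jpeg"},
    ".exe": {"application/octet-stream", "application/x-msdownload"},
}
# Leading bytes of common formats, the same idea the `file` command relies on.
MAGIC_NUMBERS = [
    (b"MZ", "PE/DOS executable"),
    (b"\x7fELF", "ELF executable"),
    (b"RIFF", "RIFF container (wav/avi)"),
    (b"\xff\xd8\xff", "JPEG image"),
]
EXECUTABLE_EXTENSIONS = {".exe", ".dll", ".com", ".scr"}


def filename_from(url, headers):
    """Prefer the Content-Disposition filename, else the last URL path segment."""
    match = re.search(r'filename=(?:"([^"]+)"|([^;]+))',
                      headers.get("content-disposition", ""), re.I)
    if match:
        return (match.group(1) or match.group(2)).strip()
    return url.split("?", 1)[0].split("#", 1)[0].rsplit("/", 1)[-1]


def extension_of(name):
    """Last extension only, so 'readme.txt.exe' yields '.exe'."""
    name = name.lower()
    return name[name.rfind("."):] if "." in name else ""


def sniff(body):
    """Identify the body by magic number; None when nothing matches."""
    for prefix, description in MAGIC_NUMBERS:
        if body.startswith(prefix):
            return description
    return None


def check_response(url, headers, body):
    """Return a list of findings; an empty list means all three views agree."""
    headers = {k.lower(): v for k, v in headers.items()}
    ctype = headers.get("content-type", "").split(";", 1)[0].strip().lower()
    name = filename_from(url, headers)
    ext = extension_of(name)
    kind = sniff(body)
    findings = []
    # 1. The extension says one thing, the server's Content-Type another.
    if ext in EXPECTED_TYPES and ctype and ctype not in EXPECTED_TYPES[ext]:
        findings.append(f"extension {ext} vs Content-Type {ctype}")
    # 2. The header claims text but the bytes are a known binary format.
    if kind and ctype.startswith("text/"):
        findings.append(f"body looks like {kind} but Content-Type is {ctype}")
    # 3. Executable bytes behind a name that does not look executable.
    if kind and "executable" in kind and ext not in EXECUTABLE_EXTENSIONS:
        findings.append(f"body is {kind} but the file is named {name}")
    return findings


if __name__ == "__main__":
    # Constructed samples covering both mismatch directions the thread describes.
    for url, hdrs, body in [
        ("http://example.test/readme.txt", {"Content-Type": "application/x-msdownload"}, b"MZ\x90\x00"),
        ("http://example.test/dl/update.exe?id=1", {"Content-Type": "text/plain"}, b"MZ\x90\x00"),
        ("http://example.test/notes.txt", {"Content-Type": "text/plain"}, b"hello"),
    ]:
        print(url, "->", check_response(url, hdrs, body) or "consistent")
```

The check deliberately reports each disagreement separately, so a proxy or mail-gateway log review can tell a mislabelled text file from executable bytes travelling under a harmless name.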
I notice many people complain about MS using the web browser and file browser as the same thing. But it seems everyone else is doing that too. KDE's Konqueror is a combined web/file browser. Nautilus also does this. If this is such a bad idea why is everyone doing this. The only desktop that I know of that doesn't try to do this is the Mac OS.
Unless you combine it with the fact that IE is set up to automatically execute certain MIME types (like audio/x-wav). Send a message with an attached .EXE file, but hack up the message so the MIME type reads something else, and -- presto! -- instantly executing attachments. That's one of the attacks Nimda used.
And what about when you click on that innocent little HOWTO.txt link for a problem that's been bugging you. Whether it's on slashdot.org, msn.com, or goatsex.com, they can all support links by anonymous (or registered) users. I've done this very thing quite often myself. Not to mention a wiki, or any other form of free-posting service of any sort on the web.
It all goes down to the level of trust you put in a site, its users, and/or each specific link you click on. Do you want to have to worry about it?
The process goes:
1) Think
2) Type
3) Think some more
4) Preview/Proofread
5) Submit
etc..
- shadoi
-- "Chaos often breeds life, when order breeds habit." -Henry B. Adams
Those who use IE are probably those who have no reason to switch browsers, and those who visit sites that are "optimized" for IE. There are also those that don't want to use Opera because it has a huge ad banner, and don't want to pay to have it taken away or use an illegal serial number. Let's not forget those who use AOL. :P
You die too easily.
This is a shameless pandering to the preconceptions of the Slashdot crowd. The statement that "Nobody is willing to do an honest cost accounting for the top guys" is simply not true, and it's an unfair dismissal of IE's very real successes in that space.
IT guys can and do choose other browsers. Last I heard, Navigator still had over 1/3 of the corporate browser market. Suggesting that IT folk would be cowed by the "top guys" flies in the face of every experience I've had with them: that they're pragmatic, honest, and outspoken.
Microsoft designed their web browser with the goal of doing what was best for Microsoft (evading anti-trust charges) rather than doing what was best for their users. In fact a proper "fix" of this hole probably involves de-integrating their browser and local file handling to some extent.
Hey Malda and VA Software executives, or whoever is in charge of keeping a minimal amount of decency on this site: why do you keep letting crap like this make the front page? This is not informative, insightful, or in any way useful. This is just a rant by a pissed-off bigot, pure and simple.
The vulnerability is real, but it is presented in such a hate-filled manner that it's unbearable to read. Michael has done nothing but spew venom in this posting. He's doing the right thing by bringing this to the attention of millions, but he does so with only malicious subtext to his main point.
This reads like a stream-of-consciousness scream from a 13-year-old who's just had his Nintendo taken away from him. This isn't journalism, it isn't even information, it's just garbage.
Please, do us all a favor: if Michael can't clean up his act and give us his material in at least a somewhat-presentable manner, fire him. You're losing respect for your site with postings like this. And no, this is not a troll, I'm serious.
With all of the email viruses, internet borne viruses, worms, holes, DDOS attacks, it surprises me that anyone even uses the internet or related technologies at all. It will be a sad day when the whole idea of the internet is just "dumped" because of hackers (the bad kind), holes and bandwidth abuse. It seems like daily that I read through the articles on slashdot and find a new hole, exploit or virus that is being used or abused. Take for instance the recent decision to shut down the first IRC server, because of repeated DDOS attacks, that is truly a shame. As I have said often before, abuse it and lose it...
Nathaniel P. Wilkerson
www.haidacarver.com
My god, that entire post was one big MS bash fest.
They make ZERO mention of the fact that dialog boxes DO still appear.
From reading that article one is led to believe that the file is just "silently" downloaded without any noticeable signs....
I'm getting a little sick of the way certain "journalists" will downplay anything decent MS does, and blow the bad things WAY out of proportion.
It's ludicrous!
From this particular crowd I expected a LOT more than sensationalist garbage! If I wanted that I would bookmark CNN!
Then you've probably clicked on some links that took you to sites that are very little known and that could contain rogue code that exploit this IE security hole.
I guess IE users will just have to stop using search engines then. I guess that will only affect about 80% of the Net users, so you're right, this isn't a big deal.
ayottesoftware.com
With both IE and Konqueror, you have a good web browser (excluding problems already mentioned with regards to IE...), and that web browser also acts as the file manager, except all that each is doing is mimicking what their predecessors did without providing any extra functionality that is inherent in a web browser.
Sure, IE has some neato wiz-bang "features", but it's ridiculous to claim that it adds anything to local file browsing that wasn't already provided by the previous program. Same goes for Konqueror.
Granted... they are both better file browsers than their predecessors, but that functionality is completely separate from web browsing and could be removed and used to create a totally separate file browser. There is absolutely nothing gained by integrating the two.
Sticking feathers up your butt does not make you a chicken - Tyler Durden
Until one of my users got an email with an attachment that would just execute itself from the preview pane, no matter what the security settings were.
I sat there and toyed with it (yanked the LAN cable first) and absolutely could not get it to *NOT* run automatically.
(Her Outlook Express probably had been upgraded a month before, I think, but downloading the latest version *did* take care of the problem.)
The real question is, why does Outlook support *any* of these behaviors? Sure, occasionally it's nice to HTML-ify an email and stick in a picture, but do I really need DHTML, scripting, cookies and all of that other crap?
When was the last time somebody had a legitimate reason for sending an embedded script in an email?
Oh, sure, let me have my personal emails set a cookie when they get read. Sure, I'm really going to do that.
Why not just have a really scaled-back HTML renderer that ignores tags that you choose to ignore?
Cheers,
Jim in Tokyo
-- My Weblog.
Besides, it's not like Microsoft are the only folks who take forever to release patches.
(1) The exploit may work in IE5.5sp2 but not in IE6
(2) IE6 won't install on Win95
(3) Win95 became an unsupported product within the last month.
Is the message I'm supposed to get out of this that I must upgrade all the Win95 machines I might contact in order to keep them safe?
Hey!!! the parentheses are good for something
If the volunteers for OpenBSD can go through the software and eliminate security problems in advance, Microsoft, with 30 billion dollars in the bank, could also. Since Microsoft doesn't do this, maybe there is some reason. Maybe the U.S. government has dictated that they leave bugs in.
Software is only an operating system if it can be trusted. If it can't be trusted, there should be some other name, like fnord. Microsoft Fnord XP.
--
U.S. planned to attack Afghanistan before the second WTC bombing.
Bush's education improvements were
Actually, I.E. will automatically download (to the internet temp directory) and then 'run' certain documents - .doc files come to mind (not sure if this behavior only happens if Office is installed). Not to double guess the experts but it seems like if your .exe file was spoofed as a .doc file you *would* automatically download and execute it w/o any dialogue. For that matter, a .txt file, and even a .xml document will automatically load, or a .jpg, or blah blah blah.
Of course I can't test this because....
And I think I recall that ASP has the ability to control headers so you don't need to "control a web server," you just need to host your page on a web server with IIS installed so you can run ASP.
closed minded is as closed minded does
There may very well be similar linux issues, but couldn't you have found better examples?
2) The Alan Cox changelog story isn't about security through obscurity, it's a silly political statement regarding the DMCA. And the other link is about Red Hat preemptively releasing a security advisory in an attempt to *avoid* obscurity.
3) The bug in this story is a *local* root hole, which doesn't even apply to most windows versions, and which certainly doesn't make for a relevant comparison in this case.
-- If no truths are spoken then no lies can hide --
Microsoft will patch a flaw in its Web browser that could allow an attacker to silently download and execute malicious programs on the computers of users who view a specially constructed Web page or e-mail message.
/. article leads one to believe that they are brushing it off. When in fact, they were just trying to wait until they actually had a worthwhile patch before they said anything.
The patch for Internet Explorer (IE) is currently in testing and could be released soon...
So, am I missing something? There is a patch in the works, it is just not released.
Sure, it should have been released a long time ago. Or, should never have had to become an issue.
Shame on MS for bad practices.
But the
Now the real question is.... will the patch just open 7 more holes?
-xtype
Because it's part of the Windows OS. When grandma goes out to buy herself a nice Dell computer, it comes with Windows preinstalled, and hence has IE installed by default. She would have to take extra steps to download and install a different browser. But why, when IE seems perfectly fine, and it's integrated so nicely into the desktop? And it's hard to argue that. Think of the average home user that isn't as aware of these issues as we are.
A big part of the problem is that the clues aren't easy to spot for non-technical people. They can't see a problem in IE, as it seems to work just great. There are all these refined features to play with so it must be a solid product. And there are a whole heck of a lot of people who don't think IE is a browser, they think it is the browser. When they hear about holes like this they don't think that IE is broke, they think that someone has found out how to break into web browsers (as in all web browsers). It would never cross their mind that IE is at fault. Try explaining how IE has issues with content type vs. file extensions to random people on the street. They just won't get it.
And this is where their monopoly comes into play again. They're such a huge, enormous company with a huge, enormous user base that they all turn into lemmings. If something happens to their IE, it will happen to their friends' IE. Soon they start to see lots of people having trouble with IE. Then they stop relating the problem (if they ever did) to IE and start to think everyone is being affected by "the baddies who broke the internet". By the time Microsoft releases a patch users believe it to be a general problem that must be affecting everyone. Finally, since the issue has been disrelated with IE in their minds, why would they have any reason to look for a different browser?
I'm against picketing, but I don't know how to show it.
...which means that it would still be live even if saved to disk and clicked on. It may not be run with notepad, but odds are good that one way or another it will ruin notepad...
Got time? Spend some of it coding or testing
Your computer is open if you stumble across a specially constructed site. If you browse /., the news, stock quotes etc. then you're pretty much safe.
Wrong, if you have a gaping security hole on your computer, then you're vulnerable (open) even if no-one exploits the hole.
The story, as posted on /. has it right.
echo '[q]sa[ln0=aln80~Psnlbx]16isb572CCB9AE9DB03273snlbxq' |dc
The most annoying part is the fact that IE pops up to open readme.txt, but executes readme.exe, _this_ should never happen.
If IE asks permission to open some file with Notepad, it should be opened with Notepad, and nothing else.
If IE finds out it would rather open the file with run.dll (afterwards) , fine, but _ask me_, goddammit.
I really hate this 'ask once, do whatever I like' behaviour in M$ products
Hrm. I thought that they were saying that the method of execution is determined by the type (audio/x-wav in this case) and the displayed name is determined by the filename. This would mean that if they sent you an .exe as audio/x-wav it would attempt to play the executable as audio. Just ugly noise, no security problem.
Don't get me wrong, I think this is a big problem, but I think it's different than you describe.
There are no trails. There are no trees out here.
"The patch for Internet Explorer (IE) is currently in testing and could be released soon, according to Jouko Pynnonen, a security researcher with Finland's Oy Online Solutions. Pynnonen reported the IE vulnerability to Microsoft on Nov. 19 and recently tested the software fix at the company's request. "
Correct me if I am wrong, but that doesn't sound like M$ refusing to fix the bug or not fixing it to me...
People should not be afraid of their governments - Governments should be afraid of their people.
3. Believe the "It's legal to download ROMs if you delete them within 24 hours" type rumors that get spread around the internet by the legally ignorant.
It's legal to download ROMs and keep them for as long as you want, mp3s or any other copyrighted content as well. What you can't do is give them to other people (so the site you nabbed it off is breaking the law, disclaimer or no)
autopr0n is like, down and stuff.
Let me say I will be one of the first to jump on the "I Hate Microsoft" wagons. But this article is just plain wrong, as in inaccurate.
The first paragraph of the referenced story talks about how they are currently in testing for this security hole. Whereas, the poster is stating that Microsoft has no specific designs on when this will ever get fixed.
Inaccurate, fanatical extremism like this is only going to hurt Open Source, Slashdot, and those associated with it. While Microsoft may be wrong in this case, it doesn't do us any good to exhibit poor sportsmanship. Leave that for the politicians.
By "completely open" they mean you have to click on an EXE, download it, and choose to open it! WOW what a vulnerability!!! OH NO! Opera and Mozilla are also vulnerable!!! Ye gods what do we do now?!
Prevent linux based DDOS's!
http://linux.denialofservice.org/
I think it's even worse than that. Why should a web browser parse a URL at all, except as far as the "http://" (or whatever), server name, and the rest of the URL? Everything after the third slash gets passed to the server as a "GET" request anyway, so why parse it at all?
Sure, but browsers don't use this mechanism to determine file type in the absence of a MIME-type header. They all use a mapping from extensions to applications. Mozilla's is in the options dialog (I'm not sure where it's persisted), and IE's is in the registry.
I don't know what agenda I'm trying to push. I work in a MS shop and my programming resume is very MS focused. I have a lot to lose if Linux catches on very far. I don't even have it installed on my home machine right now. I don't think you are stupid or that you're trying to tell fibbies.
What I'm saying is that Slashdot used to be nothing but nerds - the clear Linux focus meant that only a certain kind of people came around. Now it seems everyone comes around - and there's little focus. And as more of the general populace comes in, some of the old nerds (who said things that interested me) leave.
I think it's great that Slashdot is more balanced in its coverage of MS now. But it's bad that I have to read through a lot more things I don't find interesting. Moderation has become very predictable - moderators waste their points on safe targets like obvious trolls and "long comments with lots of links that sound intelligent". Sometimes I think they're just trying to get by without being meta'ed down.
I'm not saying that non-Linux nerds are stupid. I'm just saying that the crowd that Slashdot used to attract said things that were more interesting to me.
Let's not stir that bag of worms...
Simply put a 'text' file on MSN which is actually the patch. Users don't even have to know they've been patched.
(Which makes me wonder, was this security hole left in to allow the installation of magic lantern and similar software...)
- You don't know how to maintain a station wagon either!
Interesting to see these ideas all in one short post:
Trust the feds.
Trust microsoft.
Forget about privacy (the above will decide whether you need it or not).
Forget about security (the above will decide whether you need it or not).
I hope it was a joke.