Slashdot Mirror

← Back to Stories (view on slashdot.org)

Another Gaping Microsoft Security Hole Goes Unpatched

Posted by ryuzaki0 on from the how-many-times-will-it-take dept.

Newsbytes has a story about a critical vulnerability in all recent versions of Internet Explorer, which leaves your computer completely open any time you browse the web with IE. Microsoft has known about it since November 19; they refuse to provide any information about when a patch might be made available, if ever. This bug has been successfully handled by Microsoft's "Security through Obscurity" policies - since there's no public notice, Microsoft has no need to actually patch this hole which renders several hundred million computers vulnerable any time they access a web page or parse an HTML email.

For readers who care, this vulnerability results from Microsoft's integration of IE and the operating system. Files received via HTTP are supposed to be handled by examining the Content-Type header sent by the webserver - for instance, the Content-Type sent with this webpage is "text/html", identifying it as a text (non-binary) document which is marked up with HTML.

Netscape and most other browsers have no problem with this.

You will notice, however, that this method is rather different than how a Microsoft operating system determines how to handle a local file - by its three-letter extension. A file named "foo.txt" is handled as a text file, even if it is a binary image file that has been renamed for some reason.

Now, what happens when you integrate your web browser and your local browsing, say to render moot an anti-trust suit filed against your company? Will local files get a Content-Type? Will remote files be handled by examining their file extension?

IE handles files in an odd mish-mash of looking at the Content-Type sometimes for some purposes, looking at file extension sometimes for some purposes. It's hardly surprising that the bug-hunter in the above story has found a way to feed it a Content-Type at odds with the file extension - the Content-Type may be innocuous, but the extension says "execute me", so when the "integrated" IE engine gets ahold of it, the malicious content is automatically executed.

Now Microsoft has a problem. Because they chose to ignore the standard for handling downloaded files, Microsoft has painted themselves into a corner. If Microsoft suddenly changes how their browser handles downloaded files, tens of thousands (perhaps hundreds of thousands? any webpage which downloads files) of webpages "designed for IE" will have to be rewritten. No doubt this is the issue their programmers are wrestling with right now. It's a fundamental design issue - Microsoft designed their web browser with the goal of doing what was best for Microsoft (evading anti-trust charges) rather than doing what was best for their users. In fact a proper "fix" of this hole probably involves de-integrating their browser and local file handling to some extent.

If you routinely browse with Internet Explorer or read mail with Outlook, keep in mind that any web page you visit or any email you open can take over your computer, steal sensitive files, destroy your machine, anything. This has been true for at least two and half years. And keep in mind that you can't fix the problem, you must rely on Microsoft to do it, if they so choose. And keep in mind that Microsoft is in no hurry to do anything about it, because it doesn't even consider it a vulnerability. Happy browsing!

7 of 1,035 comments (clear)

  1. Hold on a sec . . . by Selanit · · Score: 5, Insightful
    From the article:

    "Microsoft will patch a flaw in its Web browser that could allow an attacker to silently download and execute malicious programs on the computers of users who view a specially constructed Web page or e-mail message." (emphasis added)

    From the article's intro:

    "Microsoft has known about it since November 19; they refuse to provide any information about when a patch might be made available, if ever."

    Also: "And keep in mind that Microsoft is in no hurry to do anything about it . . ."

    Full marks for a more thorough description of the exploit and how it came about -- but did the poster actually read the article before posting? Looks to me like he hit the original report but not the article, which says that MS did initially plan to let it go, but did an about-face after a while.

    Nasty flaw nonetheless -- glad I switched to Mozilla.

  2. Intergating Web Browser and File Browser by Tachys · · Score: 5, Insightful

    I notice many people complain about MS using the web browser and file browser as the same thing. But it seems everyone else is doing that too. KDE's Konqueror is a combined web/file browser. Nautilus also does this. If this is such a bad idea why is everyone doing this. The only desktop that I know of that doesn't try to do this is the Mac OS.

  3. Re:Let's see.. by DeadMeat+(TM) · · Score: 5, Insightful

    Unless you combine it with the fact that IE is set up to automatically execute certain MIME types (like audio/x-wav). Send a message with an attached .EXE file, but hack up the message so the MIME type reads something else, and -- presto! -- instantly executing attachments. That's one of the attacks Nimda used.

  4. I would have agreed a week ago by wirefarm · · Score: 5, Insightful

    Until one of my users got an email with an attachment that would just execute itself from the preview pane, no matter what the security settings were.

    I sat there and toyed with it (yanked the LAN cable first) and absolutely could not get it to *NOT* run automatically.
    (Her Outlook Express probably had been upgraded a month before, I think, but downloading the latest version *did* take care of the problem.

    The real question is, why does Outlook support *any* of these behaviors? Sure, occasionally it's nice to HTML-ify an email and stick in a picture, but do I really need DHTML, scripting, cookies and all of that other crap?

    When was the last time somebody had a legitimate reason for sending an embedded script in an email?
    Oh, sure, let me have my personal emails set a cookie when they get read. Sure, I'm really going to do that.

    Why not just have a really scaled-back HTML renderer that ignores tags that you choose to ignore?

    Cheers,
    Jim in Tokyo

    --
    -- My Weblog.
  5. Technical Term: Fnord by Futurepower(tm) · · Score: 5, Insightful


    If the volunteers for OpenBSD can go through the software and eliminate security problems in advance, Microsoft, with 30 billion dollars in the bank, could also. Since Microsoft doesn't do this, maybe there is some reason. Maybe the U.S. government has dictated that they leave bugs in.

    Software is only an operating system if it can be trusted. If it can't be trusted, there should be some other name, like fnord. Microsoft Fnord XP.

    --
    U.S. planned to attack Afghanistan before the second WTC bombing.

    --
    Bush's education improvements were
  6. Re:Browser Wars.. by omega9 · · Score: 5, Insightful

    Because it's part of the Windows OS. When grandma goes out to buy herself a nice Dell computer, it comes with Windows preinstalled, and hence has IE installed by default. She would have to take extra steps to download and install a different browser. But why, when IE seems perfectly fine, and it's integrated so nicely into the desktop? And it's hard to argue that. Think of the average home user that isn't as aware of these issues as we are.

    A big part of the problem is that the clues aren't easy to spot for non-technical people. They can't see a problem in IE, as it seems to work just great. There are all these refined features to play with so it must be a solid product. And there are a whole heck of a lot of people who don't think IE is a browser, they think it is the browser. When they hear about holes like this they don't think that IE is broke, they think that someone has found out how to break into web browser (as in all web browsers). It would never cross their mind that IE is at fault. Try explaining how IE has issues with content type vs. file extensions to random people on the street. They just won't get it.

    And this is where their monopoly comes into play again. They're such a huge, enormous company with a huge, enormous user base that they all turn into lemmings. If something happens to their IE, it will happen to their friends IE. Soon they start to see lots of people having trouble with IE. Then they stop relating the problem (if they ever did) to IE and start to think everyone is being affected by "the baddies who broke the internet". By the time Microsoft releases a patch user believe it to be a general problem that must be affecting everyone. Finally, since the issue has been disrelated with IE in their minds, why would they have any reason to look for a different browser?

    --
    I'm against picketing, but I don't know how to show it.
  7. Slander? by tacocat · · Score: 5, Insightful

    Let me say I will be one of the first to jump on the "I Hate Microsoft" wagons. But this article is just plain wrong, as in inaccurate.

    The first paragraph of the referenced story talks about how they are currently in testing for this security hole. Whereas, the poster is stating that Microsoft has no specific designs on when this will ever get fixed.

    Inaccurate, Fanatical Extremism like this is only going to hurt Open Source, Slashdot, and those associated with it. While Microsoft may be wrong in this case. It doesn't do us any good to exhibit poor sportsmanship. Leave that for the politicians