Slashdot Mirror


Another Gaping Microsoft Security Hole Goes Unpatched

Newsbytes has a story about a critical vulnerability in all recent versions of Internet Explorer, which leaves your computer completely open any time you browse the web with IE. Microsoft has known about it since November 19; they refuse to provide any information about when a patch might be made available, if ever. This bug has been successfully handled by Microsoft's "Security through Obscurity" policies - since there's no public notice, Microsoft has no need to actually patch this hole which renders several hundred million computers vulnerable any time they access a web page or parse an HTML email.

For readers who care, this vulnerability results from Microsoft's integration of IE and the operating system. Files received via HTTP are supposed to be handled by examining the Content-Type header sent by the webserver - for instance, the Content-Type sent with this webpage is "text/html", identifying it as a text (non-binary) document which is marked up with HTML.

Netscape and most other browsers have no problem with this.

You will notice, however, that this method is rather different from how a Microsoft operating system determines how to handle a local file - by its three-letter extension. A file named "foo.txt" is handled as a text file, even if it is a binary image file that has been renamed for some reason.

Now, what happens when you integrate your web browser and your local browsing, say to render moot an anti-trust suit filed against your company? Will local files get a Content-Type? Will remote files be handled by examining their file extension?

IE handles files in an odd mish-mash, sometimes looking at the Content-Type and sometimes at the file extension, depending on the purpose. It's hardly surprising that the bug-hunter in the above story has found a way to feed it a Content-Type at odds with the file extension - the Content-Type may be innocuous, but the extension says "execute me", so when the "integrated" IE engine gets hold of it, the malicious content is automatically executed.
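The rule the summary is arguing for (choose the handler from the Content-Type the server sent, and treat the extension as a second, untrusted signal) is easy to make concrete. The script below is an added example, not code from the story or from Microsoft: it compares the declared media type with the type one would expect from the URL's extension, refuses to hand anything to a shell-executable handler when the two disagree, and runs the same check over proxy log lines so a defender can spot such responses after the fact. The extension and type tables, the log-line format and the host example.test are all constructed for illustration.

```python
"""Flag downloads whose declared Content-Type disagrees with the file extension.

Added example: the handler for a fetched file is chosen from the Content-Type
the server sends, never from the extension.  The tables below are constructed
for illustration, not a full MIME database.
"""
import os
from urllib.parse import urlsplit

# Extension -> media types a well-behaved server would declare (constructed).
EXTENSION_TYPES = {
    ".txt": {"text/plain"},
    ".htm": {"text/html"},
    ".html": {"text/html"},
    ".gif": {"image/gif"},
    ".png": {"image/png"},
    ".jpg": {"image/jpeg"},
    ".pdf": {"application/pdf"},
    ".zip": {"application/zip"},
    ".exe": {"application/octet-stream", "application/x-msdownload"},
    ".bat": {"application/octet-stream"},
    ".vbs": {"application/octet-stream"},
}

# Extensions the Windows shell treats as "execute me" (constructed, not exhaustive).
EXECUTABLE_EXTENSIONS = {".exe", ".com", ".bat", ".cmd", ".pif", ".scr", ".vbs", ".hta"}

# Types a browser may render inline without asking the user.
RENDERABLE_TYPES = {"text/plain", "text/html", "image/gif", "image/png", "image/jpeg"}


def parse_content_type(header):
    """Return the media type without parameters, lower-cased.

    'Text/HTML; charset=utf-8' -> 'text/html'
    """
    return header.split(";", 1)[0].strip().lower()


def extension_of(url):
    """Extension of the URL's path component, lower-cased ('' if none)."""
    return os.path.splitext(urlsplit(url).path)[1].lower()


def assess_download(url, content_type_header):
    """Decide how a fetched resource should be handled.

    Verdicts:
      'render' - declared type is renderable and the extension does not contradict it
      'prompt' - not renderable, or the extension contradicts the declared type,
                 so the user is asked to save rather than the shell being invoked
      'block'  - extension is shell-executable AND contradicts the declared type:
                 the innocuous-type / "execute me"-extension mismatch the summary describes
    """
    ext = extension_of(url)
    declared = parse_content_type(content_type_header)
    expected = EXTENSION_TYPES.get(ext)
    mismatch = expected is not None and declared not in expected

    if mismatch and ext in EXECUTABLE_EXTENSIONS:
        verdict = "block"
    elif mismatch or declared not in RENDERABLE_TYPES:
        verdict = "prompt"
    else:
        verdict = "render"
    return {
        "extension": ext,
        "declared_type": declared,
        "expected_types": sorted(expected) if expected else [],
        "mismatch": mismatch,
        "verdict": verdict,
    }


def scan_proxy_log(lines):
    """Run the same check over proxy log lines and return the mismatches.

    Line format is constructed for this example:
      <timestamp> <client> <method> <url> <status> <content-type>
    """
    flagged = []
    for line in lines:
        fields = line.split()
        if len(fields) < 6:
            continue  # malformed line: skip rather than guess
        url, content_type = fields[3], " ".join(fields[5:])
        result = assess_download(url, content_type)
        if result["mismatch"]:
            flagged.append((url, result["declared_type"], result["verdict"]))
    return flagged


# Constructed sample log lines; example.test is a reserved test domain.
SAMPLE_LOG = [
    "2001-12-11T10:01:02 203.0.113.5 GET http://example.test/readme.txt 200 text/plain",
    "2001-12-11T10:01:09 203.0.113.5 GET http://example.test/setup.exe 200 application/octet-stream",
    "2001-12-11T10:02:15 203.0.113.5 GET http://example.test/report.exe 200 text/plain",
    "2001-12-11T10:02:40 203.0.113.7 GET http://example.test/photo.jpg 200 application/octet-stream",
    "2001-12-11T10:03:01 203.0.113.7 GET http://example.test/page 200 text/html; charset=iso-8859-1",
]

if __name__ == "__main__":
    for url, declared, verdict in scan_proxy_log(SAMPLE_LOG):
        print(f"{verdict:6s} {url} (declared {declared})")
```

Over the sample log only two lines are flagged: `report.exe` served as `text/plain` is blocked outright, and `photo.jpg` served as `application/octet-stream` falls back to a save prompt. A genuine `setup.exe` served with a binary type is not a mismatch and simply prompts, which is the behaviour the summary says standards-following browsers already have.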

Now Microsoft has a problem. Because they chose to ignore the standard for handling downloaded files, Microsoft has painted themselves into a corner. If Microsoft suddenly changes how their browser handles downloaded files, tens of thousands (perhaps hundreds of thousands? any webpage which downloads files) of webpages "designed for IE" will have to be rewritten. No doubt this is the issue their programmers are wrestling with right now. It's a fundamental design issue - Microsoft designed their web browser with the goal of doing what was best for Microsoft (evading anti-trust charges) rather than doing what was best for their users. In fact a proper "fix" of this hole probably involves de-integrating their browser and local file handling to some extent.

If you routinely browse with Internet Explorer or read mail with Outlook, keep in mind that any web page you visit or any email you open can take over your computer, steal sensitive files, destroy your machine, anything. This has been true for at least two and a half years. And keep in mind that you can't fix the problem, you must rely on Microsoft to do it, if they so choose. And keep in mind that Microsoft is in no hurry to do anything about it, because it doesn't even consider it a vulnerability. Happy browsing!

12 of 1,035 comments

  1. And this would be different than wftpd How? by glrotate · · Score: 0, Offtopic

    lets not get carried away here.

  2. Re:Now that this particular cat is out of the bag. by mister+clark · · Score: 0, Offtopic

    1) Go to www.mandrake.com
    2) Download the Mandrake 8.1 ISOs.
    3) Burn them to a CD
    4) Insert CD #1
    5) Reboot
    6) Follow on-screen instructions
    Voila!! No more security problems with IE. And I almost forgot...no more BSOD!!!

  3. Re:Hold on a sec . . . by RedWolves2 · · Score: 0, Offtopic

    Finally someone who read the article!!!

  4. Shame shame shame by Cuthalion · · Score: 0, Offtopic

    Thanks, Timothy, for your unwarranted alarmism. Saying that "any web page you visit or any email you open can take over your computer, steal sensitive files, destroy your machine, anything," with the implication there's nothing you can do about it is ridiculous.

    An accurate summary of the article:

    Any web page you visit or any email you open can cause a dialog box to pop up, prompting you to save or open a file. The filename may be wrong on this dialog. If you choose open, you receive no further warnings before potentially malicious code is run. If you choose save, it prompts you where to save it, and saves it there. (At that point it's relatively safe - if the filetype is still wrong, you can't execute it; if it's not wrong, you can see it's an exe).

    A patch wouldn't help much - the people who are up on things enough to install it are the same people who will know to take the SIMPLE PRECAUTION of not opening unknown files directly off the web.

    It is a shame that due to a bug in their browser MSIE doesn't run sirens and blinking lights and threaten the possible destruction of your computer every time you try to run any code that you didn't write yourself, but it doesn't exactly open your box up to the world or anything.

    In conclusion, let me say screw you and your shitty biased reporting, slashdot.

    --
    Trees can't go dancing
    So do them a big favor
    Pretend dancing stinks!
  5. what I'd like to know by Ender+Ryan · · Score: 2, Offtopic

    What I'd like to know, with regards to IE, is why the fuck can't it handle PNGs with alpha transparency properly yet?

    How many fucking years have they had to do this? How many fucking years longer are we going to rely on GIF (fucking cringe) for transparency because 85% of web browsers are using IE?

    How many other browsers have implemented alpha transparency in PNGs in absolutely no time at all? Mozilla, Konqueror, Opera... are there any more? Why the FUCK can't IE, which is supposedly the best browser there is, handle it?

    Pardon my absolutely mindless lunatic ranting... just really pissed that PNGs still aren't an option... thanks to IE.

    --
    Sticking feathers up your butt does not make you a chicken - Tyler Durden
  6. Re:I teach classes to some IT folk by rho · · Score: 2, Offtopic

    Good luck convincing IT to do an honest cost analysis. The collective IT folk use Microsoft software to feather their own nests.

    Why go with Unix (where one $125,000/year guy runs 80 machines) or Mac (where each workstation is pretty much administered by the person using it), when you can run a Little Empire with 10-20 $40,000/year MCSEs keeping 100 stations and 10 servers up by ctrl-alt-del'ing every 54 days or so.

    --
    Potato chips are a by-yourself food.
  7. Browser Wars.. by CobesTheGreat · · Score: 1, Offtopic

    I just don't understand it. Why do people use IE still? For a long time I understood them; it used a whole lot less memory than Netscape, and rendered webpages a whole lot better than other browsers. But then I found Opera, which completely blew me away. Not only does it only use 14 megs of memory, which is a lot, but not nearly as much as IE (25 megs) or Netscape (35 megs), and it renders webpages just fine. I will probably get modded down for being a troll, but could someone tell me why they still use Internet Explorer?

    --

    --------------------------------------
    58.0% slashdot corrupt
  8. Mozilla isn't much better by N8F8 · · Score: 1, Offtopic

    I have run into the same problem using Mozilla and K-Meleon. I love Mozilla for blocking popups, but prompting me to download a file that should be displayed is annoying. Try downloading a Hotmail attachment sometime.

    But it's not as annoying as the moment of panic I get in MSIE when the computer appears to lock up and then I realize it's just another popup or popunder.

    Of course if MS would have left "browse in a new process" as an option without doing a registry hack....Grrrrr. Some day I'll get a job in a Non-MS workplace....

    --
    "God fights on the side with the best artillery." - Napoleon, Marshal of France - speaking truth to power
  9. CodeRed + this = nasty by BlueHands · · Score: 1, Offtopic

    The next gen of virus should spread by exploiting all of MS's lovely holes. Modifying CodeRed to use this exploit would be very tasty. You could have 2 excellent attack methods: attacking by scanning for open IIS servers; once found, you could spread to anyone who downloads from the infected server. Once downloaded, you could either email yourself out or start scanning from the download machine.

    There are so many DIFFERENT holes in all of the connected products that the virus's life cycle could be spread over many different stages. Let the fun begin! Thank you MS!

    --
    I mod everyone down who says "I'll get modded down for this." I hate to disappoint.
  10. Re:And in other news.... by Graspee_Leemoor · · Score: 0, Offtopic

    this should be marked "insightful". Dumb, trigger-happy moderators. How can someone be so quick to use up their 10 points?

    graspee

  11. And with Apple's proposed adoption... by HiThere · · Score: 1, Offtopic

    ??? Well, I haven't used the Mac for several years now, but this sounds like eliminating one of the central strengths that the Mac had.

    I suppose that Darwin implied changes, but I've always thought that the Mac resource fork (and file signatures: Application and file type specified separately) were a great source of strength and stability to the system. (Granted, they added a layer of complexity, required additional tools, etc.) I can think of several different, but logically equivalent, ways to merge that information into an ext2 file system (basically via the use of hidden files), so I don't see any reason that it should be a problem. After all, their UI sits well on top of the *nix underpinning, so their utilities could automatically open/copy/move/delete/etc. both files whenever the user used one. I guess that file signatures were the sticky part, but combined together they were only 64 bits (and letters at that), so it would be easy to just say the first line of the file was the signature (not elegant, but this is a shoe-horn job -- and that's basically what the #! line does, so the metaphor translates).

    The Mac's weaknesses were (are):
    1) It was one of the first GUI designs, so there are a lot of bumps, and places where it had to be patched. And it's relatively difficult for programmers.
    2) It costs more than an equivalent PC.
    3) It is sole sourced.
    ... That seems to be pretty much it.

    Note that 1 and 3 are sources of strength as well as being weaknesses. But I think that over time they have become weaknesses.

    The true strength of the Mac was that there was a good design behind the GUI, with careful attention given to all parts. Compare the use of command keys in the Apple GUI with the clumsy use of accelerator keys in Windows (I rarely bother) and Linux (well, I should learn to use them before I comment too harshly here, but I've been using Linux for 3 years now, and still don't use any of the accelerator keys).

    .

    --

    I think we've pushed this "anyone can grow up to be president" thing too far.
  12. Yet again by KingKire64 · · Score: 0, Offtopic

    CNN is reporting yet another Very Big and Annoying hole has been found at Microsoft. To quote the reporter, "The Annoying Hole was found to be nothing other than Steve Ballmer's Big Mouth." Microsoft says they are in the process of working on a patch, but also commented "How do you stop verbal diarrhea?"

    --
    "All I can tell the "lesser of two evils" folks is that if they keep voting for evil, they'll keep getting evil."-Lp.org