Another Gaping Microsoft Security Hole Goes Unpatched
For readers who care, this vulnerability results from Microsoft's integration of IE and the operating system. Files received via HTTP are supposed to be handled by examining the Content-Type header sent by the webserver - for instance, the Content-Type sent with this webpage is "text/html", identifying it as a text (non-binary) document which is marked up with HTML.
Netscape and most other browsers have no problem with this.
You will notice, however, that this method is rather different than how a Microsoft operating system determines how to handle a local file - by its three-letter extension. A file named "foo.txt" is handled as a text file, even if it is a binary image file that has been renamed for some reason.
Now, what happens when you integrate your web browser and your local browsing, say to render moot an anti-trust suit filed against your company? Will local files get a Content-Type? Will remote files be handled by examining their file extension?
IE handles files in an odd mish-mash of looking at the Content-Type sometimes for some purposes, looking at file extension sometimes for some purposes. It's hardly surprising that the bug-hunter in the above story has found a way to feed it a Content-Type at odds with the file extension - the Content-Type may be innocuous, but the extension says "execute me", so when the "integrated" IE engine gets hold of it, the malicious content is automatically executed.
Now Microsoft has a problem. Because they chose to ignore the standard for handling downloaded files, Microsoft has painted themselves into a corner. If Microsoft suddenly changes how their browser handles downloaded files, tens of thousands (perhaps hundreds of thousands? any webpage which downloads files) of webpages "designed for IE" will have to be rewritten. No doubt this is the issue their programmers are wrestling with right now. It's a fundamental design issue - Microsoft designed their web browser with the goal of doing what was best for Microsoft (evading anti-trust charges) rather than doing what was best for their users. In fact a proper "fix" of this hole probably involves de-integrating their browser and local file handling to some extent.
If you routinely browse with Internet Explorer or read mail with Outlook, keep in mind that any web page you visit or any email you open can take over your computer, steal sensitive files, destroy your machine, anything. This has been true for at least two and a half years. And keep in mind that you can't fix the problem, you must rely on Microsoft to do it, if they so choose. And keep in mind that Microsoft is in no hurry to do anything about it, because it doesn't even consider it a vulnerability. Happy browsing!
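As an added example, not part of the post above or any Microsoft code: the two dispatch policies the post contrasts, side by side, plus the check a proxy or mail gateway would want in order to catch the mismatch. One function handles a fetched resource the HTTP way (Content-Type alone decides), the other the local-file way (extension alone decides), and an audit function flags responses where an innocuous Content-Type hides an extension an extension-driven client would run. The sample responses, the hostname example.test, the extension list and all function names are constructed for this illustration.

```javascript
// Added example (not from the original post): how the same HTTP response is
// dispatched under two policies, and a gateway check that flags the mismatch.
// Sample responses, example.test and the helper names are assumptions.

// Extension an extension-driven client would look at: strip query/fragment,
// take the text after the last dot of the final path segment.
function extensionOf(url) {
  const path = url.split(/[?#]/)[0];
  const name = path.substring(path.lastIndexOf('/') + 1);
  const dot = name.lastIndexOf('.');
  return dot === -1 ? '' : name.slice(dot + 1).toLowerCase();
}

// What the Content-Type header says the body is: parameters such as
// "; charset=utf-8" dropped, case-folded.
function mediaType(contentType) {
  return (contentType || '').split(';')[0].trim().toLowerCase();
}

// Extensions a Windows shell treats as "run me" (assumed list, not exhaustive).
const EXECUTABLE_EXTS = new Set(['exe', 'com', 'bat', 'cmd', 'scr', 'pif', 'vbs', 'hta']);

// Media types a conforming browser renders inline rather than executes.
const INLINE_TYPES = {
  'text/plain': 'render-text',
  'text/html': 'render-html',
  'image/gif': 'display-image',
  'image/png': 'display-image',
};

// Policy 1, the HTTP way: only the Content-Type decides. Unknown types are
// saved to disk, never run.
function handleByContentType(resp) {
  return INLINE_TYPES[mediaType(resp.contentType)] || 'save-to-disk';
}

// Policy 2, the local-file way: only the extension decides, as a shell opens
// foo.txt in an editor and foo.exe as a program.
function handleByExtension(resp) {
  const ext = extensionOf(resp.url);
  if (EXECUTABLE_EXTS.has(ext)) return 'execute';
  if (ext === 'txt') return 'render-text';
  if (ext === 'htm' || ext === 'html') return 'render-html';
  if (ext === 'gif' || ext === 'png') return 'display-image';
  return 'save-to-disk';
}

// Gateway/proxy check: flag responses whose innocuous Content-Type would pass
// a type-based filter while the extension would make an extension-driven
// client execute the body. A frank application/octet-stream .exe is not
// flagged here; a type-based filter already sees that one for what it is.
function auditResponse(resp) {
  const ext = extensionOf(resp.url);
  const type = mediaType(resp.contentType);
  const typeIsInline = Object.prototype.hasOwnProperty.call(INLINE_TYPES, type);
  return {
    ext,
    type,
    byContentType: handleByContentType(resp),
    byExtension: handleByExtension(resp),
    dangerous: EXECUTABLE_EXTS.has(ext) && typeIsInline,
  };
}

// Constructed sample responses (not captured traffic).
const SAMPLES = [
  { url: 'http://example.test/readme.txt', contentType: 'text/plain; charset=us-ascii' },
  { url: 'http://example.test/readme.exe', contentType: 'text/plain' },              // the mismatch
  { url: 'http://example.test/setup.exe', contentType: 'application/octet-stream' },
];

function auditAll(samples) {
  return samples.map(auditResponse);
}

for (const r of auditAll(SAMPLES)) {
  console.log(
    `${r.ext.padEnd(4)} ${r.type.padEnd(26)} by-type=${r.byContentType.padEnd(13)} ` +
    `by-ext=${r.byExtension.padEnd(13)} dangerous=${r.dangerous}`
  );
}
```

Run with node: the second sample is the case the post describes, rendered as harmless text under the Content-Type policy and handed to the shell under the extension policy, and it is the only one the audit marks dangerous. A gateway that rewrites or blocks exactly that combination is the mitigation a site can apply without waiting for a browser fix.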
How many fucking years have they had to do this? How many fucking years longer are we going to rely on GIF (fucking cringe) for transparency because 85% of web browsers are using IE?
How many other browsers have implemented alpha transparency in PNGs in absolutely no time at all? Mozilla, Konqueror, Opera... are there any more? Why the FUCK can't IE, which is supposedly the best browser there is, handle it?
Pardon my absolutely mindless lunatic ranting... just really pissed that PNGs still aren't an option... thanks to IE.
Sticking feathers up your butt does not make you a chicken - Tyler Durden
Good luck convincing IT to do an honest cost analysis. The collective IT folk use Microsoft software to feather their own nests.
Why go with Unix (where one $125,000/year guy runs 80 machines) or Mac (where each workstation is pretty much administered by the person using it), when you can run a Little Empire with 10-20 $40,000/year MCSEs keeping 100 stations and 10 servers up by ctrl-alt-del'ing every 54 days or so.
Potato chips are a by-yourself food.