Another Gaping Microsoft Security Hole Goes Unpatched
For readers who care, this vulnerability results from Microsoft's integration of IE and the operating system. Files received via HTTP are supposed to be handled by examining the Content-Type header sent by the web server - for instance, the Content-Type sent with this web page is "text/html", identifying it as a text (non-binary) document which is marked up with HTML.
Netscape and most other browsers have no problem with this.
You will notice, however, that this method is rather different from how a Microsoft operating system determines how to handle a local file - by its three-letter extension. A file named "foo.txt" is handled as a text file, even if it is a binary image file that has been renamed for some reason.
Now, what happens when you integrate your web browser and your local browsing, say to render moot an anti-trust suit filed against your company? Will local files get a Content-Type? Will remote files be handled by examining their file extension?
IE handles files in an odd mish-mash of looking at the Content-Type sometimes for some purposes, looking at file extension sometimes for some purposes. It's hardly surprising that the bug-hunter in the above story has found a way to feed it a Content-Type at odds with the file extension - the Content-Type may be innocuous, but the extension says "execute me", so when the "integrated" IE engine gets ahold of it, the malicious content is automatically executed.
Now Microsoft has a problem. Because they chose to ignore the standard for handling downloaded files, Microsoft has painted themselves into a corner. If Microsoft suddenly changes how their browser handles downloaded files, tens of thousands (perhaps hundreds of thousands? any webpage which downloads files) of webpages "designed for IE" will have to be rewritten. No doubt this is the issue their programmers are wrestling with right now. It's a fundamental design issue - Microsoft designed their web browser with the goal of doing what was best for Microsoft (evading anti-trust charges) rather than doing what was best for their users. In fact a proper "fix" of this hole probably involves de-integrating their browser and local file handling to some extent.
If you routinely browse with Internet Explorer or read mail with Outlook, keep in mind that any web page you visit or any email you open can take over your computer, steal sensitive files, destroy your machine, anything. This has been true for at least two and a half years. And keep in mind that you can't fix the problem, you must rely on Microsoft to do it, if they so choose. And keep in mind that Microsoft is in no hurry to do anything about it, because it doesn't even consider it a vulnerability. Happy browsing!
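The post above turns on one check: does the server's declared Content-Type agree with the handling that the file's extension implies on the client? The following is an added example (not code from the thread or from any browser) of that check as a defender would run it over proxy logs or download records. It assumes header names have already been lowercased, and the extension-to-media-type table and the list of "execute me" extensions are assumptions to be extended for a real deployment.

```python
"""Flag HTTP downloads whose server-sent Content-Type disagrees with the file
extension a Windows client would use to decide how to open the file.
Added example for this thread; tables below are assumptions, not a standard."""
import posixpath
from urllib.parse import unquote, urlparse

# Extensions the client OS treats as "execute me" regardless of content (assumed list).
EXECUTABLE_EXTENSIONS = {".exe", ".com", ".bat", ".cmd", ".scr", ".pif",
                         ".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta", ".msi"}

# Media types under which a server legitimately ships an executable (assumed list).
EXECUTABLE_TYPES = {"application/octet-stream", "application/x-msdownload",
                    "application/x-msdos-program", "application/x-msi"}

# Media types we expect for non-executable extensions (assumed table).
EXPECTED_TYPES = {
    ".txt": {"text/plain"},
    ".htm": {"text/html"}, ".html": {"text/html"},
    ".gif": {"image/gif"}, ".jpg": {"image/jpeg"}, ".jpeg": {"image/jpeg"},
    ".png": {"image/png"}, ".pdf": {"application/pdf"}, ".zip": {"application/zip"},
}


def parse_header_params(value):
    """Split 'main; k=v; k2="v2"' into (main, {k: v}). Content-Type and
    Content-Disposition share this syntax, so one parser serves both."""
    main, _, rest = value.partition(";")
    params = {}
    for part in rest.split(";"):
        key, _, val = part.strip().partition("=")
        if key:
            params[key.strip().lower()] = val.strip().strip('"')
    return main.strip().lower(), params


def download_filename(url, headers):
    """Name the client would save the file under: the Content-Disposition
    filename parameter wins, otherwise the last path segment of the URL."""
    _, disp = parse_header_params(headers.get("content-disposition", ""))
    if disp.get("filename"):
        # basename() after normalising backslashes, so a path-like filename
        # cannot smuggle directory components into the saved name.
        return posixpath.basename(disp["filename"].replace("\\", "/"))
    return posixpath.basename(unquote(urlparse(url).path))


def classify_download(url, headers):
    """Compare the declared media type with what the extension implies.

    headers: dict with lowercase keys, as a proxy or log parser would supply.
    Verdicts:
      'missing-content-type' - server sent no Content-Type at all
      'executable-disguised' - executable extension under a non-executable type
      'unknown-extension'    - no expectation recorded for this extension
      'mismatch'             - known extension, Content-Type says something else
      'consistent'           - declared type matches the extension
    """
    ctype, _ = parse_header_params(headers.get("content-type", ""))
    name = download_filename(url, headers)
    ext = posixpath.splitext(name)[1].lower()
    expected = EXPECTED_TYPES.get(ext)
    if not ctype:
        verdict = "missing-content-type"
    elif ext in EXECUTABLE_EXTENSIONS:
        verdict = "consistent" if ctype in EXECUTABLE_TYPES else "executable-disguised"
    elif expected is None:
        verdict = "unknown-extension"
    elif ctype not in expected:
        verdict = "mismatch"
    else:
        verdict = "consistent"
    return {"filename": name, "extension": ext, "content_type": ctype, "verdict": verdict}


# Constructed sample responses, modelled on the mismatch the post describes.
SAMPLE_RESPONSES = [
    ("http://example.test/report.txt", {"content-type": "text/plain; charset=iso-8859-1"}),
    ("http://example.test/download?id=7",
     {"content-type": "text/plain", "content-disposition": 'attachment; filename="readme.exe"'}),
    ("http://example.test/setup.exe", {"content-type": "application/octet-stream"}),
    ("http://example.test/logo.gif", {"content-type": "text/html"}),
    ("http://example.test/data.bin", {}),
]


def scan(responses=SAMPLE_RESPONSES):
    """Return [(filename, verdict), ...] for each response."""
    return [(r["filename"], r["verdict"])
            for r in (classify_download(u, h) for u, h in responses)]


if __name__ == "__main__":
    for name, verdict in scan():
        print(f"{name:12} {verdict}")
```

The second sample is the case the post warns about: an innocuous "text/plain" type arriving with a name that ends in ".exe". A browser that follows the header treats it as text; a client that follows the extension runs it, which is why the check reports that combination separately from an ordinary mismatch.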
I have a very basic understanding of the law, and I am wondering if MS could be sued for negligence.
-- "I'm open to falling from grace"
Someone decides to put up a website to demonstrate this vulnerability. The site deletes everything on your hard drive. Someone else decides to embed this into an HTML email. This email is sent to lots of people and deletes their hard drives.
Will MS be held responsible? Will the person who put up a website as a 'proof-of-concept' be held responsible? What about the guy who sends around the email?
Ultimately, folks, I think the end user is going to be held responsible. I don't know about the rest of you, but the company I work for will hold me responsible if our systems fail. And blaming MS isn't going to help me one bit.
Now that this cat is out of the bag... what can we do to protect ourselves if we can't switch from Windows because our jobs won't let us?
And time exactly how long it takes for someone to make a virus out of this li'l puppy.
The best(?) part being that, after years of telling users that to get a virus via Outlook they had to click the attachment, it seems to be possible to write an executable-disguised-as-HTML message that will automatically execute, since there's no option to turn off HTML viewing in Outlook.
Second, don't just bitch about IE. If you haven't already, check out the alternatives:
- Mozilla, now in Version 0.9.6, is very feature-rich and fast and the most standards-compliant browser in existence, but not for computers with less than 128 MB of memory.
- kmeleon (Windows) and galeon (Linux) are Mozilla derivatives with a smaller footprint.
- Opera, which is closed source adware and requires registration, is a very fast browser that is especially recommended for "information surfers" because of its excellent navigation and caching.
- Konqueror is KDE's built-in browser. Thanks to Qt/Embedded and/or KDE-Cygwin, it might be ported to Windows as well.
- Lynx and W3M are up-to-date text mode browsers capable of displaying most pages which do not depend on images or animations.
There is a choice, you just have to make it. And no, I didn't copy & paste this from elsewhere and I actually tested all of these, so you may mod me up without guilt. My personal recommendation: Opera (and Mozilla once I've upgraded to 512 megs and V1.0 is out).

The problem here is that some journalist got wind of a patch too soon and decided to write a story about it. I think that the media needs to think about what they write in terms of software security.
I mean ever since Sept. 11 all media outlets are rethinking what is and what isn't safe to release to the public in the name of national security.
What they are overlooking is that security holes in software are also a breach in national security and they need to step back and decide if what they are releasing is appropriate. The argument could be made for this particular article either way.
But whatever you do, DO NOT USE WHAT I SAY AS LEGAL ADVICE. If you have a legal problem, get a lawyer.
I am not a lawyer. Do not take my words as legal advice. If you need legal advice, consult an attorney.
right click on a page and get a listing of all the images contain therein or all of the links contained therein
Which you've been able to do in Netscape since at least version 3
If anyone develops a real legal problem, they shouldn't listen to anyone except a real lawyer, and definitely not a law student. Don't assume that I know what I'm talking about.
We law students are not lawyers. We law students are incompetent to give legal advice. When I say something about the law, it is only one man's opinion, and it cannot be anything more. Law students do not give legal advice.
Just remember, if you have a real legal problem, you need a real lawyer.
If you develop a legal problem, you should talk to a lawyer. Never take legal advice from a law student.