Slashdot Mirror


Another Gaping Microsoft Security Hole Goes Unpatched

Newsbytes has a story about a critical vulnerability in all recent versions of Internet Explorer, which leaves your computer completely open any time you browse the web with IE. Microsoft has known about it since November 19; they refuse to provide any information about when a patch might be made available, if ever. This bug has been successfully handled by Microsoft's "Security through Obscurity" policies - since there's no public notice, Microsoft has no need to actually patch this hole which renders several hundred million computers vulnerable any time they access a web page or parse an HTML email.

For readers who care, this vulnerability results from Microsoft's integration of IE and the operating system. Files received via HTTP are supposed to be handled by examining the Content-Type header sent by the webserver - for instance, the Content-Type sent with this webpage is "text/html", identifying it as a text (non-binary) document which is marked up with HTML.

Netscape and most other browsers have no problem with this.

You will notice, however, that this method is rather different from how a Microsoft operating system determines how to handle a local file - by its three-letter extension. A file named "foo.txt" is handled as a text file, even if it is a binary image file that has been renamed for some reason.

Now, what happens when you integrate your web browser and your local browsing, say to render moot an anti-trust suit filed against your company? Will local files get a Content-Type? Will remote files be handled by examining their file extension?

IE handles files in an odd mish-mash, sometimes consulting the Content-Type and sometimes the file extension, depending on the purpose. It's hardly surprising that the bug-hunter in the above story has found a way to feed it a Content-Type at odds with the file extension - the Content-Type may be innocuous, but the extension says "execute me", so when the "integrated" IE engine gets hold of it, the malicious content is automatically executed.
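As an added illustration (not code from the story or from Slashdot), here is a small proxy-side or log-review check for exactly the disagreement described above: a response whose declared Content-Type says "render me inline" while the served filename carries an extension Windows would execute. The executable-extension set and the sample responses are constructed assumptions for the example.

```python
import posixpath
import re
from urllib.parse import urlparse

# Assumption for the example: extensions a Windows shell of the period would execute.
EXECUTABLE_EXTS = {".exe", ".com", ".bat", ".cmd", ".pif", ".scr", ".vbs", ".js", ".hta"}

# Media types a browser is expected to render inline, never execute.
INLINE_TYPES = {"text/plain", "text/html", "image/gif", "image/jpeg"}


def parse_head(raw):
    """Parse a raw HTTP response head into (status line, {lowercased header: value})."""
    lines = raw.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if not line:  # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def served_filename(url, headers):
    """Name the client will save under: Content-Disposition wins over the URL path."""
    m = re.search(r'filename="?([^";]+)"?', headers.get("content-disposition", ""))
    if m:
        return m.group(1).strip()
    return posixpath.basename(urlparse(url).path)


def check_response(url, raw_head):
    """Return a finding string when type and extension disagree, else None."""
    _, headers = parse_head(raw_head)
    media_type = headers.get("content-type", "").split(";", 1)[0].strip().lower()
    ext = posixpath.splitext(served_filename(url, headers))[1].lower()
    if ext in EXECUTABLE_EXTS and media_type in INLINE_TYPES:
        return f"{url}: declared {media_type!r} but served extension {ext!r}"
    return None


# Constructed sample traffic; only the second and fourth entries should be flagged.
SAMPLES = [
    ("http://example.invalid/readme.txt", "HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\n"),
    ("http://example.invalid/setup.exe", "HTTP/1.1 200 OK\r\nContent-Type: text/plain; charset=us-ascii\r\n\r\n"),
    ("http://example.invalid/setup.exe", "HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n\r\n"),
    ("http://example.invalid/get", "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Disposition: attachment; filename=\"notes.scr\"\r\n\r\n"),
]


def scan(samples=SAMPLES):
    """Run the check over a list of (url, raw_head) pairs and return the findings."""
    return [f for f in (check_response(u, h) for u, h in samples) if f]


if __name__ == "__main__":
    for finding in scan():
        print(finding)
```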

Now Microsoft has a problem. Because they chose to ignore the standard for handling downloaded files, Microsoft has painted themselves into a corner. If Microsoft suddenly changes how their browser handles downloaded files, tens of thousands (perhaps hundreds of thousands? any webpage which downloads files) of webpages "designed for IE" will have to be rewritten. No doubt this is the issue their programmers are wrestling with right now. It's a fundamental design issue - Microsoft designed their web browser with the goal of doing what was best for Microsoft (evading anti-trust charges) rather than doing what was best for their users. In fact a proper "fix" of this hole probably involves de-integrating their browser and local file handling to some extent.

If you routinely browse with Internet Explorer or read mail with Outlook, keep in mind that any web page you visit or any email you open can take over your computer, steal sensitive files, destroy your machine, anything. This has been true for at least two and a half years. And keep in mind that you can't fix the problem; you must rely on Microsoft to do it, if they so choose. And keep in mind that Microsoft is in no hurry to do anything about it, because it doesn't even consider it a vulnerability. Happy browsing!

3 of 1,035 comments

  1. Negligence? by joeb2001 · Score: 3, Redundant

    I have a very basic understanding of the law, and I am wondering if MS could be sued for negligence.

    --
    -- "I'm open to falling from grace"
  2. what will happen if by elliotj · Score: 3, Redundant

    Someone decides to put up a website to demonstrate this vulnerability. The site deletes everything on your hard drive. Someone else decides to embed this into an HTML email. This email is sent to lots of people and deletes their hard drives.

    Will MS be held responsible? Will the person who put up a website as a 'proof-of-concept' be held responsible? What about the guy who sends around the email?

    Ultimately folks, I think the end user is going to be held responsible. I don't know about the rest of you, but the company I work for will hold me responsible if our systems fail. And blaming MS isn't going to help me one bit.

    Now that this cat is out of the bag... what can we do to protect ourselves if we can't switch from Windows b/c our jobs won't let us?

  3. Whine, IE sucks, whine by Eloquence · Score: 3, Redundant

    First, there is really not enough information about this bug to draw any conclusions yet. It may be harmless, or it may indeed be devastating. That's the result of Microsoft's idiotic non-disclosure policy, which fits in well with their entire company philosophy.

    Second, don't just bitch about IE. If you haven't already, check out the alternatives:

    • Mozilla, now in Version 0.9.6, is very feature-rich and fast and the most standard-compliant browser in existence, but not for computers with less than 128 MB of memory.
    • kmeleon (Windows) and galeon (Linux) are Mozilla derivatives with smaller footprint.
    • Opera, which is closed source adware and requires registration, is a very fast browser that is especially recommended for "information surfers" because of its excellent navigation and caching.
    • Konqueror is KDE's built-in browser. Thanks to Qt/Embedded and/or KDE-Cygwin, it might be ported to Windows as well.
    • Lynx and W3M are up-to-date text mode browsers capable of displaying most pages which do not depend on images or animations.

    There is a choice, you just have to make it. And no, I didn't copy & paste this from elsewhere and I actually tested all of these, so you may mod me up without guilt. My personal recommendation: Opera (and Mozilla once I've upgraded to 512 megs and V1.0 is out).