Another Gaping Microsoft Security Hole Goes Unpatched
For readers who care, this vulnerability results from Microsoft's integration of IE and the operating system. Files received via HTTP are supposed to be handled by examining the Content-Type header sent by the webserver - for instance, the Content-Type sent with this webpage is "text/html", identifying it as a text (non-binary) document which is marked up with HTML.
Netscape and most other browsers have no problem with this.
You will notice, however, that this method is rather different than how a Microsoft operating system determines how to handle a local file - by its three-letter extension. A file named "foo.txt" is handled as a text file, even if it is a binary image file that has been renamed for some reason.
Now, what happens when you integrate your web browser and your local browsing, say to render moot an anti-trust suit filed against your company? Will local files get a Content-Type? Will remote files be handled by examining their file extension?
IE handles files in an odd mish-mash of looking at the Content-Type sometimes for some purposes, looking at file extension sometimes for some purposes. It's hardly surprising that the bug-hunter in the above story has found a way to feed it a Content-Type at odds with the file extension - the Content-Type may be innocuous, but the extension says "execute me", so when the "integrated" IE engine gets ahold of it, the malicious content is automatically executed.
Now Microsoft has a problem. Because they chose to ignore the standard for handling downloaded files, Microsoft has painted themselves into a corner. If Microsoft suddenly changes how their browser handles downloaded files, tens of thousands (perhaps hundreds of thousands? any webpage which downloads files) of webpages "designed for IE" will have to be rewritten. No doubt this is the issue their programmers are wrestling with right now. It's a fundamental design issue - Microsoft designed their web browser with the goal of doing what was best for Microsoft (evading anti-trust charges) rather than doing what was best for their users. In fact a proper "fix" of this hole probably involves de-integrating their browser and local file handling to some extent.
If you routinely browse with Internet Explorer or read mail with Outlook, keep in mind that any web page you visit or any email you open can take over your computer, steal sensitive files, destroy your machine, anything. This has been true for at least two and a half years. And keep in mind that you can't fix the problem, you must rely on Microsoft to do it, if they so choose. And keep in mind that Microsoft is in no hurry to do anything about it, because it doesn't even consider it a vulnerability. Happy browsing!
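As an added illustration, not part of the article or any comment on it, here is the kind of defender-side check a download gateway or mail filter can apply to the mismatch described above: it compares the declared Content-Type with the extension of the name the client would save under, and quarantines the "innocuous type, execute-me extension" combination. The policy tables, the executable-extension list, the Content-Disposition handling and the sample URLs are all assumptions made for this example.

```python
import os
import re
from urllib.parse import urlsplit

# Constructed policy table (not from the page): which filename extensions a
# given declared Content-Type may legitimately carry. None = opaque binary,
# any extension is acceptable but the client must prompt before running it.
EXPECTED_EXTS = {
    "text/plain": {".txt", ".log"},
    "text/html": {".htm", ".html"},
    "image/gif": {".gif"},
    "image/jpeg": {".jpg", ".jpeg"},
    "application/x-msdownload": {".exe", ".dll"},
    "application/octet-stream": None,
}
# Extensions a Windows shell runs by name rather than opening in a viewer
# (constructed list for illustration, not exhaustive).
EXECUTABLE_EXTS = {".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs", ".hta"}


def declared_mime(content_type):
    """'Text/HTML; charset=utf-8' -> 'text/html' (parameters dropped)."""
    return content_type.split(";", 1)[0].strip().lower()


def effective_filename(url, headers):
    """Name the client would save under: Content-Disposition wins over the URL path."""
    cd = headers.get("Content-Disposition", "")
    m = re.search(r'filename\s*=\s*"?([^";]+)"?', cd, re.IGNORECASE)
    if m:
        return m.group(1).strip()
    return os.path.basename(urlsplit(url).path)


def check_download(url, headers):
    """Return (verdict, reason); verdict is 'allow', 'review' or 'quarantine'."""
    mime = declared_mime(headers.get("Content-Type", ""))
    ext = os.path.splitext(effective_filename(url, headers))[1].lower()
    allowed = EXPECTED_EXTS.get(mime)
    if ext in EXECUTABLE_EXTS and allowed is not None and ext not in allowed:
        # The case the article describes: harmless-looking Content-Type,
        # but the extension is one the shell will execute.
        return "quarantine", f"executable extension {ext} under Content-Type {mime}"
    if allowed is None and mime not in EXPECTED_EXTS:
        return "review", f"unknown Content-Type {mime!r}"
    if allowed is not None and ext not in allowed:
        return "review", f"extension {ext} does not match Content-Type {mime}"
    return "allow", "Content-Type and extension agree"
```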
You either get a warning that something is about to execute on your machine or you are prompted to download the file you just clicked on.
Sounds like a gaping hole to me.
Jeez, how about some perspective here?
If I disable downloads, how do I download the patch?
Oh yeah, install linux!
mk
"Memes do not exist! Tell everyone you know."
But I have been using a Win2k box at work, with IE 6.0 on it, for several hours a day now. In fact, we needed to temporarily install 3D Studio for one of my co-workers, so I visited astalavista and many "related sites" on that box - once for the software, twice for the dongle crack. And I can say for certain that my box hasn't been cracked.
So, as much as we want to believe that security through obscurity doesn't work, the vast majority of users have been safer because this sploit didn't show up on BUGTRAQ. Sure, Microsoft should have gotten off their collective tush and done something about it, and they should be held responsible now. But the mere notion that we are all in danger just because these bugs are kept secret is patently ridiculous.
~wally
Damn right I would, if he didn't tell anyone about it, didn't release the code for public review, and didn't update the kernel so people could download new versions with a relatively simple installation process.
But, gee, since it's Linux, I don't think those things are real concerns, do you?
Hope to shed a little light down under your bridge.
My own pointless vanity vintage computing page
ya except rpm based distros suck ass. long live debian! (and os x)
How many times in the last few days have you clicked the OPEN button instead of saving the file?
Considering that I use mozilla on linux, I'd say never.
Well, every one of those times someone could have "sent you up the bomb".
If you go to untrusted websites and blindly open files, sure. But I've never done that, even when I was using Windows.
ok then your [sic] infringing on my copyright! Could you as [sic] me next time before STEALING my comments for your own?
There is also OmniWeb, if you are using MacOS X. OmniWeb is by far the most beautiful web browser I have ever seen. It uses MacOS X's Quartz Engine to produce very clear anti-aliased text and crisp graphics. It's lacking very little, needs a bit more work on CSS and InScript/JavaScript but it's very usable for 99% of the web sites out there.
I would say that if you use MacOS X then you should be using OmniWeb. OmniWeb can masquerade as Internet Exploiter to fool sites which "require" you to be using IE so you will only need IE for the few sites which are broken for any browser except IE.
Sapere aude!
No, we can't sue them, but we can charge them with hate crimes against stupid people (ie. people who use Windows :-P)
(4) Uninstall IE
(5) Install Opera, Netscape or Mozilla
Clue me in on a few things, monkeyboy Michael:
1.) Did you bother to test this "flaw"?
2.) Did you bother to get independent verification the "flaw" exists, and can be exploited?
3.) Did you bother to search for any evidence that the "flaw" has been, or is being, exploited?
4.) Do you have even the slightest bit of journalistic integrity?
I suspect that the answer to all the above questions is "No."
Michael, you're an idiot. You have an uncontrollable case of "diarrhea of the keyboard." Your ridiculous ranting drips with stinky, runny shit.
Tell me, monkeyboy, had you found out about this flaw in Konqueror or Galeon or Mozilla, would you have ranted on in the same manner? Of course not; those products aren't made by Microsoft, therefore they aren't "EVIL!!!!" If this flaw existed (or does exist) in any other non-MS browser, well, you'd just say that it was a minor bug that was going to be fixed "real soon now."
However, since the flaw reportedly exists in IE, it's obviously a horrible conspiracy by Bill Gates and his Microsoft cronies to destroy everything that is sacred! They pissed on Mom's apple pie! By God, they'll be killing puppies next! They must be stopped!
Looks like it's time to take advantage of Slashdot's filtering features again. I've already filtered out articles by Jon Katz, and anything to do with anime (I don't care for anime). Time to add monkeyboy Michael to the list.
Not surprising that Slashdot's filters work so much better than Slashdot's editors.
"The dead do not shoo-bop-aloo-bah." -- Kai, 'Lexx'