Another Gaping Microsoft Security Hole Goes Unpatched
For readers who care, this vulnerability results from Microsoft's integration of IE and the operating system. Files received via HTTP are supposed to be handled by examining the Content-Type header sent by the webserver - for instance, the Content-Type sent with this webpage is "text/html", identifying it as a text (non-binary) document which is marked up with HTML.
Netscape and most other browsers have no problem with this.
You will notice, however, that this method is rather different than how a Microsoft operating system determines how to handle a local file - by its three-letter extension. A file named "foo.txt" is handled as a text file, even if it is a binary image file that has been renamed for some reason.
Now, what happens when you integrate your web browser and your local browsing, say to render moot an anti-trust suit filed against your company? Will local files get a Content-Type? Will remote files be handled by examining their file extension?
IE handles files in an odd mish-mash of looking at the Content-Type sometimes for some purposes, looking at file extension sometimes for some purposes. It's hardly surprising that the bug-hunter in the above story has found a way to feed it a Content-Type at odds with the file extension - the Content-Type may be innocuous, but the extension says "execute me", so when the "integrated" IE engine gets ahold of it, the malicious content is automatically executed.
Now Microsoft has a problem. Because they chose to ignore the standard for handling downloaded files, Microsoft has painted themselves into a corner. If Microsoft suddenly changes how their browser handles downloaded files, tens of thousands (perhaps hundreds of thousands? any webpage which downloads files) of webpages "designed for IE" will have to be rewritten. No doubt this is the issue their programmers are wrestling with right now. It's a fundamental design issue - Microsoft designed their web browser with the goal of doing what was best for Microsoft (evading anti-trust charges) rather than doing what was best for their users. In fact a proper "fix" of this hole probably involves de-integrating their browser and local file handling to some extent.
If you routinely browse with Internet Explorer or read mail with Outlook, keep in mind that any web page you visit or any email you open can take over your computer, steal sensitive files, destroy your machine, anything. This has been true for at least two and a half years. And keep in mind that you can't fix the problem, you must rely on Microsoft to do it, if they so choose. And keep in mind that Microsoft is in no hurry to do anything about it, because it doesn't even consider it a vulnerability. Happy browsing!
We'll see plenty of coverage within the next 48 hours, Microsoft statements by the end of tomorrow, and a bugfix by month's end. The big question is going to be, how will people cope in the midst of it all? Will this kind of lagtime offer virus creators the chance to do a whole world of damage? Considering how things have spread recently, I wouldn't be surprised at all if they did. Might be time to start browsing with my iBook more often.
What kind of steps can people use to protect themselves now, is there any kind of toggle or security setting that can be turned on in IExploiter 5.0(tm) to keep us a little bit safer?
My own pointless vanity vintage computing page
I have a very basic understanding of the law, and I am wondering if MS could be sued for negligence.
-- "I'm open to falling from grace"
80% of the web.
If this bug in IE has really been around for two and a half years, how is it that no one has stumbled on to it until now? Could it be that (GASP!) security through obscurity actually worked in this case?
Does anyone else notice that this story has been posted before, many times, with only slight variations each time?
What's in a Sig?
What kind of steps can people use to protect themselves now?
If you really want to toggle IE into secure mode you just need to click the little "X" in the top right corner of the window.
Slashdot? Oh, I just read it for the articles.
Google toolbar? I do a google search in Opera by entering "g my search words" in the URL field. And once you got addicted to the mouse gestures, you wonder how you could ever live without.
someone decides to put up a website to demonstrate this vulnerability. the site deletes everything on your harddrive. someone else decides to embed this into an HTML email. this email is sent to lots of people and deletes their harddrives.
will MS be held responsible? will the person who put up a website as a 'proof-of-concept' be held responsible? what about the guy who sends around the email?
ultimately folks, I think the end user is going to be held responsible. i don't know about the rest of you, but the company I work for will hold me responsible if our systems fail. and blaming MS isn't going to help me one bit.
now that this cat is out of the bag...what can we do to protect ourselves if we can't switch from Windows b/c our jobs won't let us?
Hmm, this article seems a little light on details. To me (very much not a know it all) it sounds like it is an exploit in the MIME type headers for a page - if that's the case is IE really the only one that can be exploited or does it lie more in the way that IE handles MIME type headers?
More detail would be nice. (and no, I don't want to know more about it so I can exploit, just so that I can learn from it and others' mistakes)
Please give your mod points to others, Im at the cap. They will appreciate it more
If you routinely browse with Internet Explorer or read mail with Outlook, keep in mind that any web page you visit or any email you open can take over your computer, steal sensitive files, destroy your machine, anything.
This is just not true. You specifically have to download things before they can do anything using IE and if you are dumb enough to use outlook and let it have the ability to execute file attachments automatically, you deserve what you get.
Michael says : "completely open any time you browse the web with IE. "
Story says "who view a specially constructed Web page"
Okay, the hole isn't good - and MS must fix it - but the article as posted by
Your computer is open if you stumble across a specially constructed site. If you browse
Mmmmmmm
Content-type is an HTTP header. To receive this, info must be transmitted via HTTP. You may have noticed that Netscape (and even Lynx, and yes even on Linux) have no problem displaying local html/ pdf/ whatever files without receiving an HTTP transmission, and thus no Content-type header.
Yep, they do the same thing and look at the file extension to determine how to render files.
I'm not saying there's not a bug, or it's not severe, but examining the file extension to determine type is hardly an IE-only thing.
Trolls throughout history:
Jonathan Swift
You ask if there is any toggle in IE? Did you read the article because it explained in there that there is indeed a toggle you can flip. Basically you have to turn off file downloads to protect yourself.
Most end up knowing that they will clean up the mess, because "The top guys like Microsoft so much - it has so many features." Nobody is willing to do an honest cost accounting for the top guys.
Until the collective IT folk give an honest accounting of how much MS is really costing them, there will not be a switch away from MS. The moment they do - stampede!
telnet server.foo.com 80
Connected to server.foo.com.
Escape character is '^]'.
GET /file-to-have-your-advice. HTTP/1.0
For example, there are seven or eight different start-up objects in Windows 9x:
- msdos.sys [hidden file]
- config.sys
- autoexec.bat
- registry [many different keys]
- system.ini
- %windir%\system\vmm\*.* [just sucked up whole]
- startup folders [yes, you can have startup folders nested]
What a program is to do with a file is done in three different ways as well. It's little wonder that the thing is open to attack. You can't hunt it down unless you pretty much hack it, and follow their goofy retro thing with the 64-bit sequence: {01.22.23....}
Lack of forethought, I imagine.
OS/2 - because choice is a terrible thing to waste.
If you try and open an .exe that is named as a text file, the file associations within Windows will launch Notepad (or the associated program) and NOT fire off the renamed application, ditto with .html and .wav files (or any other associated file). Are they sure they aren't talking about a file named something.txt.exe?
Thanks to file sharing, I purchase more CDs
Thanks to the RIAA, I buy them used...
I watched a good bit of this thread on bugtraq (check the archives). Several people on the list attempted to reproduce the exploit as detailed by the original poster and failed. Whether that was their mistake or not is anyone's guess. I didn't try it myself. It only seemed to affect certain builds. I'm certainly not saying IE users aren't vulnerable, I'm just saying get details before making too much noise. MS won't release a fix until they're good and ready, so let's just sit on the flames a bit and try to find out what is going on in reality.
This sounds to me just like the GM/Ford cases in the '60s about neglecting consumers. Isn't it time for the DOJ to put a period on all these things?
First that stupidity of Nimda IIS bug, that can't be fixed until next IIS release. And now this Security through obscurity crap?
Now I want to ask. "Where will M$ take us". I know where I want to go, but what about them?
-=-=-=-=
I know life isn't fair, but why can't it ever be un-fair in MY favor!?
Microsoft does its best (or worst) to provide something. But, heck, it's FREE. IE costs us nothing.
What I DO pay for is my virus scan. I'd like to know that if something gets through and hurts my security, the virus scanning software would catch it.
I wish people would stop getting mad at people for providing otherwise OK software with bugs in it, when those programs are FREE, and wish people would start getting mad at the virus scan companies (who my company pays lots of money to) for not catching threats.
The Internet is generally stupid
According to the article, the issue only comes up if you are prompted to save/download a file, and choose to open it from its current location. The file may appear to be a .txt or whatever, but if you open it from its current location you can't know for sure whether it's an executable.
The suggested solution is to never open from the current location. Choose save instead, which will reveal the real file type.
But the file is identified as file.txt or whatever. There's no indication that it's an executable file. Done properly, this could fool any IE user.
And MDI. For me that's always been the clincher. It's nice to be able to be able to organise windows like that.
Excuse the Unicode crap in my posts. That's an apostrophe, and slashdot is busted.
That's funny, my copy was $100, and that was with the upgrade discount.
Well, if you use Outlook, and you're dumb enough to run with preview pane on, you deserve what you get. Simply run without the preview pane on, and delete messages from unknown people before reading them. Very simple.
I'm not terribly shocked--using a 3-letter extension to store that much metadata is absurd.
Luckily, the MacOS doesn't do tha.... oh, wait.... they do now...
Potato chips are a by-yourself food.
Bad analogy dude. The problem is *current* browsers have the problem as well. You perhaps *could* blame Linus for the current one having a hole.... or RATHER you could if he knew about it and didn't do anything, as in this case Microsoft is. Boys and girls, if anything goes wrong it's lawsuit world here, because as far as I can see, keeping it a secret that someone is about to get his shit fucked up is being NEGLIGENT.
Those saying security through obscurity is bad don't deny that the release of notification about the bug may enable people to exploit it. However, forewarned is forearmed, so you can start doing something about it as soon as you know, up to and including disconnecting vulnerable servers from the 'net.
There's also the publicity aspect. Making this extremely serious bug publicly known puts pressure on the vendor to fix it. So far, they have known about it for over two years and have done nothing. That's two and a half years for anyone who might have stumbled across the bug to exploit it. They might have friends. Exploits, easter eggs and all that stuff spread quite happily before the 'net.
Saying "What I can't see can't hurt me" is naive in the extreme.
Just because you're paranoid doesn't mean they're NOT after you.
Opera 6.0 is now available for download. If you tried an older version of this browser and thought it sucked, try it again. It's light, fast, more standards compliant, and its rendering engine is very compatible with the way I.E. and Netscape work so it works practically everywhere. You can browse MDI-style, which means you can have all of your browser windows as sub-windows of the main one, OR you can go NS/IE style and have a separate window for everything. It's skinnable (but you don't have to use a skin), it has more privacy and security features than I can count. You can turn off javascript pop-ups (or merely relegate them to popping up in the background). You can spoof the browser string as being I.E. or Netscape for those sites that are browser bigots. I cannot say enough good things about this software. And it's available for BeOS, Linux, Solaris, Mac, OS/2, QNX, Symbian OS and of course Windows. Get it here.
Error: PANTS NOT FOUND. Press <F1> to continue.
Could be that the ones that DID know about it didn't say anything. How would you have known? Security through obscurity may "work" but there's no audit checks to determine if it does or not unless someone aggressively uses a security flaw.
I am not merely a "consumer" or a "taxpayer". I am a Citizen of the State of Texas
Second, don't just bitch about IE. If you haven't already, check out the alternatives:
- Mozilla, now in Version 0.9.6, is very feature-rich and fast and the most standards-compliant browser in existence, but not for computers with less than 128 MB of memory.
- kmeleon (Windows) and galeon (Linux) are Mozilla derivatives with smaller footprint.
- Opera, which is closed source adware and requires registration, is a very fast browser that is especially recommended for "information surfers" because of its excellent navigation and caching.
- Konqueror is KDE's built-in browser. Thanks to Qt/Embedded and/or KDE-Cygwin, it might be ported to Windows as well.
- Lynx and W3M are up-to-date text mode browsers capable of displaying most pages which do not depend on images or animations.
There is a choice, you just have to make it. And no, I didn't copy&paste this from elsewhere and I actually tested all of these, so you may mod me up without guilt. My personal recommendation: Opera (and Mozilla once I've upgraded to 512 megs and V1.0 is out).
"Microsoft will patch a flaw in its Web browser that could allow an attacker to silently download and execute malicious programs on the computers of users who view a specially constructed Web page or e-mail message." (emphasis added)
From the article's intro:
"Microsoft has known about it since November 19; they refuse to provide any information about when a patch might be made available, if ever."
Also: "And keep in mind that Microsoft is in no hurry to do anything about it . . ."
Full marks for a more thorough description of the exploit and how it came about -- but did the poster actually read the article before posting? Looks to me like he hit the original report but not the article, which says that MS did initially plan to let it go, but did an about-face after a while.
Nasty flaw nonetheless -- glad I switched to Mozilla.
I agree. Whenever you hear about a Microsoft exploit you Linux freaks are all over it, but when a Linux hole is opened, most likely by the same wannabe h4z0r3s, nobody says anything, they just patch and move on, maybe like the new Apache exploit which allows file system access.
( NO NOT APACHE THESE THINGS ONLY HAPPEN TO IIS )
I now return you to your regularly scheduled Windows bashing.
The upstream comment is 100% pure bullshit.
When you're using Netscape or Lynx and the URL starts with "http:", it's speaking HTTP. It can use that protocol to send whatever type of data the server wants to send - text/html, application/x-pdf, whatever. You seem to be confusing HTTP and HTML - the communications protocol and what's being communicated.
Meanwhile, the canonical way to identify the type of a file on a Unix system is to look for "magic numbers," and then hopefully verify them by parsing what you think is the header and making sure checksums are valid, values are sane, etc. Any Unix application developer that looks at the extension *alone* should usually be fired on the spot. (The sole exception is completely unstructured text where you have to use it as a hint, e.g., ".c" means C, ".cc" means C++.)
This isn't just a bad attitude, it reflects the fact that Unix tools have to deal with pipes and often don't have any filename (much less extension) associated with the data stream. If you require a file extension to understand what you have, you've crippled your application.
For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
You're talking local versus server context. In the case of a local file, MS and Windows "KNOW" that it's not an executable because of the extension. However, if the server tells the browser it's something completely different, it'll do its level best to try to carry out the cueing from the server - i.e. if it swears it's an application of the type MS understands, it'll try to run it, even if the extension is ".txt". At least that is my understanding of the flaw in the browser.
I am not merely a "consumer" or a "taxpayer". I am a Citizen of the State of Texas
The concern, from what I understand, is that a user might be led to believe that "readme.txt" will be opened and viewed as a text file by IE. This, when in fact the website has placed executable binary/script data in the file and changed the appropriate response headers so that IE is fooled into executing it as a program if it is 'opened'.
All the user sees as a prompt is "Open" or "Save Target As" using the menu options OR again "Open, Save, Cancel" by clicking on the link.
For an inexperienced user, the appropriate option will probably not be obvious. This is because many users have a lot of trouble navigating the file system to find files that have been saved by applications and enjoy the shortcut of having the windows decide how the file should be 'opened'.
I agree that an experienced user would never choose open because they know this is very risky. But, in my mother's case, she has trouble deciding when to click and doubleclick.
In Microsoft's defence, however, the "Open" option is never the default. Thus, it's probably safe to say that an ignorant user will almost always be safe from this attack as they will be picking the default and saving the file to the disk. At that point, "readme.txt" cannot be executed and is only openable from a text editor.
Anyways.. no matter how you look at it, this is a problem that fundamentally involves the act of downloading a file. Something even my mother knows not to do by herself. This is not a security issue in the same magnitude as the worm viruses that plagued IIS.
Do not spread "09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0" over the internet, thank you.
- Copy your current explorer.exe, shell32.dll, comdlg32.dll, notepad.exe and wordpad.exe to a backup location in case things go haywire. (I've done this before on Windows 98 and ME boxes without problems, but it's always good to be safe).
- Insert the Windows 95 CD, and start a dos prompt.
- From the prompt, enter:
d: (or whatever your CD drive is)
cd win95
extract /a /l c:\your\windows\desktop win95_02.cab comdlg32.dll explorer.exe shell32.dll notepad.exe wordpad.exe
- You should have the files listed above appear on your desktop. Now shut down into DOS mode, and copy the new shell32.dll and comdlg32.dll into your Windows SYSTEM directory, and copy explorer.exe, notepad.exe and wordpad.exe into your WINDOWS directory, and reboot Windows. (If you're using ME, you can go into c:\windows\system.ini and change your shell to taskman.exe in order to be able to replace explorer and the other system files)
Your system should come up with the old Windows 95 shell, which doesn't have any of the IE integration bullshit. IE will still launch as a separate application (with an Office-style splash screen, even!) and since the IE dll's aren't stuck in your memory all the time, your system should be a bit faster too.
Of course, after doing this, the next step is to replace your browser, but that goes without saying. :-)
Loneliness is a power that we possess to give or take away forever
the only thing Opera has going for it that other browsers don't is gesture navigation
Gesture navigation, and it doesn't have the vulnerability currently being discussed.
Fascism should more properly be called corporatism, since it is the merger of state and corporate power - Benito Mussoli
I notice many people complain about MS using the web browser and file browser as the same thing. But it seems everyone else is doing that too. KDE's Konqueror is a combined web/file browser. Nautilus also does this. If this is such a bad idea why is everyone doing this. The only desktop that I know of that doesn't try to do this is the Mac OS.
the problem is that someone can tell your browser (via header information) that the file you are downloading is named (for example) "blah.txt", and actually send you "virus.exe".
IE prompts the user to open/download blah.txt - most people would click "open", and it then spawns the downloaded virus.exe.
the correct filename is displayed once you get to the "save as" box, however most people would just open .txt files (for example) without bothering to click "save".
there are conflicting reports that IE 6 may/may not be vulnerable - the latest is that if you did a minimal install over the top of IE5, it may be (due to the fact that it didn't replace certain components of IE5.x)..
I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
Sure, MS can be sued for negligence, just like they can be sued for antitrust violations. You may even win, if you can prove that you suffered actual harm from this. And then the judge will ask Microsoft what they think they should have to do to compensate you, and Microsoft will say that they should give you a sticker that you can stick on your monitor that says "Don't open files from their current location. Always save to disk!". So in the end, Microsoft will stick it to you.
stew77 asks:
who's using IE anyway?
Roughly 85% of people surfing are using Internet Explorer. With computer software, there's a lot to be said for "It's preinstalled so I don't have to do anything to get it". Otherwise, I'm positive their share would be much smaller.
----
Open mind, insert foot.
Unless you combine it with the fact that IE is set up to automatically execute certain MIME types (like audio/x-wav). Send a message with an attached .EXE file, but hack up the message so the MIME type reads something else, and -- presto! -- instantly executing attachments. That's one of the attacks Nimda used.
IE won't launch a file that is declared as a .EXE by the HTML header without asking permission. What we're saying here is that IE doesn't check the TLE of the file it downloads, just the type declared in HTML. So IE thinks it passed a text file to the OS, and doesn't pop a warning of a possible malicious executable.
However, once the OS gets a hold of it, it looks at the TLE and says, "Executable! Gotta run it!" And if the code slags your hard drive, you're just SOL.
--Fesh
Kill -9 'em all, let root@localhost sort 'em out.
Those who use IE are probably those who have no reason to switch browsers, and those who visit sites that are "optimized" for IE. There are also those that don't want to use Opera because it has a huge ad banner, and don't want to pay to have it taken away or use an illegal serial number. Let's not forget those who use AOL. :P
You die too easily.
This is a shameless pandering to the preconceptions of the Slashdot crowd. The statement that "Nobody is willing to do an honest cost accounting for the top guys" is simply not true, and it's an unfair dismissal of IE's very real successes in that space.
IT guys can and do choose other browsers. Last I heard, Navigator still had over 1/3 of the corporate browser market. Suggesting that IT folk would be cowed by the "top guys" flies in the face of every experience I've had with them: that they're pragmatic, honest, and outspoken.
How many fucking years have they had to do this? How many fucking years longer are we going to rely on GIF (fucking cringe) for transparency because 85% of web browsers are using IE?
How many other browsers have implemented alpha transparency in PNG's in absolutely no time at all? Mozilla, Konqueror, Opera... are there any more? Why the FUCK can't IE, which is supposedly the best browser there is, handle it?
Pardon my absolutely mindless lunatic ranting... just really pissed that PNG's still aren't an option... thanks to IE.
Sticking feathers up your butt does not make you a chicken - Tyler Durden
There must have been a huge party at FBI headquarters on Nov 19 (when this was reported to MSFT) since they finally had a viable delivery system for Magic Lantern.
Microsoft designed their web browser with the goal of doing what was best for Microsoft (evading anti-trust charges) rather than doing what was best for their users. In fact a proper "fix" of this hole probably involves de-integrating their browser and local file handling to some extent.
Hey Malda and VA Software executives, or whoever is in charge of keeping a minimal amount of decency on this site: why do you keep letting crap like this make the front page? This is not informative, insightful, or in any way useful. This is just a rant by a pissed-off bigot, pure and simple.
The vulnerability is real, but it is presented in such a hate-filled manner that it's unbearable to read. Michael has done nothing but spew venom in this posting. He's doing the right thing by bringing this to the attention of millions, but he does so with only malicious subtext to his main point.
This reads like a stream-of-consciousness scream from a 13-year-old who's just had his Nintendo taken away from him. This isn't journalism, it isn't even information, it's just garbage.
Please, do us all a favor: if Michael can't clean up his act and give us his material in at least a somewhat-presentable manner, fire him. You're losing respect for your site with postings like this. And no, this is not a troll, I'm serious.
Konqueror also does this, and has quite a few specified by default... "gg:" searches Google, for example.
Others by default are fm: (freshmeat), rf: (rpm-find), dict: (Merriam-Webster dictionary), ad: (acronym database), and many other popular search engines. Adding or modifying entries is very simple also; the entry for Acronym Database is 'http://www.chemie.de/tools/acronym.php3?language=e&acronym=\1'.
XML is like violence. If it doesn't solve the problem, use more.
With all of the email viruses, internet borne viruses, worms, holes, DDOS attacks, it surprises me that anyone even uses the internet or related technologies at all. It will be a sad day when the whole idea of the internet is just "dumped" because of hackers (the bad kind), holes and bandwidth abuse. It seems like daily that I read through the articles on slashdot and find a new hole, exploit or virus that is being used or abused. Take for instance the recent decision to shut down the first IRC server, because of repeated DDOS attacks, that is truly a shame. As I have said often before, abuse it and lose it...
Nathaniel P. Wilkerson
www.haidacarver.com
Sounds like this patch (assuming they actually fix it) that will be forced by the PR gods will fix an issue that I've struggled with. IE just ignores the bloody HTTP header when it comes to mime type.
As a workaround, I've been adding a &whatever=foo.extension to trick IE 5+ into using the extension I need it to use. (Ugly if you need to return a PDF document from a JSP (or god help you) ASP page.) I have a pretty good guess how this could be used by the forces of darkness.... never thought about "real" binaries before....
+++ UGUCAUCGUAUUUCU
Then you've probably clicked on some links that took you to sites that are very little known and that could contain rogue code that exploit this IE security hole.
I guess IE users will just have to stop using search engines then. I guess that will only affect about 80% of the Net users, so you're right, this isn't a big deal.
ayottesoftware.com
With both IE and Konqueror, you have a good web browser (excluding problems already mentioned with regards to IE...), and that web browser also acts as the file manager, except all that each is doing is mimicking what their predecessors did without providing any extra functionality that is inherent in a web browser.
Sure, IE has some neato wiz-bang "features", but it's ridiculous to claim that it adds anything to local file browsing that wasn't already provided by the previous program. Same goes for Konqueror.
Granted... they are both better file browsers than their predecessors, but that functionality is completely separate from web browsing and could be removed and used to create a totally separate file browser. There is absolutely nothing gained by integrating the two.
The bug hasn't been exploited. It hasnt caused huge problems. MSFT is coming out with a fix BEFORE hackers could find a way to exploit it.
I don't think it matters. Of the browsers affected, how many do you think will receive this patch? It's too late.
Regardless, the issue will not become serious because it requires a server to deliver the payload and that's not something anyone would do willingly without advertising themselves as the attacker.
This isn't much different from the Netscape Java SocketImpl problem that would allow servers to connect back to your machine and look at your files (albeit harmless by comparison).
I think you mean HTTP, not HTML.
-- If no truths are spoken then no lies can hide --
I've had serious problems with Opera crashing the operating system when there are too many windows. I've reported this bug several times. No answer.
Bush's education improvements were
I have received a number of emails recently attempting something like this, but I'm not using Windows so I can't say whether or not they would have been harmful.
Until one of my users got an email with an attachment that would just execute itself from the preview pane, no matter what the security settings were.
I sat there and toyed with it (yanked the LAN cable first) and absolutely could not get it to *NOT* run automatically.
(Her Outlook Express probably had been upgraded a month before, I think, but downloading the latest version *did* take care of the problem.)
The real question is, why does Outlook support *any* of these behaviors? Sure, occasionally it's nice to HTML-ify an email and stick in a picture, but do I really need DHTML, scripting, cookies and all of that other crap?
When was the last time somebody had a legitimate reason for sending an embedded script in an email?
Oh, sure, let me have my personal emails set a cookie when they get read. Sure, I'm really going to do that.
Why not just have a really scaled-back HTML renderer that ignores tags that you choose to ignore?
Cheers,
Jim in Tokyo
-- My Weblog.
Those of you who read the articles will consider this redundant, but I've seen so many different interpretations of how the exploit works (and many wrong ones modded up), so I thought I'd clear it up:
You make a trojan or other malicious executable, and name it 'something.txt'. Then you make your HTTP server tell browsers that this file has content type 'application/octet-stream'. IE will read the content type header and realize that it's an executable, and ask you if you want to open it or download it. But since the file name indicates a text file, there's absolutely no indication that a program will be executed if you choose "open".
DISCLAIMER: I haven't tried this. This is just my interpretation of what I've read in the various articles. Also note that some versions of IE will use the word "execute" instead of "open" in the pop-up dialog, which might help tip some users off.
Besides, it's not like Microsoft are the only folks who take forever to release patches.
So far, they have known about it for over two years and have done nothing.
I don't see anything in the article that states that Microsoft knew about the bug for two and a half years, but simply that it's existed since IE 5.0, which came out two and a half years ago. The headline, and the Slashdot writeup on it smells horribly like FUD-slinging.
In fact, the article says it was only reported to Microsoft late last month and that they're testing a patch now.... two and a half week turnaround time is much different than two and a half years.
And no, Open Source isn't the silver bullet to prevent bugs like this.... how long was that recent root exploit in the Linux kernel before anyone noticed it?
NO CARRIER
I found that out when I was trying to make a "view source" link to a .jsp file that was a soft-link to the jsp with the suffix of html. Apache sent "text/plain", as appropriate. Netscape and Mozilla viewed it just fine, just as I wanted them to.
I.E. noticed that it looked awfully like HTML and rendered it as HTML, effectively hiding all the embedded java and jsp tags that I wanted to show.
bastards...
"But remember, most lynch mobs aren't this nice." (H.Simpson)
-- Joe
If the volunteers for OpenBSD can go through the software and eliminate security problems in advance, Microsoft, with 30 billion dollars in the bank, could also. Since Microsoft doesn't do this, maybe there is some reason. Maybe the U.S. government has dictated that they leave bugs in.
Software is only an operating system if it can be trusted. If it can't be trusted, there should be some other name, like fnord. Microsoft Fnord XP.
--
U.S. planned to attack Afghanistan before the second WTC bombing.
post a link to the picture of 'another gaping security hole'.
--
The Cap is nigh. Time to get a fresh new account.
From the article:
Oy Online Solutions offered to demonstrate the flaw at a private Web site only if recipients of the demo signed an agreement not to disclose information about the exploit.
Perhaps those same people can explain exactly how often people who might exploit such an IE deficiency also follow such laws as: DMCA, anti-piracy, anti-theft, anti-terrorism, etc.
That's completely ridiculous. That's like asking the wolf to sign an NDA before letting them loose (unmonitored, of course) in the hen house.
On a side note, I'm still waiting for a 'leet hack that will damage my install of Windows 2000. I don't run virus scan, so I'm not "protected" in that sense. But the first HUGE stumbling block is that my user has peon rights to my own system. I fail to see how this exploit could damage my system. Sure, I might lose some files, but now I'm more attuned to the (better) Unix model of users and their rights.
I'd really like to know. Currently my choices are:
1. Stop thinking about this question entirely. No, really, stop thinking about it. Try really hard... whoops, I thought about it again.
2. Believe what the law student says, unless he's contradicted by an equally plausible source.
3. Believe the "It's legal to download ROMs if you delete them within 24 hours" type rumors that get spread around the internet by the legally ignorant.
4. Hire a real lawyer to talk to for hundreds of dollars.
I'm sure law school grads (including your ethics lecturer) would love option 2 to be unavailable, but I'm just not seeing a superior alternative here.
Actually, Linux has had security problems in the past.. and Linus needs to take some classes on Quality Assurance; I'd sooner trust Microsoft to come out with a secure open source kernel than I would Linus.
:)
But then again, I'd expect Linus to come out with a more secure closed source kernel than it would be likely for Microsoft to come out with a secure closed source kernel.
If software is known to be faulty, either the company licensing fixes it or they do not.. they are not required per their license to fix bugs; unless explicitly stated in their license.
If their product is not secure; that is your fault and negligence for running it, not the developer's
This is like saying that it is microsoft's fault that someone gets infected by a virus; when it is the user's fault for being stupid enough to trust any product made by microsoft..
Most end up knowing that they will clean up the mess, because "The top guys like Microsoft so much - it has so many features."
Show the "top guys" the article about Microsoft finally getting around to patching their browser. Make sure you highlight this text from the article:
Until the patch is available from Microsoft, Pynnonen said concerned users can temporarily disable IE's ability to download files.
Explain to them that if they want to 4) Clean up the mess, while the mess is being cleaned up, they need to stop their downloading of mysterious files off the internet.
Try to mix in some economic terms: "Boss, in order that we may obtain greater reliability through Microsoft's web browser, Microsoft says that we need to disable part of the function of the web browser itself, aka sacrificing our productivity in order to maintain stability."
That should get their attention.
I would like to mention that
A) those programs are not bundled with the Operating System; only running on some machines.
B) there have been multiple wuftp exploits, anyone sane wouldn't run it.
C) the programs you specified are open source, they are usually patched very quickly, rather than brushed off as Microsoft often does. Also, since they are open source, if there is no patch available, you can easily work around the bug or disable the faulty feature.
If IE was open source, this problem would be major.. but it would be fixable; currently, as it is closed source.. it is a continuing major security hole.
The issue is not that there's a bug as such, because as a software developer I know that bugs just happen, as in "That's life folks", *but* that it's a dangerous bug and Microsoft have not fixed it despite continuing to sell it.
Excuse the Unicode crap in my posts. That's an apostrophe, and slashdot is busted.
> since Sept. 11 all media outlets are rethinking what is and what isn't safe to release to the public
Is there any information the hijackers actually used such information? Or is this just raw terror? Or something more insidious - remember that the Pentagon Papers and the Nixon's tapes were matters of national security too.
I know from my web development experiences that this has long been a problem. In fact, recently a friend and I were contracted to make some modifications to a site built in Perl. The client was an all-MS shop and did not notice that sometimes the contents of the CGIs got dumped out to the screen raw. It turned out that since they all used IE, it automatically assumed the output to be HTML and rendered it, but when we used Mozilla, since no proper MIME header was sent, the browser just rendered it as text. Kind of scary that this can go on without anyone doing something about it.
--Jon
Actually, Slashdot has way more Windows apologizers than it used to. And this is a bad thing.
It used to be that the heavy Linux focus kept away a lot of idiots. Now everyone feels like it's supposed to be some grand open forum. It used to be a much larger percentage of users just accepted the Linux perspective (I won't call it bias) and moved on.
As to this article, I think it may seem a little on the angry side. But I'm sort of angry here too. MS needs to get its act together (although I'm sure they're scrambling for patches now).
The problem is not some crazy design decision (integrating IE isn't necessarily that bad of an idea), the problem is that MS has too many programmers pointed too many different directions.
It can be a hard job to keep things secure when you're working with a lot of disparate technology (and your boss is mostly concerned with how it looks). I have a fair amount of respect for MS programmers - perhaps they need some better management.
Let's not stir that bag of worms...
Ironically, I ran into this one just the other day, but didn't recognize it for what it was.
I develop software for a living, and one of my tools is a web-based thingy with a CGI interface. A typical URL might look like this:
http://foo/bar.cgi?blah=blah&filename=quux.jpg
This CGI script returns a web page with info about the file "quux.jpg," which exists on the server.
When I serve this URL up to IE 6 under Windows 2000 (maybe other versions; that was the only Windows IE I tried) the browser thinks it's downloading a JPEG image, and asks me where I want to save it.
My script sends a nicely formatted Content-type header of text/html, but the browser is stubborn and won't listen.
So in my case, this wasn't really indicative of a security hole, but rather a pretty dumb design flaw in the browser that should have been caught in testing.
(Oh, and FYI, my "fix" was to reorder the CGI parameters as the URL gets constructed, so the filename never comes last. I'm not happy with this, and I may implement URL-encoding the filename's "." character instead, then decoding it on the server side. But the spec says I shouldn't have to do that, so the whole situation has left me kind of pissy.)
Here's an easy fix for Microsoft to implement: have IE append the "expected extension" to the name of a file if the extension given is wrong. For instance, if foo.txt has a content-type of application/octet-stream, have it tell the user that they are downloading foo.txt.exe, and reflect this in the open/save dialog and the name of the saved file. This has a pleasant non-security side-effect - I often write CGIs which return a content-type of, say, application/pdf. If the user downloads the resulting data, it will be saved as myapp.cgi. This will cause problems when the user tries to open the file.
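An added example, not code from the thread or from IE, that implements the renaming policy proposed above and flags the "something.txt served as application/octet-stream" case described earlier in the thread; the MIME-to-extension map, the list of executable extensions and the sample URLs are assumptions constructed for illustration:

```python
"""Added example (not code from the thread or from IE): the renaming policy
proposed above, plus a check for the 'something.txt served as
application/octet-stream' case. The MIME-to-extension map and the list of
executable extensions are assumptions chosen for illustration."""
import posixpath
from urllib.parse import urlsplit

# Assumed: the extension a *downloaded* file of a given Content-Type is
# expected to carry. Types rendered inline (text/html) are deliberately absent.
EXPECTED_EXT = {
    "application/octet-stream": ".exe",
    "application/x-msdownload": ".exe",
    "application/pdf": ".pdf",
    "application/zip": ".zip",
    "text/plain": ".txt",
    "audio/x-wav": ".wav",
    "image/jpeg": ".jpg",
}

# Assumed: extensions the Windows shell runs rather than displays.
EXECUTABLE_EXTS = {".exe", ".bat", ".com", ".cmd", ".scr", ".pif", ".vbs"}


def filename_from_url(url):
    """Last path segment of the URL, ignoring the query string, so that
    bar.cgi?blah=blah&filename=quux.jpg names 'bar.cgi', not 'quux.jpg'."""
    return posixpath.basename(urlsplit(url).path) or "index"


def mime_only(content_type):
    """Drop parameters: 'text/html; charset=utf-8' -> 'text/html'."""
    return content_type.split(";", 1)[0].strip().lower()


def extension_of(name):
    return posixpath.splitext(name)[1].lower()


def display_name(name, content_type):
    """Name to show in the open/save dialog and to save under. When the
    extension disagrees with the declared type, append the expected one:
    'foo.txt' as application/octet-stream becomes 'foo.txt.exe' and
    'myapp.cgi' as application/pdf becomes 'myapp.cgi.pdf'. Unknown types
    leave the name untouched."""
    expected = EXPECTED_EXT.get(mime_only(content_type))
    if expected is None or extension_of(name) == expected:
        return name
    return name + expected


def classify(name, content_type):
    """Label the name/type combination for logging or for a proxy rule:
    'ok'                          extension and type agree (or type unknown)
    'disguised-executable'        benign-looking name, executable type
    'executable-with-benign-type' executable name, benign declared type
    'mismatch'                    any other disagreement"""
    shown = display_name(name, content_type)
    if shown == name:
        return "ok"
    name_exec = extension_of(name) in EXECUTABLE_EXTS
    type_exec = extension_of(shown) in EXECUTABLE_EXTS
    if type_exec and not name_exec:
        return "disguised-executable"
    if name_exec and not type_exec:
        return "executable-with-benign-type"
    return "mismatch"


def check_response(url, content_type):
    """Convenience wrapper for a proxy or log review: (display name, label)."""
    name = filename_from_url(url)
    return display_name(name, content_type), classify(name, content_type)


if __name__ == "__main__":
    # Constructed sample responses shaped like the cases discussed in the thread.
    samples = [
        ("http://example.invalid/something.txt", "application/octet-stream"),
        ("http://example.invalid/myapp.cgi", "application/pdf"),
        ("http://example.invalid/readme.bat", "audio/x-wav"),
        ("http://example.invalid/bar.cgi?blah=blah&filename=quux.jpg", "text/html"),
        ("http://example.invalid/cliplay.exe", "application/octet-stream"),
    ]
    for url, ctype in samples:
        print("%-60s %-26s -> %s" % (url, ctype, check_response(url, ctype)))
```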
There's a fairly easy exploit (for IE since 4 I think) that allows a malicious web page to read arbitrary files off a users hard disk.
No patch available as far as I know. It's also a lot easier to exploit than this one (heck, I even was able to do it).
I'll put details up if anyone's interested...
Funnily enough I got one that did this just this morning.... but my procmail filter cleaned it up nicely. Note the original content type below.
> SECURITY WARNING!
>
> The mail system has detected that the following
> attachment may contain hazardous program code, is
> a suspicious file type, or has a suspicious file name.
> Do not trust it. Contact your system administrator immediately.
>
> X-Content-Security: [www.ccimackay.com] original Content-Type was audio/x-wav;
> Content-Type: application/octet-stream; name="HUMOR.MP3.27525DEFANGED-scr"
> Content-Transfer-Encoding: base64
> Content-ID:
>
Another case of security vs convenience I suppose.
You are in a twisty maze of processor lines, all alike.
There is a lot of hype here.
Also a story about it here, http://www.theregister.co.uk/content/4/23223.html
I've had it installed at work for a week now and do just fine without all the images and special formatting of spam.
"I have a cunning plan..."
Microsoft will patch a flaw in its Web browser that could allow an attacker to silently download and execute malicious programs on the computers of users who view a specially constructed Web page or e-mail message.
/. article leads one to believe that they are brushing it off. When in fact, they were just trying to wait until they actually had a worthwhile patch before they said anything.
The patch for Internet Explorer (IE) is currently in testing and could be released soon...
So, am I missing something? There is a patch in the works, it is just not released.
Sure, it should have been released a long time ago. Or, should never have had to become an issue.
Shame on MS for bad practices.
But the
Now the real question is.... will the patch just open 7 more holes?
-xtype
Mozilla has gestures as well.
We're going to make information free Mr. Anderson, whether you like it, or not.
Ethics 101: We are the lawyers. We make the laws. We judge the laws. We prosecute the laws. We defend from the laws. About the only place in law we don't have a monopoly is in juries, but we're working on repealing your right to a jury as we speak.
Anyone giving free advice without going to our way overpriced schools will be prosecuted to the fullest extent of the law.
ok then your [sic] infringing on my copyright! Could you as [sic] me next time before STEALING my comments for your own?
Honestly? I seriously would recommend browsing the web only with Mozilla. I had been using IE, but I switched to mozilla full time after 0.9.1 (except for work related browsing on my company's web pages, which are written exclusively for IE browsing.) It's been buggy, it's still a little buggy, but I haven't had many real showstoppers because of it. And no one's published any attacks yet, but because it's NOT integrated into the OS, I'm somewhat less concerned about the damage it's capable of causing.
If you're stuck with IE, then might I recommend a proxy filter such as The Proxomitron? You can modify the incoming http headers to do anything you want, including altering file extensions!
John
Oh, you mean like Code Red? Yep, that issue certainly wasn't serious.
Enigma
You want to see it for yourself? The problem is that IE gets a file that ends in, say, .ZIP, asks the user to download or open from current location, and if it's "open from current location" it actually executes the code as an executable, even if it _IS_ a .ZIP. There's nothing special here, and it doesn't need you to have web administrator access, I did it here: http://www.cs.nmsu.edu/~dfoesch/funny.zip If you want to see the exploit first hand, select "open file from current location" and then if it asks you what application to use, just click "ok" (ok, you might have to select the first entry) and PRESTO! Notepad.EXE! Running remotely on your computer! This could easily be any arbitrary program, I just chose Notepad.
I am unamerican, and proud of it!
Links. It supports frames, renders tables better, etc.
Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
I have to plug something here.
:-)
Check out the procmail-based scanner at impsec.org
If you can set it up, do so - it's saved my ass quite a few times, by mangling active html content and renaming file extensions etc. It can also scan M$ docs for sus looking macros.
The following is something I received today that would slip through otherwise (notice the original content-type)
> SECURITY WARNING!
>
> The mail system has detected that the following
> attachment may contain hazardous program code, is
> a suspicious file type, or has a suspicious file name.
> Do not trust it. Contact your system administrator immediately.
>
> X-Content-Security: [www.ccimackay.com] original Content-Type was audio/x-wav;
> Content-Type: application/octet-stream; name="HUMOR.MP3.27525DEFANGED-scr"
> Content-Transfer-Encoding: base64
> Content-ID:
>
End of blatant plug
Let's say that this hits the news. CNN tells people to be careful when they use IE/Outlook. John Doe says "Oh my, that's terrible!" and stays away from the computer for a few days because it could blow up on him. Later on though, the pr0n is too tempting and he starts using IE again. Darnit, this is some good stuff here.. Anna Nicole Smith and all this type of stuff. Two months later he doesn't remember a thing about the horrible bug in IE. Because his computer works fine.
I am 99.999% certain that this will not be a turning point in the browser war. John Doe doesn't care unless his pr0n disappears. And he is certainly not going to download Netscape because that's too hard, let alone PAY for Opera?! He can view his pr0n quite well on IE, barring of course the fact that he gets 400 popup windows on his screen by clicking some link.
Microsoft will walk away from this one too. Until Microsoft blows up John Doe's computer, or takes away his pr0n, this will probably go fairly un-noticed by the public.
Wealth is the product of man's capacity to think. -Ayn Rand
Real men pre-compile the JSPs into servlets so the users don't have to...
Innovate? Bah, I did not say that. What I did say was moving binaries is painful with server side Java, and even worse using JavaScript or VBScript. Try it some time, I had to last week....
I've spent way too much time coding C++ ISAPI filters and extensions, COM components, and ASP to say this sux d00d! Right tool, right job. Most of my personal time these days is spent building ATL COM components for the ARM...
I'll assume you are fresh to this web stuff - M$ or $un whore? Stuff evolves. My first CGI work was in C, followed by ISAPI and NSAPI, ASP, Servlets, and lately custom tags, XML, and yes -- JSP. The trick is to know when and why one is a better choice than another for a job. That, and making your resume fully buzz word compliant....
(PS - get an account Steve)
+++ UGUCAUCGUAUUUCU
Uhh... I don't know of any sites that fit into this category, do you?
Amazing magic tricks
Here is a site with some more info on the SliMP3: http://www.mp3newswire.net/stories/2001/slimp3.html
It has a bit more detail on the unit and a picture of it working. Quite an impressive piece of hardware.
--------------------------------------
58.0% slashdot corrupt
Read my journal entry about how I got this data, or just look at the table (that cannot be formatted properly because the lameness filter is the most useless piece of crap that Slashdot has ever forced upon its readers - I'm glad you guys are all about free speech online!! - so use the linked journal where the formatting was accepted and don't forget to continuously annoy CmdrTaco about this annoying "feature" to protect us from the oh-so-evil trolls):
Browser Actually Used By Slashdotters (hits, share)
Galeon: 1511 (3.00%)
iCab: 9 (0.02%)
Konqueror: 4149 (8.25%)
Lynx: 6 (0.01%)
Internet Explorer: 24885 (49.47%)
Mozilla: 9340 (18.57%)
Netscape: 3756 (7.47%)
OmniWeb: 190 (0.38%)
Opera: 3267 (6.50%)
Other: 3187 (6.34%)
Note: Other contains browsers whose User-Agents could not be parsed. It may contain valid browsers, but for the most part is either badly formed User-Agent strings or unknown User Agents.
It has to be noted again that this data is not statistically accurate: it was taken directly off of hits, and is biased towards browsers that automatically download images (in other words, every hit counted - the values didn't take into account which hits were hits to the images linked to on the page).
Also, some other people decided to ... uh, borrow ... the mirror and so some of the links come from other sources that aren't Slashdot. I forget if I filtered those or not, but...
If anyone's interested, I suppose I could try and fix up the Perl scripts used to calculate that data. I have some pretty pie charts on my harddrive that I could put up somewhere too, although they are for the most part useless...
You are in a maze of twisty little relative jumps, all alike.
2068 is obsolete.
2616 is the current RFC for the HTTP/1.1 protocol.
A .signature, maybe. I know you're not about to expend any reputation or liability on a random post on an internet forum. I think anyone with any sense should know the same. I have no idea whether the law agrees with me.
I suppose my problem is with glrotate's phrasing. I don't see why you should be responsible for spouting off on Slashdot any more than I am just because you're in law school. I like the fact that people can hold lawyers responsible for legal advice, but that seems to me to be a "special case" in human interaction, the exchange of warranted information for a fee, not an implicit agreement I have with everyone who's looked at a law text. And despite real concerns for potentially misleading people or exposing law students to needless lawsuits, when you consider the problem from the perspective of established lawyers telling proto-lawyers not to give legal information away for free, it comes off sounding more like price fixing than like ethics.
Of course, you've got it easy. If you think lawyers have to watch shop talk outside of work, imagine what civil and mechanical engineers face in the way of liability. As one of my coolest professors put it, "When doctor screw up, one person die. When engineer screw up, thousand people dead. Everybody die!!!"
Because it's part of the Windows OS. When grandma goes out to buy herself a nice Dell computer, it comes with Windows preinstalled, and hence has IE installed by default. She would have to take extra steps to download and install a different browser. But why, when IE seems perfectly fine, and it's integrated so nicely into the desktop? And it's hard to argue that. Think of the average home user that isn't as aware of these issues as we are.
A big part of the problem is that the clues aren't easy to spot for non-technical people. They can't see a problem in IE, as it seems to work just great. There are all these refined features to play with so it must be a solid product. And there are a whole heck of a lot of people who don't think IE is a browser, they think it is the browser. When they hear about holes like this they don't think that IE is broke, they think that someone has found out how to break into web browser (as in all web browsers). It would never cross their mind that IE is at fault. Try explaining how IE has issues with content type vs. file extensions to random people on the street. They just won't get it.
And this is where their monopoly comes into play again. They're such a huge, enormous company with a huge, enormous user base that they all turn into lemmings. If something happens to their IE, it will happen to their friend's IE. Soon they start to see lots of people having trouble with IE. Then they stop relating the problem (if they ever did) to IE and start to think everyone is being affected by "the baddies who broke the internet". By the time Microsoft releases a patch, users believe it to be a general problem that must be affecting everyone. Finally, since the issue has been disrelated with IE in their minds, why would they have any reason to look for a different browser?
I'm against picketing, but I don't know how to show it.
consider this e-mail I got from X-10 customer support, in regards to the installer for their windows 2000 version of ActiveHome, which does not run properly (it looks like a widget issue):
I have not heard of this problem before. It could be that the setup file is corrupted. (uninstallation instructions deleted) Now redownload the software. Be sure to disable any anti virus software you use on that machine. In fact, make sure no other apps are running while downloading (except IE of course). Which brings me to my next point, make sure you download thru Internet Explorer. If you use any download assistant or wizard disable it and use the default windows tool.
Call me paranoid, but that doesn't exactly give me very warm fuzzies, especially from the folks that brought us the annoying pop-under ads.
(and what the hell is the "default windows [download] tool" ?)
I downloaded the demo of HomeSeer for now, and will just end up implementing something in Perl for my X10 equipment (which I bought long before the days of the pop-under - I no longer buy their crap)
I use Mozilla for browsing and Sylpheed (http://sylpheed.good-day.net) for mail, so I guess I've already voted, so I'll use my soapbox to do a little campaigning.
My office has a loose policy of letting users use any POP3 client that they choose. Most seem to be on Outlook Express, but others use Eudora and one called "Becky!" that I think is a mainly Japanese product.
I've noticed that the HR department gets the bulk of the viruses, given their unfiltered contact with the general public, so I'll soon be setting up a special box just for them to use:
Linux, Gnome (KDE if they like,) Mozilla, Sylpheed. (Yahoo Messenger and XMMS will be on it just for fun.)
It will also get the latest release of OpenOffice, so they can look at resumes and stuff without worry. It will also have all of their standard drives mounted through Samba. It should be a fairly easy transition - sylpheed is very similar in feel to Outlook Express. OpenOffice will take a very little bit of retraining.
I agree with your point - it was very well-said. Microsoft put the customer second and because of it, they are losing a customer. Not just for Outlook, but for at least one Windows license, hopefully an office-full soon. It would sure make *my* job a lot easier.
Cheers,
Jim in Tokyo
-- My Weblog.
...which means that it would still be live even if saved to disk and clicked on. It may not be run with notepad, but odds are good that one way or another it will ruin notepad...
Got time? Spend some of it coding or testing
There was a hole in Slashcode that allowed this to be exploited... it caused some pages to be turned into goatse.cx redirects. If you opened them in Konq (presumable any browser other than IE) it would just be text containing some HTML snippets to redirect to goatse. Some of the trolls were posting this on their user info pages, to turn Slash links into Goatse links. I believe that Taco has since fixed that one, thankfully.
Even Slashdot wants to hide some things
Copy this text, paste it into a file called imamoron.bat and stick it on your web server:
/y c:
@echo off
echo Please wait, unpacking...
format
Now tell the webserver that the MIME type for BAT files is audio/x-wav and add a link to imamoron.bat (you probably need to restart your webserver). Hit it with IE, and kiss your hard disk goodbye.
Got time? Spend some of it coding or testing
By your logic, just clicking on a hyperlink in the first place might as well be "user intervention".
The fact is, there are some things that users are supposed to be able to do without being afraid of their system being remotely compromised and trashed! And opening a .txt file (or most types of files) of indeterminate origin, just like opening a hyperlink, is among them.
"So what it comes down to, is I also have to mangle the output name be making it .txt_ so that IE will not try and read it, along with passing it a bad content type, otherwise if it's application/octet-stream or some such, it will STILL RENDER IT IN THE DAMN WINDOW..."
:P
;)
I had this same problem. Basically, you must make sure to pass the filename as part of the content header, but not attached to the end of the script name. This way, IE will always pop up a window asking you to save. It will tell you that it is saving your script name, but in reality, it will save the page you want it to.
First, write the page from your database to your local server as a file. Then do the following (my script is written in PHP; translate as needed.)
I wrote my database contents to a variable called $content, then executed the following code:
# put content into file called download/$page_num.html
$fp = fopen("download/${page_num}.html", "w");
fwrite($fp, $content);
fclose($fp);
if ($action == "download") {
# set up file download to client (header values must not carry a trailing newline)
header("Content-Type: text/unknown");
header("Content-Disposition: attachment; filename=\"${page_num}.html\"");
header("Content-Transfer-Encoding: ascii");
# stream the temporary file to the client, then remove it
$fn = fopen("download/${page_num}.html", "r");
fpassthru($fn);
unlink("download/${page_num}.html");
exit;
}
Note the key difference between my script and yours is the fact that I'm not passing anything but a content header to IE. Don't use your_script.php?filename=xxx... that doesn't work. Just write the filename as a variable and put that variable in the content disposition header. Also note that the Content Type can't be text/html, or, really, anything that IE will recognize.
This works in both Netscape and IE. Note that if you're working cross-platform using text files, you'll have to convert line breaks. I use the following code:
# get OS for carriage returns (eregi_replace is gone from modern PHP; str_replace does the same job here)
if (strstr(getenv('HTTP_USER_AGENT'), 'Win')) {
$content = str_replace("\r", "", $content);
}
Again, that's PHP -- translate if necessary.
Here's the final trick I'll pull out of my bag: if you set a Content Type to application/vnd-msexcel or somesuch (I could be off on that), and send the client a tab-delimited text file, it will open in Excel. Same goes for plain text and Word. It's a great trick to pull when you know your client is going to be using Windows and will say, "Hey, how did you get your script to make an Excel file? That's so cool!" (Always nice to have a little extra trick to impress your clients...
Hope this helps --
Erica
Your computer is open if you stumble across a specially constructed site. If you browse /., the news, stock quotes etc. then you're pretty much safe.
Wrong, if you have a gaping security hole on your computer, then you're vulnerable (open) even if no-one exploits the hole.
The story, as posted on /. has it right.
echo '[q]sa[ln0=aln80~Psnlbx]16isb572CCB9AE9DB03273snlbxq' |dc
What kind of steps can people use to protect themselves now
:)
This step and this, for instance
May we live long and die out
The most annoying part is the fact that IE pops up to open readme.txt, but executes readme.exe, _this_ should never happen.
If IE ask permission to open some file with notepad, it should be opened with notepad, and nothing else.
If IE finds out it would rather open the file with run.dll (afterwards) , fine, but _ask me_, goddammit.
I really hate this 'ask once, do whatever I like' behaviour in M$ products
Please, Microsoft may have used some competitive pressure, by making IE easier to come by then anything else. But I have trouble blaming Netscape's demise on anyone but Netscape. 4.7 was a complete piece of shit, and Netscape put out some of the buggiest, crash prone, shit ever. That's why people switched to IE, that's why I switched to IE. Because Netscape, comparatively, was a piece of crap.
autopr0n is like, down and stuff.
MDI annoys the hell out of me, to be honest.
upon first reading michael's post, i thought this wouldn't work, because ie has that annoying behavior of examining the first bytes of file to determine its mime type, sort of like apache's mime-magic module. and then ie in 5.5sp1 had to go and break the content-dispostion header, but i digress.
anyway, i tried to recreate this bug, with no luck. maybe someone can explain what i'm doing wrong, assuming this is a valid hole in i.e.:
server: apache 2.0.28 beta for win32
client: ie 5.5 sp2 (not sure if it's stock sp2 or has a hotfix on top of sp2. there's some Qxxxxxx following in the "about" box)
in httpd.conf, created the following:
<Directory "c:/foo/bar">
#AddType audio/x-wav .bat
#AddType audio/x-wav .txt
AddType application/octet-stream .txt
AddType application/octet-stream .bat
</Directory>
created two files:
a.bat:
@echo off
format a:
b.txt:
this is just an .exe renamed to b.txt
ie renders the .bat file as text in the browser.
in the case of the .txt, ie prompts to open or save, defaulting to save. selecting open opens the binary file in notepad.
changing the mime-type to audio-x-wav just renders the files as text in the browser (no prompting in the case of the txt/exe).
so what's the big deal?
Hrm. I thought that they were saying that the method of execution is determined by the type (audio/x-wav in this case) and the displayed name is determined by the filename. This would mean that if they sent you an .exe as audio/x-wav it would attempt to play the executable as audio. Just ugly noise, no security problem.
Don't get me wrong, I think this is a big problem, but I think it's different than you describe.
There are no trails. There are no trees out here.
This article is complete crap. I tested it, myself, and it simply isn't true.
A quick edit of my mime.types file in apache, and .exe files are now sent as text/plain. When I type in the URL http://autopr0n.com/cliplay.exe, Internet Explorer does indeed handle it the same way it would handle executable content. It asks if i would like to download or execute it. Hardly much of a fucking security issue if you ask me, especially considering the fact that it would behave in the exact same manner if the mime type was application/octet-stream or whatever the default value was.
In other words, the mime type has no effect on how IE handles executable content. But if this were a problem, it would mean that IE automatically ran all executable content it received, including stuff with the proper mime header. You would know this too if you stopped to think about it for half a second.
Oh, and mozilla does the exact same thing (well, it doesn't give you the option to execute from the cache like IE does). At least in the somewhat older version I have.
You guys couldn't take five fucking minutes to test this before posting this crap story?
Oh wait, it was from michael... nevermind. Anyone else remember the united devices fiasco a while back where michael attacked some anti-cancer distributed software because it was being funded by 'corporations' (Intel) who would of course patent everything and make money off everyone's spare cycles (despite the fact that it was clearly stated on the site that it wouldn't be). Couldn't be bothered to check sources or verify anything before posting a story to millions. And it's the same here. Way to fucking go Mr. 'journalist'
autopr0n is like, down and stuff.
For all the fanboys that scream out that Opera is better than IE (and it is, I love it too) - in this case it is vulnerable too, as this link proves. The file save dialogue will show the text.txt filename, but if you select to open it directly, it will run.
Opera 6.0 is not vulnerable - but take note - even though it is much better and has less exploits than IE, it's still not completely free of them. (On the other hand, the only secure applications are those on an unpowered computer, or a program of 'Hello World' complexity)
What happens if you send an .exe file with an audio/x-wav mime type is that IE will handle it like any other .exe file it runs across. it'll give you the option to save or run it, as an EXE. in other words, the mime type is pretty much ignored.
autopr0n is like, down and stuff.
If you try that on a windows machine, make sure you don't have .bat files set as server side executables.
you'd be just as likely to kill your server's hard drive while the user got a nice web page that said "please wait, unpacking..."
autopr0n is like, down and stuff.
URL: http://autopr0n.com/cliplay.exe
Mime type: audio/x-wav
Action: Opens up media player and says "cannot play back, format not supported"
In other words, you're completely full of shit. And so is the person who posted this bogus article in the first place.
autopr0n is like, down and stuff.
Of course, the server could be the victim of the exploit, which could then send links to everyone on the person's buddy list...
Links to where? Back to the infected webserver? You don't have propagation because you're not infecting new servers. Not unless the webserver is doubling as the victim's PC, but that isn't very common and such sites do not get a lot of hits.
>Actually, Slashdot has way more Windows apologizers than it used to. And this is a bad thing.
Apologists? Get stuffed. How about rational and clear-headed. Like being able to spot reverse FUD in action. Again, you are another /.er with an agenda to push. I've said it before, I'll say it again. I don't come here to fucking push a one-sided agenda, and I think that the so-called apologists are just geeks looking for some JOURNALISTIC INTEGRITY. If the low UIDs and zealots want to keep the blinders on and circle jerk all the way to non-MS heaven so be it. This board seems to be evolving away from that, thank god. There are some of us who recognise flaws and strengths with many different apps and OSes and are WILLING TO TELL THE FUCKING TRUTH.
Yes this "feature" is a security risk. Yes it is serious. And YES, the tone of Michael's comments border on tabloidism. And YES, I think it is appropriate that the patrons of this board be able to point that fact out and demand a little bit of non-partisan behaviour from the editors.
"The patch for Internet Explorer (IE) is currently in testing and could be released soon, according to Jouko Pynnonen, a security researcher with Finland's Oy Online Solutions. Pynnonen reported the IE vulnerability to Microsoft on Nov. 19 and recently tested the software fix at the company's request. "
Correct me if I am wrong, but that doesn't sound like M$ refusing to fix the bug or not fixing it to me...
People should not be afraid of their governments - Governments should be afraid of their people.
"What kind of steps can people use to protect themselves now"
Never ever choose "open file from its current location" no matter what you think the name is, unless you are willing to trust the site with any data on your system.
Of course, since no data has been released, I'm not sure this fixes all the problems, but from the description in the article it would. (Somewhere above someone says that IE executes certain MIME types, namely audio, automatically. However, AFAIK, in that case it would attempt to use the correct plugin, and this vulnerability would not apply).
I don't think this will do major damage. There seems to be a real easy workaround. I think michael is blowing things a bit out of proportion in his article. On the other hand, I do agree that this is a perfect example of how Microsoft's refusal to divulge information has nothing to do with protecting customers. Sure there is no "patch" for the vulnerability yet. But NONE IS NEEDED! In no case is any legitimate usage made impossible (check me on this--Microsoft may have implemented some stupid "copy protection" where you can only open a file but not save it). It is only made less convenient. Users can be protected the instant they see the alert, Black Hats will take time to set up an exploit even if tools are made easily available.
URL: http://autopr0n.com/random.txt.
Mime type: application/octet-stream
Actual type: text file
Action: shows up in IE as a regular text file.
Now, when you take a real .exe file, rename it to .txt, and then send it as application/octet-stream IE will prompt to download/open, and if you click open it will open it in notepad. For example
URL: http://autopr0n.com/random.txt.
Mime type: application/octet-stream
Actual type: win32 executable (shows you how long your computer has been running, actually)
autopr0n is like, down and stuff.
Sorry, the second URL should be http://autopr0n.com/uptime.txt
autopr0n is like, down and stuff.
I don't really think the EEF is going to go around lobbying for more restrictions on programmers.
autopr0n is like, down and stuff.
First of all: Test what? Details of the bug have not been released. So only your own arrogance validates your "test" of this bug.
Second of all: The harm in this bug lies in IE asking the user if he wants to open a file of one type (i.e. Text, which is safe), and then proceeding to run malicious code.
Now this bug may not pose any threat to reasonably intelligent people, but I think we all know that the internet (and IE users even moreso) is not comprised solely of reasonably intelligent people. Hell, it might even get me, if I was an IE user. Why waste time/space downloading a txt file when I can open it in the browser? Trust issues? Who worries about whether or not to trust a txt file? Text is harmless, as long as it's treated as text.
Nothing to see here. Move along.
The problem here arises from the fact that Windows allows more than one '.' in a filename, but will only display one. Therefore, a malicious webmaster can name a file "foo.pdf.exe" and Windows Open/Save dialog will only display foo.pdf.
Windows, by default, does not show the actual file extension. The 'actual' file extension is the last one. You can have as many '.'s in your file name, and the last one won't be shown if file extensions are turned off (not 'just one')
If you turn file extensions on it's not a problem.
*sigh* is it too much to ask that people actually know what they're talking about?
autopr0n is like, down and stuff.
That's true, but implied warranties make the assumption that the product is going to be as good as others on the market. And we all know, or at least have our stereotypes about the software market.
So in the end, software has no implied warranties, because no one can reasonably expect that it won't be bug/security issue free.
autopr0n is like, down and stuff.
Warning to consumers: Although it sounds like a good thing, "Standards-compliant", when used in the context of Mozilla, is a euphemism for "Fails to render a significant proportion of popular websites".
-- the most controversial site on the Web
Let me say I will be one of the first to jump on the "I Hate Microsoft" wagons. But this article is just plain wrong, as in inaccurate.
The first paragraph of the referenced story talks about how they are currently in testing for this security hole. Whereas, the poster is stating that Microsoft has no specific designs on when this will ever get fixed.
Inaccurate, Fanatical Extremism like this is only going to hurt Open Source, Slashdot, and those associated with it. While Microsoft may be wrong in this case. It doesn't do us any good to exhibit poor sportsmanship. Leave that for the politicians
I agree it is a bug in the OS. It is Matrox video cards. The problem is that, in some cases, Opera takes memory and doesn't give it back. There is a huge memory leak somewhere, it seems, that has been there for more than a year.
Bush's education improvements were
sent an EXE as an audio file. It was automatically downloaded and I got an error message saying that it was an invalid audio file.
Sending an .txt file with a win32 program file in it (renamed .exe) and it will ask you if you want to open or save or whatever. If you click 'open' it opens in notepad. Weirdly, a regular text file sent with a mime type saying that it's an executable will just show up as a regular text file.
I'm using IE6, though. And some comments seem to be saying this only affects IE5. So who knows. I've posted URLs for my experiments on slashdot, here, here, and here
autopr0n is like, down and stuff.
I find it a constant pain; my concept of a filesystem is nothing like my concept of the web.
My filesystem is much more like Gopher than WWW.
TWW
"Encyclopedia" is to "Wikipedia" what "Library" is to "Some people at a bus stop"
First of all: Test what? Details of the bug have not been released. So only your own arrogance validates your "test" of this bug.
What details are you talking about. They are all spelled out clearly in the article. Change the mime type of an EXE and it gets run. Only it doesn't. I've tried it both ways (having an .exe with some other mime type with an external viewer, and having an .exe renamed to .txt and sent as an executable). The program never ran.
autopr0n is like, down and stuff.
Not entirely; as I understand it, Konqueror and Explorer work in pretty much the same way, eg the HTML rendering is taken care of by a separate library/DLL, that is available for use by any application.
When I set IE to warn about cookies once, SQL Server Enterprise Manager later warned me about a cookie when I was browsing the db I was administering (this was about 2 years ago now).
Cheers,
Tim
It's official. Most of you are morons.
"Microsoft doesn't audit their software because *IT ISN'T COST EFFECTIVE YET*. Not until people demand security will MS start doing this. It hasn't happened yet."
I agree that Microsoft does not audit their software. That seems obvious.
Yes, Microsoft has more to audit, but they have more full-time programmers, too.
What you are basically saying is that Microsoft doesn't care about being trustworthy, they care only about money.
I never would have guessed that Open Source software would replace the software from a giant company, but that is what will continue happening if Microsoft does not care for its customers.
Bush's education improvements were
I had a similar problem once, when I had to make a CGI that would send back a spreadsheet to be passed off to the right application from either Netscape or IE. The eventual solution was to change the content-type slightly for each browser, and for IE to append a fake parameter with the right extension so IE would open it correctly.
It was a workaround for IE, really, Netscape handled it fine with the correct content-type. IE didn't handle it correctly unless you munged the content-type AND added that fake extension...
- Give a man a fire and he's warm for a day, but set him on fire and he's warm for the rest of his life.
Did you consider that maybe he was testing & debugging small pieces (maybe to make sure the app logic was right?) before testing everything more thoroughly?
Man, I'm sitting in my high school right now using IE 5.0 because that's what the computers in my school shipped with, and our one computer tech doesn't have the time to install a new browser on all the comps, and train the clueless teachers and students in their use. And frankly, why should my school have to lose security because of this? It's microsoft's job to ship a quality product (in theory), and they aren't doing that. It isn't the victim's fault.
I'm the stranger...posting to
I have been unable to get this to work as described in the article, or by the other attempts posted so far. The closest I have come is to create a Redirect or Rewrite rule that takes a request for a *.txt file and points it to a .bat file (thereby fulfilling the "text" requirement), which is then soft linked to your malicious executable. This still displays the file's name however. And the dialogue asks you to "run" this program. The extra step of the soft-link bypasses a warning about running the file; if the redirect went straight to the .exe, the browser will complain about security.
Either way, this is entirely server-side. The article states that simple HTML can pull it off. I am wondering if that is just a smoke screen.
- I have tried renaming an .exe file to .txt, that just spits binary data at you in Notepad.
- I tried a cgi (source is here).
Now, this time the dialogue displays the requested file (.cgi) instead of the executable filename (not a redirect). However, you are then prompted to "choose a program to run this..." which means that the requested file has to have an executable extension, or a known extension. Wav, mp3, mpg won't work as the format is obviously invalid.
3) I tried messing with the mime.types in Apache, various soft links and combos of all 3 methods. Basically I fail to see how standard HTML without any server-side config or scripting can fool the browser or get it to exec code unwillingly, as described in the article.
Maybe if I renamed the file to mayIhaveyouradvice.txt.pif or something, but the extension IS displayed to the user. Maybe the average user doesn't pay attention, but it's kind of hard to miss.
Obviously they have omitted something crucial because (my box - W2K, IE 5.5 SP2) this "bug" is not happening, and it's not happening for other people too. If this is so easy to implement in plain HTML and would affect "millions" then I think other /.ers would have hit on it by now.
Microsoft has long tried to subvert MIME. In particular, as noted, MIME type is used to determine how to handle a document or attachment, but extension is used to actually handle it. For kicks, try opening a mime type AUDIO/basic document. The most basic possible audio encoding pulls up an error message.
--G
I think you missed just one little thing in this particular example.
The original article clearly states that people have been very secretive about the details. For example, it says that the details weren't mailed to Bugtraq at one point, and also that the select few who were given a demo apparently all signed NDAs first.
What I'd like to know is, how is michael getting all the "inside info" he'd need to justify his comments? What is his source? Unless he's got information he didn't mention, his article appears to be nothing but anti-MS FUD. If he does have that information, why didn't he post it, on a board as skeptical as Slashdot?
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
"Now Microsoft has a problem. Because they chose to ignore the standard for handling downloaded files, Microsoft has painted themselves into a corner."
I think you guys got this backwards. It seems to me that everyone else is going against the standard by not doing it the Microsoft way. I mean, these guys embrace and extend! Everyone else is just sticking with the old standards, while Microsoft is blazing new ones 8^}
"Microsoft
Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
I use Opera and sometimes Mozilla. I have both set to identify as "MSIE 5.0" so I can go to those "Designed for Microsoft only" sites. Anyway, I am sure that this type of thing throws off the stats a bit, doesn't it?
This is all just more of the same. I have come to expect it from MS.
My experience with this is that certain web hosting providers (ConcordEFS, today's ebiz) refuse to send correct content-type headers for flash animations, since it "works in IE"(tm).
IE will guess the content type, and ignore what the server says -- real web browsers listen to the server. So it makes admins lazy, makes MS's browser monopoly stronger, and makes other browsers look broken.
I just wish that the people who don't think MS is a monopoly, abusing their power, had to deal with these little monopolistic tactics every day. If they did, then MS would be no more.
I've had enough abrasive sigs. Kittens are cute and fuzzy.
By "completely open" they mean you have to click on an EXE, download it, and choose to open it! WOW what a vulnerability!!! OH NO! Opera and Mozilla are also vulnerable!!! Ye gods what do we do now?!
Prevent linux based DDOS's!
http://linux.denialofservice.org/
I have to use IE at work. There is absolutely no alternative.
The proxy software that was recently put in place uses Windows Authentication to let you through. Basically this entails logging into the proxy using your NT userid/password - all of which is sent automagically by IE. Without this the proxy won't let you through, not even for DNS.
So no, I don't have a choice.
What really sucks is that because of this proxy, there's no way out of the network either. If I want to telnet to a box out on the net, I can't do it - even if the box has sshd listening on port 80, 119, etc. putty can't connect because it can't get through the proxy.
who's the moderator who called the original post "flamebait"?
That was a valid response. He likes Opera... hell, I like Opera. And he's correct that the Opera UI with the gesture movements gets addictive. I'll hop on a computer using IE and I find myself trying to go back into history using the right click gesture method.
Opera is a great browser (I personally prefer 5 instead of 6).
Someone mod the parent (or mine to get some attention) up. Mod me down for being an ass if you want but moderation like that, on a valid post is uncalled for.
www.slightlycrewed.com - Because aren't we all?
Staying off the security vulnerability side of things, IE's non-conformance to the standard way of determining file type has irritated me for some time. Here's why:
The HTTP standards dictate that the Content-type: header contains the MIME type of the data which follows. Netscape accepts this; any standards compliant browser does this. IE, however, looks at the filename extension (and even the data itself) and makes decisions based on that.
This means that if I write some HTML, put it in a file called "text.html", then configure my browser to serve it with "content-type: text/plain", the right thing for a browser to do would be to display the HTML source as text. Some versions of IE think they're far too clever to fall for that one, and just render it as HTML anyway.
(1): What if I *want* to read the HTML source?
But more importantly than (1), I've seen proper production servers misconfigured in this way -- don't ask me why, so HTML content is sent with the wrong Content-type header. If the site is tested with IE only, everything will appear to be fine; only when you try and browse the site with another browser does the fault show up.
Now, what's a non-technical web user going to think when they see this? Are they going to think "Hmm, the server is set up wrong"? No, if it works in IE but not in Netscape, they're going to think "Netscape sucks!", and merrily continue using IE.
This despite the fact that IE is the one that's behaving wrongly.
I won't go as far as to suggest that this behaviour was put in as a deliberate ploy, but if someone else wanted to, I wouldn't argue with them...
File extensions seem to me to be a safer way to manage filetypes - on any Mac OS prior to X all you had to do to fool a user into running a spoofed program was to change the filename extension and icon (say, make an application with a .jpg extension and a quicktime image file icon). The os runs the file based on the actual file type and creator codes when it is double-clicked, and those codes are typically invisible to the user, so someone could very easily open a malicious program instead of, say, some downloaded pr0n.
At least with file extensions as the absolute identification of file type you can't be tricked (ignoring the method discussed in this article), and a .jpg will always be opened as a .jpg, even if it's just a renamed .exe
You *only* test on beta software (IE6) ?!?
And you do this for a living?!?
Of course not, you dimwit. It goes like this:
1. Implement a feature.
2. Test it on my workstation (Win2000, IE6)
3. Shit, there's a bug.
4. Fix the bug.
5. Test it on my workstation-- better now.
6. Submit change to QA for "real" testing.
Sheesh.
Remember Asimov's Law: "Never attribute to malice what can adequately be explained by ignorance or stupidity."
This isn't a "monopolistic tactic." It's just a design flaw that slipped through QA and out into the world. Nobody in Redmond is tenting their fingers and muttering "Excellent."
Conspiracy theorists please get off at the next stop.
It really is hard for them. Older teachers in particular like the computer to look the same every time they use it, or they get confused. When I worked at my high school over the summer, I was told repeatedly not to allow any variation in desktop performance, so as not to confuse teachers or students. When you spend a lot of time on /., it becomes hard to believe, but a lot of people are simply not computer literate at all.
I'm the stranger...posting to
Didn't know about that. Interesting. Thanks.
I don't know what agenda I'm trying to push. I work in a MS shop and my programming resume is very MS focused. I have a lot to lose if Linux catches on very far. I don't even have it installed on my home machine right now. I don't think you are stupid or that you're trying to tell fibbies.
What I'm saying is that Slashdot used to be nothing but nerds - the clear Linux focus meant that only a certain kind of people came around. Now it seems everyone comes around - and there's little focus. And as more of the general populace comes in, some of the old nerds (who said things that interested me) leave.
I think it's great that Slashdot is more balanced in its coverage of MS now. But its bad that I have to read through a lot more things I don't find interesting. Moderation has become very predictable - moderators waste their points on safe targets like obvious trolls and "long comments with lots of links that sound intelligent". Sometimes I think they're just trying to get by without being meta'ed down.
I'm not saying that non-Linux nerds are stupid. I'm just saying that the crowd that Slashdot used to attract said things that were more interesting to me.
Let's not stir that bag of worms...
- However, to exploit the vulnerability, "attackers would probably need control of a Web server so that they could control the information sent in the HTTP header," Wysopal said. As a result, attacks could be traced to the malicious site.
Reading this one would think, "Oh, no problem. What webmaster would create a trackable exploit?" (ignore comp-u-geek for a moment). Add this exploit to wide-open server crack Code Red2/ Nimda...you've got a clear way for a third party to cause a *huge* disaster.
My logs are *STILL* full of Code Red 2 and Nimda attacks (running apache, so I don't care). How long until these OpenDoor servers are "patched" with the malformed MIME header exploit?
-- @rjamestaylor on Ello
I have little doubt it's being exploited -- I've received several mystery emails with apparent "WAV files" in them. Since I'm using Pine under Linux, it's not being executed, but when I save the file and look at it with "less", this supposed audio file contains the text "This program requires Microsoft Windows." Obviously it's a Windows executable, and why else would I receive it tagged as an audio file unless that would exploit a bug to allow an executable to run instead of playing an audio file?
Deven
"Simple things should be simple, and complex things should be possible." - Alan Kay
"Don't you get that feeling that some of these people are former TeamOS/2 ers? "
You mean people like Nicholas Petreley and Joe Barr? No! Not possible!
I was developing a web application that would serve out a chunk of opaque data for the user to save on their hard drive. So I set the Content-Type to "application/octet-stream" and the "filename" in the URL was foo.yai which is a totally bogus extension, right? Well it just so happened that the actual content of the data was XML. But not only that, it was XML saved as a UTF String so that it had this two-byte header on it which indicated how long the UTF String was.
Clicking on the link that generated this file worked fine on all browsers but IE, of course. You would click on it and all other browsers would properly show the user the "Save As..." dialog. IE looked at the file and determined that it was XML (even without an xml extension!) and not only that, it was so bold as to tell me that my XML was mis-formatted because of this 2-byte header at the beginning of the file! So it started its embedded syntax-highlighted XML viewer that it has and then stops and says "Misformated XML, unknown characters before the <xml> tag...". Gimme a break!
The "workaround" was to set the Content-type to X-Made-Up-Content-Type-To-Fool-Stupid-IE and it decided that this was something that should receive the "Save as..." dialog, as did the other browsers, thankfully.
So I'm not at all surprised that someone found this vulnerability with IE being so bold as to guess the content-type when it is set to application/octet-stream and start doing whatever it wants to based on its guess.
And have you ever noticed that IE gets the extension from the last thing in the URL _even_ if it's a query string? So if you have a URL like http://www.foo.bar/download?e=greg@yahoo.com
then the filename it will try to save is "download.com". And of course .com is an executable as far as Windows is concerned. Brilliant.
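The two posts above (the CGI that had to munge its content-type for IE, and the foo.yai download that IE sniffed as XML) both come down to the same server-side problem: an opaque download with no explicit instruction to save it. The following is an added example, not the CGI from either post, showing how a server can say "save this, do not sniff or open it". It uses the Content-Disposition header mentioned earlier in the thread plus X-Content-Type-Options: nosniff, a header that postdates this thread and is assumed to be honoured by the client; the two-byte-prefixed XML body and the 127.0.0.1:8000 address are constructed for the example.

```python
"""Server-side headers for an opaque download: tell the browser to save the
file under a sanitized name and not to second-guess the declared type.
Added example; not the CGI or web application from the thread."""
import re
from wsgiref.simple_server import make_server

# Conservative allow-list for filename characters (assumption: ASCII names
# are acceptable for this application).
SAFE_NAME = re.compile(r"[^A-Za-z0-9._-]")


def safe_filename(name, fallback="download.bin"):
    """Strip any directory part and replace every character outside the
    allow-list, so the Content-Disposition value cannot carry quotes, CR/LF
    or path separators supplied by whoever chose the original name."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1]
    base = SAFE_NAME.sub("_", base).strip("._")
    return base or fallback


def download_headers(filename, content_type="application/octet-stream", length=None):
    """Build the response headers for a file the user is meant to save.

    Content-Type states the real type (or octet-stream when there is none),
    Content-Disposition: attachment asks for a Save dialog instead of an
    in-browser render, and nosniff asks the client not to guess a different
    type from the first bytes (the behaviour the posts above ran into)."""
    headers = [
        ("Content-Type", content_type),
        ("Content-Disposition", 'attachment; filename="%s"' % safe_filename(filename)),
        ("X-Content-Type-Options", "nosniff"),
    ]
    if length is not None:
        headers.append(("Content-Length", str(length)))
    return headers


def app(environ, start_response):
    """Minimal WSGI handler serving one constructed payload: XML behind a
    two-byte length prefix, under a bogus .yai extension, as in the post."""
    body = b"\x00\x1e<?xml version='1.0'?><opaque/>"  # constructed sample body
    start_response("200 OK", download_headers("foo.yai", length=len(body)))
    return [body]


if __name__ == "__main__":
    # Local demo server; fetch http://127.0.0.1:8000/ and the browser should
    # offer to save foo.yai rather than render it.
    with make_server("127.0.0.1", 8000, app) as srv:
        srv.serve_forever()
```

The filename sanitizer is deliberately strict: header injection through a user-controlled filename (a CR/LF inside the Content-Disposition value) is a separate problem from type sniffing, but it lives in the same header, so the two checks belong together.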
Read the original post closely:
IE handles files in an odd mish-mash of looking at the Content-Type sometimes for some purposes, looking at file extension sometimes for some purposes. It's hardly surprising that the bug-hunter in the above story has found a way to feed it a Content-Type at odds with the file extension - the Content-Type may be innocuous, but the extension says "execute me", so when the "integrated" IE engine gets ahold of it, the malicious content is automatically executed.
Where is the exploit in this? Any user with half a brain (not many, I know) will see that this supposed text file ends with ".exe" or something. That's a trigger right there.
AFAICT, IE relies solely on the file extension when deciding whether or not to execute a file.
You can try and tell it that .exe files are text/plain ... in which case you get the prompt, and then Windows opens the executable in Notepad.
You can try and tell it that .txt files are application/octet-stream ... in which case they are still displayed as text in your browser.
The only way I can think of making this work would be to change the MIME types on the client machine (i.e. Explorer > Tools > Folder Options > File Types). And I'm pretty damn sure that's not possible via plain-Jane HTML.
Tuus crepidae innexilis sunt.
And on "UNIX" you can make ANY file executable by setting a permission bit! This is easily as bad if not worse! Jeez...
Contrary to popular belief, coding is not all free blow-jobs and beer. Those things cost MONEY!
Simply put a 'text' file on MSN which is actually the patch. Users don't even have to know they've been patched.
(Which makes me wonder, was this security hole left in to allow the installation of magic lantern and similar software...)
- You don't know how to maintain a station wagon either!
Last I checked, "possession of stolen property" was still a crime.
I'm talking about LAW. Not hyperbole. Not your fantasy. the LAW. No where, no where at all, in any law, is copyrighted material considered "stolen" The fact that you equivocate "copyright violation" with theft does not have any bearing on the LAW.
Last I checked...
If you're so good at 'checking' why don't you look it up and see for your own god damn self. Then come back and show us all where it says that possessing copyright infringed property is the same as possessing 'stolen' material.
autopr0n is like, down and stuff.
so he's gonna get fired from school?
"Remember when the U.S. had a drug problem, and then we declared a War On Drugs, and now you can't buy drugs anymore?"
Interesting point.
Bush's education improvements were
You were very quick to be hostile. Sometimes I don't have control over the operating system used by my customers.
Bush's education improvements were
I'll bet that the patch will be available by the spring.
(Note - I'm specifying neither the hemisphere nor the year.)
Liquor
Sanity is a highly overrated commodity.
Secondly, the text/html content-type is not executed, it is rendered in the browser. You would need to set the content-type to something automatically run by an external viewer, like video/mpeg.
Then the browser will say, "Ok, this is a video file, better ShellExecute() it", then the Shell API will look at the extension, .EXE, and run the file as a standalone executable.
Anyways, I haven't tried it yet for myself, but that's the impression I'm under as to how it would work. It might be trickier than this, or only work with specific set ups and content-types.
Interesting to see these ideas all in one short post:
Trust the feds.
Trust microsoft.
Forget about privacy (the above will decide whether you need it or not).
Forget about security (the above will decide whether you need it or not).
I hope it was a joke.
Basically, the first 256 bytes of the file are scanned, and compared with the Content-Type header. If the two results do not agree, the scanned type is used. If the scanned type is ambiguous, and the file is binary, then the user is prompted to save or execute the file. If the file is text, it is displayed.
Now, can someone explain what is wrong with these instructions that would cause executable content to be automatically executed? The text even gives an example of a file extension of .DLL and .BAT, and how those would be handled.
If history repeats itself, I think this is how it will happen. Microsoft may release a bugfix in the next few months. However, they won't publicize it much, partially due to the fact that they don't even think it's a bug. Eventually, I'd say three months later, a virus creator stumbles along this bug, makes a virus like Code Red, and then it gets big media coverage, while everyone tries to patch their systems.
how big an idiot he really is.
glrotate
sure would be nice to have a squelch command for some users.
Never mind the fact that IE is one of the best browsers out there. It helps when you actually keep adding functionality and streamlining your browser, rather than adding bloat and commercial add-ons. I stopped using Netscape as soon as it was clear that there were no significant advances since 4.7 and that they were more concerned with adding a special AIM button to their browser rather than fixing their HTML implementations. Sure, being preinstalled helps, but all in all, IE is a *much* better browser than Netscape (not to mention being the most W3C-compliant browser for the Mac). Microsoft may not have won the browser market fairly, but that doesn't take away from IE's strength.
Novice users will take you literally. It happened to me.
My first month on the job, for an employer who made us peons use communal banks of PCs. Someone two seats away was running WordPerfect 5.1, and asked me "How do I save this file?"
I answered "Control Alt Delete," and before I could stop her, she'd rebooted her machine.
But of course, IE isn't software for productive work...
I can see the fnords!
Try this too:
If a page is called '.txt' and mime-type is text/plain, MSIE will *still* treat it as HTML, if it "looks like" HTML source.
See this for example, or if you want to be naughtier, try this for a crash.
Make even shorter URLs - 8LN.org
Never said IE is the best. I certainly agree that other browsers are either more compliant or are working towards getting there. I'm merely saying that IE has its own merits, and deserves its lead ahead of Netscape.
"Computer illiteracy is usually not about a lack of skill, but a fear that it is impossible to learn a computer skill. It is an acquired behavior."
Agreed, but it's damn hard to get people to unlearn that fear. And that's the problem.
I'm the stranger...posting to
Who uses IE? Pretty much anyone who uses Windows.
Remember, IE is linked deeply into the user interface. Active Desktop uses IE. Windows Help uses IE. Outlook uses IE. Office uses IE. Explorer uses IE. Scads of programs written by third parties use IE. Even if you have Netscape (or other) as your Internet browser of choice, you can be sent to a web page using IE as the browser by any program that wants to.
And all of those IEs are Internet-aware.
Yes, bringing up the help page on a program you downloaded (without even opening the program, mind you) could send you off, running IE, to a web page with this exploit on it.
In addition, this is how IE determines MIME types. It does not completely ignore the supplied Content-Type, but it might as well. Primarily, it is examining the first 256 bytes of the file to determine if it is a known type. So unless you can disguise an executable with an MPEG header or something, you're not going to be able to get native code to automatically run without a prompt.
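Several comments in this thread describe the same decision path from different angles: the Content-Type header being honoured only until the file is handed to the shell, which then dispatches by extension; the scan of the first 256 bytes that overrides the header; and the .txt served as text/plain that is rendered as HTML because it "looks like" HTML. The model below puts those descriptions side by side with a strict client that only trusts the declared type, and adds the check a site operator can run over their own responses to find where the two disagree. It is an added Python example, not code from the thread, from IE, or from Microsoft; the sniffing heuristic, the extension list and the sample responses are all constructed to illustrate the descriptions, and the `nosniff` flag stands for the `X-Content-Type-Options: nosniff` response header that later browsers introduced for exactly this problem (the thread itself does not mention it).

```python
"""
Model of two client dispositions for a downloaded file:
  - a content-sniffing client that scans the body and dispatches by extension,
    as the thread describes;
  - a strict client that honours the server's Content-Type and nothing else.
All data here is constructed sample data, not real browser or OS behaviour.
"""
from dataclasses import dataclass

SNIFF_BYTES = 256  # the thread's figure for how much of the body is scanned

# Extensions the local shell would hand to a program loader rather than a
# viewer. Constructed list for the model, not a list taken from Windows.
EXECUTABLE_EXTENSIONS = {".exe", ".com", ".bat", ".cmd", ".scr", ".dll"}


@dataclass
class Response:
    """One HTTP response as the client sees it (constructed sample)."""
    filename: str        # last path segment of the URL
    content_type: str    # value of the Content-Type header
    body: bytes
    nosniff: bool = False  # X-Content-Type-Options: nosniff present (assumed header)


def extension(filename: str) -> str:
    """Three-letter-extension view of a name, the way a local shell sees it."""
    dot = filename.rfind(".")
    return filename[dot:].lower() if dot >= 0 else ""


def sniff(body: bytes) -> str:
    """Guess a type from the first SNIFF_BYTES bytes, in the spirit of the
    heuristic described in the thread. 'application/octet-stream' is the
    'ambiguous binary' answer; everything else is a confident guess."""
    head = body[:SNIFF_BYTES]
    if head.startswith(b"MZ"):                                   # DOS/PE stub
        return "application/x-msdownload"
    if head.startswith((b"\x00\x00\x01\xba", b"\x00\x00\x01\xb3")):  # MPEG start codes
        return "video/mpeg"
    lowered = head.lower()
    if any(tag in lowered for tag in (b"<html", b"<!doctype html", b"<script")):
        return "text/html"                                       # "looks like" HTML
    text_controls = {0x09, 0x0A, 0x0D}
    if any(b < 0x20 and b not in text_controls for b in head):
        return "application/octet-stream"
    return "text/plain"


def sniffing_disposition(resp: Response) -> str:
    """What the sniffing client does: the scanned type wins over the header,
    text is rendered, ambiguous binary is prompted, and a viewer type is
    passed to the shell, which chooses the program by extension."""
    if resp.nosniff:
        return strict_disposition(resp)      # modern opt-out of sniffing
    effective = sniff(resp.body)
    if effective == "text/html":
        return "render-html"
    if effective == "text/plain":
        return "render-text"
    if effective in ("application/octet-stream", "application/x-msdownload"):
        return "prompt"                      # save-or-open prompt
    # Viewer types (video/mpeg, ...) go to the shell's ShellExecute-style
    # hand-off, and the shell only looks at the extension.
    if extension(resp.filename) in EXECUTABLE_EXTENSIONS:
        return "execute"                     # the failure mode the thread is about
    return "open-with-viewer"


def strict_disposition(resp: Response) -> str:
    """Standards-minded handling: the declared Content-Type decides, the body
    is never scanned, and the extension never selects a program. Anything the
    client does not render itself is offered for download."""
    ct = resp.content_type.split(";")[0].strip().lower()
    if ct == "text/html":
        return "render-html"
    if ct.startswith("text/"):
        return "render-text"
    return "prompt"


def find_mismatches(responses):
    """Operator-side audit: responses where a sniffing client and a strict
    client would act differently. Each finding is
    (filename, declared type, sniffed type, sniffing result, strict result)."""
    findings = []
    for r in responses:
        s, t = sniffing_disposition(r), strict_disposition(r)
        if s != t:
            findings.append((r.filename, r.content_type, sniff(r.body), s, t))
    return findings


# Constructed sample responses covering the cases discussed in the thread.
SAMPLES = [
    Response("notes.txt", "text/plain", b"plain notes, nothing special\n"),
    Response("page.txt", "text/plain",
             b"<html><body><b>served as text, looks like HTML</b></body></html>"),
    Response("clip.exe", "video/mpeg", b"\x00\x00\x01\xba" + b"\x00" * 60),
    Response("setup.exe", "application/octet-stream", b"MZ" + b"\x90" * 60),
]

if __name__ == "__main__":
    for f in find_mismatches(SAMPLES):
        print("%-10s declared=%-24s sniffed=%-24s sniffing=%-12s strict=%s" % f)
```

Running it lists `page.txt` (rendered as HTML by the sniffer, as plain text by the strict client) and `clip.exe` (handed to the shell and run by the sniffer, offered for download by the strict client); `setup.exe` is prompted either way, which matches the remark above that a recognisable executable does not run without a prompt. Setting `nosniff=True` on a sample collapses the sniffing result onto the strict one, which is the practical mitigation a server can ship today.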
If I'm not mistaken, that's a different kind of scripting. At least it was a few years ago.
I was using that about 6 years ago, well before JavaScript and VBScript had been introduced.
I also seem to remember that it fell apart when the email went outside the local network - it was a really Windows-only kind of thing.
That sort of thing, I agree, is appropriate in an enterprise setting.
Also, I think everyone here would agree that Outlook's usefulness is what keeps it alive - people live with all of the problems because of the luxuries it affords them. (Kind of reminds me of the people who didn't want to get off the Titanic just because it had hit an iceberg...)
Ok, that last comment is a bit of an overstatement...
Cheers,
Jim
-- My Weblog.
With text/plain it simply treated it like a normal .exe file. (asked if I wanted to save/open whatever)
No one paid for netscape.
They went out of their way to avoid doing it the right way. I don't see how that could be considered ignorance or stupidity.
First of all, it's incredibly arrogant to talk about this in terms of "right way" and "wrong way." As far as implementation goes, it seems like one person's idea of "wrong way" is "a way dissimilar to what I think ought to have been done."
When you write your own web browser that is feature-for-feature, capability-for-capability equivalent to Internet Explorer, then you're qualified to talk about "right way" and "wrong way." Until then, it's all just opinion.
And secondly, it seems pretty clear that Internet Explorer and Windows Explorer share a lot of code; it's very reasonable-- to me, anyway-- to imagine that they reused some of the code that went into Windows Explorer's file type heuristics in Internet Explorer. Everything we've been bitching about simply falls into the category of unintended consequences.
Not 85% of people surfing, 85% of people who visit that site. Mostly trade people, or people looking for a fact to put in the story, which means media outlets, most of them use IE.
This only detects what browsers say they are.
I would take a grain of salt with these "facts".
Now if there was a program that sites could sign up with that gathered these stats, then submitted the results of the individual sites to an organization that puts them together, you might begin to see a number that you can rely on.
The Kruger Dunning explains most post on
Have we forgotten that the web is supposed to be browser-blind?
Says who? Oh, right, the W3C. Their standards process is too slow, and Netscape hasn't even got their browser supporting those standards. Java on the client is slow, buggy, and a lot harder to write/compile/deploy than javascript.
Java works on many platforms, including the PlayStation Fucking Two
Your definition of "works" has to be pretty loose. The MacOS virtual machine is a dog. Sun uses Java as a litigation tool like a pissed-off Scientologist. Putting applets in your web pages seems like a great idea, until you realize it's not 1996, Java on the client sucks, and 80% of people use IE anyway.
There's a reason IE is breaking the web.
IE isn't "breaking" shit. Web pages load faster, do more, and look better in their browser. This is because web developers request new features from Microsoft, and then Microsoft builds them in. If content providers didn't build IE-friendly web pages, this wouldn't be an issue, but it is, because IE is easier to code for and more powerful than Netscape.
Quit being another one of MS' brainwashed sheeple and wake up
Microsoft makes my job easier. Netscape makes it harder. My job is how my kids get food. Some things are more important than who's "breaking" the web. Put down Adbusters for a second and take a look around you. That green paper your mom gives you all the time, that's money.
---
If you fall off a building, go real limp, because maybe you'll look like a dummy and people will be like hey, free dummy