Slashdot Mirror
Another Gaping Microsoft Security Hole Goes Unpatched
For readers who care, this vulnerability results from Microsoft's integration of IE and the operating system. Files received via HTTP are supposed to be handled by examining the Content-Type header sent by the webserver - for instance, the Content-Type sent with this webpage is "text/html", identifying it as a text (non-binary) document which is marked up with HTML.
Netscape and most other browsers have no problem with this.
You will notice, however, that this method is rather different than how a Microsoft operating system determines how to handle a local file - by its three-letter extension. A file named "foo.txt" is handled as a text file, even if it is a binary image file that has been renamed for some reason.
Now, what happens when you integrate your web browser and your local browsing, say to render moot an anti-trust suit filed against your company? Will local files get a Content-Type? Will remote files be handled by examining their file extension?
IE handles files in an odd mish-mash of looking at the Content-Type sometimes for some purposes, looking at file extension sometimes for some purposes. It's hardly surprising that the bug-hunter in the above story has found a way to feed it a Content-Type at odds with the file extension - the Content-Type may be innocuous, but the extension says "execute me", so when the "integrated" IE engine gets ahold of it, the malicious content is automatically executed.
Now Microsoft has a problem. Because they chose to ignore the standard for handling downloaded files, Microsoft has painted themselves into a corner. If Microsoft suddenly changes how their browser handles downloaded files, tens of thousands (perhaps hundreds of thousands? any webpage which downloads files) of webpages "designed for IE" will have to be rewritten. No doubt this is the issue their programmers are wrestling with right now. It's a fundamental design issue - Microsoft designed their web browser with the goal of doing what was best for Microsoft (evading anti-trust charges) rather than doing what was best for their users. In fact a proper "fix" of this hole probably involves de-integrating their browser and local file handling to some extent.
If you routinely browse with Internet Explorer or read mail with Outlook, keep in mind that any web page you visit or any email you open can take over your computer, steal sensitive files, destroy your machine, anything. This has been true for at least two and half years. And keep in mind that you can't fix the problem, you must rely on Microsoft to do it, if they so choose. And keep in mind that Microsoft is in no hurry to do anything about it, because it doesn't even consider it a vulnerability. Happy browsing!
Does anyone else notice that this story has been posted before, many times, with only slight variations each time?
What's in a Sig?
What kind of steps can people use to protect themselves now?
If you really want to toggle IE into secure mode you just need to click the little "X" in the top right corner of the window.
Slashdot? Oh, I just read it for the articles.
Michael says : "completely open any time you browse the web with IE. "
Story says "who view a specially constructed Web page"
Okay, the hole isn't good - and MS must fix it - but the article as posted by
Your computer is open if you stumble across a specially constructed site. If you browse
Mmmmmmm
I watched a good bit of this thread on bugtraq (check the archives). Several people on the list attempted to reproduce the exloit as detailed by the original poster and failed. Whether that was their mistake or not is anyone's guess. I didn't try it myself. It only seamed to affect certain builds. I'm certainly not saying IE users aren't vulnerable, I'm just saying get details before making too much noise. MS won't release a fix until they're good and ready, so let's just sit on the flames a bit and try to find out what is going on in reality.
Your virus scanner will do little good when someone can cause your computer do download and run any executable the malicious website owner wants... all they need do is make your computer run a file that isn't a known virus and won't set off any of the general protection features in an antivirus program, which should still allow them to completely ravage your files.
"Reality is just a convenient measure of complexity" -Alvy Ray Smith
The exploit is another one that allows a content type to be set that will cause executable code to download and execute without user intervention.
Hmm, did you read the story?
ok then your [sic] infringing on my copyright! Could you as [sic] me next time before STEALING my comments for your own?
"If this bug in IE has really been around for two and a half years, how is it that no one has stumbled on to it until now?"
You are making the classic mistake of assuming that the first one to publicize the vulnerability is the first one to have found it. A malicious cracker could have known about the problem long before it was made public and exploited it silently.
That classic mistake is what is wrong with "security by obscurity." There is no guarantee that what is obscure to the general public is obscure to the bad guys.
Those saying security through obscurity is bad don't deny that the release of notification about the bug may enable people to exploit it. However, forewarned is forearmed, so you can start doing something about it as soon as you know, up to and including disconnecting vulnerable servers from the 'net.
There's also the publicity aspect. Making this extremely serious bug publicly known puts pressure on the vendor to fix it. So far, they have known about it for over two years and have done nothing. That's two and a half years for anyone who might have stumbled across the bug to exploit it. They might have friends. Exploits, easter eggs and all that stuff spread quite happily before the 'net.
Saying "What I can't see can't hurt me" is naive in the extreme.
Just because you're paranoid doesn't mean they're NOT after you.
Not exactly. Linux and Unix determine file type by magic number. Try renaming a postscript file (or whatever) as foo and type
file foo
and you'll see that it still returns the correct file type.
"Microsoft will patch a flaw in its Web browser that could allow an attacker to silently download and execute malicious programs on the computers of users who view a specially constructed Web page or e-mail message." (emphasis added)
From the article's intro:
"Microsoft has known about it since November 19; they refuse to provide any information about when a patch might be made available, if ever."
Also: "And keep in mind that Microsoft is in no hurry to do anything about it . . ."
Full marks for a more thorough description of the exploit and how it came about -- but did the poster actually read the article before posting? Looks to me like he hit the original report but not the article, which says that MS did initially plan to let it go, but did an about-face after a while.
Nasty flaw nonetheless -- glad I switched to Mozilla.
As soon as trade secrets are stolen, or hard drives are trashed, or economic harm takes place, however, a negligence action may arise.
The first barrier is the economic loss rule. If the contract damages are higher than the tort (negligence) damages, there is a defense to tort. In English, there's no lawsuit unless the bug costs you more than buying your copy of Windows cost you.
The next barrier is the contractual disclaimer, the "EULA" as Microsoft calls it. The waters here are less well charted. To be realistic, it depends on how severe the harm actually is.
The wild card is intentional harm. If Microsoft in fact intentionally included this bug, knowing of the danger, for the purpose of advancing their business enterprise, legal actions could arise that are not precluded by the EULA. This would be difficult to prove, however.
I think /.'s knee jerk assessment of "death of the Internet, film at 11," is premature, however. I hope I'm not wrong, but I think the bug won't prove that severe. Just browse at "medium security" in IE, for example, right?
If I were a lawyer, I would want to sue Microsoft. They have $30 billion in cash or so sitting in bank accounts. It would be more tempting for them to settle claims than it would be for an Enron, for example.
Don't worry about the legal angle. If the harm is severe enough, justice will be done.
I am not a lawyer. Do not take my words as legal advice. If you need legal advice, consult an attorney.
The upstream comment is 100% pure bullshit.
When you're using Netscape or Lynx and the URL starts with "http:", it's speaking HTTP. It can use that protocol to send whatever type of data the server wants to send - text/html, application/x-pdf, whatever. You seem to be confusing HTTP and HTML - the communications protocol and what's being communicated.
Meanwhile, the canonical way to identify the type of a file on a Unix system is to look at for "magic numbers," and then hopefully verify them by parsing what you think is the header and making sure checksums are valid, values are sane, etc. Any Unix application developer that looks at the extension *alone* should usually be fired on the spot. (The sole exception is completely unstructured text where you have to use it as a hint, e.g., ".c" means C, ".cc" means C++.)
This isn't just a bad attitude, it reflects the fact that Unix tools have to deal with pipes and often don't have any filename (much less extension) associated with the data stream. If you require a file extension to understand what you have, you've crippled your application.
For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
The concern, from what I understand, is that a user might be lead to believe that "readme.txt" will be opened and viewed as a text file by IE. This, when in fact the website has placed executable binary/script data in the file and changed the appropriate response headers so that IE is fooled in to executing it as a program if it is 'opened'.
All the user sees as a prompt is "Open" or "Save Target As" using the menu options OR again "Open, Save, Cancel" by clicking on the link.
For an inexperienced user, the appropriate option will probably not be obvious. This is because many users have a lot of trouble navigating the file system to find files that have been saved by applications and enjoy the shortcut of having the windows decide how the file should be 'opened'.
I agree that an experienced user would never choose open because they know this is very risky. But, in my mother's case, she has trouble deciding when to click and doubleclick.
In Microsoft's defence, however, the "Open" option is never the default. Thus, it's probably safe to say that an ignorant user will almost always be safe from this attack as they will be picking the default and saving the file to the disk. At that point, "readme.txt" will cannot be executed and only openable from a text editor.
Anyways.. no matter how you look at it, this is a problem that fundamentally involves the act of downloading a file. Something even my mother knows not do by herself. This is not a security issue in the same magnitude as the worm viruses that plagued IIS.
Do not spread "09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0" over the internet, thank you.
I notice many people complain about MS using the web browser and file browser as the same thing. But it seems everyone else is doing that too. KDE's Konqueror is a combined web/file browser. Nautilus also does this. If this is such a bad idea why is everyone doing this. The only desktop that I know of that doesn't try to do this is the Mac OS.
stew77 asks:
who's using IE anyway?
Roughly 85% of people surfing are using Internet Explorer. With computer software, there's alot to be said for "It's preinstalled so I don't have to do anything to get it". Otherwise, I'm positive their share would be much smaller.
----
Open mind, insert foot.
Unless you combine it with the fact that IE is set up to automatically execute certain MIME types (like audio/x-wav). Send a message with an attached .EXE file, but hack up the message so the MIME type reads something else, and -- presto! -- instantly executing attachments. That's one of the attacks Nimda used.
IE won't launch a file that is declared as a .EXE by the HTML header without asking permission. What we're saying here is that IE doesn't check the TLE of the file it downloads, just the type declared in HTML. So IE thinks it passed a text file to the OS, and doesn't pop a warning of a possible malicious executable.
However, once the OS gets a hold of it, it looks at the TLE and says, "Executable! Gotta run it!" And if the code slags your hard drive, you're just SOL.
--Fesh
Kill -9 'em all, let root@localhost sort 'em out.
With all of the email viruses, internet borne viruses, worms, holes, DDOS attacks, it surprises me that anyone even uses the internet or related technologies at all. It will be a sad day when the whole idea of the internet is just "dumped" because of hackers (the bad kind), holes and bandwidth abuse. It seems like daily that I read through the articles on slashdot and find a new hole, exploit or virus that is being used or abused. Take for instance the recent decision to shut down the first IRC server, because of repeated DDOS attacks, that is truly a shame. As I have said often before, abuse it and lose it...
Nathaniel P. Wilkerson
www.haidacarver.com
Until one of my users got an email with an attachment that would just execute itself from the preview pane, no matter what the security settings were.
I sat there and toyed with it (yanked the LAN cable first) and absolutely could not get it to *NOT* run automatically.
(Her Outlook Express probably had been upgraded a month before, I think, but downloading the latest version *did* take care of the problem.
The real question is, why does Outlook support *any* of these behaviors? Sure, occasionally it's nice to HTML-ify an email and stick in a picture, but do I really need DHTML, scripting, cookies and all of that other crap?
When was the last time somebody had a legitimate reason for sending an embedded script in an email?
Oh, sure, let me have my personal emails set a cookie when they get read. Sure, I'm really going to do that.
Why not just have a really scaled-back HTML renderer that ignores tags that you choose to ignore?
Cheers,
Jim in Tokyo
-- My Weblog.
If the volunteers for OpenBSD can go through the software and eliminate security problems in advance, Microsoft, with 30 billion dollars in the bank, could also. Since Microsoft doesn't do this, maybe there is some reason. Maybe the U.S. government has dictated that they leave bugs in.
Software is only an operating system if it can be trusted. If it can't be trusted, there should be some other name, like fnord. Microsoft Fnord XP.
--
U.S. planned to attack Afghanistan before the second WTC bombing.
Bush's education improvements were
Microsoft actually has a KB article about this, and it is intentional. Apparently, they don't believe a web developer is competent enough to handle mime types, IE has always tried to glean information from the file, be it by the extension or otherwise, to determine what it should think the file type is. At work especially I have been bitten by this "feature" many times.
.txt for finding easily in the import box, but if you send IE a content type of text/plain it will display it. No big deal, just save right? Well, IE also believes since it got < and > tags that it MUST be HTML, despite the fact that I'm saying it's plain text, so it's going to add the proper html header and footer along with content encoding tags. Pagemaker doesn't like that. And to be even more irritating, is that we'd like to be able to just have the save box pop up. Well, normal browsers that handle things standardly will accept the content type, and if they don't understand the content type they will usually pop up a "save as" box. OK, so now we pass back content type of application/x-hdi-export, surely no browser knows of this, and Netscape/Moz/Opera handle this correctly. But we also pass a default filename, in the Content-disposition part, with a name ending in .txt. So what's IE do? Display it in the window, still thinking it's HTML, all because of the extension.
.txt_ so that IE will not try and read it, along with passing it a bad content type, otherwise if it's application/octet-stream or some such, it will STILL RENDER IT IN THE DAMN WINDOW because for "common" types such as text/plain or application/octet stream, it examines the content of the file.
The most irritating aspect of it is that you simply can't get around it. For example, we have a web-based flyer/catalog generation program at the office. The advertising department enters records such as item code, part number, color, size, etc, some text, and attaches items to the record. Hardware distribution (like shovels/rakes/nails/etc) has extremely low margins, so purchasing something like Quark Express or another database driven tool is out of the question. Well, we found Adobe Pagemaker to be sufficient, and lo and behold it supports importing tagged text. So from our database, they select items and it can export SGML-ish text to be imported into Pagemaker.
Now here comes the rub. Pagemaker wants the files to be
So what it comes down to, is I also have to mangle the output name be making it
And for those of you who thing "why not right click -> save as", well the generation needs several arguments, such as sorting, template name, etc, so it's a form, and you can't click the button and tell a form you want to save the download.
This isn't the only time I've had a problem, I don't want to even get in to how IE badly handle dynamically generated PDF's, how since 5.5 it ignores the settings to not embed PDF since that's the only work-around, and how 5.5 also asks the "open here/save" question TWICE when passing it some file types.
Overall, they may tout it as a feature, but if they'd just follow the damn standard like everyone else I wouldn't have to waste so much time finding workarounds for their "features"
Free Online Woodworking Resources Directory
post a link to the picture of 'another gaping security hole'.
--
The Cap is nigh. Time to get a fresh new account.
I'd really like to know. Currently my choices are:
1. Stop thinking about this question entirely. No, really, stop thinking about it. Try really hard... whoops, I thought about it again.
2. Believe what the law student says, unless he's contradicted by an equally plausible source.
3. Believe the "It's legal to download ROMs if you delete them within 24 hours" type rumors that get spread around the internet by the legally ignorant.
4. Hire a real lawyer to talk to for hundreds of dollars.
I'm sure law school grads (including your ethics lecturer) would love option 2 to be unavailable, but I'm just not seeing a superior alternative here.
Ironically, I ran into this one just the other day, but didn't recognize it for what it was.
I develop software for a living, and one of my tools is a web-based thingy with a CGI interface. A typical URL might look like this:
http://foo/bar.cgi?blah=blah&filename=quux.jpg
This CGI script returns a web page with info about the file "quux.jpg," which exists on the server.
When I serve this URL up to IE 6 under Windows 2000 (maybe other versions; that was the only Windows IE I tried) the browser thinks it's downloading a JPEG image, and asks me where I want to save it.
My script sends a nicely formatted Content-type header of text/html, but the browser is stubborn and won't listen.
So in my case, this wasn't really indicative of a security hole, but rather a pretty dumb design flaw in the browser that should have been caught in testing.
(Oh, and FYI, my "fix" was to reorder the CGI parameters as the URL gets constructed, so the filename never comes last. I'm not happy with this, and I may implement URL-encoding the filename's "." character instead, then decoding it on the server side. But the spec says I shouldn't have to do that, so the whole situation has left me kind of pissy.)
Funnily enough I got one that did this just this morning.... but my procmail filter cleaned it up nicely. Note the original content type below.
> SECURITY WARNING!
>
> The mail system has detected that the following
> attachment may contain hazardous program code, is
> a suspicious file type, or has a suspicious file name.
> Do not trust it. Contact your system administrator immediately.
>
> X-Content-Security: [www.ccimackay.com] original Content-Type was audio/x-wav;
> Content-Type: application/octet-stream; name="HUMOR.MP3.27525DEFANGED-scr"
> Content-Transfer-Encoding: base64
> Content-ID:
>
Another case of security vs convenience I suppose.
You are in a twisty maze of processor lines, all alike.
There is a lot of hype here.
Also a story about it here, http://www.theregister.co.uk/content/4/23223.html
I've had it installed at work for a week now and do just fine without all the images and special formatting of spam.
"I have a cunning plan..."
I have to plug something here.
:-)
Check out the procmail-based scanner at impsec.org
If you can set it up, do so - it's saved my ass quite a few times, by mangling active html content and renaming file extensions etc. It can also scan M$ docs for sus looking macros.
The following is something I received today that would slip through otherwise (notice the original content-type)
> SECURITY WARNING!
>
> The mail system has detected that the following
> attachment may contain hazardous program code, is
> a suspicious file type, or has a suspicious file name.
> Do not trust it. Contact your system administrator immediately.
>
> X-Content-Security: [www.ccimackay.com] original Content-Type was audio/x-wav;
> Content-Type: application/octet-stream; name="HUMOR.MP3.27525DEFANGED-scr"
> Content-Transfer-Encoding: base64
> Content-ID:
>
End of blatant plug
You are in a twisty maze of processor lines, all alike.
There is a lot of hype here.
Read my journal entry about how I got this data, or just look at the table (that cannot be formatted properly because the lameness filter is the most useless piece of crap that Slashdot has ever forced upon its readers - I'm glad you guys are all about free speech online!! - so use the linked journal where the formatting was accepted and don't forget to continously annoy CmdrTaco about this annoying "feature" to protect us from the oh-so-evil trolls):
Browser Actually Used By Slashdotters
Galeon: 1511 (3.00%)
iCab 9 (0.02%)
Konqueror 4149 (8.25%)
Lynx 6 (0.01%)
Internet Explorer 24885 (49.47%)
Mozilla 9340 (18.57%)
Netscape 3756 (7.47%)
OmniWeb 190 (0.38%)
Opera 3267 (6.50%)
Other 3187 (6.34%)
Note: Other contains browsers whose User-Agents could not be parsed. It may contain valid browsers, but for the most part is either badly formed User-Agent strings or unknown User Agents.
It has to be noted again that this data is not statistically accurate: it was taken directly off of hits, and is biased towards browsers that automatically download images (in other words, every hit counted - the values didn't take into account which hits were hits to the images linked to on the page).
Also, some other people decided to ... uh, borrow ... the mirror and so some of the links come from other sources that aren't Slashdot. I forget if I filtered those or not, but...
If anyone's interested, I suppose I could try and fix up the Perl scripts used to calculate that data. I have some pretty pie charts on my harddrive that I could put up somewhere too, although they are for the most part useless...
You are in a maze of twisty little relative jumps, all alike.
Because it's part of the Windows OS. When grandma goes out to buy herself a nice Dell computer, it comes with Windows preinstalled, and hence has IE installed by default. She would have to take extra steps to download and install a different browser. But why, when IE seems perfectly fine, and it's integrated so nicely into the desktop? And it's hard to argue that. Think of the average home user that isn't as aware of these issues as we are.
A big part of the problem is that the clues aren't easy to spot for non-technical people. They can't see a problem in IE, as it seems to work just great. There are all these refined features to play with so it must be a solid product. And there are a whole heck of a lot of people who don't think IE is a browser, they think it is the browser. When they hear about holes like this they don't think that IE is broke, they think that someone has found out how to break into web browser (as in all web browsers). It would never cross their mind that IE is at fault. Try explaining how IE has issues with content type vs. file extensions to random people on the street. They just won't get it.
And this is where their monopoly comes into play again. They're such a huge, enormous company with a huge, enormous user base that they all turn into lemmings. If something happens to their IE, it will happen to their friends IE. Soon they start to see lots of people having trouble with IE. Then they stop relating the problem (if they ever did) to IE and start to think everyone is being affected by "the baddies who broke the internet". By the time Microsoft releases a patch user believe it to be a general problem that must be affecting everyone. Finally, since the issue has been disrelated with IE in their minds, why would they have any reason to look for a different browser?
I'm against picketing, but I don't know how to show it.
"So what it comes down to, is I also have to mangle the output name be making it .txt_ so that IE will not try and read it, along with passing it a bad content type, otherwise if it's application/octet-stream or some such, it will STILL RENDER IT IN THE DAMN WINDOW..."
:P
;)
I had this same problem. Basically, you must make sure to pass the filename as part of the content header, but not attached to the end of the script name. This way, IE will always pop up a window asking you to save. It will tell you that it is saving your script name, but in reality, it will save the page you want it to.
First, write the page from your database to your local server as a file. Then do the following (my script is written in PHP; translate as needed.)
I wrote my database contents to a variable called $content, then executed the following code:
# put content into file called download/$page_num.html
$fp = fopen ("download/${page_num}.html", "w");
fwrite($fp, $content);
fclose($fp);
if ($action == "download") {
# set up file download to client
header("Content-Type: text/unknown\n");
header("Content-Disposition: attachment; filename=\"${page_num}.html\"");
header("Content-Transfer-Encoding: ascii");
$fn=fopen("download/${page_num}.html", "r");
fpassthru($fn);
unlink("download/${page_num}.html");
exit;
};
Note the key difference between my script and yours is the fact that I'm not passing anything but a content header to IE. Don't use your_script.php?filename=xxx... that doesn't work. Just write the filename as a variable and put that variable in the content disposition header. Also note that the Content Type can't be text/html, or, really, anything that IE will recognize.
This works in both Netscape and IE. Note that if you're working cross-platform using text files, you'll have to convert line breaks. I use the following code:
# get os for carriage returns
if(strstr(getenv('HTTP_USER_AGENT'), 'Win')) {
$content = eregi_replace("\r","",$content);
};
Again, that's PHP -- translate if necessary.
Here's the final trick I'll pull out of my bag: if you set a Content Type to application/vnd-msexcel or somesuch (I could be off on that), and send the client a tab-delimited text file, it will open in Excel. Same goes for plain text and Word. It's a great trick to pull when you know your client is going to be using Windows and will say, "Hey, how did you get your script to make an Excel file? That's so cool!" (Always nice to have a little extra trick to impress your clients...
Hope this helps --
Erica
Let me say I will be one of the first to jump on the "I Hate Microsoft" wagons. But this article is just plain wrong, as in inaccurate.
The first paragraph of the referenced story talks about how they are currently in testing for this security hole. Whereas, the poster is stating that Microsoft has no specific designs on when this will ever get fixed.
Inaccurate, Fanatical Extremism like this is only going to hurt Open Source, Slashdot, and those associated with it. While Microsoft may be wrong in this case. It doesn't do us any good to exhibit poor sportsmanship. Leave that for the politicians
This is all just more of the same. I have come to expect it from MS.
My experience with this is that certain web hosting providers (ConcordEFS, today's ebiz) refuse to send correct content-type headers for flash animations, since it "works in IE"(tm).
IE will guess the content type, and ignore what the server says -- real web browsers listen to the server. So it makes admins lazy, makes MS's browser monopoly stronger, and makes other browsers look broken.
I just wish that the people who don't think MS is a monopoly, abusing their power, had to deal with these little monopolistic tactics every day. If they did, then MS would be no more.
I've had enough abrasive sigs. Kittens are cute and fuzzy.