Slashdot Mirror

← Back to Stories (view on slashdot.org)

Latest IE Hole Lets Gopher Root You

Posted by ryuzaki0 on from the well-isn't-that-special dept.

rvaniwaa writes "Another hole in internet explorer has been discovered. This hole allows a hacker to root a user's computer whenever the user clicks on a gopher link. All versions of IE are affected and a Microsoft spokesman stated that the company is "moving forward on the investigation with all due speed""

4 of 533 comments (clear)

  1. The remedy by sh0rtie · · Score: 5, Informative

    To protect from potential exploiting, you can temporarily disable the gopher
    protocol like this:

    Go to Tools -> Internet options -> Connections. Click on "LAN settings".
    Check "Use a proxy server for your LAN". Click on "Advanced...".

    Go to the Gopher text field
    and enter "localhost", and "1" in the port field. This will stop Internet
    Explorer from showing and processing any gopher pages.

    this will protect you for now, at least until M$ pull their finger out

  2. Re:All three gopher links left.. by Simon+Brooke · · Score: 5, Informative
    Speaking as a person who used to use gopher quite a bit - how many gopher links are left on the WWW? Three?

    That really isn't the point. It would not take many minutes to put up a gopher server with a Win 32 rootkit as content, and then put an innocent but interesting looking link into a web page ('free live world cup scores' would do nicely just now) with an href pointing to that server, and, ideally, one of those annoying JavaScript scrollers in the browser status display to prevent the user from noticing they're about to click a gopher link, and, hey! That's a few more suckers rooted. It will probably go through most firewalls, too.

    If you (or your organisation) still use Internet Explorer, I would treat this as serious. Change your default IE install to have gopher point to a safe machine of your own; block gopher at your firewall; and, ideally, switch to Opera 6, Netscape 6, or Mozilla as your organisation's default browser.

    This isn't going to be the last security hole found in IE.

    --
    I'm old enough to remember when discussions on Slashdot were well informed.
  3. Re:Stats, anyone? by sh0rtie · · Score: 5, Informative


    Yep this site specialises in just that
    Here

    also George Guninski does some research here
    Here

    and Mr Malware
    Here

  4. Official Bugtraq Post by PunchMonkey · · Score: 5, Informative

    The Official Bugtraq Post:

    OVERVIEW
    ========

    Gopher is a protocol developed at the University of Minnesota in the
    early 1990's. Gopher servers offer hierarchically organized directories
    and files. These form a "gopherspace" which can be thought of as the
    predecessor of the World Wide Web. Gopher was mostly abandoned soon after
    HTTP and the World Wide Web started gaining popularity.

    Microsoft Internet Explorer has a built-in gopher client. Gopher pages can
    be accessed via URLs starting with "gopher://". The part of code in IE
    which parses gopher replies contains an exploitable buffer overflow
    bug. A malicious server may be used to run arbitrary code on an IE user's
    system.

    DETAILS
    =======

    When the overflow is triggered, a fixed sized buffer in stack gets
    overwritten with data from the gopher server. This data can contain most
    octets from 0 to 255 (also nulls) which makes it particularly easy to
    inject a working shellcode in it. This is a traditional, trivially
    exploitable buffer overflow. A test exploit has been successfully used to
    run arbitrary code without user intervention with various IE versions and
    systems including IE 5.5 and 6.0.

    The attack can be launched via a web page or an HTML mail message which
    redirect the user to a malicious gopher server when the victim views them.
    The server can be very minimal, ie. a program that can listen on a TCP
    port and write a block of data; a fully operational gopher server isn't
    necessary in order to carry out the attack.

    The exploiter could do anything that a regular user could do on the
    system: retrieve, install, or remove files, upload and run programs, etc.

    Full technical details aren't disclosed at this time to prevent
    exploitation.

    WORKAROUND
    ==========

    Internet Explorer users can protect themselves from the flaw by disabling
    the gopher protocol. Barely any gopher servers exist on the Internet
    today, so this is unlikely to cause problems. If needed, a gopher client
    or some other web browser can be used to access the gopherspace.

    An easy way to disable processing and displaying gopher pages is to define
    a non-functional gopher proxy in Internet Options. Select Tools ->
    Internet options -> Connections. Click on "LAN settings". Check "Use a
    proxy server for your LAN". Click on "Advanced...". Here you can define
    proxy servers to be used with different protocols. Go to the Gopher text
    field and enter "localhost", and "1" in the port text field. This will
    stop Internet Explorer from fetching any gopher documents.

    After installing the patch from Microsoft you can remove these gopher
    proxy settings (or restore them to values they had before).

    For more information and a vulnerability test see
    http://www.solutions.fi

    VENDOR STATUS
    =============

    Microsoft was contacted on May 20th. At the moment of writing this
    advisory, Microsoft has started designing and coding a fix, but hasn't
    given any approximation of when it would be released. The patch will be
    available at

    http://www.microsoft.com/technet/security/current. asp

    when it is completed.

    --
    I'll have something intelligent to add one of these days...