Slashdot Mirror
New IE Holes Discovered
joelt49 writes "Yahoo! News is reporting that 7 new security holes for Internet Explorer have been discovered by a Chinese researcher; however, there apparantly aren't any attacks on IE yet." The part about this story that gets to me is that the researcher didn't alert Microsoft before posting to a public mailing list. Sure, a lot of people don't like Microsoft, but that's no reason to make it worse for the millions of people who are forced to use Microsoft products, especially for security holes which have yet to be exploited.
Yep, not ideal. But it'll be interesting to see whether MS's claims of having a faster response time to security incidents that the Linux community stands up. Will they have a patch available withing the next day or so? You can guarantee that the Mozilla or Konqueror communities would have in the same circumstances...
"The invisible and the non-existent look very much alike." -- Delos B. McKown
I don't blame this guy for not going to Microsoft first. Given thier track record, more than likely, they would have ignored him until someone publicly announced the problems.
P.S. Is it news anymore that IE has holes?
Sure, a lot of people don't like Microsoft, but that's no reason to make it worse for the millions of people who are forced to use Microsoft products, especially for security holes which have yet to be exploited.
If OSS people can fix the bugs in less than half a day, it should be a piece of cake for a giant software company with lots of programmers to do the same. Sure, a days warning would have been nice, but if there isn't a fix by tonight, it only shows badly on Microsoft.
He who laughs last is stuck in a time dilation bubble.
The part about this story that gets to me is that the researcher didn't alert Microsoft before posting to a public mailing list.
Believe me, in these days that is the only way to report bugs AND making sure they'll get fixed.
Dream world scenario:
1) Report bug to company
2) Company will announce the bug to the public
3) Company will fix the bug as soon as possible
Real World scenario 1:
1) Report bug to company
2) They don't report it to the public and they don't fix it
3) You report it to the public
4) Company sues you for IP violation or any other shit they can pull out of their asses
Real World scenario 2:
1) Report it to the public (anonymously).
2) Company will fix it
Seriously - AS SOON AS THERE IS A VULNERABILITY, I, as a sysadmin, want to know about it. I don't give a flying fuck about Microsoft's reputation, or whether "vendors need time to patch the hole" - while there is a known hole, I DON'T WANT MY FUCKING SYSTEM ONLINE. If a nice guy can discover it, the bad guys probably already have.
The "give us time to fix the hole/do a P.R. coverup" fiasco is WHY I DON'T USE MICROSOFT SOFTWARE ANYMORE.
The part about this story that gets to me is that the researcher didn't alert Microsoft before posting to a public mailing list.
Thats because Microsoft's past record is to ignore people who have contacted them privately regarding security issues, or take legal action against them.
If you really wanted something fixed by MS, and the last 15 times you'd contacted them they'd ignored you, but you've seen someone else release information into the wild and get MS's attention re: a fix within hours... WWYD?
I can understand the desire for such vulnerabilities to be fixed before going public, but Microsoft has been known to sweep exploits under the rug for as many as twelve years. Exploits are a common fact of life with Microsoft products, and its better that this exploit was released to all as an explanation than as a virus/worm.
You can't judge a book by the way it wears its hair.
WE could have found out about it when our sytems started acting up.
This is not like Windows-Linux, where there is a steep learning curve.
Mozilla (or Phoenix) is a slick alternative with an almost zero learning curve to pick up the same level as IE. It also takes almost no time to learn features _that aren't in IE anyway_ that help you see the internet in a much more useful way (ad blocking etc).
No one is forced to use IE with very few exceptions:
People who have it mandated at work, but that's work's problem not yours - they could change too.
People on dialup who have a very slow net connection - but they probably have it on a dial up CD.
People who use it's integrated rendering engine for OE/HTML email - but you can change that easily too.
People who _must_ access IE only websites - but there are very few of these any more, and you can always use IE just for these to lower your exposure.
Microsoft Zelots who refuse to believe that Free software can be any good - but they deserve everything they get.
Beep beep.
While my firm is a strong supporter of full disclosure, this is rather over the top.
What makes it worse is the timing, over a holiday weekend (States side), where most systems staff will be unable to apply patches or mitigate risks.
Now this is an Internet Explorer exploit, hence, few people using IE at work over the weekend. It still provides 48 hours for a few unsavory individuals to develop exploits for Monday morning.
We need to exercise better judgement when dealing with vendors and security issues, this isn't the first time things like this have happened, and won't be the last.
Perhaps we should consider spending more effort creating a Security Researchers Organization as has been discussed on BugTraq .
Until we have a strong unified organization I believe we will continue to see unresponsive vendors and poorly timed vulnerability releases.
I use Mozilla Firebird, myself, and like you, I've tried to encourage my friends to switch. ;-)
Doesn't help much when I'm forced to use a university workstation (like today), but I find it's a better quality browser than IE. Renders faster, blocks pop-ups, and I find tabbed browsing to be pretty much invaluable.
Of course, the best thing about Firebird is, I can still watch Doctor Who: Scream of the Shalka
There are, of course, some times when you have to use IE (like Windows Update, though I guess I could always just download each update manually).
The big problem I've hit is that, even with all these MSIE vulnerabilities that come out on a near-weekly basis - not to mention annoying pop-ups and pop-unders, and other little security-related issues - I don't seem to have any success.
So what's your persuasive technique for getting people onto pre-1.0, non-MS, reliable-but-not-100%-complete software?
"It is dark. You are likely to be eaten by a grue." -- Zork
"I'd like to know who the editor thinks are "forcing" people to use Microsoft products."
People at work who have to use Windows because it's work mandated.
Their's millions of those type of people...
Jason Lotito
it wouldn't have been 'a known hole', but to the Microsoft developers
Prove it. Anything that can be found by a white/gray hat can be found or was already found by a black hat.
I bet you most people in Big Corporations are forced to use windows (not that they know any different).
I know I am forced to use windows at work, even though either a Mac or any Unix Desktop would do.
I ditch IE whenever I can, but for example our HR Website and anything else RELIES on Windows, no way around it.
If you want to e-mail me, use my PGP Key.
Not very realistic unfortunately, when companies have invested so much in integrating (and accepting) some of the flawed functionality in IE.
Are you talking about internet companies or companies using IE for their intranet apps? If a company is using IE-specific functionality to offer services over the internet, they deserve to get bitten periodically. I have no sympathy for any company that provides a service to the "public" but forces them to use one specific browser.
On the other hand, it is quite common to use IE-specific functionality for intranet applications. That's not a problem, one assumes that the intranet server is safe. The solution is to continue to use IE for intranet (and remove all links to internet sites from intranet apps), but use a more secure product to access the internet.
I don't understand the "forced to use Microsoft products" part.
Even when you need to work on Windows, why should you be _forced_ to use Internet Exploder?
Mozilla is the first thing I always install on Windows.
There are organizations where people are indeed forced to use a fixed set of software. In this case, if there's a security hole, the responsability belongs to the sysadmin who forced people to use broken and out of date software.
{{.sig}}
Truly. Makes one wonder if there are internal memos in M$ that warn of the possible mayhem in IE and are swept under the rug like the Explorer chassis problems in Ford motor...
Oh, and for bonus points, both products are "Explorers" ;)
The part about this story that gets to me is that the researcher didn't alert Microsoft before posting to a public mailing list.
Truth. But here's the problem. Microsoft's reputation for responsiveness (that is, not!) and collegiality (that is, not!) in these situations is awful. Nor does Microsoft treat those who report such problems with any degree of warmth. Having established its Chinese wall as it has, Microsoft has lost its standing to whine about non-collegiality of the world it has created.
This is the entire point about open systems, or at least openness about security -- it leverages what happens out there. Frankly, I feel more secure knowing what are the leaks, whether they are addressed or not, than I do knowing there are secret leaks out there for someone to exploit without my knowledge.
If Microsoft had a reputation: (i) for assuring that a report of a leak would be responsibly handled and escalated promptly and without agonizing pain on the part of the reporter -- who is doing Microsoft a favor; and (ii) for responsibly, promptly and professionally addressing the problem, I would feel much more sympathetic.
The problem is that they don't. Maybe they will change as they said they would. But until they do, I'd rather hear the news in time to know for what I have to watch out than to have it buried while others who have discovered the leak exploit it.
Here's the thing, it is highly unlikely that any leak that is discovered by me was discovered only by me. Others, less responsible than I, will disover a leak, find the exploit, and either keep it in their "bag of tricks," trade it or what have you. In any case, if I find it, the exploit is likely out there in someone else's hands. I'd rather know the problem than wait for the solution.
Yes, the kiddies are more likely to play if it is readily "out there." But guys, that happens anyway, one way or the other. Beside, Microsoft seems far more responsive to public leaks than private ones -- maybe this kind of report is more likely to assure that the bug will be repaired than otherwise.
And you spend much less time on hold . . .
Truly. Also, if there is exploit code, someone is using it, just maybe not as part of a trojan or virus yet. Patch or no patch, you can bet that there will be an exploit being used in the wild within a matter of hours or a day at the maximum. The latest trojan/worm/virii are programs that deliver huge amounts of machines to spammers and hackers to become part of their DOS botnets or spamnets, with built in backdoors, etc. Were you on irc the day that the mirc xdcc flaw was discovered? I received no less than 30 malformed xdcc requests that day. Discovery of a new flaw is like free candy to script kidz. Twice the 0wned machines, half the hacking.
music lover since 1969
The part about this story that gets to me is that the researcher didn't alert Microsoft before posting to a public mailing list.
The part about this story that gets to me is that a single person finds 7 (!) holes/exploits by himself. Makes one wonder just how many things are left open simply because no one has looked at them yet. Scary.
"Invalid ContentType may disclose cache directory"
My Classification: Minor
This isn't all that serious. The major threat is that a hacker could get your cache directory. The downloaded web page runs as part of the "internet" zone, meaning that there is no privelage elevation (IE has a zone system to give different pages different privelages).
"LocalZoneInCache"
Moderate/Severe
This is more serious. It allows an attacker to modify files on the system or worse. Note that this *is not* the same as a root exploit, but it could be as damaging as running an executable. Note that the user *does* have to choose "open" in the download dialog, but they are not warned about the security risks and may not consider them as the file extention is ".htm".
"MHTML Redirection Leads to Downloading EXE and Executing - Remote Compromise(requiring MYCOMPUTER zone)"
Moderate
This is somewhat less severe. It allows an attacker to download and execute an executable, but only if the user has already downloaded the page, saved it to disk, and executed it. The user might assume (incorrectly) that the file is safe.
"MHTML Redirection leads to local file parsing in INTERNET zone"
Severe (If an issue)
I was not able to reproduce results with this veulnerability (IE6 SP1). Please comment if you can reproduce it. If it is indeed true, it would allow an attacker to parse the contents of a local file. They would need the absolute path. This could be used to discover potentially private information.
"HijackClickV2 - Adding a Link to Favoriate List(requiring clicking a link)"
Minor
This would allow an attacker to add their site to favorites. The user would have to click a link and would have to release their mouse button over the favorites list (which is placed under their cursor after clicking the link).
"execdror6"
Severe (if issue)
I was not able to reproduce results with this veulnerability (IE6 SP1). Please comment if you can reproduce it. If it is indeed true, it would allow an attacker to run an executable on the user's system. The user would have to click "open" on an HTML file download. Security warnings would not be displayed.
"BackToFramedJpu - Cross-zone scripting(requiring a subframe in victim page)"
Moderate
This could allow an attacker to execute code in another security zone. It could potentially be used to execute code in the "my computer" zone if the attacker knows the location of a local page with frames.
I'll comment on the rest later.
Hmmm who modded this troll up as Interesting, ok I'll pretend this is not a troll, and answer, what M$ has done with bimbo's and IE is not just code reuse, they have not just used some of the same libraries again, they have tightly coupled, them together, so that they cannot easily be separated, parts of windows code was put into the IE libraries, were it doesn't belong in order to legitamise their claim that the two are so called integrated, butchered would be a better term, this is why all of a sudden installing IE even without the "IE desktop", changed your system libraries. In addition inorder to further the same goals or out of shear incompetence, M$ have hooked the two together, via global variables and functions to the point where the one cannot exist with out the other. This is not code reuse this is bad design, and infact the oppersite of structured programming, which is the basis of real code reuse.
You really don't know the first thing about coding do you, when you use a library you do not cut and paste the code into your own, you use their functions and stuff, so all that had to happen with gzip was they fixed the library, then if another project was staticly linked to the library it would have had to be relinked to the new library, but as the majority of code is dynamically these days, most programs would only need you to update the dynamic library on your system, and whala, all programs using the library are fixed next time you run them.
in my life God comes first.... but Linux is pretty high after that
Francis Smit