Open Source Firm Releases Patch for IE Bug [UPDATED]
An anonymous reader writes "An open source and freeware software development web site has released a patch to fix the URL spoofing vulnerability in Internet Explorer, which can be exploited by scammers who try to trick people into revealing details of online banking accounts or other private information." Naturally, the source for the patch is available as well. Update: 12/19 15:06 GMT by M : Sadly, the patch appears to contain a buffer overflow and some possibly-malicious code - see an analysis and news story, and this comment which suggests the patch author is trying to figure out who is taking advantage of the original vulnerability. Caveat patcher.
In other news....M$ slams a DMCA lawsuit for "hacking".
Life is not for the lazy.
I can't even come up with a good joke for this. Seriously. It's just too good. Way, way too good.
My own pointless vanity vintage computing page
trust OS people to fix what M$ can't find profit for!
How long til they're sued by MS?
Try to remove the color-problem by restarting your computer several times. -- Microsoft-Internet Explorer README.TXT
When Microsoft can't do it anyone can!
I'm not downloading anything that isn't part of a MS plan. Sounds like a trojan attempt to me.
Unfortunately, with this being an unofficial release, I don't see many people likely to utilize this until it is released by Microsoft. In the meantime, I am enjoying reading this in Mozilla :)
It's called Mozilla/Firebird.
Without the original source to IE?
This patch fixes a security bug in Internet Explorer that could allow someone who actually knows what they're doing to repair buggy programs on your computer.
Good to know that while Microsoft is leaving its users hanging out to dry patch-wise, the community still cares enough to fix the problems. Who knows -- maybe we'll see more effective (i.e., fixing more problems than they cause) patches from here forward.
What if the hokey-pokey really is what it's all about?
So, there is an open source patch for a browser that the people who would have heard of the patch wouldn't use. The /. readers ought to be using Mozilla and they know it; if they aren't using Mozilla they probably will not install the patch either.
The people who would likely be fooled by this haven't heard of Mozilla and haven't heard of open source and will not hear of this patch.
so this patch is pointless
(cool that it can be done though)
What the article doesn't say is that the "patch" just removes IE and installs Mozilla. :)
Why should I trust this? Yeah, the source code is available, that's great. I'm not a programmer so it's meaningless to me. Without the MS seal of approval I won't be installing this. It's so damn sketchy.
Support the First Amendment. Read at -1
For the adventurous among you.
http://www.openwares.org/downloads/IEpatch.EXE
If you wanna get rich, you know that payback is a bitch
Will there ever be a day? It's like fixing something old. Keep patching it, then someday give up and get a new one.
I don't know about you folks, but this appears to redirect your request to their cgi script, which ostensibly will allow or deny it based on whether or not it is vulnerable.
This looks like a horrible way to "fix" the problem.
Natural != (nontoxic || beneficial)
If you check the code, all it appears to do is redirect the browser to http://www.openwares.org/cgi-bin/exploit.cgi?URL if someone clicks on a bogus URL.
The overpresence of "strcpy" is a bit unsettling, too.
While it's a nice step, it's no replacement for an official Microsoft patch.
Mod it funny! You know you want to!
How do you patch closed source code?
By violating the EULA by disassembling IE?
Lovely. I want Bill Gates poking around my sock drawer because I installed an unauthorized patch...
I wonder when OSS folks will release their version of Wind...no, wait, ReactOS team isn't sleeping, doing nothing, I think :P
One that hath name thou can not otter
How is having an open source patch for a closed source product different than a closed source patch?
Seems to me that all you know is that somebody who presumably knows more than you can about the underlying code is doing stuff to it. You're still risking the same badness whether you read what they give or not.
The patch may be marvelous, but I can't see why anyone cares about its source.
"Consider yourself a member of a virtual corporation with Mr. Torvalds as your Chief Executive Officer." - Linux Advocac
A third party releasing a patch to a browser. How safe is this?
Yes the source code is there, but how do we know the executable doesn't have crap in there?
Even if everything is clean now, how about the next patch from another source?
(Not even saying anything about testing and how it can break something. They don't even have the source code of the original product.)
The surprise isn't how often we make bad choices; the surprise is how seldom they defeat us.
Comment about Open Source browser as a better general patch for the woes of IE.
For a dual-boot configuration, I'm still in favor of a FAT32 partition between NTFS and <favorite open source file system>, the beauty of which is that Mozilla mail can be pointed to a single set of folders on that FAT32, regardless of which OS is booted.
Now, if only the Palm desktop stuff could achieve such flexibility; I still wind up duplicating data in the Palm desktop under redmondware, and JPilot under Linux.
Which isn't too much to have to complain about, now, is it?
Get thee glass eyes, and, like a scurvy politician, seem to see things thou dost not.--King Lear
Does applying a third party patch violate the EULA for IE?
A Better solution:
Use Mozilla Firebird
If the open-source community is able to put out a patch to fix vulnerabilities faster than Microsoft, this could happen more often. If it happens more often, then perhaps Microsoft could just stop trying to patch its own OS and programs altogether. Just a speculation, not too likely. :)
I just know that MS won't speed up their patching to beat the open-source community.
Don't even try to argue. It is NOT worth the while to go round the world to count the cats in Zanzibar.
Sorry, but it's going to be a cold day in hell when I run something from a website named "openwarez.org".
It didn't ask me to reboot afterwards!!!
Someone start knitting a sweater for Satan...
What happens when Microsoft releases their official patch? While being open source, who's to say that it will play well when Microsoft releases their official patch?
It's only "open source" in the very loosest sense. From the patch:
Internet Explorer URL Spoofing Security Patch
Developed by Opensoft Corporation, Vanuatu
Contact: opensoft@openwares.org
Opensoft Corporation, Vanuatu
Copyright 2003 All rights reserved.
Terms of Agreement:
By using this source code, you agree to the
following terms:
1) You may use the source code, resource
files for educational purposes only.
2) You MAY NOT redistribute this source code
without written permission. Failure to do
so is a violation of copyright laws.
3) The author of this code may have retained
certain "additional copyright rights".
If so, this is indicated in the author's
description.
this is good in the short run, but bad in the long run
People voluntarily patching M$ products will lessen the pressure on M$ to write code with fewer bugs in the first place. Also, without knowing the source code, reverse engineering the program and writing patches is risky at best: who knows what this patch might break after extensive testing.
Also: when (and if) M$ actually releases a *real* patch for the problem, how will that work with this open source patch?
I can tell you this: It doesn't surprise me that Microsoft isn't doing its job properly. It's a software company. It should produce a reliable product. But instead, it produces trouble.
Further, it doesn't surprise me that the open source community is fighting back, so to speak, by fixing this particular problem. I think that as time goes by, more patches for commercial software will be released by independent programmers in the open source community, because of frustration with the inability to get satisfaction from the "real" producer of the software.
I only hope that Microsoft won't pull some stupid DMCA bullshit to stop this. "Yeah, your honor, we believe it is detrimental to the best interests of our customers when bugs in our software are fixed. It should, instead, be illegal to discuss, fix, or exploit these bugs in any way, unless one is a member of the underground h4x0r community, in which case, exploiting the bugs is perfectly ok." (We all know Bill Gates is the leader of all these movements to steal credit card numbers through exploits in his own code. That's how he earned his zillions of dollars. Nobody actually buys stuff from Microsoft, you know.
And no matter how they did it, how freaking embarrassing is this for Microsoft? "Our software is so flawed that unauthorized third parties can fix it faster than we can." Oh thank god NORAD is using that shit!
"1984" was meant to be a warning, not a guidebook. You hear that Kim Jong-il!? BushCo?!
While Microsoft has released an article providing details about the vulnerability, the company is yet to provide a patch.
I hope this become a trend and attitude among the Open Source community. I must admit that I've been a Microsoft-hater for years, but over time I found that people are really put off by anti-corporation sentiments. I suppose it makes sense in a way; If I invested thousands in a technology for my business, I wouldn't want people telling me "Aw man! You got totally taken! Windows is total crap!"
If the Open Source community begins patching Windows before Microsoft, not only does it help consumers deal with problems they can't solve, but it brings honor and respect to the Open Source community. Then when people consider Open Source, they're more likely to conclude that Open Source programmers are more competent than corporate programmers.
It's a win-win-lose. Open Source wins, Consumers win, and Microsoft loses. Which is what I wanted in the first place.
ESR's right in his article "How to Become a Hacker"
Q: Do I need to hate and bash Microsoft?
A: No, you don't. Not that Microsoft isn't loathsome, but there was a hacker culture long before Microsoft and there will still be one long after Microsoft is history. Any energy you spend hating Microsoft would be better spent on loving your craft. Write good code -- that will bash Microsoft quite sufficiently without polluting your karma.
Ruby on Rails Screencast
Seriously: why should I trust this? Yeah, the source code is available, that's great. I'm not a programmer so it's meaningless to me. Without the MS seal of approval I won't be installing this. It's so damn sketchy.
I don't have any idea why MS decided to wait until next year before fixing something which is otherwise a severe security issue. I guess everyone is just led to believe that MS simply doesn't care if your PC gets hacked, because then they can go around and pass the buck to spammers and charge people for an upgrade or support.
I think this patch release makes more of a political statement, regardless of the issues surrounding whether an OSS company should be putting out patches for proprietary products.
READY.
PRINT ""+-0
when hell just froze over? Will microsoft actually have to acknowledge them? Thank them?
An open source firm issued the patch a while back -- It was called mozilla.
How does this affect IE, the MS EULA, and all the other wonderful legal stuff that could be dragged out simply because you modified software that wasn't meant to be modified outside the confines of One Microsoft Way?
Patch on, I guess...if you must. I sleep much more soundly with my RH9 and Firebird.
This is the whois record for that domain from whois.networksolutions.com:
It's up to you to decide whether you trust them or not.
Using HTML in email is like putting sound effects on your phone calls. Just say <strong>no</strong>.
That's not a link! This is a link:
http://www.openwares.org/downloads/IEpatch.EXE
P.S. I haven't actually tried the executable out, I just added the clickable goodness. I also couldn't pass up the chance to make a Crocodile Dundee joke.
or having a pop singer babysit for you. It's just *so* wrong on many levels.
I wish somehow they would purposely implement a security hole. Then, be able to exploit that hole to their advantage. Uh oh, the FBI is on my tracks. Gotta go. Bye.
In other news...
Today Micro$oft contributed code to the Linux kernel, and announced plans to help iron out differences between Mozilla and MSIE :-)
Poor MicroSoft!
Microsoft's biggest software threat gets a huge update, one of their own products gets a patch by a third party, Real Networks sues them for monopolistic activities, and Lord of the Rings - Return of the King (a movie made with cheap Linux boxes) is released. All this in a 48 hour period!
Man, it's been a rough couple of days.
Sm:)e.
I guess you don't invest in any stock then . . .
Being open is not for your benefit because you have any clue how things work. Being open allows objective 3rd parties who have a clue to give an opinion on the matter so that the clueless masses (though shrinking every day) can make a decent decision. The benefit to you is indirect, but it is a real, tangible benefit nonetheless.
Now, objectivity and expertise to you might simply be synonymous with "MS," but if the financial market were that naive I doubt we would have ever recovered from the Great Depression...
Hope my reality wasn't too harsh for your bubble.
Sdelat' Ameriku velikoy Snova!
This patch apparently intercepts the badly-formatted URL and then forwards you to the patch maker's website.
It would be more efficient, safer, and simpler (no need to do any patching) to implement a similar solution using a proxy like Privoxy. The proxy (installed on your local machine or LAN) would then be used to intercept the badly-formatted URL, and replace it with its own locally generated warning page (again, similar to Privoxy).
I think Privoxy is OSS. Maybe someone could whip something up.
If people are doing open source IE patches, would somebody please fix this sucker? Thousands of people are complaining about this bug online, yet MS hasn't even officially admitted its existence. Now that's inept!
#! /bin/sh
cd /usr/local || exit
rm -rf MSIE
tar xf src/mozilla-1.5.tar
OK, that'd be my version, but I always did go for the simple solution.
Maybe they forgot to sign the EULA?
Found a wonderful fix: it is called cfdisk! And Slackware 9.1 setup; works great and no IE security issues!
OH THE SHAME I fell off the wagon and use sigs again!
This is the beginning of a really bad precedent. It is bad enough that M$ makes bad software and takes too long to fix it, but this just makes it okay to keep doing that. M$ will know that now they don't even HAVE to fix it. Just wait and let the open source community do it. THEN, when multiple patches start conflicting because of reasons already mentioned above, M$ can blame open source as the problem. Heck, they might even 'embrace' open source for a time, then use this as justification that open source doesn't work.
Open source enthusiasts have TWICE paid to renew Microsoft's domain registries (once for hotmail, once for microsoft UK) when Microsoft forgot... so who should you trust with your data, the people that can't even remember to renew their own domain registrations, or the people that keep bailing them out?
"Freedom means freedom for everybody" -- Dick Cheney
If I am correct, all Microsoft applications do allow access to APIs (Application Programming Interfaces). I have written a simple application in Visual Basic once that used the API of MSN Instant Messenger to listen to the messages sent to me and do a custom auto reply saying things like "I will be back in a few mins".
Once someone has a grip of IE's API, this shouldn't have been too difficult - after all, they just check if the URL requested (which should be triggering an event in the API) has a particular type of input. If so, they redirect it to a different URL (their own website).
If the patch has been done this way it is more reason not to apply it - it is not exactly the cleanest way to fix it.
Siggy Say, Siggy Do
Open Source means that you can see the source code. That's it. Hence the phrase, "Open Source". Now if you are referring to licenses regarding use of the source, that's something completely different.
M$ picks up an open source bug fix off the net, rolls it into IE and releases it real fast ..... 2 weeks later the FSF comes a knocking wanting to know where the source for IE is and "didn't you say in court your browser is so highly integrated into your OS it can't be removed ... we'll have the source to that too please" ....
Judging from the source it's a quite simple COM object, which hooks into IE and checks URLs before IE actually starts "processing" them (opening connections, parsing...)
If it finds anything out of the ordinary (like an exploit) it just redirects IE to their own site. Specifically to http://www.openwares.org/cgi-bin/exploit.cgi. It adds a few parameters (the fake URL among others), so I guess they will be building a database of exploiters...
It's no patch, IE stays as it is. It's more a workaround. I'm not sure whether these hooks are documented (although, being a Windows system programmer, I never liked IE and stayed as far away from it as possible), but if yes, Microsoft might actually have nothing on openwaves...
...that means if you use it you have to pay a fee to SCO, right?
"I think this line is mostly filler"
Ahh, relief, I just installed this patch early enough to catch a spoof... and to where does IE now take me?? http://www.openwares.org/cgi-bin/exploit.cgi?www.s lashdot.com&http://www.goatse.cx
Uhh... for those of you that didn't actually look at what the thing does, it appears to simply validate each and every URL through a CGI script on their website. I, personally, don't need each URL I visit passed on to their site, as that data could be used to do some rather interesting things...
For those of you that say "Ahah! Look at what Open Source did! MS didn't make a patch, so we made one for them!" Take a look at what it does, and get back to me... Now, doesn't that sound like a (somewhat bastardized) hack?
Michael C. Hollinger
From a cursory look at the source code, it looks to me as though there are at least two memory leaks. To be more specific, in function BeforeNavigateEvent(), there are two calls to malloc(), but no calls to free(), and the pointers that malloc() returns are stored in local variables, so there is no possibility that a parent function free()s them. Having said this, I haven't written any code under Windows, so maybe there is some kind of garbage collection in the Windows memory model that I am ignorant of?
The time it takes to patch the problem is minuscule compared to the regression testing done to make sure the patch fucks up as little as possible. They test EXTENSIVELY and even so you still get the occasional patch that interacts with other software in ways you can't predict and breaks something. It happens. Any code monkey could hack out a patch, but I know damn well they haven't tested this as much as a corporation supporting 90% of the world's browser users would. That's where the time is, so quit bitching about how long it takes to release a patch. Now, the time it takes to ACKNOWLEDGE a bug is a different story....
Geek used to be a four letter word. Now it's a six-figure one.
And that's not a patch - call it an addon or a plugin.
Note: I am a horrible c++ programmer and welcome any corrections.
Actually I don't understand why they even need to forward off to exploit.cgi on their web server.
I BELIEVE that they do the fix entirely in the c++ code but prefix the corrected string with a call to their own website.
IF this is what they are doing, then it doesn't matter what source code they give us, because it COULD be a set up for a man-in-the-middle attack to read all my penis enlarger email in my Hotmail account.
Again: I could be wrong and welcome any corrections.
Maybe it's just wishful thinking, although I doubt the open source community would really be interested in IE even if it became GPL. It would require way too much work to bring that up to speed. Not worth it when there's a horde of better GPL browsers out there.
Maybe their EULA was agreed to by a minor or a drunk...
Let's see, someone comes out and says, hey, I have a patch for proprietary software for which no one but MS has the LATEST code. Then a bunch of folks say "Let's go get it". It's true, 1000 monkeys............, or if you subscribe to PT Barnum
MyIE2, which uses the IE engine but adds a lot of features (including tabbed browsing), released an update on Dec. 14 to fix this bug.
http://www.myie2.com/html_en/update.htm
The concept is great, but as others have already mentioned, the implementation is godawful. It submits every URL to a CGI script on their website, then redirects you based on whether or not the URL is valid. This is incredibly bad, because: 1) Who are these people? Can you trust them? How about when you type in an FTP/HTTP URL that has your username and password in it? 2) What happens when their server goes down? Your web browser doesn't work? Again... nice idea, but wow. You really couldn't think of any better way to do it? Go get Opera, or Mozilla if you want a free browser.
LOAD "SIG",8,1
First reasonable explanation I've read.
Only spoofed URLs get sent to the CGI script, which tells you that you were just protected from the con.
It only sends the spoofed URLs.
We've found you out. It's no wonder you've got a link to M$'s site tied to your profile!
Here's your true identity!
And here's another anonymous duplicate posting!
"It's a very tangled subsystem." --Windows kernel guru
Oh, but wouldn't it be so deee-licious if people FED UP with Windoz bugs started releasing fixes independent of M$? What do you suppose Bill and Friends would do?
"Who are in control, they are not in control of anything - they don't even control themselves!" - Glen Beck
What will happen when MS actually *DOES* release a patch? Will this non-official patch screw things up?
-Charles Hill
http://www.herber-hill.com/
Learning HOW to think is more important than learning WHAT to think.
Can anyone point me to a good programming website on how to make patches for closed source programs like these guys did?
A list of the bad things about this "patch", just at first glance:
1. Leaks 256 bytes on every URL navigation
2. Leaks 512 additional bytes if it finds an exploit URL
3. Creates a string with the \1 char in it on every call, but does nothing with it
4. Will overwrite stuff on the stack if the URL has the exploit and is very close to 256 chars in length.
It's a good thing these guys aren't on the real IE dev team.
If you'd taken a few minutes (or seconds w/broadband) to get the source and look at the code, you'd see this:
By using this source code, you agree to the following terms: 1) You may use the source code, resource files for educational purposes only. 2) You MAY NOT redistribute this source code without written permission. Failure to do so is a violation of copyright laws. 3) The author of this code may have retained certain "additional copyright rights". If so, this is indicated in the author's description.
Since I doubt there'd be anything educational about IE source code... And by the way, I don't think this qualifies as an open source license.
My problem? I was perfectly gruntled, until some numbnuts came by and dissed me.
On top of that, it's buggy. It has a memory leak in its BeforeNavigatorEvent() IE callback function which gets triggered before a loading of each new page. There they allocate a string of 256 bytes, but never even bother to clean it up!
I'm not even sure if that memory is going to be cleaned up when you close all the IE windows, since it's really a Windows system component and this DLL may not be unloaded even with the closing of IE. But I may wrong that point...
But even that's not the worst thing. Their code actually contains a buffer overflow, allowing the attacker to execute code on your machine with the privileges of the IE process just by crafting an invalid URL link and getting you to click on it!
Basically, they use WideCharToMultiByte() to convert the Unicode URL string to that allocated 256-byte ASCII character array. They tell the function the size of their array, but if the URL string exceeds 256 characters in length, it will not overwrite that buffer and cause an immediate buffer overflow. Instead it will fail and tell you to increase your buffer. Well, guess what? They don't check for that failure condition (and, incidentally, it may fail for many other reasons during the Unicode->ASCII conversion) and happily proceed to use it in a strcpy() later on, overwriting another 256-byte character array which is now located on the stack. A nasty buffer overflow just waiting to be exploited...
So to summarize, they took a relatively minor problem (URL spoofing) and made it a hundred times worse with their 'solution'. Great job, guys!
Offending code:
I'll bet the memory leaks get fixed soon. Thanks for pointing them out.
Eh. Just realized that since WideCharToMultiByte() will fail, it will not actually copy the URL to the dest[] array and thus, you probably can't overwrite the return address with a legitimate value and get it to point at your shellcode. It's still easy to overwrite it with a random value (with whatever is sitting at the time in the uninitialized dest[] array) and cause a crash, but executing malicious code may be a little harder to pull off...
Since the workaround is a COM object that checks URL's, it should not interfere with a real MS IE patch.
The time it takes to patch the problem is minuscule compared to the regression testing done to make sure the patch fucks up as little as possible.
If Microsoft employed better software design, IE wouldn't be entangled with the whole OS, and their testing workload wouldn't need to be so extensive.
I know damn well they haven't tested this as much as a corporation supporting 90% of the world's browser users would
Several times, 3rd party volunteers have demonstrated the ability to test Microsoft's software more thoroughly than the publisher ever did. (Server software though, which can be easily tested by software, not the browser)
With all the effort in FUD against various OS products, this could be an excellent PR move for the OS community.
Opera 7.23: not only is it not vulnerable to this exploit, it pops up a dialog box to advise you're being redirected to a user@ address (and shows the real address in the bar).
--10scjed IANAL,AFAIK
Anyone?
Second, it's a horrible precedent for closed source software. Let closed source fix closed source. This may seem like a good thing(tm) for the OSS community, but you know damn well that not-so-good-intentioned 'patches' will soon follow. Post some source on a site, provide an EXE (that of course didn't come from the source) and you've fished in countless Joe Users before the real word is out that a copycat has duped you. Too late for some.
I can only see bad things(tm) coming from this idea. Geeks know who and what to trust, but Joe User doesn't. And when Joe User screws up it screws us all.
The sum: This may have a greater negative impact in the long run than the good one it was intended to have.
Well, this is hilarious. I guess I should never assume anything until I try it out myself. Apparently when WideCharToMultiByte() fails, it DOES overwrite your string, but presumably does not go over the specified bounds. So their code is still vulnerable to remote code execution since you can fill the dest[] array with the shellcode and a new return address that would point to it. You only have 256 bytes to work with (in reality even less, since they have some other stuff on the stack that you need to get over before you get to the return address), but if you are good with assembly, that should be enough to do some fun stuff... In comparison, Slammer was 306 bytes in size, but of course did quite a bit too...
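The two comments above (the WideCharToMultiByte() analysis and its follow-up) describe the same defect: an unchecked conversion result feeding a strcpy() into a 256-byte stack buffer. As an added example that is not the patch's own code, here is the hardened shape of that routine. wcstombs() stands in for WideCharToMultiByte() so it builds on any C toolchain, and the two spoof heuristics (an embedded \1 byte, or userinfo before '@', both mentioned in this thread) are assumptions about what such a URL check would look for, not the patch's actual logic.

```c
/* Added example: narrow a wide URL into a fixed 256-byte buffer, but refuse
 * to proceed when the conversion fails or would not fit. wcstombs() is used
 * as a portable stand-in for WideCharToMultiByte(); the spoof heuristics are
 * assumptions for illustration, not the patch's real detection code. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <wchar.h>

#define URL_BUF 256

enum url_verdict {
    URL_ERR_CONVERT = -1,   /* conversion failed or did not fit: do not copy */
    URL_CLEAN = 0,
    URL_CTRL_CHAR = 1,      /* control byte (e.g. \1) embedded in the URL */
    URL_USERINFO = 2        /* something@host form in the authority part */
};

/* Convert a wide URL into dest (dest_len bytes). Returns 0 on success and
 * -1 when the locale cannot encode it or when it does not fit with its NUL.
 * The unchecked return value is exactly what the thread's analysis flagged. */
static int narrow_url(const wchar_t *wide, char *dest, size_t dest_len)
{
    size_t n = wcstombs(dest, wide, dest_len);
    if (n == (size_t)-1)
        return -1;          /* unencodable character */
    if (n >= dest_len)
        return -1;          /* truncated: dest carries no terminator */
    return 0;
}

/* Classify a URL. Only reaches strcpy() once narrow_url() has guaranteed a
 * NUL-terminated string of at most URL_BUF-1 bytes. */
int check_url(const wchar_t *wide_url)
{
    char narrow[URL_BUF];
    char copy[URL_BUF];

    if (narrow_url(wide_url, narrow, sizeof narrow) != 0)
        return URL_ERR_CONVERT;

    strcpy(copy, narrow);   /* safe: bounded and terminated by the check above */

    for (const char *p = copy; *p; p++)
        if ((unsigned char)*p < 0x20)
            return URL_CTRL_CHAR;

    /* Authority is everything between "://" and the first '/', '?' or '#'. */
    const char *authority = strstr(copy, "://");
    authority = authority ? authority + 3 : copy;
    size_t auth_len = strcspn(authority, "/?#");
    if (memchr(authority, '@', auth_len))
        return URL_USERINFO;

    return URL_CLEAN;
}

/* Build a harmless URL of exactly len characters and check it, to exercise
 * the "close to 256 characters" boundary. Returns -99 for an unusable len. */
int check_url_of_length(size_t len)
{
    static const wchar_t prefix[] = L"http://example.com/";
    wchar_t buf[1024];
    size_t plen = wcslen(prefix);

    if (len < plen || len >= sizeof buf / sizeof buf[0])
        return -99;
    wcscpy(buf, prefix);
    for (size_t i = plen; i < len; i++)
        buf[i] = L'a';
    buf[len] = L'\0';
    return check_url(buf);
}

int main(void)
{
    /* Constructed sample inputs. */
    printf("clean:     %d\n", check_url(L"http://www.example.com/index.html"));
    printf("\\1 spoof:  %d\n", check_url(L"http://www.example.com\x01@example.net/"));
    printf("userinfo:  %d\n", check_url(L"http://www.example.com@example.net/"));
    printf("255 chars: %d\n", check_url_of_length(255));
    printf("256 chars: %d\n", check_url_of_length(256));
    return 0;
}
```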
If your software is so tangled in intertwined components that a patch for an issue this simple would conceivably break something elsewhere on your system, then your terrible product design is the concern, not the QA.
Besides being devastatingly ironic, humorous and even a bit ridiculous, this is a really neat idea!
Microsoft has essentially become a public utility, with none of the benefits of public ownership. But unlike with power lines, anyone can serve up the next version of IE.. just so long as they don't call it IE.. and well, this seems like the way you'd go about doing that.
We should "patch" IE's CSS implementation too. Or maybe the COM/OLE integration, to make it 100% Wine compliant.
Hey, skip IE.. it's not so bad. We need to patch Outlook to not take friggin' 100% CPU when it's not even running.
In fact, this is all possible, except possibly for the DMCA exception. I can see the witch-hunt now... the Microsoft/RIAA/MPAA campaign against Terrorist/Communist/Free Software Hackers who threaten all that is good and wholesome, Internet security, Apple Pies and, oh, profits, by fixing all the bugs pumped into users' hands by we-promise-they're-not-monopolistic practices.
And maybe as a carrot, Ballmer doing his dance for the AOL 10.0 commercial with a witty interjection by - in order of probability - a) whoever loses the next Presidential election, b) Jack Valenti or c) the intriguing possibility of Larry Flynt.
But I digress...
That was hilarious. Good show!
. . .this has been brought up a number of times on /., but to "beg the question" does not mean "raises the question."
From the Common Errors in English site:
"An argument that improperly assumes as true the very point the speaker is trying to argue for is said in formal logic to "beg the question." Here is an example of a question-begging argument: "This painting is trash because it is obviously worthless." The speaker is simply asserting the worthlessness of the work, not presenting any evidence to demonstrate that this is in fact the case. Since we never use "begs" with this odd meaning ("to improperly take for granted") in any other phrase, many people mistakenly suppose the phrase implies something quite different: that the argument demands that a question about it be asked--raises the question. If you're not comfortable with formal terms of logic, it's best to stay away from this phrase, or risk embarrassing yourself."
Great site, BTW.
http://www.wsu.edu:8080/~brians/errors/errors.html#errors
He's saying that MS is going to release a security patch preventing people from installing 3rd party patches to MS software. Actually, my subject line is a little rude . . . I had to read it twice too.
If Microsoft employed better software design, IE wouldn't be entangled with the whole OS, and their testing workload wouldn't need to be so extensive
Even if IE wasn't entangled in the OS, there's still a shitload of testing to do. Also, MS TRIES to make sure that their patches don't break 3rd party apps. How many other companies do you know that do that? I'm not saying they always succeed at that, but they try, since it is in their own best interest. They don't need the whole world thinking their patch sucks because it broke some spyware/hotbar/whatever else IE add-in.
Several times, 3rd party volunteers have demonstrated the ability to test Microsoft's software more thoroughly than the publisher ever did. (Server software though, which can be easily tested by software, not the browser)
Yes, any one with an axe to grind with MS can spend the majority of their adult life testing MS software in order to break it and find flaws. In fact, many security companies make their living doing this. However, MS is a business. A business that likes money. As everyone knows, time is money, and if MS thinks it has put enough time into testing, it will release the patch, perhaps a bit prematurely. It happens. Hell, for all we know, MS may wait for someone else to find the bugs so that they don't waste time and money on it! It's unlikely, but it would be smart business. Also, if you are suggesting that software testing would catch all the problems, you'd be mistaken. Who is to say the software checking the software doesn't have a few bits loose? Adding to that, it is impossible (in hardware, software, or otherwise) to predict every interaction code will have due to all of the 3rd party apps out there.
Geek used to be a four letter word. Now it's a six-figure one.
That'll teach them...
Now if a benevolent open source firm would make a patch that gave IE PROPER PNG support, then I would be very grateful (I have been swearing at IE's lack of png support for the last hour for messing up my very cool website design)
History will be kind to me, for I intend to write it - Sir Winston Churchill
I posted the same thing above, but MS does try to test common 3rd party apps as it is in their own best interest. They don't need everyone blaming them if someone else's shitty code breaks because of their patch.
Geek used to be a four letter word. Now it's a six-figure one.
You're fucking stupid. You think the open-source group did not do regression testing?
I never said they didn't. I just said MS does extensive in house testing, and I'm sure it's more than most out there. And the next time you call someone fucking stupid, try not to do it as an AC. It only makes you look fucking scared.
Geek used to be a four letter word. Now it's a six-figure one.
WTF are you talking about? To beg the question is a very common expression. Why don't you crawl back into your hole?
See, OSS makes sense :)
I'm also getting the bug in mozilla.
Umm...I don't know if you've ever done any patching, but usually you can tell by the broken code and the new code what areas to generally look at for incompatibilities. Most calls made shouldn't really be changed and the original code should be left untouched as much as possible. If so much of the code is a problem that you literally have to test the whole system, oh well, that's sloppy coding and it's their fault. On Debian, security patches are as much of the original code as possible and the rules on what can be changed in the code are fairly strict. Despite this, security patches are always released promptly and people can have the assurance that their systems will remain stable and won't be broken. MS doesn't really have an excuse. Hell, if they opened the code I'd do the patching for them. Just my 2 cents.
-Steve
I'm curious why it redirects to a CGI on their homepage. Doesn't it pose the same security risk as the invalid URL itself, since you are now trusting a CGI on their homepage (what happens if it gets hacked or they get infected with the evil bug)? Isn't that a security risk in and of itself?
I plan to download the source right after this, but why can't it fix the bug in the code and send it to the correct webpage instead of redirecting?
sounds like spyware to me
Funny, if MS came out with a crappy patch like this we'd all be ripping our hair out.
did you forget to take your meds?
Jesus! Did I oversleep till April 1st.? My boss is going to kill me.
- If we aren't supposed to eat animals, then why are they made out of meat? - Steven Wright
It seems you've got a good handle on this, so when can Openwares expect your patch for the vulnerability in their patch?
Read, L
Yes, unfortunately I have done much code patching. And I agree with you fully, that the original code should be as untouched as possible and that software should be designed very modularly so that you CAN fix one piece without busting up the whole system. But we all know that they ARE patching IE, arguably the software that the majority of windows software depends on (for good or bad). You know they must sweat bullets every time they release a patch for that reason alone, and I know they test the hell out of it, even if they do miss a few problems here and there.
Geek used to be a four letter word. Now it's a six-figure one.
AM I THE ONLY ONE TO WHICH THIS SCREAMS PRIVACY INVASION?
I think Slashdot just posted a link to a trojan on the front page. To all who just installed this: you have been pwn3d.
True enough, better just get Mozilla. If you want really clean code, better get off M$ altogether. It's their stupid hole that requires this "patch" in the first place and it's just one of dozens that have been demonstrated since XP was unveiled as "secure by default". Pthththfit!
Friends don't help friends install M$ junk.
Just as soon as they mail me the check for my services :-)
Now, that's one serious bitchslap for the responsible guys at MS.
Watch out big MS!
Today everybody is laughing at you.
But when they are done laughing (which, admittedly, could take a while) they will rub their eyes. And, again, see a bit clearer than before.
I think you'd better not rub it into their eyes even further with a lawsuit or something stupid like that.
Crying customers are a Bad Thing.
Duh this patch looks for C:\ as the root drive. If your Windows installation doesn't live on C:\, or you don't have a C:\, then you are fucked.
Classic mistake.
You ain't had real fun till you have tracked down the sort of problems that this can cause - sure it won't be a problem 99.9999% of the time, but why risk it?
This patch uses strcpy()/strcat() and 256 char buffers instead of dynamic buffers and strncpy()/strncat() in IETray.cpp.
FOR THE LOVE OF GOD/ALLAH/BUDHA DONT USE strcpy()/strcat()/gets() !!!
These functions ought to be made illegal. This is why buffer overflows exist, because amateur coders generally don't know what they're doing and because they dont grasp the security implications of design decisions. Be warned, users[ESC]bcwidiots herd together.
-- Naive C programming will get you everywhere, it appears, even if you don't have a clue.
The biggest trick the devil pulled was letting lawyers become politicians so they can write the laws.
SCO Group of Lindon Utah announces that it has filed suit against Microsoft for including Unix/Linux code in Microsoft's Internet Explorer. Darl McBride says "There's no way these burger flipping losers could fix IE without our help. Microsoft couldn't even fix it without our lawyers."
Shrewd investors continue to laugh at the SCO Group's activities and have the following comments:
"The funniest thing I've seen since the Paris Hilton tapes!" - MSN
"A gut buster worthy of John Belushi - but SCO does more drugs" - Timothy Leary
SCO also announced that Caldera Linux licences still outpace all other SCO products - excluding lawsuits - by a 2:1 margin. Darl announced that they expect to make that 3 to 1 by next summer before they are purchased outright by IBM for $1.50 and a can of Red Bull.
Fixing Microsoft problems is a no-win thing to do. Either you escape Microsoft's notice or you are broken by them. In the first case, you simply help make people comfortable in Microsoft's clutches. This, perversely, makes them happy with Microsoft. In the second, you make them angry at you for trying.
Microsoft routinely discredits the work of all non-Microsoft programmers and this will be no different. All they have to do is detect the alien code and break their own code in response. Just look at all the nasty apologist postings here with their stupid "this is no substitute for an official Microsoft patch" bullshit.
There are many better things to do with your time than work on legacy Microsoft junk. It's impossible to secure due to its flawed networking and kernel models. You can try and try, but the user is going to get burnt by the new version of Outlook, which undoes all of your repairs, or some RIAA virus will come chugging out of Kazaa at them. Working for Microsoft is a futile, pointless and ultimately harmful exercise.
Friends don't help friends install M$ junk.
Now picture this: people apply the patch to fix this vulnerability. All fine and dandy. Now M$ releases their patch and the two collide. Now M$ gets to point fingers and state that OSS broke your system. Now, true, the source code is available. But do you think that the average person is going to look at the source, or will they believe the press releases?
Could this patch violate the licensing agreement and terminate M$ support for people's systems? Don't know, I really can't bear to read 15 pages of M$ legal crap.
I was thinking more along the lines that:
Many people claim MS is behind patching because closed-source doesn't allow 3rd-party patches
A 3rd-party patch fixes a vulnerability in IE
MS is able to announce that closed-sourcedness is not - in fact - so much of a hinderance to the patching process, and that the programming community at large seems to be able to get along regardless.
Just my line of thought, and maybe I'm a pessimist... but I wouldn't trust MS not to put their own spin on things.
The article is scarce on details. I'm wondering just how they did manage to patch things without possibly disrupting the functionality of IE... considering the closed-sourceness leaves one somewhat groping in the dark?
Haha, yeah, he bigum scared man. You not so bright.
Prove it now on Slashdot by creating a hyperlink with a url that will allow you to execute code on pcs with the patch. I mean, plenty of us have already installed it. Provide a url that will execute a "hello world" or something on our machines. Kinda like how their website demonstrates the current exploit.
Then nobody would have noticed the stack vulnerability, unless you had either a machine vulnerable to the original exploit, or a machine vulnerable to a new exploit as per being patched
:-)
Since it is open-source, however, somebody can fix that bug nice and quick before it becomes another problem (gee, imagine that).
Lack of foresight on the part of the patch developer is a bit disturbing, but not a bad reflection on OS code at all.
Great, now you just provided a link to fodder for countless grammar nazis who will surely follow in your footsteps. That site is completely irrelevant to discussion in a place like /., as the English language has evolved since that spoken in whatever period the author of that site would like us to go back to. This isn't a professional community, or even one upheld to any standards whatsoever, beyond that of peer review and response (and moderation). If several million people can understand each other when they use 'to beg the question' in that manner, then guess what, that's what it means now. Strict rules only work for dead languages. Many of the so-called errors on his page are so pathetically irrelevant that it should be either a joke, or a shrine to obnoxious grammar nazis the World over. Case in point: CD-ROM disc (or DVD disc); you shouldn't add the word 'disc' after because it's part of the acronym. The problem with that is that the acronyms have gained so much common usage that their symbols are all but forgotten. You tell someone to check their DVD, many would as soon check their DVD player as their DVD discs. Language is flexible and evolving, and there is no algorithm for determining the best way to communicate your thoughts to people. If 99.999% of the people can read and understand a phrase without thinking about it, then those 0.001% grammar nazis who take issue with it can be completely ignored. I, for one, think that people should be making up new words more often, even if perfectly good ones are available. That way, you could determine a person's age, community and location simply by the words they choose (not that you can't to a certain extent already). If everyone spoke perfect English, then you would lose one of the key methods of differentiating your community and social circle from others. Language barriers are defining characteristics of social communities.
If you think less of a person because they choose to speak a certain way, even though you perfectly understand what they are saying, then you are an elitist, judging people on irrelevant criteria (unless you're looking for an editor for your respectable literary project or whatnot). In summary, get over yourself, and learn to adapt, or forever be cast as the nit-picking asshole.
"I like systems, their application excepted", George Sand (French)
I am not trying to convince everyone to stop following their vendor's EULA's, I am merely conveying that the IT industry lacks accountability and Open Source is a solution to that lacking.
It is still very immature compared to, say, the procedures set in place by the SEC, but having several separate and competing companies vouch for the Linux kernel's stability and security is far more accountable than a single vendor (read: MS) vouching for the advantages of their closed-to-the-public code (btw, source that can't be compiled is like a balance sheet that doesn't balance).
Working for a corporation as a regular employee you must assume that everyone above you is doing the right thing, and all you must do is what you are told. However, a CPA or lawyer need not make these assumptions, because they risk their careers if they do, and it is understood that they are held to a higher standard (read: respect).
Maybe it is high time that IT "professionals" created their own legitimate profession in the better interest of society as a whole (long-term) versus working for that next paycheck (short-term).
Sorry if my bubble burst your reality.
Sdelat' Ameriku velikoy Snova!
the problem is that most volunteer testing of microsoft software is done on systems owned by one person, and 0wnz0r3d by the "tester" I like that Politically correct term for Cracker.... "Volunteer network security field test engineer"
Snowden and Manning are heroes.
Microsoft, in it's efforts to steer people away from FoxPro to Access, many years ago, decided to not bother patching some serious issues with FoxPro. What happened was there was a very poor piece of code that tried to figure out how fast your processor was when FoxPro started up, I forget exactly what it was for, but the programmer(s) made a small bug where if the processor was extremely fast, the value would be set to -1, and FoxPro would promptly crash. Worked fine for years until some of the new processors came out.
Anyway, Microsoft stalled on fixing this timing issue bug, so some smart fellow tweaked the exe file to fix it. Yeah, not even assembler, we're talking hex. Pretty damn cool.
Who modded this "insightful" instead of "funny"?
To those who modded this as offtopic, it wasn't. Maybe it was offtopic in regards to the story, however it was a correction to a previous thread that was offtopic. True, the grandparent is offtopic, but as far as my reply goes, it is on topic to the subject matter at hand. This post is technically offtopic, however it is necessary because too many people don't know how to use mod points correctly. If you mod the grandparent as offtopic then obviously anything underneath it will not pertain to the story, however the replies will be on topic to that thread.
-Steve
The trick there is, if M$ does allow it and (God be praised) endorses it, and it does fail, by then IE will be in such shambles from bad patches that people may be inclined to switch to something that works - and the /. community might have an opinion or two on that topic. . .
.
But if it works - then open source gets a leg up, M$ will have admitted needing help, and (possibly) eventually IE will *mysteriously* morph into Mozilla or the like.
The other option being that M$ will reject it as bad, and be forced to admit that a group who doesn't even have access to the code in question can patch faster than they can. .
I think I like all three, but then I remember I am running an M$-free environment. . .
Tough shit, now you know how the rest of us feel when the sheep mod us down for correcting linux zealotry.
This is indeed a big difference. Most people do look at the location bar rather than the status bar.
There's a saying for this: crap built upon crap.
There they allocate a string of 256 bytes, but never even bother to clean it up! I'm not even sure if that memory is going to be cleaned up when you close all the IE windows, since it's really a Windows system component ...[more scary windows stuff]
Seems like a combination of the lousy design of the Windows components coupled with using C. Long, long time since I've worried about destroy and the like, what with the availability of better languages like Java, etc. Granted once buffer overflows are a thing of the past, there will be new holes, but at least we will be moving forward.
But even that's not the worst thing. Their code actually contains a buffer overflow, allowing the attacker to execute code on your machine with the privileges of the IE process just by crafting an invalid URL link and getting you to click on it!
Good catch. So one security flaw fixed, opening up another flaw - a little embarrassing, except MSFT did the same thing a few weeks ago in their flurry of untested patches. But it does show the inherent advantage of open source in that *anyone* can review the code, and fix it, without resorting to messy hacks such as this.
To quote: "MS TRIES to make sure that their patches don't break 3rd party apps."
Bullshit! MS only tests for apps that have parent companies they get along with (also known as: they haven't tried to start a monopoly in that market yet). As a matter of fact they were convicted in court of releasing patches that BROKE third party functionality on PURPOSE.
Who ever modded you as insightful was an ass.
"Two things are infinite: the universe and human stupidity; and I'm not sure about the the universe." --Albert Einstein
Im trying really hard not to troll you, but do you work for MS or something ? 'cause if you do perhaps your time would be better spent making sure shit is patched than posting on /.
If you don't, perhaps you should stop saying you know what goes on inside their company. I have known people who have worked for MS, I have known people who worked for companies that were acquired by MS. All of these people say the same thing about patches and general releases: you go through a ton of yellow and red tape to get something done. This is why it takes forever for MS to acknowledge a bug, and then patch it, provided they don't deny it exists based on marketing crap.
"Two things are infinite: the universe and human stupidity; and I'm not sure about the the universe." --Albert Einstein
Several times, 3rd party volunteers have demonstrated the ability to test Microsoft's software more thoroughly than the publisher ever did.
and many, many, many times unscrupulous hackers have demonstrated their ability to find vulnerabilities better than Microsoft ever did.
Ahem - you have, of course, the data to back this up? I am looking specifically for the list of bugs Microsoft found and fixed internally before release and the list of bugs people external to Microsoft found and fixed for said release. It would also be nice to have an assessment of relative severity for those bugs.
Uhm - it's not open source (the licence states clearly that it cannot be redistributed). Read the source, Luke!
The thought police furthermore points out that the no-reboot install comes courtesy of the patch being a plugin for IE using the MS APIs to extend the browser and idly wonders if your extensive testing also alerted you to the fact that the patch phones home...
On a sidenote, reading the source, understanding what the patch does and how it does it and then re-reading all of the comments on this page results in the impression that there are a lot of contributors to Slashdot who'd do well to exercise a little more caution before posting.
...it could make a few good "In Soviet Russia" knock-offs. :-)
philcrissman.com.
Because they're a very large company with customers. And I've never had any issues with it. When something goes wrong in an MS product they have many many many people with deep pockets they have to answer to. This bug it's "fixing" isn't even a real issue. The only reason it seems big is from the unwarranted collective knee-jerk over the idea they're not getting a patch out in a "suitable amount of time."
Let he who has no bugs cast the first exception. Apache has still refused to fix their logging bug in the 2.x line. You have to use a 3rd party module and even that's broken. PHP fails to document the mysql_connect function properly, failing to mention there's a safe mode setting for it with a generic name that's undocumented except for its "default" setting, while also failing to tell you what it actually does.
As many have pointed out already, this so-called "patch" is trash. So I won't be using it. The people who wrote it don't have customers. If nobody uses it, or they screw some people over, it's no skin off their nose.
Google should take this idea and employ it in their toolbar. You can't copyright validating a string. I don't care that the Google toolbar is closed source.
If you're going to base you trust of things on whether or not they're "open" you should stop playing video games, using cell-phones, etc.
What crack were they smoking that they use a buffer size of only 256 characters? Apparently they're trying to be clever and "save" memory. Hello and welcome to 2003. 4KB, 8KB even 16KB and I don't think anyone would miss it.
http://slashdot.org/comments.pl?sid=89854&op=Reply&threshold=2&commentsort=0&tid=113&tid=126&tid=128&tid=172&tid=95&mode=thread&pid=7759990
139 characters. My bank site spits out URLs much much longer than that.
Not only is this story a complete waste of time but the "company" that wrote this patch has just earned themselves some of the worst publicity they could imagine.
Ben
Work Safe Porn
See the results when you submit this: http://www.openwares.org/cgi-bin/exploit.cgi?http://Nothing.com
A duplicate http:// is listed for the site.
Nonono... Fast-forwarding through commercials is stealing :)
Who needs WiFi when we can have Packet Over Sheep! http://datacomm.org/PoS-InternetDraft.txt
is not that freaking hard, people!
At least this simple type with C-style strings (char*) and fixed-size buffers.
Here's the rule:
Instead of using any of
strcat()
strcpy()
sprintf()
gets()
you use
strncat()
strncpy()
snprintf()
fgets()
The second set of functions all take a length parameter which is the maximum number of bytes that the function will copy. You don't have to worry about your source not being null-terminated, or being unusually long, because the function will not copy more bytes than you say it can. snprintf() (in C99) is especially cool because it returns the number of bytes it would have written if the length parameter were larger.
strncat() is still kinda annoying, because it copies N bytes, as opposed to using N as the overall size of the target buffer. So whereas in the other functions you just pass it the size of the destination buffer, with strcat you pass size of buffer - strlen(buffer). Still pretty easy.
Do not use strcpy, strcat, or sprintf with user-supplied input! And especially don't use gets()!
It really isn't that hard!
The enemies of Democracy are
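The bounded-copy rules from the two comments above (the complaint about strcpy()/strcat() into 256-byte buffers in IETray.cpp, and the strn*/snprintf() list), as an added C example that is not code from the Openwares patch. The 256-byte size is kept on purpose; the function names, the prefix string and the sample URLs are this example's own assumptions. It also shows the two places the strn* family still bites: strncpy() does not terminate when the source fills the buffer, and strncat()'s length is the room left after the existing string and its terminator, not the buffer size.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* Added example; not the Openwares code. URL_BUF matches the fixed 256-byte
 * buffers the thread complains about. */
#define URL_BUF 256

/* strncpy() pads with NULs but does NOT terminate when strlen(src) >= n,
 * so the terminator is always written by hand. Returns false on truncation. */
static bool copy_bounded(char *dst, size_t dst_size, const char *src)
{
    if (dst_size == 0) return false;
    strncpy(dst, src, dst_size - 1);
    dst[dst_size - 1] = '\0';
    return strlen(src) < dst_size;
}

/* strncat()'s n is the number of bytes to APPEND, not the buffer size:
 * dst_size - strlen(dst) - 1 leaves room for the terminator. */
static bool append_bounded(char *dst, size_t dst_size, const char *src)
{
    size_t used = strlen(dst);
    if (used >= dst_size) return false;
    size_t room = dst_size - used - 1;
    strncat(dst, src, room);
    return strlen(src) <= room;
}

/* Builds "<prefix><url>" into a fixed buffer, the shape of a "redirect to a
 * checking CGI" string. snprintf() returns the length it WANTED to write,
 * so a value >= dst_size means the output was cut off; a caller that ignores
 * it ships a silently truncated URL. Returns the length, -1 on error, -2 if
 * truncated. */
static int build_redirect(char *dst, size_t dst_size, const char *prefix, const char *url)
{
    int n = snprintf(dst, dst_size, "%s%s", prefix, url);
    if (n < 0) return -1;
    return (size_t)n < dst_size ? n : -2;
}

/* 1 if the unsafe strcpy()-into-URL_BUF pattern would overflow for this input. */
static int would_overflow(const char *url)
{
    return strlen(url) + 1 > URL_BUF;
}

int main(void)
{
    char buf[URL_BUF];
    char longurl[400];                      /* constructed: a 399-char URL */
    memset(longurl, 'A', sizeof longurl - 1);
    longurl[sizeof longurl - 1] = '\0';

    printf("short copy fits: %d\n", copy_bounded(buf, sizeof buf, "http://example.invalid/"));
    printf("long copy truncated: %d\n", !copy_bounded(buf, sizeof buf, longurl));
    printf("strcpy would overflow: %d\n", would_overflow(longurl));
    printf("redirect rc: %d\n", build_redirect(buf, sizeof buf, "http://checker.invalid/?u=", longurl));
    return 0;
}
```

The point a reviewer would make about the patch is the last function: a bounded call is only half the fix, the caller has to act on the truncation signal, since a URL cut at 255 bytes is a different URL.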
from the article:
"Vaunatian company, with branches in Israel, the US and France"
Does anyone else recognise the name of the country this firm is based in. This looks really really dubious. Anyone build the source and make sure it is the same thing as the binary?
The fact that it phones home URLs you access and it is based in Vanuatu (i'm guessing the article has a spelling error) ought to raise red flags.. Feel sorry for anyone who installed this.
The war with islam is a war on the beast
The war on terror is a war for peace
You do know that the "patch" is a spyware style CGI script to log your browsing habits?
Wrong. Try actually reading the source, and you'll see that's not what it is at all. I don't even use IE, so my reading through the source was very quick, yet I was even able to pick up on how it actually works.
Perl - $Just @when->$you ${thought} s/yn/tax/ &couldn\'t %get $worse;
WTF are you talking about? Where the hell does it say that?
-- Ed Avis ed@membled.com
// Terms of Agreement:
//
// By using this source code, you agree to the
// following terms:
//
// 1) You may use the source code, resource
// files for educational purposes only.
// 2) You MAY NOT redistribute this source code
// without written permission. Failure to do
// so is a violation of copyright laws.
// 3) The author of this code may have retained
// certain "additional copyright rights".
// If so, this is indicated in the author's
// description.
hmm... ::BeforeNavigateEvent (IETray.cpp)
In
It copies the string to a MBCS buffer, and scans for %01, %02, and %DA. If none of these exist, the rest of the function is skipped. Don't see how this phones home.
Of course, the string is malloc()ed but never free()ed... But that's another matter. That and for some reason they don't just use all-Unicode (use wcsstr() etc.)... What if I wanted to surf to a site with a character that is not in the current code page? (e.g., search for Japanese text on Google using an English O/S) (Note that IE has the option of always sending the URL in UTF-8, so it has to be able to deal with characters not in the ACP)
Here is a better patch, although it's a little larger.
It doesn't matter that there's corporate red tape if there's a problem. I don't care what your company's policies are as an end user; I don't work there. If your red tape is preventing my product from working properly, get rid of the red tape and fix the damn problem or I, as a customer, am finding a new product.
You do realize this patch phones home, don't you? Slashdot just advertised a piece of spyware. It phones home to validate every URL. Read the website.
The patch is open source. I don't even know if you are right in your statement but if you are, then download the source and change the way it works! Or live in fear...
Check the code again.
The only URLs that get sent to their servers are the ones that it's filtering out, ones that would normally exploit the bug. At the other end (granted, at least for now) is an IE-lookalike error message saying that the exploit was caught.
The first line before all that stuff involving redirection through their servers:
if (NULL != strstr(dest,"\2") || NULL != strstr(dest,"\1") || NULL != strstr(dest,"\218"))
It only matches URLs containing %01, %02, or %8F, which doesn't really "fix" the problem, but it's at least a workaround.
i 100% agree. its one of the reasons that i havent run any microsoft products in over 2 years on any workstation or server i own or admin.
"Two things are infinite: the universe and human stupidity; and I'm not sure about the the universe." --Albert Einstein
Is the "@-spoof" really a spoof? According to RFC2396, section 3.2.2 "Server-based Naming Authority", this is a feature of the URI and not a bug or a spoof.
Certainly it can be made to fool even an enlightened user, but isn't it wrong to cripple a browser's ability to adhere to the "Uniform Resource Identifiers (URI): Generic Syntax" RFC -- and even more so with spyware ;)
Browsing the "test page" at Openwares with my Konqueror gives me the spoof page. Good. That just means that Konqueror is RFC2396-compliant (but should i patch anyway? ;).
I first came across this "bug" about two years ago when i was forwarded an "authentic" page from Microsoft Support: Q209354 - HOWTO (mirror). It took me a while to realize that nobody at M$ was going to be fired for this type of creativity.
See The Reg for an article for some coverage -- although the host hwnd.net is off the net, so you can't really try to get spoofed.
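An added C example, not the Openwares code and not what any browser does, covering both the quoted strstr() check from IETray.cpp (which looks for the decoded %01/%02 bytes) and the RFC 2396 point in the comment above: it splits the server-based authority `[userinfo@]host[:port]` out of a URL, reports the host a client will actually connect to, and says whether the userinfo part hides a control character, which is what the spoof pages use to push the real host off the end of the address bar. The return codes, function names and sample URLs are this example's own assumptions; bracketed IPv6 hosts are not handled.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Added example; not the Openwares patch nor any browser's parser.
 * RFC 2396 3.2.2: authority = [userinfo "@"] host [":" port]. The authority
 * ends at the first '/', '?' or '#', and the '@' that splits it is the LAST
 * one inside the authority; everything before it is userinfo, which is the
 * part the spoof pages fill with a fake hostname. */

enum { URL_OK = 0, URL_NO_AUTHORITY = 1, URL_HAS_USERINFO = 2, URL_SPOOF_SUSPECT = 3 };

static int hexval(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    c = (char)tolower((unsigned char)c);
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

/* True if s[0..len) holds a raw control byte, or a %XX that decodes to one
 * (%01 and %02 are the sequences the quoted strstr() check looks for). */
static int has_control(const char *s, size_t len)
{
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)s[i];
        if (c < 0x20 || c == 0x7f) return 1;
        if (c == '%' && i + 2 < len) {
            int hi = hexval(s[i + 1]), lo = hexval(s[i + 2]);
            if (hi >= 0 && lo >= 0) {
                int v = hi * 16 + lo;
                if (v < 0x20 || v == 0x7f) return 1;
            }
        }
    }
    return 0;
}

/* Copies the host a client will really connect to (no userinfo, no port)
 * into host[host_size], always NUL-terminated, and returns a URL_* code. */
static int real_host(const char *url, char *host, size_t host_size)
{
    if (host_size == 0) return URL_NO_AUTHORITY;
    host[0] = '\0';
    const char *p = strstr(url, "://");
    if (!p) return URL_NO_AUTHORITY;
    p += 3;
    size_t alen = strcspn(p, "/?#");              /* end of authority */
    const char *at = NULL;
    for (size_t i = 0; i < alen; i++)
        if (p[i] == '@') at = p + i;              /* last '@' wins */
    const char *h = at ? at + 1 : p;
    size_t hlen = (size_t)(p + alen - h);
    const char *colon = memchr(h, ':', hlen);     /* drop :port */
    if (colon) hlen = (size_t)(colon - h);
    if (hlen >= host_size) hlen = host_size - 1;  /* bounded copy */
    memcpy(host, h, hlen);
    host[hlen] = '\0';
    if (!at) return URL_OK;
    return has_control(p, (size_t)(at - p)) ? URL_SPOOF_SUSPECT : URL_HAS_USERINFO;
}

int main(void)
{
    /* constructed sample URLs using reserved example hostnames */
    const char *samples[] = {
        "http://www.bank.example/login",
        "http://www.bank.example%01@evil.example/",
        "http://user:pw@files.example:8080/x",
        "http://h.example/?x=a@b",
    };
    static const char *names[] = { "ok", "no-authority", "userinfo", "SPOOF-SUSPECT" };
    char host[128];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int rc = real_host(samples[i], host, sizeof host);
        printf("%-42s -> %-16s %s\n", samples[i], host, names[rc]);
    }
    return 0;
}
```

Plain userinfo is reported separately from the control-character case, because, as the comment above says, `user@host` is legitimate RFC 2396 syntax and refusing it outright would break real sites; what a checker should key on is the combination of userinfo and bytes that only exist to hide the real host from the user.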
in Soviet Russia?
less is more
Summary: During 'patch' installation an autostartable update system gets installed and primed, according to the StartupCop Pro.
Details: Details about the 'Live Update' can be found in 'C:\Program Files\LIVEUPDATE' along with the appropriate links. As far as I noticed, in the 'patch' installation procedure there is no mention of Live Update. For me that's enough, together with the possible buffer overflows mentioned earlier.
Eventually here will be SIG
Marko Smalcelj
On a related topic, did anyone else notice that chrome-free popups are to be terminated in XP SP2 (announced yesterday)? They're a great technique for the site spoofers since you can have the whole shebang - genuine looking URL *and* a nice little SSL padlock. Simply use a screenshot of a real online bank as the background and stick your own HTML form on top to capture the login details. JavaScript aficionados can even make the address bar and toolbar work like the real thing, if they see fit. Thankfully the Russian mafia aren't that sophisticated...yet.
When I am king, you will be first against the wall.
Well that's hardly in the spirit! I have a proposed fix for this "patch" that you can find here:
IETrap.cpp
Diffs
So I've patched their patch, and violated their license agreement after they violated the Microsoft EULA. That makes me feel so recursive.
Don't people who know about the existence of this bug, know how to check whether a page is spoofed or not?
Imho I don't think this workaround will reach the potential victims of the Url parsing bug in IE. But still a good marketing stunt...
Poowpoowpo
Try the following patch to this "patch":
IETray.cpp
diffs
Unless it was Linux...
Of course not. But IE does have a documented api that allows you to put your own plugin into the functionality of IE.
So just as some addons block requests for new pages to be opened (popupblockers) or send all your surfing behaviour to a central server (spy programs) it is very easy to add a little program to perform some checking on the url.
That is all this does. Check the URL for the offending characters and IF it finds these, and ONLY if it finds these, it sends you to their site which displays a warning message.
Why does it send you to their site and not simply popup a warning message? Well perhaps to gather data on the current number of exploits out there. If MS in future will spew some fud then they can simply show their server logs to prove that the patch served a real need. Or not of course. Anyone know of the bug being exploited?
Oh and WAHAHAAAHAHAHA MS OWNED!!!
And to the MS apologists. Don't worry, weekend is almost there, you can recharge again while the rest of us are sick with cramps from laughing to much.
MMO Quests are like orgasms:
You may solo them, I prefer them in a group.
You should use MyIE2 instead, http://www.myie2.com Fixed "IE URL Spoofing Vulnerability" problem. You also get the following: Tabbed Browsing Interface Mouse Gestures Super Drag&Drop Privacy Protection AD Hunter Google Bar Support External Utility Bar Skinning What else could you ask for?
Yeah those damn commies. Why can't they just release a patch that repairs the binary iexplorer.exe eh?
This is actually a patch in the normal world. Think as in patching a punctured tire. You put on a piece of rubber until you can have the tire replaced properly. A workaround to a busted tire would be to take the load off it. Both are not as nice as repairing the tire but it is better than being stuck for a month while your mechanic gets off his lazy arse.
I think you are looking for the word FIX. MS is supposed to FIX it but in the meantime these guys have released a PATCH which is a hell of a lot better than having to do the WORKAROUND of checking all URLs in notepad or something. (hard to do if the URL is generated with javascript).
So no they didn't fix or repair Internet Explorer. They are coders, not god. They did however provide you with a working patch. Since you are commenting on the use of function I presume you can read code. I think it provides a good patch that will get you home until it can be properly repaired.
Oh and at least they PROVED to you that the code works by allowing you to read it for yourself. Wanna bet that MS just expects you to take their word for it?
I am against words getting a new meaning just because computers are involved. YES I am anal. Some of us need to be.
As for how this is done? Same way as all the IE plugins. All those bars you see and popup blockers? Same thing.
According to Heise Security (www.heise.de) this patch actually builds up bigger security holes than it repairs.
In German:
http://www.heise.de/newsticker/data/dab-19.12.03-002/
Actually they also have a test for those who already patched their systems with this:
http://www.heise.de/security/dienste/browsercheck/demos/ie/e5_18.shtml
So do not use this patch!
oh no, not really.
It's just some time taken for coding and testing without telling anybody so that in the end, it looks like it took less time to patch !
With that aggravating beauty, Lulu Walls.
That said, I'm not real impressed with this "patch" - there's a lot of use of C-style string work in a C++ file, which is silly, and more than that it's not even safe use of C strings - the concatenation of the URL together involves just using strcat() (not even strncat()) without any sort of length or sanity checking on the buffer.
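As an added illustration (my own code, not the Openwares patch's) of what a bounded version of that concatenation looks like: a C helper that refuses any URL that will not fit its 256-byte buffer, next to the kind of %00/%01-before-'@' check such a plugin performs. The 256-byte buffer size is taken from this thread; the function names and sample inputs are my own.

```c
#include <string.h>

/* Fixed buffer the joined URL goes into; 256 is the size debated in this
 * thread. sizeof(char) is 1 by definition, so 256 bytes holds 255 chars. */
#define URL_BUF 256

/* Bounded replacement for the unchecked strcpy()/strcat() the comment
 * criticises. Returns 0 and fills out[] if a + b (plus NUL) fits, else -1
 * and leaves out[] empty instead of half-written. */
int join_url_bounded(char out[URL_BUF], const char *a, const char *b)
{
    size_t la = strlen(a), lb = strlen(b);
    if (la > URL_BUF - 1 || lb > URL_BUF - 1 - la) {  /* no size_t wraparound */
        out[0] = '\0';
        return -1;
    }
    memcpy(out, a, la);
    memcpy(out + la, b, lb + 1);                      /* +1 copies the NUL */
    return 0;
}

/* Constructed input: joins host with a path of n 'a' characters (n < 400)
 * and returns the joined length, or -1 if the bounded join refused it. */
int joined_len_with_path(const char *host, size_t n)
{
    char path[400], buf[URL_BUF];
    if (n >= sizeof path) return -2;
    memset(path, 'a', n);
    path[n] = '\0';
    return join_url_bounded(buf, host, path) == 0 ? (int)strlen(buf) : -1;
}

/* The check such a plugin does: flags a %00 or %01 escape before '@' in the
 * authority, the pattern that makes IE's address bar show the wrong host. */
int url_has_spoof_marker(const char *url)
{
    const char *p = strstr(url, "://");
    const char *auth = p ? p + 3 : url;
    const char *end = strpbrk(auth, "/?#");           /* authority ends here */
    const char *at = strchr(auth, '@');
    if (!at || (end && at > end))
        return 0;                                     /* no userinfo part */
    for (const char *q = auth; q + 2 < at; q++)
        if (q[0] == '%' && q[1] == '0' && (q[2] == '0' || q[2] == '1'))
            return 1;
    return 0;
}
```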
I may just be totally paranoid, but what's to prevent this site from being totally spoofed? Is there a validation checksum published for a valid patch file? CHK
And did someone fix this bug in Mozilla yet? Mozilla 1.5, last I checked, was vulnerable to half of this bug. The address bar at the top of the screen would display the correct full address, however hovering over a link would stop at the %00.
malloc(256*sizeof(char))
LOL! Someone needs to tell whoever wrote that code that sizeof() returns a value in terms of chars - that is, sizeof(char) is 1 by definition!
Visit any Windows anti-virus site for a complete list of the many, many vulnerabilities exploited in Windows. I'll even give Microsoft a break and say eliminate all those that require the user to actively execute an attachment to e-mail. That should only leave several thousand exploits to wade through!
I am looking specifically for the list of bugs Microsoft found and fixed internally before release and the list of bugs people external to Microsoft found and fixed for said release. It would also be nice to have an assessment of relative severity for those bugs.
The only people with that kind of information work at Microsoft. I suggest you talk to them. What's that you say? They aren't listening and they aren't talking... gotta wonder why.
Not bullshit. Ask any MS QA tech. Also apps that have parent companies they get along with are still 3rd party apps.
Geek used to be a four letter word. Now it's a six-figure one.
Actually, I don't work for MS, but I have many friends who do, most of whom started out in QA (they are jokingly known as cyberentomologists, but perhaps that is a standard industry term for bug finder). So yes, I have some pretty intimate knowledge of what goes on there. Though I shouldn't expect the typical /. crowd to believe that some huge corporation might actually TEST their software because it is in their own best interest.
Just right-click on the link and select "Open in new Window", this will take you not to the spoofed site but to the site that is displayed on screen. This vulnerability is over-rated and nowhere near as critical as one might think. Plus if you install this "patch" and it fux0res your boxen who are you going to complain to? MS won't help as you screwed the pooch yourself; the author of the patch is under no compulsion to fix anything or even help.
I for one call this bad juju.
So the old mantra of "Dos isn't done until Lotus won't run" has been completely wiped out of MS' corporate consciousness?
Sigh. Ok, let me spell this out. The previous contributor intended to point out that the statement in the comment before was utterly uninformed - it claimed that a particular relationship existed between bugs found and fixed internally and bugs found and fixed externally. In order to be able to make such a statement, certain information would be required. This information is, as you point out, not publicly available. Therefore, the information content in the original post is a simple opinion - the post is in fact just noise.
No, not if they're using strcat on potentially malicious URLs.
how many people can read this code ?
They just read IE patch, download and install it. It's Free OSS.
Then they install a piece of spyware promoted by slashdot.
If they dare complain about it, some asshat like you tells them "Just read the code, it's obvious it's spyware".
OSS just lost another potential customer because of that. Thank you, please don't come again.
I laughed out loud. A little noise is a good thing, from time to time.
Hey guys, I'm here at my office running on a Win2k machine, with IE 6.0.2800.1106. I just installed the patch then tested it against the proof of concept code at this location and the exploit still worked for me. The code went through, and did display www.microsoft.com in the address bar as it should have.
I'm not sure if anyone else is having luck with this patch working or not. Maybe I did something wrong? But for my initial test, it failed for me. Proof of concept code was located through Bugtraq.
The /. community educated this guy. Seems fair to me.
The previous sig has been removed due to
Yep, better string handling. Always good.
But I was wondering... buffer overflows are a problem because we have a descending stack - i.e. as you add stuff, the stack pointer moves backwards through memory - so the return address and other data is always located just in front of any local data.
What is the reasoning behind the use of a descending stack? Is this a legacy from a hardware or software decision? Is there anything we would lose by having an ascending stack, which would make overflow exploits a lot more difficult? Anyone know?
Looks like Opera 7 has this vulnerability too!
It phones home? Horrors! I thought that was copyrighted by Microsoft as a feature of XP.
Which website states this? If you are failing to comprehend what it says on heise.de, I'll explain: When it gets a redirect URL, it sends the URL to a CGI script so it can show the operator (you) how you are being redirected. This CGI script has to reside somewhere, so it is on their server.
So why is it ok to use an OS that spys on you and not use a patch to fix that OS?
You must just be overly critical that a bunch of unorganized unwashed hippies fixed the mistakes made by a bunch of organized unwashed yuppies.
Check the source if you mistrust it. Or better yet, stop using IE and your problems are gone. Or shut up, and wait till longhorn fixes all of these problems.
Agreed. Wouldn't it be nice if a bunch of us Slashdotters got together and re-worked the code to be 'nicer' and cleaner?
In fact, that type of work would really make the open source community look like good guys instead of whiners*. This is a chance to show the world that we care about the code, not just about us versus M$FT. We can clean up their stuff too.
* Face it, the media has fun making fun of the Open Source community and the general non-tech public (and PHBs) see the Open Source Community as a bunch of long-haired whiny psychos.
Just point your browser to http://www.openwares.org/cgi-bin/exploit.cgi?unknown&unknown to see the page.
how many people can read this code ? They just read IE patch, download and install it. It's Free OSS.
Then they install a piece of spyware promoted by slashdot.
If they dare complain about it, some asshat like you tells them "Just read the code, it's obvious it's spyware".
OSS just lost another potential customer because of that. Thank you, please don't come again.
The OSS community checks the source so your average user does not have to learn to read code.
Now Microsoft releases a patch and Ziff-Davis, CNN, InfoWorld et al promote it and it installs more vulnerabilities than it fixed. But NO independent audit of the source code ever happens. Yet you trust it! Why is that? Is this because of Microsoft's proven security track record or its world-renowned record for customer service?
OSS did not lose a customer in you, you are obviously a Microsoft user for life.
Heavy sigh...
I am the original poster. Let me spell this out.
Microsoft tests their product before they release it. Hackers discover vulnerabilities by testing for them. If hackers can find vulnerabilities that Microsoft has missed, then they are better at finding them than Microsoft is. The numbers do not make any difference.
How do I uninstall this piece of shit??
The best news of all -- the best part of it, is that Openwares has raised the bar -- now Microsoft, too, can install spyware in its security patches.
They did not patch IE itself, they just created an IE Tray COM interface & binary (OpenwaresIEPatch.dll) and registered it to IE.
So to remove it use the register server utility (regsvr32.exe) that is installed in your system32 directory.
From cmd, cd into the patch dir, ie: "C:\Program Files\Openwares IE Security Patch" (at least on my VMWARE snapshot test of the install) and perform "regsvr32.exe /u openwaresiepatch.dll"
There is an uninstall.exe in that directory but I did not run it, nor have time to trace it to determine it really unregisters the COM server, deletes the patch, ... or does something else ;-)
And once you have unregistered it, then you can delete their directory...
Maybe /. should also post how to uninstall this?
I don't know what Patrick did "wrong" when he put up the IE spoof info page at http://www.netsquirrel.com/spoof/ -- but try it with Mozilla. I found that Moz sees the spoof as only the first part of the URL (same as IE sees) plus a nonprintable character block (where in IE, if you're very observant, you might notice a space). Moz does NOT display the entire URL, tho.
Netscape3 still displays the whole URL in the proper old-fashioned way.
~REZ~ #43301. Who'd fake being me anyway?
Anyone (with or without an axe to grind) unfortunate enough to have to use MS software actually does.
If opportunity came disguised as temptation, one knock would be enough.
3^2 * 67^1 * 977^1
The patch silently installs automatic updating software in the directory.
C:\Program Files\LIVEUPDATE\
and associated registry keys:
HKEY_LOCAL_MACHINE\SOFTWARE\OpenSoft
(The docs for liveupdate indicate a dialog box will prompt you at least. I disabled it anyway. Isn't installing software fun people?)
You didn't have to ; you're supposed to keep your fingers crossed if you want something to happen.
[Insert pseudo-intellectual anti-Amerikan/pro-socialist sig here]
A business that likes money. As everyone knows, time is money, and if MS thinks it has put enough time into testing, it will release the patch, perhaps a bit prematurely.
Your entire argument about why they take so long to come out with a patch would be a lot more convincing in a universe where MS had actually said they plan to patch this bug *at all*....
Don't you wish your girlfriend was a geek like me?
Though I shouldn't expect the typical /. crowd to believe that some huge corporation might actually TEST their software because it is in their own best interest.
It seems that people aren't so much disputing that the software is tested, but rather maintaining that...
1) The job of testing the stuff is much more difficult than it should be, due to poor design.
2) MS's priorities wrt testing interaction with 3rd party apps are not necessarily written based on what will best benefit users.
3) Whatever problems there are in the process of testing, identifying bugs, and getting fixes are internal issues that MS needs to address, and are no excuse for the largest software company in the market.
Sure, they test. Yes, testing (to some degree) is in their best interest. But that doesn't mean that everything that needs testing gets testing, or that bugs get fixed in anything like a timely manner. And these problems are *not* the responsibility of the end user to put up with... they're internal issues Microsoft would do well to address.
But we all know that they ARE patching IE,
I don't... last I saw they're still not sure if they're going to fix this bug. Do you have a link?
> It's a good thing these guys aren't on the real IE dev team.
Hmmmm. Just how clever _is_ the real IE dev team ?????
Trust is one issue, but this is a Good Thing. Put a disclaimer on it that says it's NOT part of the company, etc etc. The fact is that a simple code review pointed out very quickly that this code was buggy and had its own exploits.
The same thing may be happening with Closed source patches and we will never know until the NEXT patch gets released and then we just "Trust Microsoft" to fix it again.
I hope that with all these people pointing out the flaws in the software at least one person will be able to fix them and release it again for public review.
Imagine if the next exploit code for some commercial not only included the exploit, but an "open source" type patch to detect such things were happening.