Open Source Firm Releases Patch for IE Bug [UPDATED]
An anonymous reader writes "An open source and freeware software development web site has released a patch to fix the URL spoofing vulnerability in Internet Explorer, which can be exploited by scammers who try to trick people into revealing details of online banking accounts or other private information." Naturally, the source for the patch is available as well. Update: 12/19 15:06 GMT by M : Sadly, the patch appears to contain a buffer overflow and some possibly-malicious code - see an analysis and news story, and this comment which suggests the patch author is trying to figure out who is taking advantage of the original vulnerability. Caveat patcher.
In other news....M$ slams a DMCA lawsuit for "hacking".
Life is not for the lazy.
trust OS people to fix what M$ can't find profit for!
It's called Mozilla/Firebird.
So, there is an open source patch for a browser that the people who would have heard of the patch wouldn't use. The /. readers ought to be using Mozilla and they know it; if they aren't using Mozilla, they probably will not install the patch either.
the people that would likely be fooled by this haven't heard of mozilla and haven't heard of open source and will not hear of this patch.
so this patch is pointless
(cool that it can be done though)
Why should I trust this? Yeah, the source code is available, that's great. I'm not a programmer so it's meaningless to me. Without the MS seal of approval I won't be installing this. It's so damn sketchy.
Support the First Amendment. Read at -1
How do you patch closed source code?
By violating the EULA by disassembling IE?
Lovely. I want Bill Gates poking around my sock drawer because I installed an unauthorized patch...
A third party releasing a patch to a browser. How safe is this?
Yes the source code is there, but how do we know the executable doesn't have crap in there?
Even if everything is clean now, how about the next patch from another source?
(Not even saying anything about testing and how it can break something. They don't even have the source code of the original product.)
The surprise isn't how often we make bad choices; the surprise is how seldom they defeat us.
Does applying a third party patch violate the EULA for IE?
A Better solution:
Use Mozilla Firebird
Pretty sure this makes Microsoft look really inept. I mean, if the largest and richest software company in the world can't patch their own products before a group of volunteer coders can figure out a fix ... seems to me that makes M$ look like fools.
My US$0.02, unadjusted for inflation of course.
this is good in the short run, but bad in the long run
people voluntarily patching M$ products will lessen the pressure on M$ to write code with fewer bugs in the first place. Also without knowing the source code, reverse engineering the program and writing patches is risky at best: who knows what this patch might break after extensive testing.
Also: when (and if) M$ actually releases a *real* patch for the problem, how will that work with this open source patch?
I can tell you this: It doesn't surprise me that Microsoft isn't doing its job properly. It's a software company. It should produce a reliable product. But instead, it produces trouble.
Further, it doesn't surprise me that the open source community is fighting back, so to speak, by fixing this particular problem. I think that as time goes by, more patches for commercial software will be released by independent programmers in the open source community, because of frustration with the inability to get satisfaction from the "real" producer of the software.
I only hope that Microsoft won't pull some stupid DMCA bullshit to stop this. "Yeah, your honor, we believe it is detrimental to the best interests of our customers when bugs in our software are fixed. It should, instead, be illegal to discuss, fix, or exploit these bugs in any way, unless one is a member of the underground h4x0r community, in which case, exploiting the bugs is perfectly ok." (We all know Bill Gates is the leader of all these movements to steal credit card numbers through exploits in his own code. That's how he earned his zillions of dollars. Nobody actually buys stuff from Microsoft, you know.
I don't have any idea why MS decided to wait until next year before fixing something which is otherwise a severe security issue. I guess everyone is just led to believe that MS simply doesn't care if your PC gets hacked, because then they can go around and pass the buck to spammers and charge people for an upgrade or support.
I think this patch release makes more of a political statement, regardless of the issues surrounding whether an OSS company should be putting out patches for proprietary products.
READY.
PRINT ""+-0
this is the whois record for that domain from whois.networksolutions.com:
Domain ID:D98313967-LROR
Domain Name:OPENWARES.ORG
Created On:03-Jul-2003 22:49:55 UTC
Last Updated On:02-Sep-2003 03:58:23 UTC
Expiration Date:03-Jul-2004 22:49:55 UTC
Sponsoring Registrar:R14-LROR
Status:OK
Registrant ID:WBMRD
Registrant Name:ori rejwan
Registrant Street1:52 Herbert Samuel St.
Registrant City:Tel Aviv
Registrant State/Province:NA
Registrant Postal Code:63304
Registrant Country:IL
Registrant Phone:+1.97250314892
Registrant Email:orejwan@yahoo.com
Admin ID:WBMRD
Admin Name:ori rejwan
Admin Street1:52 Herbert Samuel St.
Admin City:Tel Aviv
Admin State/Province:NA
Admin Postal Code:63304
Admin Country:IL
Admin Phone:+1.97250314892
Admin Email:orejwan@yahoo.com
Tech ID:AD384-ORG
Tech Name:Mohammed Zarqa
Tech Organization:Tri State Contracting
Tech Street1:POBox 455
Tech City:East Brunswick
Tech State/Province:NJ
Tech Postal Code:08816
Tech Country:US
Tech Phone:+1.7322383766
Tech Email:mzarqa@aol.com
Name Server:NS2.ABAC.COM
Name Server:NS1.ABAC.COM
It's up to you to decide whether you trust them or not.
Using HTML in email is like putting sound effects on your phone calls. Just say <strong>no</strong>.
I guess you don't invest in any stock then . . .
Being open is not for your benefit because you have any clue how things work. Being open allows objective 3rd parties who have a clue to give an opinion on the matter so that the clueless masses (though shrinking everyday) can make a decent decision. To benefit to you is indirect, but it is a real tangible benefit, nonetheless.
Now, objectivity and expertise to you might simply be synonymous with "MS," but if the financial market were that naive I doubt we would have ever recovered from the great depression . .
Hope my reality wasn't too harsh for your bubble.
Make America Great Again!
This patch apparently intercepts the badly-formatted URL and then forwards you to the patch maker's website.
It would be more efficient, safer, and simpler (no need to do any patching) to implement a similar solution using a proxy like Privoxy. The proxy (installed on your local machine or LAN) would then be used to intercept the badly-formatted URL, and replace it with its own locally generated warning page (again, similar to Privoxy).
I think Privoxy is OSS. Maybe someone could whip something up.
Judging from the source it's a quite simple COM object, which hooks into IE and checks URLs before IE actually starts "processing" them (opening connections, parsing...)
If it finds anything out of the ordinary (like an exploit) it just redirects IE to their own site. Specifically to http://www.openwares.org/cgi-bin/exploit.cgi. It adds a few parameters (the fake URL among others), so I guess they will be building a database of exploiters...
It's no patch, IE stays as it is. It's more a workaround. I'm not sure whether these hooks are documented (although being a Windows system programmer I never liked IE and stayed as far away from it as possible), but if yes, Microsoft might actually have nothing on openwares...
Words cannot express how much I wouldn't apply this patch.
"I don't know about you, but I prefer that the URLs I go to not be sent to some random server out there. Isn't this basically the definition of spyware!? Also, what happens if their server goes down? Does that mean I'm unable to browse the web at all?"
I don't know why you're worried, Google is already tracking everywhere you go.
The time it takes to patch the problem is minuscule compared to the regression testing done to make sure the patch fucks up as little as possible. They test EXTENSIVELY and even so you still get the occasional patch that interacts with other software in ways you can't predict and breaks something. It happens. Any code monkey could hack out a patch, but I know damn well they haven't tested this as much as a corporation supporting 90% of the world's browser users would. That's where the time is, so quit bitching about how long it takes to release a patch. Now, the time it takes to ACKNOWLEDGE a bug is a different story....
Geek used to be a four letter word. Now it's a six-figure one.
The concept is great, but as others have already mentioned, the implementation is godawful. It submits every URL to a CGI script on their website then redirects you based on whether or not the URL is valid. This is incredibly bad, because: 1) Who are these people? Can you trust them? How about when you type in a FTP/HTTP URL that has your username and password in it? 2) What happens when their server goes down? Your web browser doesn't work? Again...nice idea, but wow. You really couldn't think of any better way to do it? Go get Opera, or Mozilla if you want a free browser.
LOAD "SIG",8,1
While I don't think any reverse engineering took place here, I don't think it would be illegal.
EULAs are not contracts; you did not sign anything, and EULAs cannot override the laws of that country. If reverse engineering is legal, then no amount of draconian wording or clicking on "I Agree" can change that. So if the EULA prohibits me from backing up my copy of Windows (as an example), yet the copyright laws of the country (Canada, in my case) specifically permit me one backup copy, then I am allowed: 1 backup copy.
Some types of reverse engineering are prohibited, like hacking copy protection (as it's covered by the lovely DMCA). But there are efforts to reverse engineer other MS products, like the MS Word format or NTFS, and I don't think those are coming under fire. (MS might try to obfuscate or change the formats rapidly, but the very process of RE is not illegal.)
IANALBISLTPOOT (I am not a lawyer but I'd sure like to play one on TV!)
The time it takes to patch the problem is minuscule compared to the regression testing done to make sure the patch fucks up as little as possible.
If Microsoft employed better software design, IE wouldn't be entangled with the whole OS, and their testing workload wouldn't need to be so extensive.
I know damn well they haven't tested this as much as a corporation supporting 90% of the world's browser users would
Several times, 3rd party volunteers have demonstrated the ability to test Microsoft's software more thoroughly than the publisher ever did. (Server software though, which can be easily tested by software, not the browser)
Well, this is hilarious. I guess I should never assume anything until I try it out myself. Apparently when WideCharToMultiByte() fails, it DOES overwrite your string, but presumably does not go over the specified bounds. So their code is still vulnerable to remote code execution since you can fill the dest[] array with the shellcode and a new return address that would point to it. You only have 256 bytes to work with (in reality even less, since they have some other stuff on the stack that you need to get over before you get to the return address), but if you are good with assembly, that should be enough to do some fun stuff... In comparison, Slammer was 306 bytes in size, but of course did quite a bit too...
If your software is so tangled in intertwined components that a patch for an issue this simple would conceivably break something elsewhere on your system, then your terrible product design is the concern, not the QA.
If Microsoft employed better software design, IE wouldn't be entangled with the whole OS, and their testing workload wouldn't need to be so extensive
Even if IE wasn't entangled in the OS, there's still a shitload of testing to do. Also, MS TRIES to make sure that their patches don't break 3rd party apps. How many other companies do you know that do that? I'm not saying they always succeed at that, but they try, since it is in their own best interest. They don't need the whole world thinking their patch sucks because it broke some spyware/hotbar/whatever else IE add-in.
Several times, 3rd party volunteers have demonstrated the ability to test Microsoft's software more thoroughly than the publisher ever did. (Server software though, which can be easily tested by software, not the browser)
Yes, any one with an axe to grind with MS can spend the majority of their adult life testing MS software in order to break it and find flaws. In fact, many security companies make their living doing this. However, MS is a business. A business that likes money. As everyone knows, time is money, and if MS thinks it has put enough time into testing, it will release the patch, perhaps a bit prematurely. It happens. Hell, for all we know, MS may wait for someone else to find the bugs so that they don't waste time and money on it! It's unlikely, but it would be smart business. Also, if you are suggesting that software testing would catch all the problems, you'd be mistaken. Who is to say the software checking the software doesn't have a few bits loose? Adding to that, it is impossible (in hardware, software, or otherwise) to predict every interaction code will have due to all of the 3rd party apps out there.
Geek used to be a four letter word. Now it's a six-figure one.
Umm...I don't know if you've ever done any patching, but usually you can tell by the broken code and the new code what areas to generally look at for incompatibilities. Most calls made shouldn't really be changed and the original code should be left untouched as much as possible. If so much of the code is a problem that you literally have to test the whole system, oh well, that's sloppy coding and it's their fault. On Debian, security patches keep as much of the original code as possible and the rules on what can be changed in the code are fairly strict. Despite this, security patches are always released promptly and people can have the assurance that their systems will remain stable and won't be broken. MS doesn't really have an excuse. Hell, if they opened the code I'd do the patching for them. Just my 2 cents.
-Steve
I always thought it was a better choice for someone "FED UP with Windoz bugs" to use something else. If we ever want Linux to significantly cut into the MS dominance on the desktop, wouldn't it be prudent NOT to improve MS products? Not only did the firm open themselves up to some DMCA litigation, but they also played a little part in perpetuating the MS monopoly.
This patch uses strcpy()/strcat() and 256 char buffers instead of dynamic buffers and strncpy()/strncat() in IETray.cpp.
FOR THE LOVE OF GOD/ALLAH/BUDDHA DON'T USE strcpy()/strcat()/gets() !!!
These functions ought to be made illegal. This is why buffer overflows exist, because amateur coders generally don't know what they're doing and because they don't grasp the security implications of design decisions. Be warned, users[ESC]bcwidiots herd together.
-- Naive C programming will get you everywhere, it appears, even if you don't have a clue.
The biggest trick the devil pulled was letting lawyers become politicians so they can write the laws.
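Two technical points run through the thread: the earlier description of the COM hook that inspects a URL before IE processes it (and the later remark that the redirect only fires when the string contains bytes with the values 1, 2 or 218), and the complaint just above about strcpy()/strcat() into 256-character buffers in IETray.cpp (and the earlier note that dest[] can still be filled past the return address). The following C program is an added example written for this page; it is not the openwares patch and not code from any poster. It makes the spoof decision entirely locally, so no URL leaves the machine, flagging the byte values the thread names (raw or percent-encoded) when they appear in the userinfo before an '@'; and it copies the real host into a fixed 256-byte buffer with an explicit bound, refusing an over-long URL instead of writing past the end of the array. The URLs and hostnames in it are constructed for the example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define HOST_BUF 256   /* the buffer size the thread says the patch uses */

/* Value of a hex digit, or -1 if c is not one. */
static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    c = tolower(c);
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

/* Read one byte of the URL at *p, decoding a %XX escape if present, and
 * advance *p. Returns the byte value, or -1 once *p has reached end.
 * A %XX never straddles end, so *p can never jump past the '@'. */
static int next_url_byte(const char **p, const char *end)
{
    if (*p >= end) return -1;
    unsigned char c = (unsigned char)**p;
    if (c == '%' && end - *p >= 3) {
        int hi = hexval((unsigned char)(*p)[1]);
        int lo = hexval((unsigned char)(*p)[2]);
        if (hi >= 0 && lo >= 0) {
            *p += 3;
            return hi * 16 + lo;
        }
    }
    *p += 1;
    return c;
}

/* Bytes a browser renders as nothing, so they have no business in the
 * userinfo: the three values named in the thread, any C0 control, DEL. */
static int is_hidden_byte(int b)
{
    return b == 1 || b == 2 || b == 218 || (b >= 0 && b < 0x20) || b == 0x7f;
}

/* Locate the authority "userinfo@host" of url: userinfo is [*auth, *at),
 * the real host is [*at + 1, *auth_end). Returns 0 if there is no '@'. */
static int split_authority(const char *url, const char **auth,
                           const char **at, const char **auth_end)
{
    const char *scheme = strstr(url, "://");
    if (!scheme) return 0;
    *auth = scheme + 3;
    *auth_end = *auth + strcspn(*auth, "/?#");
    *at = memchr(*auth, '@', (size_t)(*auth_end - *auth));
    return *at != NULL;
}

/* 1 if hidden bytes sit in the userinfo before '@' (the spoofing pattern),
 * 0 otherwise. Decided locally; nothing is sent to any server. */
int url_looks_spoofed(const char *url)
{
    const char *auth, *at, *end;
    if (!split_authority(url, &auth, &at, &end)) return 0;
    const char *p = auth;
    int b;
    while ((b = next_url_byte(&p, at)) != -1)
        if (is_hidden_byte(b)) return 1;
    return 0;
}

/* Copy the host IE would really connect to (after the '@') into out, a
 * buffer of cap bytes. Returns the host length, or -1 when it would not
 * fit. strcpy(out, at + 1) would write len + 1 bytes whatever cap is;
 * this check is the one the thread says the patch never makes. */
int real_host(const char *url, char *out, size_t cap)
{
    const char *auth, *at, *end;
    if (!split_authority(url, &auth, &at, &end)) return -1;
    size_t len = (size_t)(end - (at + 1));
    if (cap == 0 || len >= cap) return -1;   /* leave room for the NUL */
    memcpy(out, at + 1, len);
    out[len] = '\0';
    return (int)len;
}

int main(void)
{
    /* Constructed sample URLs; the hostnames are placeholders. */
    const char *spoof = "http://www.example-bank.com%01@other.example/login";
    const char *plain = "http://www.example-bank.com/login";
    char host[HOST_BUF];

    printf("%s -> %s\n", spoof, url_looks_spoofed(spoof) ? "SPOOF" : "ok");
    if (real_host(spoof, host, sizeof host) > 0)
        printf("  would really connect to: %s\n", host);
    printf("%s -> %s\n", plain, url_looks_spoofed(plain) ? "SPOOF" : "ok");
    return 0;
}
```

The warning page a local workaround shows should name the host returned by real_host(), since that is the server the browser would actually have contacted; when real_host() returns -1 the URL is simply refused, which is the whole difference from an unchecked copy into a 256-byte array.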
Then nobody would have noticed the stack vulnerability, unless you had either a machine vulnerable to the original exploit, or a machine vulnerable to a new exploit as per being patched
:-)
Since it is open-source, however, somebody can fix that bug nice and quick before it becomes another problem (gee, imagine that).
Lack of foresight on the part of the patch developer is a bit disturbing, but not a bad reflection on OS code at all.
We all know about Dijkstra and "Goto considered harmful". But do you know about Linus?
See the kerneltrap article for more detail on that. Since I program mostly using exceptions, I haven't really formed an opinion on this yet.
cheers,
AdHoc
Why would Microsoft use this code in their patch? This patch code is based upon readily available IE COM interfaces which allow add-on IE programs to interact with browser operations. In fact, this patch simply checks the URL for the vulnerability every time you navigate to the page. If the vulnerability is found it instead navigates to: http://www.openwares.org/cgi-bin/exploit.cgi?A&B where A is the spoofed URL and B is the actual URL. Microsoft would fix this vulnerability in the actual IE code, not in a bolted-on module like this.
You do realize this patch phones home, don't you? Slashdot just advertised a piece of spyware. It phones home to validate every URL. Read the website.
The patch is open source. I don't even know if you are right in your statement but if you are, then download the source and change the way it works! Or live in fear...
Uh... you may want to try and understand the code first, particularly this conditional statement:
Only if that condition is matched -- the string contains bytes having the integer values 1, 2, or 218 -- do you get redirected to their server. Nice troll attempt though.
Want to improve your Karma? Instead of "Post Anonymously", try the "Post Humously" option.
Referring any sites to their servers IMO is a privacy violation. What if Microsoft did this? You'd be all over them.
Why do they NEED to know which sites are trying to scam? Are they planning to go shut them all down?
They also make no direct reference on their main page that they are redirecting all invalid URLs to their own page. There is ALSO no proof that in a few weeks all those error codes will redirect the users to an ad served page/MSIE future bug trojan downloader site. Of course this is 99.9999% not the case. But it makes you wonder, do all of you REALLY trust a site you've never heard of to fix MSIE bugs?
Well that's hardly in the spirit! I have a proposed fix for this "patch" that you can find here:
IETrap.cpp
Diffs
So I've patched their patch, and violated their license agreement after they violated the Microsoft EULA. That makes me feel so recursive.
You should use MyIE2 instead, http://www.myie2.com Fixed "IE URL Spoofing Vulnerability" problem. You also get the following:
Tabbed Browsing Interface
Mouse Gestures
Super Drag&Drop
Privacy Protection
AD Hunter
Google Bar Support
External Utility Bar
Skinning
What else could you ask for?
I am against words getting a new meaning just because computers are involved. YES I am anal. Some of us need to be.
As for how this is done? Same way as all the IE plugins. All those bars you see and popup blockers? Same thing.
MMO Quests are like orgasms:
You may solo them, I prefer them in a group.
Yep, better string handling. Always good.
But I was wondering... buffer overflows are a problem because we have a descending stack, i.e. as you add stuff, the stack pointer moves backwards through memory, so the return address and other data is always located just in front of any local data.
What is the reasoning behind the use of a descending stack? Is this a legacy from a hardware or software decision? Is there anything we would lose by having an ascending stack, which would make overflow exploits a lot more difficult? Anyone know?
Criminy, just can't please some people.