Open Source Firm Releases Patch for IE Bug [UPDATED]
An anonymous reader writes "An open source and freeware software development web site has released a patch to fix the URL spoofing vulnerability in Internet Explorer, which can be exploited by scammers who try to trick people into revealing details of online banking accounts or other private information." Naturally, the source for the patch is available as well. Update: 12/19 15:06 GMT by M : Sadly, the patch appears to contain a buffer overflow and some possibly-malicious code - see an analysis and news story, and this comment which suggests the patch author is trying to figure out who is taking advantage of the original vulnerability. Caveat patcher.
In other news....M$ slams a DMCA lawsuit for "hacking".
Life is not for the lazy.
trust OS people to fix what M$ can't find profit for!
So, there is an open source patch for a browser that the people that would have heard of the patch wouldn't use, the /. readers ought to be using mozilla and they know it, if they aren't using mozilla they probably will not install the patch either.
the people that would likely be fooled by this haven't heard of mozilla and haven't heard of open source and will not hear of this patch.
so this patch is pointless
(cool that it can be done though)
How do you patch closed source code?
By violating the EULA by disassembling IE?
Lovely. I want Bill Gates poking around my sock drawer because I installed an unauthorized patch...
A third party releasing a patch to a browser. How safe is this?
Yes the source code is there, but how do we know the executable doesn't have crap in there?
Even if everything is clean now, how about the next patch from another source?
(Not even saying anything about testing and how it can break something. They don't even have the source code of the original product.)
The surprise isn't how often we make bad choices; the surprise is how seldom they defeat us.
Ahem you cant see the source code of IE but you trust that? okay then
- meta language used, please apply your own spelling and gramma
Does applying a third party patch violate the EULA for IE?
Pretty sure this makes Microsoft look really inept. I mean, if the largest and richest software company in the world can't patch their own products before a group of volunteer coders can figure out a fix ... seems to me that makes M$ look like fools.
My US$0.02, unadjusted for inflation of course.
Sounds like you're in a no-win situation. You won't install a patch without the MS seal of approval but the patch (allegedly) repairs a known flaw in a product that HAD the MS seal of approval. So that begs the question: What is the value of the MS seal of approval if they're wrong? You'll never be able to install anything!!!
--Atlantix
this is the whois record for that domain from whois.networksolutions.com:
It's up to you to decide whether you trust them or not.
Using HTML in email is like putting sound effects on your phone calls. Just say <strong>no</strong>.
That's not the point. The point is that MS has ignored patching this vulnerability for far too long. It put its promise of "no patches for December" above the real and critical need to update the most common browser running on the world's computers from hack attacks. Whether you install it or not is your business, and furthermore, if the patch was truly buggy everyone would be screaming about it by now.
READY.
PRINT ""+-0
Judging from the source it's a quite simple COM object, which hooks into IE and checks URLs before IE actually starts "processing" them (opening connections, parsing...)
If it finds anything out of the ordinary (like an exploit) it just redirects IE to their own site. Specifically to http://www.openwares.org/cgi-bin/exploit.cgi. It adds a few parameters (the fake url among others), so I guess they will be building a database of exploiters...
It's no patch, IE stays as it is. It's more a workaround. I'm not sure whether these hooks are documented (although being a windows system programmer I never liked IE and stayed as far away from it as possible), but if yes, Microsoft might actually have nothing on openwares...
The time it takes to patch the problem is minuscule compared to the regression testing done to make sure the patch fucks up as little as possible. They test EXTENSIVELY and even so you still get the occasional patch that interacts with other software in ways you can't predict and breaks something. It happens. Any code monkey could hack out a patch, but I know damn well they haven't tested this as much as a corporation supporting 90% of the world's browser users would. That's where the time is, so quit bitching about how long it takes to release a patch. Now, the time it takes to ACKNOWLEDGE a bug is a different story....
Geek used to be a four letter word. Now it's a six-figure one.
While I don't think any reverse engineering took place here, I don't think it would be illegal.
EULAs are not contracts, you did not sign anything and EULAs cannot override the laws of that country. If reverse engineering is legal, then no amount of draconian wording or clicking on "I Agree" can change that. So if the EULA prohibits me from backing up my copy of Windows (as an example), yet the copyright laws of the country (Canada, in my case) specifically permit me one backup copy, then I am allowed: 1 backup copy.
Some types of reverse engineering are prohibited. Like hacking copy protection (as it's covered by the lovely DMCA). But there are efforts to reverse engineer other MS products, like the MSWord format or NTFS and I don't think those are coming under fire. (MS might try to obfuscate or change the formats rapidly, but the very process of RE is not illegal)
IANALBISLTPOOT (I am not a lawyer but I'd sure like to play one on TV!)
Well, this is hilarious. I guess I should never assume anything until I try it out myself. Apparently when WideCharToMultiByte() fails, it DOES overwrite your string until but presumably does not go over the specified bounds. So their code is still vulnerable to remote code execution since you can fill the dest[] array with the shellcode and a new return address that would point to it. You only have 256 bytes to work with (in reality even less, since they have some other stuff on the stack that you need to get over before you get to the return address), but if you are good with assembly, that should be enough to do some fun stuff... In comparison, Slammer was 306 bytes in size, but of course did quite a bit too...
Then nobody would have noticed the stack vulnerability, unless you had either a machine vulnerable to the original exploit, or a machine vulnerable to a new exploit as per being patched
:-)
Since it is open-source, however, somebody can fix that bug nice and quick before it becomes another problem (gee, imagine that).
Lack of foresight on the behalf of the patch developer is a bit disturbing, but not a bad reflection on OS code at all.
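The failure mode discussed in the comments above, a wide-to-narrow string conversion into a fixed 256-byte stack buffer, handled with an explicit size check. This is an added example, not the patch's code (which the page does not show); it uses the portable `wcstombs` as a stand-in for the Win32 `WideCharToMultiByte` call the comment names, and `narrow_url` and `DEST_SIZE` are hypothetical names.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <wchar.h>

#define DEST_SIZE 256   /* same size as the dest[] buffer the comment mentions */

/* Convert a wide URL into a fixed-size narrow buffer.
 * Returns the number of bytes written (excluding the NUL), or -1 if the
 * input cannot be converted or would not fit. On failure dest holds an
 * empty string, so a caller that ignores the result never reads partial
 * or unterminated data. */
long narrow_url(const wchar_t *src, char *dest, size_t dest_size)
{
    if (dest == NULL || dest_size == 0)
        return -1;
    dest[0] = '\0';
    if (src == NULL)
        return -1;

    /* First pass: ask how many bytes are needed, writing nothing. */
    size_t need = wcstombs(NULL, src, 0);
    if (need == (size_t)-1)       /* unconvertible character */
        return -1;
    if (need >= dest_size)        /* no room for the data plus the NUL */
        return -1;

    /* Second pass: the result is known to fit. */
    size_t wrote = wcstombs(dest, src, dest_size);
    if (wrote == (size_t)-1 || wrote >= dest_size) {
        dest[0] = '\0';
        return -1;
    }
    dest[wrote] = '\0';
    return (long)wrote;
}

int main(void)
{
    char dest[DEST_SIZE];
    /* Constructed sample input. */
    long n = narrow_url(L"http://www.example.com/", dest, sizeof dest);
    printf("%ld bytes: %s\n", n, dest);
    return 0;
}
```
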
Why would Microsoft use this code in their patch? This patch code is based upon readily available IE COM interfaces which allow addon IE programs to interact with browser operations. In fact, this patch simply checks the url for the vulnerability every time you navigate to the page. If the vulnerability is found it instead navigates to: http://www.openwares.org/cgi-bin/exploit.cgi?A&B where A is the spoofed url and B is the actual url. Microsoft would fix this vulnerability in the actual IE code, not in a bolted on module like this.
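The check described in the comments above (inspect each URL before navigation and flag anything out of the ordinary), as an added C example that is not the patch's own code. It assumes, beyond what the page states, that the spoofing relies on control characters in the userinfo part before `@`; `check_url` and the verdict names are hypothetical, and the sample URLs are constructed.

```c
#include <stdio.h>
#include <string.h>

enum url_verdict { URL_CLEAN, URL_HAS_USERINFO, URL_CTRL_IN_USERINFO };

/* Value of one hex digit, or -1 if c is not a hex digit. */
static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Classify the userinfo ("user@") part of a URL's authority. */
enum url_verdict check_url(const char *url)
{
    const char *p = strstr(url, "://");
    if (p == NULL)
        return URL_CLEAN;                 /* no authority component */
    p += 3;
    size_t auth_len = strcspn(p, "/?#");  /* authority ends at path/query */

    /* The last '@' inside the authority separates userinfo from host. */
    const char *at = NULL;
    for (size_t i = 0; i < auth_len; i++)
        if (p[i] == '@')
            at = p + i;
    if (at == NULL)
        return URL_CLEAN;

    /* Look for control bytes, raw or percent-encoded, before the '@'. */
    for (const char *q = p; q < at; q++) {
        int c = (unsigned char)*q;
        if (c == '%' && at - q >= 3) {
            int hi = hexval((unsigned char)q[1]);
            int lo = hexval((unsigned char)q[2]);
            if (hi >= 0 && lo >= 0) { c = hi * 16 + lo; q += 2; }
        }
        if (c < 0x20 || c == 0x7f)
            return URL_CTRL_IN_USERINFO;
    }
    return URL_HAS_USERINFO;
}

int main(void)
{
    /* Constructed sample URLs. */
    const char *s[] = { "http://www.example.com/", "http://user@www.example.com/",
                        "http://www.example.com%01@host.invalid/" };
    for (int i = 0; i < 3; i++)
        printf("%d  %s\n", check_url(s[i]), s[i]);
    return 0;
}
```
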
You do realize this patch phones home, don't you? Slashdot just advertised a piece of spyware. It phones home to validate every URL. Read the website.
The patch is open source. I don't even know if you are right in your statement but if you are, then download the source and change the way it works! Or live in fear...
You should use MyIE2 instead, http://www.myie2.com. Fixed "IE URL Spoofing Vulnerability" problem. You also get the following: Tabbed Browsing Interface, Mouse Gestures, Super Drag&Drop, Privacy Protection, AD Hunter, Google Bar Support, External Utility Bar, Skinning. What else could you ask for?