Slashdot Mirror
Open Source Firm Releases Patch for IE Bug [UPDATED]
An anonymous reader writes "An open source and freeware software development web site has released a patch to fix the URL spoofing vulnerability in Internet Explorer, which can be exploited by scammers who try to trick people into revealing details of online banking accounts or other private information." Naturally, the source for the patch is available as well. Update: 12/19 15:06 GMT by M : Sadly, the patch appears to contain a buffer overflow and some possibly-malicious code - see an analysis and news story, and this comment which suggests the patch author is trying to figure out who is taking advantage of the original vulnerability. Caveat patcher.
In other news....M$ slams a DMCA lawsuit for "hacking".
Life is not for the lazy.
trust OS people to fix what M$ can't find profit for!
So, there is an open source patch for a browser that the people that would have heard of the patch wouldn't use, the /. readers ought to be using mozilla and they know it, if they aren't using mozilla they probably will not install the patch either.
the people that would likely be fooled by this haven't heard of mozilla and haven't heard of open source and will not hear of this patch.
so this patch is pointless
(cool that it can be done though)
How do you patch closed source code?
By violating the EULA by disassembling IE?
Lovely. I want Bill Gates poking around my sock drawer because I installed an unauthorized patch...
Ahem you cant see the source code of IE but you trust that? okay then
- meta language used, please apply your own spelling and gramma
Pretty sure this makes Microsoft look really inept. I mean, if the largest and richest software company in the world can't patch their own products before a group of volunteer coders can figure out a fix ... seems to me that makes M$ look like fools.
My US$0.02, unadjusted for inflation of course.
Sounds like you're in a no-win situation. You won't install a patch without the MS seal of approval but the patch (allegedly) repairs a known flaw in a product that HAD the MS seal of approval. So that begs the question: What is the value of the MS seal of approval if they're wrong? You'll never be able to install anything!!!
--Atlantix
That's not the point. The point is that MS has ignored patching this vulnerability for far too long. It put its promise of "no patches for December" above the real and critical need to update the most common browser running on the worlds computers from hack attacks. Whether you install it or not is your business, and further more, if the patch was truly buggy everyone would be screaming about it by now.
READY.
PRINT ""+-0
Judging from the source it's a quite simple COM object, which hooks into IE and checks URLs before IE actually starts "processing" them (opening connections, parsing...)
If it finds anything out of the ordinary (like an exploit) it just redirects IE to their own site. Specifically to http://www.openwares.org/cgi-bin/exploit.cgi. It adds a few paramters (the fake url among other), so I guess they will be building a database of exploiters...
It's no patch, IE stays as it is. It's more a workaround. I'm not sure whether these hooks are documented (allthough being a windows system programmer I never liked IE and stayed as far away from it as possible), but if yes, Microsoft might actually have nothing on openwaves...
The time it takes to patch the problem is miniscule compared to the regression testing done to make sure the patch fucks up as little as possible. They test EXTENSIVELY and even so you still get the occasional patch that interacts with other software and ways you can't predict and breaks something. It happens. Any code monkey could hack out a patch, but I know damn well they haven't tested this as much as a corporation supporting 90% of the world's browser users would. That's where the time is, so quit bitching about how long it takes to release a patch. Now, the time it takes to ACKNOWLEDGE a bug is a different story....
Geek used to be a four letter word. Now it's a six-figure one.
Well, this is hilarious. I guess I should never assume anything until I try it out myself. Apparently when WideCharToMultiByte() fails, it DOES overwrite your string until but presumably does not go over the specified bounds. So their code is still vulnerable to remote code execution since you can fill the dest[] array with the shellcode and a new return address that would point to it. You only have 256 bytes to work with (in reality even less, since they have some other stuff on the stack that you need to get over before you get to the return address), but if you are good with assembly, that should be enough to do some fun stuff... In comparison, Slammer was 306 bytes in size, but of course did quite a bit too...
Why would Microsoft use this code in their patch ? This patch code is based upon readily available IE com interfaces which allow addon IE programs to interact with browser operations. In fact, this patch simply checks the url for the vulnerability every time you navigate to the page. If the vulnerability is found it instead naviagtes to: http://www.openwares.org/cgi-bin/exploit.cgi?A& ;B where A is the spoofed url and B is the actual url. Microsoft would fix this vulnerability in the actual IE code, not in a bolted on module like this.
You do realize this patch phones home, don't you? Slashdot just advertised a piece of spyware. It phones home to validate every URL. Read the website.
The patch is open source. I don't even know if you are right in your statement but if you are, then download the source and change the way it works! Or live in fear...