Slashdot Mirror
Open Source Firm Releases Patch for IE Bug [UPDATED]
An anonymous reader writes "An open source and freeware software development web site has released a patch to fix the URL spoofing vulnerability in Internet Explorer, which can be exploited by scammers who try to trick people into revealing details of online banking accounts or other private information." Naturally, the source for the patch is available as well. Update: 12/19 15:06 GMT by M : Sadly, the patch appears to contain a buffer overflow and some possibly-malicious code - see an analysis and news story, and this comment which suggests the patch author is trying to figure out who is taking advantage of the original vulnerability. Caveat patcher.
I can't even come up with a good joke for this. Seriously. It's just too good. Way, way too good.
My own pointless vanity vintage computing page
Unfortunately, with this being an unofficial release, I don't see many people likely to utilize this until it is released by Microsoft. In the meantime, I am enjoying reading this in Mozilla :)
*
troll blacklist. Please mo
Without the original source to IE?
Good to know that while Microsoft is leaving its users hanging out to dry patch-wise, the community still cares enough to fix the problems. Who knows -- maybe we'll see more effective (i.e., fixing more problems than they cause) patches from here forward.
What if the hokey-pokey really is what it's all about?
I don't know about you folks, but this appears to redirect your request to their cgi script, which ostensibly will allow or deny it based on whether or not it is vulnerable.
This looks like a horrible way to "fix" the problem.
Natural != (nontoxic || beneficial)
If you check the code, all it appears to do is redirect the browser to http://www.openwares.org/cgi-bin/exploit.cgi?URL if someone clicks on a bogus URL.
The overpresence of "strcpy" is a bit unsettling, too.
While it's a nice step, it's no replacement for an official Microsoft patch.
While Microsoft has released an article providing details about the vulnerability, the company is yet to provide a patch.
I hope this become a trend and attitude among the Open Source community. I must admit that I've been a Microsoft-hater for years, but over time I found that people are really put off by anti-corporation sentiments. I suppose it makes sense in a way; If I invested thousands in a technology for my business, I wouldn't want people telling me "Aw man! You got totally taken! Windows is total crap!"
If the Open Source community begins patching Windows before Microsoft, not only does it help consumers deal with problems they can't solve, but it bring honor and respect to the Open Source community. Then when people consider Open Source, they're more likely to conclude that Open Source programmers are more competant than corporate programmers.
It's a win-win-lose. Open Source wins, Consumers win, and Microsoft loses. Which is what I wanted in the first place.
ESR's right in his article "How to Become a Hacker"
Q: Do I need to hate and bash Microsoft?
A: No, you don't. Not that Microsoft isn't loathsome, but there was a hacker culture long before Microsoft and there will still be one long after Microsoft is history. Any energy you spend hating Microsoft would be better spent on loving your craft. Write good code -- that will bash Microsoft quite sufficiently without polluting your karma.
Ruby on Rails Screencast
If people are doing open source IE patches, would somebody please fix this sucker? Thousands of people are complaining about this bug online, yet MS hasn't even officially admitted its existence. Now that's inept!
This is the beginning of a really bad precedent. It is bad enough that M$ makes bad software and takes too long to fix it, but this just makes it okay to keep doing that. M$ will know that now they don't even HAVE to fix it. Just wait and let the open source community do it. THEN, when multiple patches start conflicting because of reasons already mentioned above, M$ can blame open source as the problem. Heck, they might even 'embrace' open source for a time, then use this as justification that it open source doesn't work.
Open source enthusiasts have TWICE paid to renew Microsoft's domain registries (once for hotmail, once for microsoft UK) when Microsoft forgot... so who should you trust with your data, the people that can't even remember to renew their own domain registrations, or the people that keep bailing them out?
"Freedom means freedom for everybody" -- Dick Cheney
If i am correct all microsoft applications do have allow access to APIs (Application Programming interfaces). I have written a simple application in Visual Basic once that used the API of MSN instant messenger to listen to the messages sent to me and do a custom auto reply saying things like "i will be back in a few mins".
Once someone has a grip of IE's API, this shouldnt have been too difficult - after all they just check if the URL requested for(which should be triggering an event in the API) has a particular type of input. If so they redirect it to a different URL (their own website).
If the patch has been done this way it is more reason not to apply it - it is not exactly the cleanest way to fix it.
Siggy Say, Siggy Do
Doesn't this mean that nobody else is allowed to distribute it? I mean, MS could still get in a whole lot of trouble for inclusing this code in its patch, but they wouldn't risk losing source code.
Opera7.23- not only is it not vulnerable to this exploit, it pops up a dialog box to advise you're being redirected to a user@ address (and shows the real address in the bar).
--10scjed IANAL,AFAIK
Second, it's a horrible precedent for closed source software. Let close source fixed close source. This may seem like a good thing(tm) for the OSS communtity, but you know damn well that not-so-good-intentioned 'patches' will soon follow. Post some source on a site, provide an EXE(that of course didn't come from the source) and you've fished in countless joe users before the real word is out that a copy cat has duped you. Too late for some.
I can only see bad things(tm) coming from this idea. Geeks know who and what to trust, but Joe User doesn't. And when joe user screws up it screws us all.
The sum: This may have a greater negative impact in the long run then the good one it was intended to have.
Now if a benevolent open source firm would make a patch that gave IE PROPER PNG support, then I would be very grateful (I have been swearing at IE's lack of png support for the last hour for messing up my very cool website design)
History will be kind to me, for I intend to write it - Sir Winston Churchill
Microsoft, in it's efforts to steer people away from FoxPro to Access, many years ago, decided to not bother patching some serious issues with FoxPro. What happened was there was a very poor piece of code that tried to figure out how fast your processor was when FoxPro started up, I forget exactly what it was for, but the programmer(s) made a small bug where if the processor was extremely fast, the value would be set to -1, and FoxPro would promptly crash. Worked fine for years until some of the new processors came out.
Anyway, Microsoft stalled on fixing this timing issue bug, so some smart fellow tweaked the exe file to fix it. Yeah, not even assembler, we're talking hex. Pretty damn cool.
There's a saying for this: crap built upon crap.
There they allocate a string of 256 bytes, but never even bother to clean it up! I'm not even sure if that memory is going to be cleaned up when you close all the IE windows, since it's really a Windows system component ...[more scary windows stuff]
Seems like a combination of the lousy design of the Windows components coupled with using C. Long, long time since I've worried about destroy and the like, what with the availability of better languages like Java, etc. Granted once buffer overflows are a thing of the past, there will be new holes, but at least we will be moving forward.
But even that's not the worst thing. Their code actually contains a buffer overflow, allowing the attacker to execute code on your machine with the privileges of the IE process just by crafting an invalid URL link and getting you to click on it!
Good catch. So one security flaw fixed, opening up another flaw - a little embarrasing, except MSFT did the same thing a few weeks ago in their flurry of untested patches. But it does show the inherent advantage of open source in that *anyone* can review the code, and fix it, without resorting to messy hacks such as this.
I disagree. Just be3cause something is open source (as in they offer the source with the binary) does not mean it must be GPL (freely ditributable (ok nevermind the really poor spelling)). GPL is not the only open source license. In fact I wish more commercial software were like this. It would make security auditing much easier. Yes I cannot use their code in my projects but at least I could have some trust in their programs.
Sorry, teleporters just kill you and then make a copy. A perfect, soul-less copy.
hmm... ::BeforeNavigateEvent (IETray.cpp)
In
It copies the string to a MBCS buffer, and scans for %01, %02, and %DA. If none of these exist, the rest of the function is skipped. Don't see how this phones home.
Of course, the strings is malloc()ed but never free()ed... But that's another matter. That and for some reason they don't just use all-unicode (use wcsstr() etc.)... What if I wanted to surf to a site with a character that is not in the current code page? (e.g., search for Japanese text on Google using an English O/S) (Note that IE has the option of always sending the URL in UTF-8, so it has to be able to deal with characters not in the ACP)
Is the "@-spoof" really a spoof? According to RFC2396, section 3.2.2 "Server-based Naming Authority", this is a feature of the URI and not a bug or a spoof.
Certainly it can be made to fool even an enlightened user, but isn't it wrong to cripple a browser's ability to adhere to the "Uniform Resource Identifiers (URI): Generic Syntax" RFC -- and even more so with spyware ;)
Browsing the "test page" at Openwares with my Konqueror gives me the spoof page. Good. That just means that Konqueror is RFC2396-compliant (but should i patch anyway? ;).
I first came across this "bug" about two years ago when i was forwarded an "authentic" page from Microsoft Support: Q209354 - HOWTO (mirror). It took me a while to realize that nobody at M$ was going to be fired for this type of creativity.
See The Reg for an article for some coverage -- although the host hwnd.net is off the net, so you can't really try to get spoofed.
On a related topic, did anyone else notice that chrome-free popups are to be terminated in XP SP2 (announced yesterday)? They're a great technique for the site spoofers since you can have the whole shebang - genuine looking URL *and* a nice little SSL padlock. Simply use a screenshot of a real online bank as the background and stick your own HTML form on top to capture the login details. JavaScript aficionados can even make the address bar and toolbar work like the real thing, if they see fit. Thankfully the Russian mafia aren't that sophisticated...yet.
When I am king, you will be first against the wall.
According to Heise Security www.heise.de this patch actually builds up bigger security holes than it repairs
0 02/
c k/ demos/ie/e5_18.shtml
In german:
http://www.heise.de/newsticker/data/dab-19.12.03-
Actually the have also a test for those who already patched their systems with this:
http://www.heise.de/security/dienste/browserche
So do not use this patch!
That said, I'm not real impressed with this "patch" - theres alot of use of c-style string work in a C++ file, which is silly, and more than that it's not even safe use of c-strings - the file concatenation of the URL together involves just using strcat() (not even strncat()) without any sort of length or sanity checking on the buffer.
And did someone fix this bug in Mozilla yet? Mozilla 1.5, last I checked, was vulnerable to half of this bug. The address bar at the top of the screen would display the correct full address, however hovering over a link would stop at the %00.