Slashdot Mirror
Open Source Firm Releases Patch for IE Bug [UPDATED]
An anonymous reader writes "An open source and freeware software development web site has released a patch to fix the URL spoofing vulnerability in Internet Explorer, which can be exploited by scammers who try to trick people into revealing details of online banking accounts or other private information." Naturally, the source for the patch is available as well. Update: 12/19 15:06 GMT by M : Sadly, the patch appears to contain a buffer overflow and some possibly-malicious code - see an analysis and news story, and this comment which suggests the patch author is trying to figure out who is taking advantage of the original vulnerability. Caveat patcher.
Without the original source to IE?
Good to know that while Microsoft is leaving its users hanging out to dry patch-wise, the community still cares enough to fix the problems. Who knows -- maybe we'll see more effective (i.e., fixing more problems than they cause) patches from here forward.
What if the hokey-pokey really is what it's all about?
If you check the code, all it appears to do is redirect the browser to http://www.openwares.org/cgi-bin/exploit.cgi?URL if someone clicks on a bogus URL.
The overpresence of "strcpy" is a bit unsettling, too.
While it's a nice step, it's no replacement for an official Microsoft patch.
While Microsoft has released an article providing details about the vulnerability, the company is yet to provide a patch.
I hope this become a trend and attitude among the Open Source community. I must admit that I've been a Microsoft-hater for years, but over time I found that people are really put off by anti-corporation sentiments. I suppose it makes sense in a way; If I invested thousands in a technology for my business, I wouldn't want people telling me "Aw man! You got totally taken! Windows is total crap!"
If the Open Source community begins patching Windows before Microsoft, not only does it help consumers deal with problems they can't solve, but it bring honor and respect to the Open Source community. Then when people consider Open Source, they're more likely to conclude that Open Source programmers are more competant than corporate programmers.
It's a win-win-lose. Open Source wins, Consumers win, and Microsoft loses. Which is what I wanted in the first place.
ESR's right in his article "How to Become a Hacker"
Q: Do I need to hate and bash Microsoft?
A: No, you don't. Not that Microsoft isn't loathsome, but there was a hacker culture long before Microsoft and there will still be one long after Microsoft is history. Any energy you spend hating Microsoft would be better spent on loving your craft. Write good code -- that will bash Microsoft quite sufficiently without polluting your karma.
Ruby on Rails Screencast
If people are doing open source IE patches, would somebody please fix this sucker? Thousands of people are complaining about this bug online, yet MS hasn't even officially admitted its existence. Now that's inept!
If i am correct all microsoft applications do have allow access to APIs (Application Programming interfaces). I have written a simple application in Visual Basic once that used the API of MSN instant messenger to listen to the messages sent to me and do a custom auto reply saying things like "i will be back in a few mins".
Once someone has a grip of IE's API, this shouldnt have been too difficult - after all they just check if the URL requested for(which should be triggering an event in the API) has a particular type of input. If so they redirect it to a different URL (their own website).
If the patch has been done this way it is more reason not to apply it - it is not exactly the cleanest way to fix it.
Siggy Say, Siggy Do
Doesn't this mean that nobody else is allowed to distribute it? I mean, MS could still get in a whole lot of trouble for inclusing this code in its patch, but they wouldn't risk losing source code.
Opera7.23- not only is it not vulnerable to this exploit, it pops up a dialog box to advise you're being redirected to a user@ address (and shows the real address in the bar).
--10scjed IANAL,AFAIK
Second, it's a horrible precedent for closed source software. Let close source fixed close source. This may seem like a good thing(tm) for the OSS communtity, but you know damn well that not-so-good-intentioned 'patches' will soon follow. Post some source on a site, provide an EXE(that of course didn't come from the source) and you've fished in countless joe users before the real word is out that a copy cat has duped you. Too late for some.
I can only see bad things(tm) coming from this idea. Geeks know who and what to trust, but Joe User doesn't. And when joe user screws up it screws us all.
The sum: This may have a greater negative impact in the long run then the good one it was intended to have.
I think mozilla misrepresents the url in the status line while the address line shows the url correctly.
MSIE, on the other hand, fails completly.
In fact, on some versions of mozilla you even can spot a control char in the status line, too. But real spoofing depends on the address line.
heise (German)
As a test:
http://www.mozilla.org%00@www.heisec.de
is shown as http://www.heisec.de in mozilla, while msie puts http://www.mozilla.org into the address line.
605413? Yes, it's a prime.
Or maybe Microsoft will figure it doesn't need to provide patches in a timely manner, because the user community will do it for them.
Forget thrust, drag, lift and weight. Airplanes fly because of money.
They have thousands of programmers, let them move their butts and do their fucking job. More holes in IE, easier to convince people to switch to Mozilla.
Microsoft, in it's efforts to steer people away from FoxPro to Access, many years ago, decided to not bother patching some serious issues with FoxPro. What happened was there was a very poor piece of code that tried to figure out how fast your processor was when FoxPro started up, I forget exactly what it was for, but the programmer(s) made a small bug where if the processor was extremely fast, the value would be set to -1, and FoxPro would promptly crash. Worked fine for years until some of the new processors came out.
Anyway, Microsoft stalled on fixing this timing issue bug, so some smart fellow tweaked the exe file to fix it. Yeah, not even assembler, we're talking hex. Pretty damn cool.
There's a saying for this: crap built upon crap.
There they allocate a string of 256 bytes, but never even bother to clean it up! I'm not even sure if that memory is going to be cleaned up when you close all the IE windows, since it's really a Windows system component ...[more scary windows stuff]
Seems like a combination of the lousy design of the Windows components coupled with using C. Long, long time since I've worried about destroy and the like, what with the availability of better languages like Java, etc. Granted once buffer overflows are a thing of the past, there will be new holes, but at least we will be moving forward.
But even that's not the worst thing. Their code actually contains a buffer overflow, allowing the attacker to execute code on your machine with the privileges of the IE process just by crafting an invalid URL link and getting you to click on it!
Good catch. So one security flaw fixed, opening up another flaw - a little embarrasing, except MSFT did the same thing a few weeks ago in their flurry of untested patches. But it does show the inherent advantage of open source in that *anyone* can review the code, and fix it, without resorting to messy hacks such as this.
I disagree. Just be3cause something is open source (as in they offer the source with the binary) does not mean it must be GPL (freely ditributable (ok nevermind the really poor spelling)). GPL is not the only open source license. In fact I wish more commercial software were like this. It would make security auditing much easier. Yes I cannot use their code in my projects but at least I could have some trust in their programs.
Sorry, teleporters just kill you and then make a copy. A perfect, soul-less copy.
hmm... ::BeforeNavigateEvent (IETray.cpp)
In
It copies the string to a MBCS buffer, and scans for %01, %02, and %DA. If none of these exist, the rest of the function is skipped. Don't see how this phones home.
Of course, the strings is malloc()ed but never free()ed... But that's another matter. That and for some reason they don't just use all-unicode (use wcsstr() etc.)... What if I wanted to surf to a site with a character that is not in the current code page? (e.g., search for Japanese text on Google using an English O/S) (Note that IE has the option of always sending the URL in UTF-8, so it has to be able to deal with characters not in the ACP)