Slashdot Mirror


Open Source Firm Releases Patch for IE Bug [UPDATED]

An anonymous reader writes "An open source and freeware software development web site has released a patch to fix the URL spoofing vulnerability in Internet Explorer, which can be exploited by scammers who try to trick people into revealing details of online banking accounts or other private information." Naturally, the source for the patch is available as well. Update: 12/19 15:06 GMT by M : Sadly, the patch appears to contain a buffer overflow and some possibly-malicious code - see an analysis and news story, and this comment which suggests the patch author is trying to figure out who is taking advantage of the original vulnerability. Caveat patcher.


  1. How were they able to make such a patch... by znode · · Score: 5, Interesting

    Without the original source to IE?

    1. Re:How were they able to make such a patch... by epiphani · · Score: 4, Interesting

      Exactly what I was going to ask. How do you "patch" software without the original code? You'd basically have to reverse engineer the software, back to some other form of programming language - probably ASM.

      Now, just as a quick check, isn't reverse engineering any M$ product against the EULA? I seriously expect a lawsuit about this.

      Also, patching a binary - that requires *very* detailed knowledge of the binary itself, not? You can't just diff two binaries, and apply patches like that, can you? Run into addressing problems, not? I've never really studied the end result of my code beyond a little gdb'ing.

      --
      .
    2. Re:How were they able to make such a patch... by umofomia · · Score: 4, Interesting
      Exactly what I was going to ask. How do you "patch" software without the original code? You'd basically have to reverse engineer the software, back to some other form of programming language - probably ASM.

      Now, just as a quick check, isn't reverse engineering any M$ product against the EULA? I seriously expect a lawsuit about this.

      Actually they didn't have to do that... they just redirect the URLs you click on into their own cgi script off on their server to determine if it's a valid URL.

      I don't know about you, but I prefer that the URLs I go to not be sent to some random server out there. Isn't this basically the definition of spyware!? Also, what happens if their server goes down? Does that mean I'm unable to browse the web at all?

      Wait for Microsoft to come out with a better fix that properly addresses this issue.

  2. Good to know... by TSR+Wedge · · Score: 4, Interesting

    Good to know that while Microsoft is leaving its users hanging out to dry patch-wise, the community still cares enough to fix the problems. Who knows -- maybe we'll see more effective (i.e., fixing more problems than they cause) patches from here forward.

    --
    What if the hokey-pokey really is what it's all about?
  3. This doesn't actually fix the problem by realdpk · · Score: 4, Interesting

    If you check the code, all it appears to do is redirect the browser to http://www.openwares.org/cgi-bin/exploit.cgi?URL if someone clicks on a bogus URL.

    The overpresence of "strcpy" is a bit unsettling, too.

    While it's a nice step, it's no replacement for an official Microsoft patch.

  4. Inept and free! by fm6 · · Score: 4, Interesting
    Pretty sure this makes Microsoft look really inept.
    Since when have they needed any help with that?

    If people are doing open source IE patches, would somebody please fix this sucker? Thousands of people are complaining about this bug online, yet MS hasn't even officially admitted its existence. Now that's inept!

  5. using the API by ramzak2k · · Score: 4, Interesting

    If I am correct, all Microsoft applications do allow access to APIs (Application Programming Interfaces). I have written a simple application in Visual Basic once that used the API of MSN Instant Messenger to listen to the messages sent to me and do a custom auto reply saying things like "i will be back in a few mins".

    Once someone has a grip of IE's API, this shouldn't have been too difficult - after all they just check if the URL requested for (which should be triggering an event in the API) has a particular type of input. If so they redirect it to a different URL (their own website).

    If the patch has been done this way it is more reason not to apply it - it is not exactly the cleanest way to fix it.

    --

    Siggy Say, Siggy Do
  6. Re:How about this one .... by CaptBubba · · Score: 5, Interesting
    I actually don't see any mention of the GPL on any of the pages, or in the downloadable source.

    Doesn't this mean that nobody else is allowed to distribute it? I mean, MS could still get in a whole lot of trouble for including this code in its patch, but they wouldn't risk losing source code.

  7. Opera by 10scjed · · Score: 4, Interesting

    Opera 7.23 - not only is it not vulnerable to this exploit, it pops up a dialog box to advise you're being redirected to a user@ address (and shows the real address in the bar).

    --
    --10scjed IANAL,AFAIK
  8. Over hyped. by jag164 · · Score: 4, Interesting
    First of all. This 'patch' isn't too extraordinary. This is a plugin similar to the Google bar. There is no reverse engineering, thus no threat of DMCA. It's really not a patch, it's more of a workaround. It's also a publicity stunt. Upon detecting a spoof, there should be no reason to go to the 'patch makers' website for info when it could be done within the plugin.

    Second, it's a horrible precedent for closed source software. Let closed source fix closed source. This may seem like a good thing(tm) for the OSS community, but you know damn well that not-so-good-intentioned 'patches' will soon follow. Post some source on a site, provide an EXE (that of course didn't come from the source) and you've fished in countless Joe Users before the real word is out that a copy cat has duped you. Too late for some.

    I can only see bad things(tm) coming from this idea. Geeks know who and what to trust, but Joe User doesn't. And when joe user screws up it screws us all.

    The sum: This may have a greater negative impact in the long run than the good one it was intended to have.

  9. Re:Acceptance? by daniel23 · · Score: 4, Interesting

    I think Mozilla misrepresents the URL in the status line while the address line shows the URL correctly.
    MSIE, on the other hand, fails completely.

    In fact, on some versions of Mozilla you can even spot a control char in the status line, too. But real spoofing depends on the address line.

    heise (German)

    As a test:
    http://www.mozilla.org%00@www.heisec.de

    is shown as http://www.heisec.de in Mozilla, while MSIE puts http://www.mozilla.org into the address line.

    --
    605413? Yes, it's a prime.
  10. Re:... huh? by BiggerIsBetter · · Score: 4, Interesting

    Or maybe Microsoft will figure it doesn't need to provide patches in a timely manner, because the user community will do it for them.

    --
    Forget thrust, drag, lift and weight. Airplanes fly because of money.
  11. Re:RTFC by Holi · · Score: 4, Interesting

    I disagree. Just because something is open source (as in they offer the source with the binary) does not mean it must be GPL (freely distributable (ok nevermind the really poor spelling)). GPL is not the only open source license. In fact I wish more commercial software were like this. It would make security auditing much easier. Yes I cannot use their code in my projects but at least I could have some trust in their programs.

    --
    Sorry, teleporters just kill you and then make a copy. A perfect, soul-less copy.
  12. Re:Hey, morons by Anonymous Coward · · Score: 5, Interesting

    hmm...
    In ::BeforeNavigateEvent (IETray.cpp)
    It copies the string to a MBCS buffer, and scans for %01, %02, and %DA. If none of these exist, the rest of the function is skipped. Don't see how this phones home.

    Of course, the string is malloc()ed but never free()ed... But that's another matter. That and for some reason they don't just use all-Unicode (use wcsstr() etc.)... What if I wanted to surf to a site with a character that is not in the current code page? (e.g., search for Japanese text on Google using an English O/S) (Note that IE has the option of always sending the URL in UTF-8, so it has to be able to deal with characters not in the ACP)
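    An added illustration of the check that comments 9 and 12 describe, written as a defender-side URL inspector rather than a browser plugin. This is example code, not the openwares patch and not anything from IETray.cpp. It parses the URL as Unicode text (the point raised in comment 12 about non-ACP characters), separates the userinfo that a vulnerable IE would display from the host that is actually contacted, and flags percent-encoded or raw C0 control characters. The heise test URL is the one quoted in comment 9; the other sample URLs, the "userinfo looks like a hostname" heuristic, and the function and field names are constructed for this example.

```python
from urllib.parse import urlsplit, unquote

# Percent-escapes that comment 12 reports the patch scanning for; %DA is
# listed there too but is not a control code, so it is only reported, not
# treated as a control character by the decoded-string check below.
PATCH_ESCAPES = ("%01", "%02", "%DA")


def analyze_url(url: str) -> dict:
    """Split the 'displayed' part of a user@host URL from the real host and
    report anything that matches the spoofing pattern in the thread.

    The URL is handled as a str, so a non-ASCII query (e.g. Japanese search
    terms) is never mistaken for a control character.
    """
    parts = urlsplit(url)
    userinfo, at, _ = parts.netloc.rpartition("@")
    real_host = parts.hostname or ""
    reasons = []

    # Decode %xx escapes so raw and percent-encoded control chars are found
    # the same way; only C0 controls (0x00-0x1F) and DEL count.
    decoded = unquote(url)
    controls = sorted({ord(c) for c in decoded if ord(c) < 0x20 or ord(c) == 0x7F})
    if controls:
        reasons.append("control character(s): " + ", ".join(f"%{c:02X}" for c in controls))

    # Constructed heuristic: a userinfo that contains a dot reads like a
    # hostname, which is exactly what the spoof relies on IE displaying.
    if at and "." in unquote(userinfo):
        reasons.append("userinfo looks like a hostname")

    # Which of the escapes mentioned in comment 12 appear literally in the URL.
    escape_hits = [e for e in PATCH_ESCAPES if e.lower() in url.lower()]

    return {
        "real_host": real_host,
        "displayed_prefix": userinfo,  # what a vulnerable IE would show
        "has_userinfo": bool(at),      # Opera warns on any user@ URL
        "escape_hits": escape_hits,
        "reasons": reasons,
        "suspicious": bool(reasons),
    }


if __name__ == "__main__":
    for sample in (
        "http://www.mozilla.org%00@www.heisec.de",          # from comment 9
        "http://www.google.co.jp/search?q=\u65e5\u672c\u8a9e",  # constructed, benign non-ASCII
        "http://user:pass@example.com/",                     # constructed, ordinary userinfo
    ):
        print(sample, "->", analyze_url(sample))
```

    The decision is left to the caller: `suspicious` only fires on control characters or a hostname-like userinfo, while `has_userinfo` lets a stricter policy (Opera's behaviour, per comment 7) warn on every user@ URL.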