Slashdot Mirror


Another Serious MSIE Hole

pjrc writes "Infoworld is reporting another new security hole that allows links to executable files to appear to be any other type of file, such as text or pdf. When combined with a previously reported spoofing bug, that Microsoft still hasn't fixed, Infoworld claims the result could be 'devastating'"

28 of 731 comments

  1. The Demo by trp642 · · Score: 5, Informative

    A little demo for those still using IE...

  2. answer by Anonymous Coward · · Score: 1, Informative

    Mozilla

    Pass it along...

  3. New Variant of MyDoom out by prandal · · Score: 1, Informative

    Slashdot hasn't posted my story yet....

    We detected MyDoom.B around 15:00 GMT today - ClamAV (opensource rules), McAfee 4319 DATs didn't.

    Preliminary analysis at Internet Storm Centre.

    Most AV vendors have new patterns out now.

    Phil

  4. According to Bill, this is a good thing by burgburgburg · · Score: 4, Informative
    While at a Longhorn Developers conference in London, Bill explained that "A high-volume system like (Windows) that has been thoroughly tested will be by far the most secure," than its low-attack competitors like Mac OS X and Linux.

    Gates also explained "To say a system is secure because no one is attacking it is very dangerous," and proposed that "hackers are good for maturation" of the platform, because they have forced the company to develop new inspection techniques for the code.

    Of course, virus writers are getting lazy now. According to Microsoft software architect Chris Anderson, "Today, virus writers don't find holes," he said. "They just sit back and wait for patches to appear, and then it is a race to write the first virus. We want to get patch deployment down from days or weeks to hours."

    1. Re:According to Bill, this is a good thing by Salsaman · · Score: 2, Informative
      A high-volume system like (Windows) that has been thoroughly tested will be by far the most secure

      So then is he admitting that Apache is more secure than IIS ?

  5. Re:Here it comes... by Incongruity · · Score: 5, Informative
    Let's bash the shit out of MS. In fact, you can do that while installing the 35th sendmail patch this week. Or the 54th SSH. Or the... (etc etc) Whatever makes you feel less like an angry hate monger :)

    The difference is that they actually patch sendmail and SSH for the security problems found...in the MSIE case, a number of problems have yet to be patched (so here comes the other usual response...did you actually read the article??)

  6. Exploit by Anonymous Coward · · Score: 5, Informative

    This appears to use the MS CLSID as the target. To find the CLSID for any file type, simply look in the windows registry in HKEY_CLASSES_ROOT. If you attach the CLSID to the end of the filename, windows will hide this from you completely. Thus, if you request a file iloveyou.vbs.txt.{5e941d80-bf96-11cd-b579-08002b30bfeb} - it will show up as a text file. Other holes would allow the web site to hide the .exe, vbs, etc part of the file name. In the past, the workaround for this was the big IE warning that you were downloading a harmful file... however this is now undermined.

  7. Re:it is... by hendridm · · Score: 3, Informative

    I wouldn't say those are the only people affected by exploits and outbreaks. I'm using Firebird and Thunderbird, but my inbox still fills up with virus forwards from others who are not, and my connection is often slow or down while the latest worm is making its rounds.

  8. What is the point? by m0rph3us0 · · Score: 0, Informative

    You've always been able to do this in Windows, if you change the extension of the file it changes how windows treats it.

    Since windows doesn't change the extension from what it thinks it is the problem is moot. I.e. if I convince windows that an executable is an HTML document and it saves it as an HTML document and subsequently opens it with an HTML viewer then there is no problem. If it saves it with .exe and then executes it later there could be a problem.

    Windows doesn't use magic bytes to choose file type it uses file extension. Thus as long as Windows saves the file with the extension it thinks it is and continues to operate in such a fashion everything is fine. All that happens is when you double click the executable it opens it with a PDF viewer. BIG DEAL.

  9. Wrong issue by rewt66 · · Score: 2, Informative
    Hint: Read the article before posting. (I know, this is Slashdot - what was I thinking?)

    Anyway, you're talking about the virus. The article is talking about downloads from web sites, where you can't tell what type of file you're downloading - you think you're getting a .pdf, and you're really getting an executable. And you gave it permission to download, because you knew that the file was of a safe type! The type you approved was safe, it just wasn't the type of the real file.

    Combined with another (not yet fixed) bug that lets web sites spoof which domain they are in, and you have all kinds of fun - downloading a trojan when you think you're downloading a .pdf or even .txt from a trusted site...

    But you really can't blame stupid users for this one. If the browser lies to you about what site you're really visiting, and lies about what type of file you're downloading, there's no $&%^$^%$ way that it's the user's fault. The blame lies exactly with Microsoft.

  10. Re:wtf is an HTML executable? by Hentai · · Score: 5, Informative

    .HTA file. Another WONDERFUL idea by Microsoft, where IE's HTML parser is given permission to execute pretty much anything it wants, and then you use HTML and Javascript to write the equivalent of GUI batch files.

    Cool idea in the right hands, but here it's a disaster waiting to happen.

    --
    -Hentai [in vita non pacem est]
  11. Re:small detail, slightly OT by arkanes · · Score: 3, Informative

    I'm mostly guessing here but it looks like the CLSID identifies it as an HTA (HTML application) component, which MS was hyping as all the rage in application development a few years back. Basically, it's like an XUL app - written in HTML and JScript. Portions of the Win2k+ UI are written using it, like the add/remove programs dialog.

  12. Re:it is... by cant_get_a_good_nick · · Score: 2, Informative

    Remember that IE isn't an app as much as a COM object. If you use Yahoo Messenger, AOL, or explorer, etc., you use IE.

  13. Re:If I had a dollar by Anonymous Coward · · Score: 1, Informative

    With the problems I have been having with 1.6 on Windows 2000 I would hardly be recommending to anybody. The damn thing crashes at the oddest times and I have yet to recreate anything so I have nothing I can submit as a bug. Everything was great at 1.4 - I should never have upgraded.

    I should note, though, that through it all I still haven't gone back to IE.

  14. Re:where's the damage? by NickFitz · · Score: 3, Informative
    What do you expect your browser to do when you send it a mime header text/html? It can be called .pdf, .txt, .whatever-you-like, but if the mime type is text/html, I'd expect the browser to do its best in running it

    That is not the nature of the vulnerability. IE displays a dialog saying "You are downloading the file:" followed by the filename. That is where the spoofed filename is displayed. The danger is that, if you are expecting, for example, a PDF which you won't want to keep, you will just click "Open", expecting it to start Acrobat Reader. However, once the file is downloaded, its real filename is that of an executable, which runs merrily away, doing whatever it wishes.

    It's got nothing to do with mime types.

    --
    Using HTML in email is like putting sound effects on your phone calls. Just say <strong>no</strong>.
  15. It's even worse by zzxc · · Score: 2, Informative

    It's even worse. The filename doesn't have to be in the hyperlink - it can also be in the headers. So, the url could be http://someuniversity.edu/~somestudent/exam_answers.txt

    The header could then have "Content-Disposition: attachment; filename=Exam_Answers.txt{INSERT_executable_file_CLSID}"

    The CLSIDs are under "HKEY_CLASSES_ROOT\MIME\Database\Content Type"

    The example above would secretly have the file type of your choice but would be known as Exam_Answers.txt. You won't see the CLSID unless you look at it from the command prompt. If you click on it, it executes whatever file type you wanted.

    You can't use a machine code executable file (.exe) directly, however, because it doesn't have a content-type/CLSID pair in windows. (well, it does, but there isn't one just for .exe files... even MS wouldn't be *this* stupid. For all intents and purposes it doesn't.)
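The two comments above (6 and 15) describe the same trick from two directions: a CLSID appended to the filename, either in the link itself or in a Content-Disposition header, that Explorer and the IE download dialog hide from the user. The following is an added example, not code from the thread or from Microsoft: a small checker of the kind a proxy or mail gateway could run over a response to flag the displayed name being different from the name the shell will act on. The executable-extension set, the sample URLs and the sample headers are constructed for the example; the CLSID value is the one quoted in comment 6 and is used only as an opaque GUID, with no claim here about which class it maps to.

```python
import re
from urllib.parse import unquote, urlsplit

# Windows writes a CLSID as a braced GUID: {8-4-4-4-12 hex digits}. Explorer and
# the IE download dialog drop a trailing CLSID from the name shown to the user.
# The thread shows both "name.txt.{CLSID}" and "name.txt{CLSID}", so the dot
# before the brace is optional here.
CLSID_SUFFIX = re.compile(
    r"\.?\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.IGNORECASE)

# Extensions the shell runs rather than views. Constructed allow-list for this
# example, not an exhaustive list taken from Windows.
EXECUTABLE_EXTS = {"exe", "com", "bat", "cmd", "pif", "scr", "vbs", "vbe",
                   "js", "jse", "wsf", "wsh", "hta", "lnk", "reg"}


def split_clsid_suffix(name):
    """Return (name as the user sees it, '{clsid}' or None)."""
    m = CLSID_SUFFIX.search(name)
    if m is None:
        return name, None
    return name[:m.start()], m.group(0).lstrip(".")


def parse_content_disposition(value):
    """Extract the filename parameter from a Content-Disposition header value.
    Returns None when there is no filename parameter."""
    for param in value.split(";")[1:]:
        key, _, val = param.strip().partition("=")
        if key.strip().lower() == "filename":
            return val.strip().strip('"')
    return None


def filename_from_url(url):
    """Last path segment of the URL, percent-decoded."""
    return unquote(urlsplit(url).path.rsplit("/", 1)[-1])


def assess_download(url, headers):
    """Decide whether the name a user will see misrepresents what the shell
    will open. `headers` is a dict of response headers in any letter case."""
    cd = next((v for k, v in headers.items()
               if k.lower() == "content-disposition"), None)
    served_name = (parse_content_disposition(cd) if cd else None) \
        or filename_from_url(url)
    displayed, clsid = split_clsid_suffix(served_name)

    parts = displayed.split(".")
    displayed_ext = parts[-1].lower() if len(parts) > 1 else ""
    # Extensions buried inside the displayed name: iloveyou.vbs.txt -> {"vbs"}
    inner_exts = {p.lower() for p in parts[1:-1]}

    findings = []
    if clsid:
        findings.append(f"trailing CLSID {clsid} is hidden from the user; "
                        f"the shell dispatches on it, not on '.{displayed_ext}'")
    hidden_exec = sorted(inner_exts & EXECUTABLE_EXTS)
    if hidden_exec:
        findings.append("executable extension(s) buried in the name: "
                        + ", ".join(hidden_exec))
    if displayed_ext in EXECUTABLE_EXTS:
        findings.append(f"'.{displayed_ext}' is itself executable")

    return {
        "url_name": filename_from_url(url),
        "served_name": served_name,
        "displayed_name": displayed,
        "clsid": clsid,
        "findings": findings,
        "verdict": "suspicious" if findings else "ok",
    }


if __name__ == "__main__":
    # Constructed sample responses modelled on the two names quoted in the thread.
    samples = [
        ("http://example.invalid/iloveyou.vbs.txt.{5e941d80-bf96-11cd-b579-08002b30bfeb}", {}),
        ("http://someuniversity.edu/~somestudent/exam_answers.txt",
         {"Content-Disposition":
          "attachment; filename=Exam_Answers.txt{5e941d80-bf96-11cd-b579-08002b30bfeb}"}),
        ("http://example.invalid/paper.pdf", {"Content-Type": "application/pdf"}),
    ]
    for url, hdrs in samples:
        r = assess_download(url, hdrs)
        print(f"{r['verdict']:10} shown={r['displayed_name']!r} served={r['served_name']!r}")
        for finding in r["findings"]:
            print("    -", finding)
```

The point of checking the Content-Disposition value before the URL is the one comment 15 makes: the link text and URL can be completely clean while the header supplies the spoofed name, so any check that looks only at the anchor href sees nothing.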

  16. Re:Konqueror under linux is also vulnerble by boredMDer · · Score: 2, Informative

    I'm running Konq 3.1.5 on Slack -current, and I'm not 'vulnerble' (sic).

  17. Work around for those of us stuck with M$ IE... by PSaltyDS · · Score: 2, Informative

    I was trying the DEMO PAGE, and noticed a minor work-around. The article says to save the file to disk before believing what it claims to be, which is sound advice, but you don't have to get that far to see something is wrong. As soon as you click on the link a "File Download" dialog is presented asking what to do with it. If you click on Open, based on the fake file extension displayed... you're screwed. If you click on Save, the next dialog box shows the true file type in the "Save as type" box.

    --
    Any technology distinguishable from magic is insufficiently advanced. - Geek's corollary to Clarke's law
  18. Re:small detail, slightly OT by Anarchofascist · · Score: 2, Informative
    Maybe I'm behind the times, could someone explain precisely what they mean by an HTML executable file? That doesn't make sense to my "HTML is plain text" portion of knowledge.


    The demo version sends and "executes" an HTML file, but the same channel could be used to send and execute an executable. They were just being careful to make their exploit demo safe to use.

    --
    Once more unto the breach, dear friends, once more, Or close the wall up with our American dead!
  19. Re:If you aren't by BigFire · · Score: 2, Informative

    Google Tool Bar? You obviously aren't aware of the Firebird Google Bar Extension.

  20. Original post by http-equiv to NT-BugTraq by Helevius · · Score: 2, Informative
    The original post by http-equiv is found on NT-BugTraq.

    Helevius

  21. Re:where's the damage? by canajin56 · · Score: 2, Informative

    The problem is that IE uses both the extension AND the mime type. It decides what to do when you click on it by looking at the MIME type. But it decides how to OPEN it by looking at the extension. So it sees "virus.exe" with a MIME type of text/html, and knows that it is supposed to automatically open html files when they are clicked on, so it downloads it. Once it downloads, it tries to open the file. The routines for opening files are the same as the ones in Windows Explorer, so it sees ".exe" and executes it. The user is never prompted because IE is never setup to prompt every time you visit a new page, and Windows Explorer isn't set to prompt every time you tell it to run a program.

    --
    ASCII stupid question, get a stupid ANSI
  22. Anti-MS mods are at it again by fudgefactor7 · · Score: 1, Informative

    Mod me Flamebait, I don't care...

    How is it this story is ok, but when MS announces a fix that will be coming shortly that story is rejected outright?

    Hey, mods...take your head outta your ass. Your anti-MS slant is showing (again.)

  23. Re:Here it comes... by pjrc · · Score: 2, Informative
    Let's bash the shit out of MS.

    I'm the one who submitted the story that Timothy posted.

    Microsoft damn well deserves some bashing. They didn't fix the phishing bug in their monthly patch set, and the phishing bug was reported very close to the beginning of that monthly cycle, and only 1 week after it was discovered, scammers started making heavy use of it in their attempts to defraud people of banking details. So Microsoft had 3 weeks to witness the phishing bug being abused in the wild, and still they did not patch it for almost a full month.

    This all comes on the heels of a bunch of PR Microsoft spewed not long ago, claiming a study (they paid for) found that Microsoft issues patches faster than Redhat.

    I call them a bunch of lying hypocrites who only care about money and not the security of their customers. You call me a Microsoft basher. You are right, I'm saying Microsoft sucks and they lie. I believe I am right too, they do suck and they do have little regard for honesty, as can plainly be seen.

    In fact, you can do that while installing the 35th sendmail patch this week. Or the 54th SSH.

    In fact, the last security patch for sendmail was on September 17, 2003. That's over 4 months ago. There have been zero sendmail security patches this week, not 35. The previous patch was released March 29th, 2003. Not the same week, but 5.5 months earlier.

    OpenSSH doesn't have the same web pages with patch info as Sendmail... so looking at Redhat's update history on OpenSSH, I see new RPMs published on the following dates: 17-Sep-2003, 16-Sep-2003, 04-Jul-2003, 14-Feb-2003. It's not clear if these are security updates or other less serious updates. But only once did two patches appear in the same week. On average, it's over 2 months between updates.... hardly 54 in one week.

    Now compare that to MSIE. Microsoft's customers complained that multiple patches were required every week, so they recently switched to a monthly patch schedule. But there was news coverage that shortly after the switch, they still had to break that schedule and release patches more frequently because of very critical security bugs discovered.

    And remember that Microsoft doesn't even bother to fix things like this phishing bug, which makes it easy for scammers to direct people to false banking login pages and have them appear to be the legitimate websites of the banks people trust! Contrast that lack of concern for customers getting ripped off against some of the openssh patches, which fix timing problems where the sub-millisecond delay changes could theoretically leak info if probed repetitively over a low-latency LAN.... but virtually impossible to attack over the internet, and no known exploits in use.

    It's pretty clear which software has a good security track record and which software has more holes than Swiss cheese. It's quite clear who deserves to be bashed.

  24. Re:If I had a dollar by StringBlade · · Score: 4, Informative
    I do a lot of free tech support for friends and family. However, I take the time to educate them on what not to do and give them the tools they need to help protect themselves.

    For example, when I find someone is prone to visiting lots of websites with "fun stuff" to download and play with (such as card-making programs and other crap like that) I find oodles of spyware and adware on their computer bogging it down. I explain to them that the sites they visit and the software they're downloading is installing this junk on their computer and that's why it's slow. Refraining from downloading these things will help prevent this in the future.

    Additionally I give them:

    and make sure their AV software (which most have) is up-to-date.

    Finally, for the worst offenders, after giving them tips (writing them down even) and explaining it over and over again, I limit them to 5 - 10 fixes. After that, they cannot ask me for help unless it's a completely different problem (if I find it's the same old same old, I leave and tell them to fix it).

    You can be nice, but you don't have to be a pushover. Developing a methodology for helping others simplifies the process and helps alleviate the frustration on a case-by-case basis.

    As much as we all hate cliches sometimes they apply: Give a man a fish and he is not hungry for a day; teach a man to fish and he is not hungry for a lifetime

    ...or the other less well known proverb: Give a man a blanket and he is warm for a night; set him on fire and he is warm for the rest of his life. :-)

    --
    ...and that's the way the cookie crumbles.
  25. Don't get too lax with Mozilla/Firebird by Anonymous Coward · · Score: 2, Informative

    To all you Mozilla users, don't think that you're safe simply because you use Mozilla. I just tried the demo with Firebird 0.7 and it essentially does the same thing as IE6. Click on the demo link on secunia's site and you get an "open/save as..." window. Sure it says that the default program type is "htmlfile (default)" and the file name shows the CLSID which should make you think if you are supposedly downloading a pdf, but let's face it, the average Joe isn't going to be thinking (or actually reading the file name). If you just go ahead and click "open," you get the same end result as if you had used IE (in fact IE opens if it's your default browser). Even if Firebird is your default it will still try opening the file as an html document. This isn't an IE flaw as much as a Windows flaw, so just switching browsers really won't save you.

    Your best bet is to THINK BEFORE YOU CLICK!!!!

  26. Re:small detail, slightly OT by shfted! · · Score: 4, Informative

    Okay, you have a file, called trojan.exe on the webserver. You make a link in the html to link to "trojan.exe". Then you configure the web-server to tell the web browser that the mime-type (a way to identify the content of the file) of trojan.exe is "text/html". IE sees "text/html" and says "ahh! I know what to do! Open this!", thinking it's a webpage. IE then looks at the file and says "ahh! This file ends in .exe! I know how to open this!" and executes the file. The user is thusly infected ;)

    Of course, there is no prompt: who wants to see a prompt every time they navigate to another page on the web? And who wants to see a prompt every time they double-click an executable file in Explorer?

    --
    He who laughs last is stuck in a time dilation bubble.
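Comments 21 and 26 describe the same split decision: the MIME type decides whether the file is opened without a prompt, and the extension decides which handler runs it, so a text/html response named trojan.exe is both "safe to auto-open" and "an executable". The following is an added example, not code from the thread or from any browser: a toy model of that two-stage dispatch next to a hardened version that requires the MIME type, the extension and the first bytes of the content to agree, and that never auto-runs anything executable regardless of what the server claimed. The MIME table, the executable-extension set, the signature list and the sample downloads are all constructed for the example.

```python
# Constructed tables for this example; not taken from the Windows registry.
EXECUTABLE_EXTS = {"exe", "com", "bat", "cmd", "pif", "scr", "vbs", "js",
                   "hta", "lnk"}
# MIME types the browser would render without asking, with the extension(s)
# a file of that type is expected to carry.
AUTO_OPEN = {
    "text/html": {"html"},
    "text/plain": {"txt"},
    "application/pdf": {"pdf"},
}
CANONICAL_EXT = {"htm": "html"}


def extension_of(filename):
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return CANONICAL_EXT.get(ext, ext)


def sniff(head):
    """Guess the real type from the first bytes of the content. Returns a
    canonical extension, or None when the bytes say nothing conclusive."""
    if head.startswith(b"MZ"):          # DOS/PE executable header
        return "exe"
    if head.startswith(b"%PDF-"):
        return "pdf"
    lowered = head[:512].lstrip().lower()
    if (lowered.startswith(b"<!doctype html") or lowered.startswith(b"<html")
            or b"<script" in lowered):
        return "html"
    return None


def dispatch_vulnerable(filename, mime):
    """Model of the behaviour the thread describes: the decision to skip the
    prompt is made on the MIME type, but the handler is chosen by extension."""
    if mime not in AUTO_OPEN:
        return "prompt"
    ext = extension_of(filename)
    return "execute" if ext in EXECUTABLE_EXTS else f"view:{ext}"


def dispatch_hardened(filename, mime, head):
    """All three signals (MIME type, extension, content) must agree before the
    file is opened automatically; anything executable or ambiguous is only
    offered for saving, never run."""
    ext = extension_of(filename)
    real = sniff(head)
    if ext in EXECUTABLE_EXTS or real == "exe":
        return "prompt"
    if mime not in AUTO_OPEN or ext not in AUTO_OPEN[mime]:
        return "prompt"
    if real is not None and real != ext:
        return "prompt"
    return f"view:{ext}"


if __name__ == "__main__":
    # Constructed downloads: (name, server-claimed MIME type, first bytes)
    samples = [
        ("trojan.exe", "text/html", b"MZ\x90\x00\x03\x00"),
        ("report.pdf", "application/pdf", b"%PDF-1.4\n"),
        ("report.pdf", "application/pdf", b"MZ\x90\x00\x03\x00"),
        ("notes.txt", "text/html", b"<html><script>alert(1)</script>"),
        ("index.htm", "text/html", b"<!DOCTYPE html><html>"),
    ]
    for name, mime, head in samples:
        print(f"{name:12} {mime:20} vulnerable={dispatch_vulnerable(name, mime):10} "
              f"hardened={dispatch_hardened(name, mime, head)}")
```

The decisive change is not the magic-byte check on its own (comment 8 is right that Windows does not use one) but that the hardened path derives its "is this safe to open" answer from the same extension it will later hand to the shell, so the two stages can no longer disagree.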
  27. Re:small detail, slightly OT by sparkz · · Score: 2, Informative

    Nearly right.
    HTML docs are "executable" because they can automatically invoke Java
    You link to trojan-{ASDSADSAFHDAKFDJFJDA}-horse.pdf (where the {ASDASFADFDFA} crap is what tells IE that it's text/html, not PDF).
    The "Open" dialog looks at the ".pdf" and says it's a PDF; when you click "Open", instead of launching Acrobat to view a PDF file, Windows says "the {ASDASASFAASD} tells me it's text/html - I'll use Internet Explorer, not Acrobat".
    So you were expecting an innocent PDF document, and you get an HTML web page, presumably containing JavaScript or similar which is executable.

    --
    Author, Shell Scripting : Expert Re