Slashdot Mirror


Another Serious MSIE Hole

pjrc writes "InfoWorld is reporting another new security hole that allows links to executable files to appear to be any other type of file, such as text or PDF. When combined with a previously reported spoofing bug that Microsoft still hasn't fixed, InfoWorld claims the result could be 'devastating'."

10 of 731 comments

  1. The Demo by trp642 · Score: 5, Informative

    A little demo for those still using IE...

  2. According to Bill, this is a good thing by burgburgburg · Score: 4, Informative
    While at a Longhorn Developers conference in London, Bill explained that "A high-volume system like (Windows) that has been thoroughly tested will be by far the most secure," than its low-attack competitors like Mac OS X and Linux.

    Gates also explained "To say a system is secure because no one is attacking it is very dangerous," and proposed that "hackers are good for maturation" of the platform, because they have forced the company to develop new inspection techniques for the code.

    Of course, virus writers are getting lazy now. According to Microsoft software architect Chris Anderson, "Today, virus writers don't find holes," he said. "They just sit back and wait for patches to appear, and then it is a race to write the first virus. We want to get patch deployment down from days or weeks to hours."

  3. Re:Here it comes... by Incongruity · Score: 5, Informative
    Let's bash the shit out of MS. In fact, you can do that while installing the 35th sendmail patch this week. Or the 54th SSH. Or the... (etc etc) Whatever makes you feel less like an angry hate monger :)

    The difference is that they actually patch sendmail and SSH for the security problems found...in the MSIE case, a number of problems have yet to be patched (so here comes the other usual response...did you actually read the article??)

  4. Exploit by Anonymous Coward · Score: 5, Informative

    This appears to use the MS CLSID as the target. To find the CLSID for any file type, simply look in the Windows registry in HKEY_CLASSES_ROOT. If you attach the CLSID to the end of the filename, Windows will hide this from you completely. Thus, if you request a file iloveyou.vbs.txt.{5e941d80-bf96-11cd-b579-08002b30bfeb} - it will show up as a text file. Other holes would allow the web site to hide the .exe, .vbs, etc. part of the file name. In the past, the workaround for this was the big IE warning that you were downloading a harmful file... however this is now undermined.
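
Added example, not part of the comment above or of the original thread: a defender-side Python check that flags download names carrying the trailing `.{CLSID}` suffix the comment describes and reports the name a user would be shown. The function names and the extension list are assumptions made for illustration; the sample names are constructed from the one quoted in the comment.

```python
import re

GUID = re.compile(
    r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}", re.I)

# Assumed, incomplete set of extensions that run code when opened.
RISKY_EXTENSIONS = {"exe", "vbs", "hta", "js", "scr", "bat", "cmd", "pif", "com"}

def split_clsid_suffix(name):
    """Return (name_without_suffix, clsid), or (name, None) if there is none."""
    name = name.strip()
    start = name.rfind(".{")
    if start == -1 or not name.endswith("}"):
        return name, None
    # Tolerate whitespace inside the braces (wrapped or copied text).
    inner = re.sub(r"\s+", "", name[start + 2:-1])
    if not GUID.fullmatch(inner):
        return name, None
    return name[:start], inner.lower()

def inspect_download_name(name):
    """List reasons a download name is suspicious; empty list means no finding."""
    shown, clsid = split_clsid_suffix(name)
    findings = []
    if clsid:
        findings.append(
            f"trailing CLSID {{{clsid}}} hidden from display; shown as {shown!r}")
    parts = shown.lower().split(".")[1:]   # every extension in the visible name
    buried = [p for p in parts[:-1] if p in RISKY_EXTENSIONS]
    if buried:
        findings.append("risky extension before the final one: ." + ", .".join(buried))
    if parts and parts[-1] in RISKY_EXTENSIONS:
        findings.append(f"final extension .{parts[-1]} runs code when opened")
    return findings

if __name__ == "__main__":
    # Constructed sample names.
    for sample in ("report.pdf",
                   "iloveyou.vbs.txt.{5e941d80-bf96-11cd-b579-08002b30bfeb}",
                   "notes.txt.{not-a-guid}"):
        print(sample, "->", inspect_download_name(sample) or "no finding")
```
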

  5. Re:it is... by hendridm · Score: 3, Informative

    I wouldn't say those are the only people affected by exploits and outbreaks. I'm using Firebird and Thunderbird, but my inbox still fills up with virus forwards from others who are not, and my connection is often slow or down while the latest worm is making its rounds.

  6. Re:wtf is an HTML executable? by Hentai · Score: 5, Informative

    .HTA file. Another WONDERFUL idea by Microsoft, where IE's HTML parser is given permission to execute pretty much anything it wants, and then you use HTML and JavaScript to write the equivalent of GUI batch files.

    Cool idea in the right hands, but here it's a disaster waiting to happen.

    --
    -Hentai [in vita non pacem est]
  7. Re:small detail, slightly OT by arkanes · Score: 3, Informative

    I'm mostly guessing here but it looks like the CLSID identifies it as an HTA (HTML application) component, which MS was hyping as all the rage in application development a few years back. Basically, it's like an XUL app - written in HTML and JScript. Portions of the Win2k+ UI are written using it, like the add/remove programs dialog.

  8. Re:where's the damage? by NickFitz · Score: 3, Informative
    What do you expect your browser to do when you send it a mime header text/html? It can be called .pdf, .txt, .whatever-you-like, but if the mime type is text/html, I'd expect the browser to do its best in running it

    That is not the nature of the vulnerability. IE displays a dialog saying "You are downloading the file:" followed by the filename. That is where the spoofed filename is displayed. The danger is that, if you are expecting, for example, a PDF which you won't want to keep, you will just click "Open", expecting it to start Acrobat Reader. However, once the file is downloaded, its real filename is that of an executable, which runs merrily away, doing whatever it wishes.

    It's got nothing to do with mime types.

    --
    Using HTML in email is like putting sound effects on your phone calls. Just say <strong>no</strong>.
  9. Re:If I had a dollar by StringBlade · Score: 4, Informative
    I do a lot of free tech support for friends and family. However, I take the time to educate them on what not to do and give them the tools they need to help protect themselves.

    For example, when I find someone is prone to visiting lots of websites with "fun stuff" to download and play with (such as card-making programs and other crap like that) I find oodles of spyware and adware on their computer bogging it down. I explain to them that the sites they visit and the software they're downloading is installing this junk on their computer and that's why it's slow. Refraining from downloading these things will help prevent this in the future.

    Additionally I give them:

    and make sure their AV software (which most have) is up-to-date.

    Finally, for the worst offenders, after giving them tips (writing them down even) and explaining it over and over again, I limit them to 5 - 10 fixes. After that, they cannot ask me for help unless it's a completely different problem (if I find it's the same old same old, I leave and tell them to fix it).

    You can be nice, but you don't have to be a pushover. Developing a methodology for helping others simplifies the process and helps alleviate the frustration on a case-by-case basis.

    As much as we all hate cliches, sometimes they apply: Give a man a fish and he is not hungry for a day; teach a man to fish and he is not hungry for a lifetime.

    ...or the other less well known proverb: Give a man a blanket and he is warm for a night; set him on fire and he is warm for the rest of his life. :-)

    --
    ...and that's the way the cookie crumbles.
  10. Re:small detail, slightly OT by shfted! · Score: 4, Informative

    Okay, you have a file, called trojan.exe on the webserver. You make a link in the HTML to link to "trojan.exe". Then you configure the web-server to tell the web browser that the mime-type (a way to identify the content of the file) of trojan.exe is "text/html". IE sees "text/html" and says "ahh! I know what to do! Open this!", thinking it's a webpage. IE then looks at the file and says "ahh! This file ends in .exe! I know how to open this!" and executes the file. The user is thusly infected ;)

    Of course, there is no prompt: who wants to see a prompt every time they navigate to another page on the web? And who wants to see a prompt every time they double-click an executable file in Explorer?

    --
    He who laughs last is stuck in a time dilation bubble.