Slashdot Mirror

← Back to Stories (view on slashdot.org)

Another Serious MSIE Hole

Posted by timothy on from the why-my-dad-gets-no-tech-support dept.

pjrc writes "Infoworld is reporting another new security hole that allows links to executable files to appear to be any other type of file, such as text or pdf. When combined with a previously reported spoofing bug, that Microsoft still hasn't fixed, Infoworld claims the result could be 'devastating'"

7 of 731 comments (clear)

  1. Microsoft says: Don't click URLs anymore... by jea6 · · Score: 5, Interesting

    "The most effective step that you can take to help protect yourself from malicious hyperlinks is not to click them. Rather, type the URL of your intended destination in the address bar yourself. By manually typing the URL in the address bar, you can verify the information that Internet Explorer uses to access the destination Web site. To do so, type the URL in the Address bar, and then press ENTER."

    Find that hard to believe? http://support.microsoft.com/default.aspx?scid=kb; [ln];833786. Remember, type, don't click.

    --

    sarchasm: The gulf between the author of sarcastic wit and the person who doesn't get it.
  2. No more dangerous than normal. by doublem · · Score: 5, Interesting

    As MyDoom is showing, hackers don't need an exploit to spread. The social engineering is still more than enough to spread.

    This is a cute vector that can be used to take in another 10% of users, but since it looks like most of them will run any attachment you send them anyway, it's a moot point.

    A few years back, I coded an app and e-mailed it to all our users. The message came "from" the company owner and said "This is a virus, you will destroy all the data you have access to if you run this file."

    If they ran the file, it sent me a message with their computer name, username and other details.

    About 80% of the users ran it.

    I lost all faith in the human race that day.

    --
    "Live Free or Die." Don't like it? Then keep out of the USA
  3. Re:Demo by arkanes · · Score: 3, Interesting
    Amusingly, this would make me blink because actual PDFs open automatically in IE (using the Adobe plugin) and I have to use "Save as..." to get them to disk.

    Theres a couple other inconsistencies - if you do use "Save as" the filename appears to be PDF, but the filetype pre-filter (which is set to the type of file that you're downloading) is "HTML files". Interestingly, in the "open or save" dialog, the file type is blank.

    I'd just like to take this time to slap microsoft for adding yet another way of associating files with applications to piss us all off. We already had enough issues with contradicting file extensions and mime types.

  4. Mozilla Firebird by Peredur · · Score: 4, Interesting

    It appears that Mozilla is only partially safe from this type of bug. When I went to the test page it still showed up as being a pdf in the filename field but identified as a html file. It then asked me what I wanted to do and defaulted to "open with mozilla firebird". This bug may be bigger than reported.

    1. Re:Mozilla Firebird by pacsman · · Score: 3, Interesting

      When I went to the demonstration site and clicked the link in Mozilla 1.5 it showed the file name as "ie.%7B3050f4d8-98B5-11CF-BB82-00AA00BDCE0B%7DSecu nia_Internet_Explorer%252Epdf" and asked what to do with it, by default saving it to disk. Even if you were an internet clueless person somehow using Mozilla this still doesn't seem as dangerous if for no other reason than the bizarre filename, which doesn't look the least like it's a .pdf file. On IE it asks if you want to download "...Secunia_Internet_Explorer.pdf" which looks much worse as far as disguising itself goes.

  5. Re:If I had a dollar by Hel+Toupee · · Score: 3, Interesting

    Amen, brother! The worst part is if you do help someone (say a good friend), then they casually overhear that one of their good friends has a computer problem, you're going to be tapped to help that person, too. If I had a dollar for every friend-of-a-friend-of-a-friend's computer I had to un-fsck-up, I'd be rich.

    The worst part is that all these people are getting their kit fixed through that one friend as a proxy, and since you didn't charge them (because you were just being nice, really drunk, trying to get *ahem* "On her good side", etc.), you can't charge their social network of unwashed masses either.

    --
    PERL:
    All of the power of Voodoo with most of the understandibility!
  6. Re:If I had a dollar by Afrosheen · · Score: 4, Interesting

    You're exactly right.

    When enough people get to know you as the local computer guy, you'll get phone calls, visits, you name it. People will expect it to be free by default unless you set a price. Make it fair but worth your time.

    Anyone on here bitching about 'feeling obligated' to provide 'free support', stop bitching. It's your own fault it's free. Charge a price. Believe it or not people are willing to pay their friends a reasonable fee, even if it's not cash. Tell them to rent a movie for you and bring it over, or bake a cake, or get a six pack of Guinness, whatever. I have a big box of Krispy Kreme sitting here from a friend of mine that needed spyware removed yesterday.

    Once you get people trained to think that indeed, your time and expertise are worth something, you won't even have to make requests. People will open their wallets or bring you stuff automatically.

    Don't let your passive-aggressive geek nature leave you with regrets or feeling used. Assert yourself.