Another Serious MSIE Hole
pjrc writes "Infoworld is reporting another new security hole that allows links to executable files to appear to be any other type of file, such as text or pdf. When combined with a previously reported spoofing bug, that Microsoft still hasn't fixed, Infoworld claims the result could be 'devastating'"
A little demo for those still using IE...
Wasn't good ol' Bill just extolling the virtues of Windows Security in comparison to other 'unnamed' operating systems the other day?
Would you like some more pie, Bill?
DON'T use IE!
--Keeping the flame wars alive, one post at a time
A demonstration of the hole is currently on security company Secunia's website and demonstrates that if you click on a link, and select "Open" it purports to be downloading a pdf file whereas in fact it is an HTML executable file.
Haha this will show them - i am downloading the latest patch from www.mikerowesoft.com - m defen is str..o..noo!!..hel..elp
I wonder how well I can navigate the internet without clicking on any hyperlinks.
"The most effective step that you can take to help protect yourself from malicious hyperlinks is not to click them. Rather, type the URL of your intended destination in the address bar yourself. By manually typing the URL in the address bar, you can verify the information that Internet Explorer uses to access the destination Web site. To do so, type the URL in the Address bar, and then press ENTER."
Find that hard to believe? http://support.microsoft.com/default.aspx?scid=kb;[ln];833786. Remember, type, don't click.
sarchasm: The gulf between the author of sarcastic wit and the person who doesn't get it.
From the article text:
Doom worm currently reeking havoc across the globe.
So it's a smelly worm? Or are they trying to say that Windows stinks?
Where's my lobbyist? Right here.
... that Windows is far more secure than Linux or OSX because it gets tested so many more times out there in the wild..
[Editor's note: replace 'tested' with 'tested and found wanting']
Simon.
Physicists get Hadrons!
As MyDoom is showing, hackers don't need an exploit to spread. The social engineering is still more than enough to spread.
This is a cute vector that can be used to take in another 10% of users, but since it looks like most of them will run any attachment you send them anyway, it's a moot point.
A few years back, I coded an app and e-mailed it to all our users. The message came "from" the company owner and said "This is a virus, you will destroy all the data you have access to if you run this file."
If they ran the file, it sent me a message with their computer name, username and other details.
About 80% of the users ran it.
I lost all faith in the human race that day.
"Live Free or Die." Don't like it? Then keep out of the USA
I really don't think Microsoft cares any more. They certainly don't care about the security of their customers. I supposed their objective with IE was to dominate the market by packaging it with Windows, and once that was completed, they simply stopped caring about IE. They haven't updated it in over two years, and its competitors have added all sorts of useful features in the meantime. And now that these bugs have been exposed and nothing is being done about it, it's time for people to move on to using other browsers - permanently. If people aren't convinced by the merits of other browsers, maybe they'll be convinced when their "tried and true IE" allows them to be scammed/defrauded.
Cyde Weys Musings - Scrutinizing the inscrutable
There are times when I wonder if Microsoft isn't purposely trying to get everybody on the Net own3d.
I mean, what kind of frikkin' bug would make an executable link pretend to be something else? If I believed in conspiracy theories, I'd swear it was deliberate.
Gifts for Geeks - Stuff that really matters!
Gates also explained "To say a system is secure because no one is attacking it is very dangerous," and proposed that "hackers are good for maturation" of the platform, because they have forced the company to develop new inspection techniques for the code.
Of course, virus writers are getting lazy now. According to Microsoft software architect Chris Anderson, "Today, virus writers don't find holes," he said. "They just sit back and wait for patches to appear, and then it is a race to write the first virus. We want to get patch deployment down from days or weeks to hours."
in fact it is an HTML executable file.
Maybe I'm behind the times, could someone explain precisely what they mean by an HTML executable file? That doesn't make sense to my "HTML is plain text" portion of knowledge.
Believe it or not, but many people have a use for http://username:password@domain links, especially in bookmarks. Perfectly secure on a computer used by one person :)
Microsoft is deprecating the use of "@" in URLs.
The popularity of IE is about to drop sharply as the entire XXX-site-password-hacking community finds their reliable tricks no longer work.
Should knock MS's browser marketshare down 10-15% just from that alone.
The difference is that they actually patch sendmail and SSH for the security problems found...in the MSIE case, a number of problems have yet to be patched (so here comes the other usual response...did you actually read the article??)
This appears to use the MS CLSID as the target. To find the CLSID for any file type, simply look in the windows registry in HKEY_CLASSES_ROOT. If you attach the CLSID to the end of the filename, windows will hide this from you completely. Thus, if you request a file iloveyou.vbs.txt.{5e941d80-bf96-11cd-b579-08002b30bfeb} - it will show up as a text file. Other holes would allow the web site to hide the .exe, vbs, etc part of the file name. In the past, the workaround for this was the big IE warning that you were downloading a harmful file... however this is now undermined.
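A defensive check for the trick described in the comment above, as an added example that is not part of the original thread: it flags download or attachment names that end in a class-id suffix and reports what the user would be shown once the suffix is hidden. The function name and the deny-list of extensions are assumptions made for illustration.

```python
import re

# A trailing ".{8-4-4-4-12 hex}" class-id suffix, the part the shell hides.
CLSID_SUFFIX = re.compile(
    r"\.\{([0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12})\}$", re.IGNORECASE
)
# Assumed deny-list: the types named in this thread plus common script types.
RISKY_EXTS = {"exe", "vbs", "hta", "scr", "js", "bat", "cmd", "pif"}


def inspect_filename(name):
    """Report class-id suffixes and buried script extensions in a filename."""
    findings = {"clsid": None, "displayed_as": name}
    match = CLSID_SUFFIX.search(name)
    if match:
        findings["clsid"] = match.group(1).lower()
        # What remains visible once the class-id suffix is hidden.
        findings["displayed_as"] = name[: match.start()]
    exts = [e.lower() for e in findings["displayed_as"].split(".")[1:]]
    findings["risky_exts"] = [e for e in exts if e in RISKY_EXTS]
    # A script extension followed by a harmless-looking final extension.
    buried = bool(findings["risky_exts"]) and exts[-1] not in RISKY_EXTS
    findings["masquerading"] = match is not None or buried
    return findings


if __name__ == "__main__":
    samples = [
        # Filename quoted in the comment above.
        "iloveyou.vbs.txt.{5e941d80-bf96-11cd-b579-08002b30bfeb}",
        # Constructed samples for comparison.
        "report.pdf",
        "setup.exe",
    ]
    for sample in samples:
        print(sample, "->", inspect_filename(sample))
```

A mail gateway or download proxy can apply the same test to `Content-Disposition` filenames before the file reaches a desktop.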
for every person who constantly bitches about "pop-ups" or something messing up my computer related to IE. I'd retire. All I say is go to mozilla.org and leave me the hell alone.
I guess being a computer professional is like being a doctor. Everyone asks you anything related to your field regardless of the situation (ie, dinner, getting dental work done, ...). I try to explain I'm a $100/hour (yes, outsourcing is my fault) contract software engineer. If you want me to reinstall your OS, Drivers, Applications and backup your data that will be about 6-8 hours (assuming they have any legit install disks) and roughly $600 to $800 total. They usually quit calling after that.
It's like calling a mechanical engineer to change your fucking tire. Figure it out, it isn't that hard.
There's a couple other inconsistencies - if you do use "Save as" the filename appears to be PDF, but the filetype pre-filter (which is set to the type of file that you're downloading) is "HTML files". Interestingly, in the "open or save" dialog, the file type is blank.
I'd just like to take this time to slap microsoft for adding yet another way of associating files with applications to piss us all off. We already had enough issues with contradicting file extensions and mime types.
It appears that Mozilla is only partially safe from this type of bug. When I went to the test page it still showed up as being a pdf in the filename field but identified as a html file. It then asked me what I wanted to do and defaulted to "open with mozilla firebird". This bug may be bigger than reported.
Mozdev has some tips about completely disabling IE, even in other applications.
What's left: "MSIE Hole".
Still left: "MSIE"
As most serious security problems affect MSIE, it can be omitted as well. The least redundant informative headline would be:
.HTA file. Another WONDERFUL idea by Microsoft, where IE's HTML parser is given permission to execute pretty much anything it wants, and then you use HTML and Javascript to write the equivalent of GUI batch files.
Cool idea in the right hands, but here it's a disaster waiting to happen.
-Hentai [in vita non pacem est]
Quote from the article:
"The possibilities are endless, and since both spoof issues appear to be unfixable, it must surely place a big question mark over Explorer's viability as a browser."
They claim that this bug appears to be unfixable while not really providing evidence to support the claim other than implying that if it was indeed fixable Microsoft would have fixed it already.
Is this just FUD?
For the love of god I'm sick of patching. Thankfully we are using Microsoft Software Update Services which I highly recommend for automating your MS patching needs. (Hey it's free and works)
That is not the nature of the vulnerability. IE displays a dialog saying "You are downloading the file:" followed by the filename. That is where the spoofed filename is displayed. The danger is that, if you are expecting, for example, a PDF which you won't want to keep, you will just click "Open", expecting it to start Acrobat Reader. However, once the file is downloaded, its real filename is that of an executable, which runs merrily away, doing whatever it wishes.
It's got nothing to do with mime types.
Using HTML in email is like putting sound effects on your phone calls. Just say <strong>no</strong>.
Q: How many Microsoft engineers does it take to change a light bulb?
A: They don't, they just redefine darkness as the new standard.
Irritable, left-wing and possibly humorous bumper stickers and t-shirts
Another Silly Software Hole.
Boxen? Do you also hunt foxen?
It always does. We've been thru dozens of these 'devastating' quality issues and the victims just queue up at Local Computer Store to buy another one. That's why they keep legions of hungry microsoftie out there to clean up after the latest worm du jour, meanwhile the gazillionaire will be awarded a Nobel Peace prize or something. I mean, cheezus, it's only software - it's not like people are getting killed in poor quality cars or anything. Everybody knows you should backup important data anyway so just chill out and obey old your pc overlords.
try { do() || do_not(); } catch (JediException err) { yoda(err); }
Convince the IT manager to let you demo Mozilla for them. Use the Windows skin, and whatever plugins you wish to make it as IE-like as possible.
Assuming you convince the manager, continue on with testing Mozilla for compatibility with every critical bit of software the company needs.
If that works, take the results of your exhaustive tests, add in a report on what problems you're solving by abandoning IE, and get the IT manager to sell it to the Director.
Now, once the Director makes it policy, you can force the rollout on the users.
This doesn't work with friends and family, of course, but I am involved in this very process right now at a client site where they are getting quite fed up with security advisories, but aren't ready to move from the Windows OS yet. If I win with Mozilla, I'm trying OpenOffice next.
Just fucking great. Instead of actually fixing the problem, they just told RFC 2396 (which is based on the ten year-old RFC 1738 and officially endorsed by the HTTP standard) to fuck itself and called it a day. And in the meantime, they recommend that users not click any links at all.
Just amazing that this is what we have to deal with.
The best counter argument to the 'but it's only because MS has a bigger market share than your luser OS' is Apache. Apache is much more popular than IIS (as you can verify with a trip to netcraft), but SANS has more IIS incidents than Apache incidents. Both servers have vulnerabilities and sites can be defaced with either server. But IIS is the more vulnerable. Why is that?
Think global, act loco
Yep, but if you read the Microsoft KB article, you'll see that, as usual, they are using a full sheet of sheetrock to fix a pinhole. Instead of patching Internet Explorer 5.x and 6.x to show the full URL with the "@" sign in it, they're just removing the ability to have an http:// or https:// link with the @ completely. That's not a fix, it's a farce. If they were really concerned about what their customers need, they would simply filter the URL and remove any strange control characters before the @ sign and ALWAYS SHOW THE FULL URL.
(Of course, I'm being completely obvious here to the SlashDot crowd...)
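The filtering idea from the comment above, sketched as an added example that is not part of the original thread: given a link, it separates the userinfo from the host the browser will actually contact and lists any control characters, raw or percent-encoded, that sit before the "@". The function name and the sample URLs (reserved example domains and addresses) are constructed for illustration.

```python
from urllib.parse import urlsplit, unquote


def audit_link(href):
    """Describe where an http(s) link really goes and what precedes the '@'."""
    parts = urlsplit(href)
    # Everything before the last '@' in the authority is userinfo, not the host.
    userinfo, at, hostport = parts.netloc.rpartition("@")
    decoded = unquote(userinfo)
    control = sorted(
        {f"0x{ord(c):02x}" for c in decoded if ord(c) < 0x20 or ord(c) == 0x7F}
    )
    return {
        "real_host": parts.hostname,
        "has_userinfo": bool(at),
        # A dotted "username" is a hint that it is dressed up as a hostname.
        "userinfo_looks_like_host": bool(at) and "." in decoded.split(":")[0],
        "control_chars": control,
        # The destination with the userinfo stripped, for display to the user.
        "destination": f"{parts.scheme}://{hostport}{parts.path}",
    }


if __name__ == "__main__":
    samples = [
        # Constructed: control character hidden before the '@'.
        "http://www.trusted.example%01@203.0.113.7/login.html",
        # Constructed: ordinary credentials-in-URL bookmark.
        "http://alice:secret@intranet.example/",
        # Constructed: plain link with no userinfo.
        "https://www.example.org/docs",
    ]
    for sample in samples:
        print(sample, "->", audit_link(sample))
```

Links with `control_chars` set, or with `userinfo_looks_like_host` true, are the ones worth blocking or rewriting; the bookmark-style link is reported but not flagged as a lookalike.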
That is the old Nimda eml file exploit, which has been fixed in IE and Outlook. This exploit is harder to fix. This has to do with Windows COM and that components contain a class id or guid that identifies what type of file it is. Also in this case it is an html executable or .hta file not an exe, IE can't run an exe as a component. It has nothing to do with the mime type.
Of course you would get this from reading the article. Now how you got the high rating is another issue. I guess it is true nobody here actually reads the article. Hell I'm going back to fark.