Another Serious MSIE Hole

pjrc writes "Infoworld is reporting another new security hole that allows links to executable files to appear to be any other type of file, such as text or pdf. When combined with a previously reported spoofing bug, that Microsoft still hasn't fixed, Infoworld claims the result could be 'devastating'"

The Demo

[trp642]

A little demo for those still using IE...

Re:The Demo

[RoLi]

The question is rather: "Why do Microsoft-sponsored TCO-studies never include the cost of viruses, worms, security holes and/or countermeasures against viruses, worms and security holes?"

Re:The Demo

[fizbin]

Because Microsoft's market share guarantees that a disproportionate amount of viruses and worms will target their OS as opposed to some loser linux freak with an old 486 linux server in his mom's basement. The cost of these things is therefore irrelevant to the actual OS.

And by the same logic, the cost of getting system administrators for Linux systems, or the availability of Linux software for specialized commercial needs, also both things driven purely (or at least largely) by Microsoft's market share, is "irrelevant to the actual OS". What's left then for a TCO study? The price of a boxed OS CD set? The price of necessary hardware?

It's really bending over backwards to include in a TCO study the benefits of going with the same OS most of the desktop world is running while at the same time deliberately excluding the costs of using the same system most virus/worm writers target. Lauding the beneficial network effects while declaring the harmful network effects out of the scope of the study is just dishonest.

In other words,...

[burgburgburg]

it's Wednesday.

Hmmmm...

[instantkarma1]

Wasn't good ol' Bill just extolling the virtues of Windows Security in comparison to other 'unnamed' operating systems the other day?

Would you like some more pie, Bill?

Re:Hmmmm...

[eclectro]

Wasn't good ol' Bill just extolling the virtues of Windows Security in comparison to other 'unnamed' operating systems the other day?

He was busy being "knighted"

very simple fix...

[mike77]

Anyone can do it.

DON'T use IE!

this will show them

[atari2600]

A demonstration of the hole is currently on security company Secunia's website and demonstrates that if you click on a link, and select "Open" it purports to be downloading a pdf file whereas in fact it is an HTML executable file.

Haha this will show them - i am downloading the latest patch from www.mikerowesoft.com - m defen is str..o..noo!!..hel..elp

Microsoft says: Don't click URLs anymore...

[jea6]

"The most effective step that you can take to help protect yourself from malicious hyperlinks is not to click them. Rather, type the URL of your intended destination in the address bar yourself. By manually typing the URL in the address bar, you can verify the information that Internet Explorer uses to access the destination Web site. To do so, type the URL in the Address bar, and then press ENTER."

Find that hard to believe? http://support.microsoft.com/default.aspx?scid=kb; [ln];833786. Remember, type, don't click.

Re:Microsoft says: Don't click URLs anymore...

[StringBlade]

Sure, but what "normal" user is going to type in a 300 character URL from an email or website link?

<http://www.lsp.steelpharm64v.com/host/index.asp?I D=019102309840v0h0293jf8o998239p8valiu23nf8qoa8329 nor87fahl9w8n4fl98q2l938nf97va0283p97thrl9q274g >

Yeah right.

HyperText Markup Language was created in part to *link* documents quickly (i.e. so the user doesn't have to type in the document location manually). If we're supposed to just give up hyperlinks, why not just kiss the World Wide Web goodbye?

From the article

[nate1138]

From the article text:

Doom worm currently reeking havoc across the globe.

So it's a smelly worm? Or are they trying to say that Windows stinks?

But, but, but Bill said...

[Space+cowboy]

... that Windows is far more secure than Linux or OSX because it gets tested so many more times out there in the wild..

[Editors note: replace 'tested' with 'tested and found wanting']

Simon.

No more dangerous than normal.

[doublem]

As MyDoom is showing, hackers don't need an exploit to spread. The social engineering is still more than enough to spread.

This is a cute vector that can be used to take in another 10% of users, but since it looks like most of them will run any attachment you send them anyway, it's a moot point.

A few years back, I coded an app and e-mailed it to all our users. The message came "from" the company owner and said "This is a virus, you will destroy all the data you have access to if you run this file."

If they ran the file, it sent me a message with their computer name, username and other details.

About 80% of the users ran it.

I lost all faith in the human race that day.

I don't think MS cares anymore

[Ignorant+Aardvark]

I really don't think Microsoft cares any more. They certainly don't care about the security of their customers. I supposed their objective with IE was to dominate the market by packaging it with Windows, and once that was completed, they simply stopped caring about IE. They haven't updated it in over two years, and its competitors have added all sorts of useful features in the meantime. And now that these bugs have been exposed and nothing is being done about it, it's time for people to move on to using other browsers - permanently. If people aren't convinced by the merits of other browsers, maybe they'll be convinced when their "tried and true IE" allows them to be scammed/defrauded.

According to Bill, this is a good thing

[burgburgburg]

While at a Longhorn Developers conference in London, Bill explained that ""A high-volume system like (Windows) that has been thoroughly tested will be by far the most secure," than it's low-attack competitors like Mac OS X and Linux.

Gates also explained "To say a system is secure because no one is attacking it is very dangerous," and proposed that "hackers are good for maturation" of the platform, because they have forced the company to develop new inspection techniques for the code.

Of course, virus writers are getting lazy now. According to Microsoft software architect Chris Anderson, "Today, virus writers don't find holes," he said. "They just sit back and wait for patches to appear, and then it is a race to write the first virus. We want to get patch deployment down from days or weeks to hours."

Re:Here it comes...

[Incongruity]

Let's bash the shit out of MS. In fact, you can do that while installing the 35th sendmail patch this week. Or the 54th SSH. Or the... (etc etc) Whatever makes you feel less like an angry hate monger :)

The difference is that they actually patch sendmail and SSH for the security problems found...in the MSIE case, a number of problems have yet to be patched (so here comes the other usual response...did you actually read the article??)

Exploit

This appears to use the MS CLSID as the target. To find the CLSID for any file type, simply look in the windows registry in HKEY_CLASSES_ROOT. If you attach the CLSID to the end of the filename, windows will hide this from you completely. Thus, if you request a file iloveyou.vbs.txt.{5e941d80-bf96-11cd-b579-08002b30 bfeb} - it will show up as a text file. Other holes would allow the web site to hide the .exe, vbs, etc part of the file name. In the past, the workaround for this was the big IE warning that you were downloading a harmful file... however this is now undermined.

If I had a dollar

[BoomerSooner]

for every person who constantly bitches about "pop-ups" or something messing up my computer related to IE. I'd retire. All I say is go to mozilla.org and leave me the hell alone.

I guess being a computer professional is like being a doctor. Everyone asks you anything related to your field regardless of the situation (ie, dinner, getting dental work done, ...). I try to explain I'm a $100/hour (yes, outsourcing is my fault) contract software engineer. If you want me to reinstall your OS, Drivers, Applications and backup your data that will be about 6-8 hours (assuming they have any legit install disks) and roughly $600 to $800 total. They usually quit calling after that.

It's like calling a mechanical engineer to change your fucking tire. Figure it out, it isn't that hard.

Re:If I had a dollar

[planetmn]

Why is it that a lot of people here don't know how to do a nice thing for somebody.

If my in-laws computer needs some work, next time I am over there, I'll take a look at it, or try to help over the phone, it takes all of what, maybe 20 minutes.

My uncle owns a small business, if I can save him some money by making recommendations for him or giving him some free tech-support, great.

If you're nice to somebody, they are going to be nice to you, believe me, in the end, it's a wash.

Plus, life is too short to be an asshole all of the time.

-dave

Re:If I had a dollar

[Luscious868]

I guess being a computer professional is like being a doctor. Everyone asks you anything related to your field regardless of the situation (ie, dinner, getting dental work done, ...). I try to explain I'm a $100/hour (yes, outsourcing is my fault) contract software engineer. If you want me to reinstall your OS, Drivers, Applications and backup your data that will be about 6-8 hours (assuming they have any legit install disks) and roughly $600 to $800 total. They usually quit calling after that.

You hit the nail on the head there brother. I'm so sick and tired of people that I barely know calling me when their computer breaks asking for help. It always turns into a friggin 2 - 6 hour event. You know the routine. Uninstalling all the crap that people have downloaded. "Hey, let's install this cool looking Bonzi Buddy thingy, what can it hurt?". The idiots should be shot. Removing spyware, removing the 80 virues that have found there way onto the system. "Hey look at this funny attachment, it's called 'Dont Open Me I'm a Fucking Virus and I'll Fuck Up Your Computer.exe' why don't I open it and see what happens. Maybe it's a funny joke or something."

I think I'm going to start telling people that I work for the post office and I'm currently taking court ordered anger management classes. That will shut them the fuck up real quick.

Re:If I had a dollar

[Phenris+Wolfe]

You don't get used as free tech support by a lot of people, do you? I for one know that certain members of my family, and certain "friends" of mine will probably be calling me for the first time since the blaster worm thanks to MyDoom or whatever it is. They don't have time for me except when their computer goes to hell. Surely I'm not the only one here....

Re:If I had a dollar

[GMFTatsujin]

I work for Local University (TM) at the medical library, which handles tech support for the campus. With the recent outbreak of the worm of the day, I've taken it upon myself to create a web page for our users on best computing practices. I'm still putting it together, so mostly it's just getting blocked out for structuring the content.

Here's one of the sections that I wrote more out of catharsis than actual informative intent. It certainly won't make the web, but it got my point across.

Don't Put Strange Things in Your Mouth

It doesn't take fancy book-learnin' to catch on when you recieve an emailed attachment that you didn't ask for -- especially when it starts turning up from lots of different addresses in a short period of time. Opening an unrequested email attachment is about as hygenic as chewing on a urinal cake, and you should know better. That means you, Doctor Six-Years-in-Medical-School.

Re:If I had a dollar

[StringBlade]

I do a lot of free tech support for friends and family. However, I take the time to educate them on what not to do and give them the tools they need to help protect themselves.

For example, when I find someone is prone to visiting lots of websites with "fun stuff" to download and play with (such as card-making programs and other crap like that) I find oodles of spyware and adware on their computer bogging it down. I explain to them that the sites they visit and the software they're downloading in installing this junk on their computer and that's why it's slow. Refraining from downloading these things will help prevent this in the future.

Additionally I give them:

• Spybot Search & Destroy
• Mozilla Firebird

and make sure their AV software (which most have) is up-to-date.

Finally, for the worst offenders, after giving them tips (writing them down even) and explaining it over and over again, I limit them to 5 - 10 fixes. After that, they cannot ask me for help unless it's a completely different problem (if I find it's the same old same old, I leave and tell them to fix it).

You can be nice, but you don't have to be a pushover. Developing a methodology for helping others simplifies the process and helps alleviate the frustration on a case-by-case basis.

As much as we all hate cliches sometimes they apply: Give a man a fish and he is not hungry for a day; teach a man to fish and he is not hungry for a lifetime

...or the other less well known proverb: Give a man a blanket and he is warm for a night; set him on fire and he is warm for the rest of his life. :-)

Re:If I had a dollar

[Afrosheen]

You're exactly right.

When enough people get to know you as the local computer guy, you'll get phone calls, visits, you name it. People will expect it to be free by default unless you set a price. Make it fair but worth your time.

Anyone on here bitching about 'feeling obligated' to provide 'free support', stop bitching. It's your own fault it's free. Charge a price. Believe it or not people are willing to pay their friends a reasonable fee, even if it's not cash. Tell them to rent a movie for you and bring it over, or bake a cake, or get a six pack of Guinness, whatever. I have a big box of Krispy Kreme sitting here from a friend of mine that needed spyware removed yesterday.

Once you get people trained to think that indeed, your time and expertise are worth something, you won't even have to make requests. People will open their wallets or bring you stuff automatically.

Don't let your passive-aggressive geek nature leave you with regrets or feeling used. Assert yourself.

Mozilla Firebird

[Peredur]

It appears that Mozilla is only partially safe from this type of bug. When I went to the test page it still showed up as being a pdf in the filename field but identified as a html file. It then asked me what I wanted to do and defaulted to "open with mozilla firebird". This bug may be bigger than reported.

Not that simple

[blorg]

I use Opera myself and absolutely detest IE, but that doesn't help with the fact that IE is embedded in both the OS and very many other products - Outlook is an obvious example, but there are countless others, such as Winamp's minibrowser. It's very easy for developers to embed IE (e.g. the MSHTML control) in a product.

Mozdev has some tips about completely disabling IE, even in other applications.

Redundant headline

[DocSnyder]

"Another Serious MSIE Hole" could be shortened a bit:

• Another - unnecessary.
• Serious - less serious holes don't get any attention.

What's left: "MSIE Hole".

• Hole - what else?

Still left: "MSIE"

As most serious security problems affect MSIE, it can be omitted as well. The least redundant informative headline would be:

• ""

Re:wtf is an HTML executable?

[Hentai]

.HTA file. Another WONDERFUL idea by Microsoft, where IE's HTML parser is given permission to execute pretty much anything it wants, and then you use HTML and Javascript to write the equivalent of GUI batch files.

Cool idea in the right hands, but here it's a disaster waiting to happen.

So, is this really unfixable?

[ru-486]

Quote from the article:

"The possibilities are endless, and since both spoof issues appear to be unfixable, it must surely place a big question mark over Explorer's viability as a browser."

They claim that this bug appears to be unfixable while not really providing evidence to support the claim other than implying that if it was indeed fixable Microsoft would have fixed it already.

Is this just FUD?
For the love of god I'm sick of patching. Thankfully we are using Microsoft Software Update Services which I highly recommend for automating your MS patching needs. (Hey it's free and works)

New Acronym: "A.S.S. Hole"

[tds67]

Another Silly Software Hole.

Oh, it'll all blow over...

[ch-chuck]

It always does. We've been thru dozens of these 'devestating' quality issues and the victims just queue up at Local Computer Store to buy another one. That's why they keep legions of hungry microsoftie out there to clean up after the latest worm de jour, meanwhile the gazillionair will be awarded a Nobel Peace prize or something.I mean, cheezus, it's only software - it's not like people are getting killed in poor quality cars or anything. Everybody knows you should backup important data anyway so just chill out and obey old your pc overlords.

Re:small detail, slightly OT

[shfted!]

Okay, you have a file, called trojan.exe on the webserver. You make a link in the html to link to "trojan.exe". Then you configure the web-server to tell the web browser that the mime-type (a way to indentify the content of the file) of trojan.exe is "text/html". IE sees "text/html" and says "ahh! I know what to do! Open this!", thinking it's a webpage. IE then looks at the file and says "ahh! This file ends in .exe! I know how to open this!" and executes the file. The user is thusly infected ;)

Of course, there is no prompt: who wants to see a prompt every time they navigate to another page on the web? And who wants to see a prompt every time they double-click an executable file in Explorer?