Slashdot Mirror


Another Serious MSIE Hole

pjrc writes "Infoworld is reporting another new security hole that allows links to executable files to appear to be any other type of file, such as text or pdf. When combined with a previously reported spoofing bug, that Microsoft still hasn't fixed, Infoworld claims the result could be 'devastating'"

19 of 731 comments

  1. The Demo by trp642 · · Score: 5, Informative

    A little demo for those still using IE...

    1. Re:The Demo by RoLi · · Score: 5, Insightful
      The question is rather: "Why do Microsoft-sponsored TCO-studies never include the cost of viruses, worms, security holes and/or countermeasures against viruses, worms and security holes?"

  2. In other words,... by burgburgburg · · Score: 5, Funny
    it's Wednesday.

  3. Hmmmm... by instantkarma1 · · Score: 5, Insightful

    Wasn't good ol' Bill just extolling the virtues of Windows Security in comparison to other 'unnamed' operating systems the other day?

    Would you like some more pie, Bill?

  4. this will show them by atari2600 · · Score: 5, Funny

    A demonstration of the hole is currently on security company Secunia's website and demonstrates that if you click on a link, and select "Open" it purports to be downloading a pdf file whereas in fact it is an HTML executable file.

    Haha this will show them - i am downloading the latest patch from www.mikerowesoft.com - m defen is str..o..noo!!..hel..elp

  5. Microsoft says: Don't click URLs anymore... by jea6 · · Score: 5, Interesting

    "The most effective step that you can take to help protect yourself from malicious hyperlinks is not to click them. Rather, type the URL of your intended destination in the address bar yourself. By manually typing the URL in the address bar, you can verify the information that Internet Explorer uses to access the destination Web site. To do so, type the URL in the Address bar, and then press ENTER."

    Find that hard to believe? http://support.microsoft.com/default.aspx?scid=kb; [ln];833786. Remember, type, don't click.

    --

    sarchasm: The gulf between the author of sarcastic wit and the person who doesn't get it.

  6. No more dangerous than normal. by doublem · · Score: 5, Interesting

    As MyDoom is showing, hackers don't need an exploit to spread. The social engineering is still more than enough to spread.

    This is a cute vector that can be used to take in another 10% of users, but since it looks like most of them will run any attachment you send them anyway, it's a moot point.

    A few years back, I coded an app and e-mailed it to all our users. The message came "from" the company owner and said "This is a virus, you will destroy all the data you have access to if you run this file."

    If they ran the file, it sent me a message with their computer name, username and other details.

    About 80% of the users ran it.

    I lost all faith in the human race that day.

    --
    "Live Free or Die." Don't like it? Then keep out of the USA

  7. I don't think MS cares anymore by Ignorant+Aardvark · · Score: 5, Insightful

    I really don't think Microsoft cares any more. They certainly don't care about the security of their customers. I suppose their objective with IE was to dominate the market by packaging it with Windows, and once that was completed, they simply stopped caring about IE. They haven't updated it in over two years, and its competitors have added all sorts of useful features in the meantime. And now that these bugs have been exposed and nothing is being done about it, it's time for people to move on to using other browsers - permanently. If people aren't convinced by the merits of other browsers, maybe they'll be convinced when their "tried and true IE" allows them to be scammed/defrauded.

  8. Re:Here it comes... by Incongruity · · Score: 5, Informative
    Let's bash the shit out of MS. In fact, you can do that while installing the 35th sendmail patch this week. Or the 54th SSH. Or the... (etc etc) Whatever makes you feel less like an angry hate monger :)

    The difference is that they actually patch sendmail and SSH for the security problems found...in the MSIE case, a number of problems have yet to be patched (so here comes the other usual response...did you actually read the article??)

  9. Exploit by Anonymous Coward · · Score: 5, Informative

    This appears to use the MS CLSID as the target. To find the CLSID for any file type, simply look in the windows registry in HKEY_CLASSES_ROOT. If you attach the CLSID to the end of the filename, windows will hide this from you completely. Thus, if you request a file iloveyou.vbs.txt.{5e941d80-bf96-11cd-b579-08002b30bfeb} - it will show up as a text file. Other holes would allow the web site to hide the .exe, vbs, etc part of the file name. In the past, the workaround for this was the big IE warning that you were downloading a harmful file... however this is now undermined.
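    The comment above describes how a trailing CLSID component hides the real extension from the user. Below is an added example (not from the original thread or from any Microsoft code) of the check a mail gateway or download filter would run on a filename: it strips a trailing `{GUID}` component, lists the extension chain that remains, and flags CLSID suffixes, double extensions and executable types. The sample filenames and the list of executable extensions are constructed for the example.

```python
"""Detect the CLSID-suffix / double-extension filename trick from the
comment above and report what a filter should see.  Added example with
constructed sample names; EXECUTABLE_EXTS is an assumed policy list."""
import re

# A trailing "{8-4-4-4-12 hex}" component, optionally preceded by a dot.
CLSID_SUFFIX = re.compile(
    r"\.?\{[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-"
    r"[0-9a-fA-F]{4}-[0-9a-fA-F]{12}\}$"
)

# Extensions a filter treats as executable content (assumed policy list,
# not an exhaustive or official one).
EXECUTABLE_EXTS = {
    "exe", "com", "bat", "cmd", "vbs", "vbe", "js", "jse",
    "wsf", "wsh", "hta", "scr", "pif", "msi",
}


def strip_clsid(name):
    """Return (name_without_clsid, clsid) where clsid is None if absent."""
    m = CLSID_SUFFIX.search(name)
    if not m:
        return name, None
    return name[:m.start()], m.group(0).lstrip(".")


def analyze(name):
    """Classify one filename and return a dict describing what was found."""
    bare, clsid = strip_clsid(name)
    parts = bare.split(".")
    # Every component after the first is treated as an extension.
    exts = [p.lower() for p in parts[1:]] if len(parts) > 1 else []
    findings = []
    if clsid:
        findings.append("clsid-suffix")       # hidden trailing component
    if len(exts) > 1:
        findings.append("double-extension")   # e.g. .vbs.txt
    if any(e in EXECUTABLE_EXTS for e in exts):
        findings.append("executable-extension")
    return {
        "name": name,
        "displayed_as": exts[-1] if exts else "",  # what the user would see
        "extensions": exts,
        "clsid": clsid,
        "findings": findings,
        "suspicious": bool(findings),
    }


def scan(names):
    """Return the names from an iterable that trip at least one finding."""
    return [n for n in names if analyze(n)["suspicious"]]


# Constructed sample input: one benign name, one disguised script, one
# plain text file with only a CLSID suffix attached.
SAMPLE_NAMES = [
    "quarterly-report.pdf",
    "iloveyou.vbs.txt.{5e941d80-bf96-11cd-b579-08002b30bfeb}",
    "notes.txt.{5e941d80-bf96-11cd-b579-08002b30bfeb}",
]

if __name__ == "__main__":
    for n in SAMPLE_NAMES:
        r = analyze(n)
        print(f"{n!r}: displayed as .{r['displayed_as'] or '?'}, "
              f"findings={r['findings']}")
```

    The check deliberately flags a CLSID suffix on its own, even when the remaining extension is harmless, because a filename carrying a hidden handler component has no legitimate reason to arrive by mail or download.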

  10. If I had a dollar by BoomerSooner · · Score: 5, Funny

    for every person who constantly bitches about "pop-ups" or something messing up my computer related to IE. I'd retire. All I say is go to mozilla.org and leave me the hell alone.

    I guess being a computer professional is like being a doctor. Everyone asks you anything related to your field regardless of the situation (ie, dinner, getting dental work done, ...). I try to explain I'm a $100/hour (yes, outsourcing is my fault) contract software engineer. If you want me to reinstall your OS, Drivers, Applications and backup your data that will be about 6-8 hours (assuming they have any legit install disks) and roughly $600 to $800 total. They usually quit calling after that.

    It's like calling a mechanical engineer to change your fucking tire. Figure it out, it isn't that hard.

    1. Re:If I had a dollar by planetmn · · Score: 5, Insightful

      Why is it that a lot of people here don't know how to do a nice thing for somebody?

      If my in-laws' computer needs some work, next time I am over there, I'll take a look at it, or try to help over the phone, it takes all of what, maybe 20 minutes.

      My uncle owns a small business, if I can save him some money by making recommendations for him or giving him some free tech-support, great.

      If you're nice to somebody, they are going to be nice to you, believe me, in the end, it's a wash.

      Plus, life is too short to be an asshole all of the time.

      -dave

      --
      /., where "Apple and Google provide Iran with nukes" will be refuted with "But Microsoft is a convicted monopolist"

    2. Re:If I had a dollar by Luscious868 · · Score: 5, Funny
      I guess being a computer professional is like being a doctor. Everyone asks you anything related to your field regardless of the situation (ie, dinner, getting dental work done, ...). I try to explain I'm a $100/hour (yes, outsourcing is my fault) contract software engineer. If you want me to reinstall your OS, Drivers, Applications and backup your data that will be about 6-8 hours (assuming they have any legit install disks) and roughly $600 to $800 total. They usually quit calling after that.

      You hit the nail on the head there brother. I'm so sick and tired of people that I barely know calling me when their computer breaks asking for help. It always turns into a friggin 2 - 6 hour event. You know the routine. Uninstalling all the crap that people have downloaded. "Hey, let's install this cool looking Bonzi Buddy thingy, what can it hurt?". The idiots should be shot. Removing spyware, removing the 80 viruses that have found their way onto the system. "Hey look at this funny attachment, it's called 'Dont Open Me I'm a Fucking Virus and I'll Fuck Up Your Computer.exe' why don't I open it and see what happens. Maybe it's a funny joke or something."

      I think I'm going to start telling people that I work for the post office and I'm currently taking court ordered anger management classes. That will shut them the fuck up real quick.

    3. Re:If I had a dollar by Phenris+Wolfe · · Score: 5, Insightful

      You don't get used as free tech support by a lot of people, do you? I for one know that certain members of my family, and certain "friends" of mine will probably be calling me for the first time since the blaster worm thanks to MyDoom or whatever it is. They don't have time for me except when their computer goes to hell. Surely I'm not the only one here....

    4. Re:If I had a dollar by GMFTatsujin · · Score: 5, Funny
      I work for Local University (TM) at the medical library, which handles tech support for the campus. With the recent outbreak of the worm of the day, I've taken it upon myself to create a web page for our users on best computing practices. I'm still putting it together, so mostly it's just getting blocked out for structuring the content.

      Here's one of the sections that I wrote more out of catharsis than actual informative intent. It certainly won't make the web, but it got my point across.

      Don't Put Strange Things in Your Mouth

      It doesn't take fancy book-learnin' to catch on when you receive an emailed attachment that you didn't ask for -- especially when it starts turning up from lots of different addresses in a short period of time. Opening an unrequested email attachment is about as hygienic as chewing on a urinal cake, and you should know better. That means you, Doctor Six-Years-in-Medical-School.

  11. Not that simple by blorg · · Score: 5, Insightful
    I use Opera myself and absolutely detest IE, but that doesn't help with the fact that IE is embedded in both the OS and very many other products - Outlook is an obvious example, but there are countless others, such as Winamp's minibrowser. It's very easy for developers to embed IE (e.g. the MSHTML control) in a product.

    Mozdev has some tips about completely disabling IE, even in other applications.

  12. Redundant headline by DocSnyder · · Score: 5, Funny
    "Another Serious MSIE Hole" could be shortened a bit:

    • Another - unnecessary.
    • Serious - less serious holes don't get any attention.

    What's left: "MSIE Hole".

    • Hole - what else?

    Still left: "MSIE"

    As most serious security problems affect MSIE, it can be omitted as well. The least redundant informative headline would be:

    • ""

  13. Re:wtf is an HTML executable? by Hentai · · Score: 5, Informative

    .HTA file. Another WONDERFUL idea by Microsoft, where IE's HTML parser is given permission to execute pretty much anything it wants, and then you use HTML and Javascript to write the equivalent of GUI batch files.

    Cool idea in the right hands, but here it's a disaster waiting to happen.

    --
    -Hentai [in vita non pacem est]

  14. New Acronym: "A.S.S. Hole" by tds67 · · Score: 5, Funny

    Another Silly Software Hole.