Exploit Based On Leaked Windows Code Released
mischief writes "A post to Bugtraq from SecurityTracker.com reports an Internet Explorer 5 exploit that has been released based on the Win2K code leak: 'It is reported that a remote user can create a specially crafted bitmap file that, when loaded by IE, will trigger an integer overflow and execute arbitrary code.' Only affects IE 5 apparently, but still - it didn't take long!"
Oops... we just gave MS a chance to say keeping the source secret keeps flaws like this secret as well. :)
Anyway, I took a look, and decided that Microsoft is GAYER THAN AIDS.
When you break the law and possibly expose thousands of users to a root exploit, at least you could be politically correct about it.
"GAYER THAN AIDS", what the hell?
I hope they sue him..
bug-fixes and patches???? When the full force of this hits, you ain't seen nothing yet!
Just to those that couldn't get access to the source code. Some people with access before may have known about this for a while. Not that we'll ever know.
...if the code was open from the start, how long would this flaw have lasted?
If your theory is different from practice, then your theory is wrong.
Microsoft code must be so ridden with bugs to create an exploit in just a week.
Or maybe it is a ploy by Microsoft to force users to upgrade to XP
I for one am truly alarmed and cannot wait for Microsoft to start the repairs; but then again this is good news for MS programmers looking for OT.
You sir are a moron. It's bad that the source got out. It means "clean house" implementations of similar technologies could fall to the MSFT whoredom.
Tom
Someday, I'll have a real sig.
It was only 15% of the source code which leaked out, yet it will show MS in the weeks to come just how the Open Source community operates. I foresee them working overtime to provide updates to the numerous vulnerabilities which will arise due to the leaked code. This here is just one example. There were some what, 3 million lines of code in the leaked source. It is just a matter of time. Hopefully folks will report the vulnerabilities which they find, as opposed to exploiting them.
My Thoughts, Kyndig
How many issues would be resolved by simply using an alternate browser (mozilla for example)? I know this would not fix all of the problems but I am sure it would help some.
Actually I think that, if Microsoft doesn't lose its customer base to all the exploits found, it's going to make Microsoft stronger. Think about it, right now Microsoft is receiving the same kind of security review that makes OpenSource products so strong in the first place. Granted, it's coming at a very high cost, but their source code will have much fewer bugs when this is over.
They can if the tool you use to open them is ridiculously poorly designed and permits buffer overflow (i.e. IE).
"1. load int from char array
2. check int against sizeof(yourbuffer)
3. reject if greater
Not exactly a challenging task"
It all goes to the quality of the coder. This is just plain bad code. I learned how to write something to check these kinds of things in middle school.
Evolution or ID?
If you were to embed myDoom after the overflow area in the bitmap then when outlook opened the file using ie's render could one have my doom that didn't even need to have the end user open the file? It would just execute replicate, then piss people all to hell? For that matter could I include the windows equivalent of rm -rf / ?
There is nothing wrong with being gay. It's getting caught where the trouble lies.
My feeling is that, in the context of preventing attacks, it's bad. With Linux, discovery almost immediately leads to a fix cos it's the same volunteer community that does the finding and the fixing, but Microsoft doesn't let the Bugtraqs of this world help. It's going to buckle under the strain of too many bugs at once.
:)
Of course, from the point of view of converting everyone to Linux, this can only be a good thing
For the love of God, please learn to spell "ridiculous"!!!
Please...you might as well say that BSD is dead. Nobody is happy about all the ruckus that the whole affair is going to raise, but it's a little early to pronounce Microsoft dead.
-h-
So does that mean that all the users that use Outlook could also fall prey to this? Send out spam with an image and if the Outlook user has auto preview on, which they probably do, they now can be exploited by whatever code. That would be an interesting concept that would lead to a lot of trouble. Sure IE5 is old...but lots of people still use it.
No system is 100% secure be it Windows or Linux.
When people have access to the source they can more readily find exploitable mechanisms in your code. This is a GOOD thing because you want to know that your system is exploitable, how it is exploitable, and (which is the case in many open projects) how to prevent that exploit.
Any form of content (not just scripts and ActiveX controls) can be used to exploit a weakness in a system. A security strategy that involves simply filtering content is a weak one.
The open source community can be a powerful friend to any organization willing to take the chance on their code being available to others.
Whether it's finding exploits, bugs or whatever; anything that anyone does with it will eventually make Microsoft stronger. If it's a security problem they'll fix it. Maybe Microsoft is trying to capture open source developers and their free services; I don't know.
What I don't want to see is Microsoft making improvements on their product based on this experience. I don't want to see as much as two adjacent assembler instructions from it end up in Linux.
If you want to do something constructive, run the 2.6 kernel and start making the supporting software more secure. Don't waste your time supporting losers like Microsoft who demand your money up front and then deliver whatever crap they feel like.
Just ignore it!
"Can there be a Klein bottle that is an efficient and effective beer pitcher?"
You laugh, but I won't be the least bit surprised when this very logic finds its way to the receptive ears of less-than-tech-savvy corporate officers...
"Linux? Good god no, man! Didn't you see what happened when just a bit of the Microsoft source code got leaked? I thought you were up on these things!"
Obliteracy: Words with explosions
Is there any better way of Code Review by 'leaking' the source to the outside world. Seems MS likes this open-source model, but they need a back door to get to these benefits.
It would be a bit hard to admit:
"uhh, yes we do embrace open-source, but our business model is to protect our intellectual property", "recently our business model has been adapted to incorporate also the intellectual property of 3rd parties, also known as hackers", "the only way to do this legally is to put the FBI out on those folks which ensures that the code review can be reworded as 'theft' and will face the highest criminal punishment", "you know it's all terrorism and that kind of stuff", "It's terrorism on the American Capitalistic Marketing Model", "And we're going to nuke those hackers",
Probably without the approval of the United Nations
From Yahoo Financial: "For the six months ended 12/31/03, revenues rose 13% to $18.37 billion. Net income rose 7% to $4.16 billion. Results reflect increased demand for both desktop and server products, partially offset by a $1.48 billion stock option transfer charge."
Here's their financial statement.
You may dislike them. Pretending they're not successful is just ignorant. The source leak is a problem for them, but I doubt it'll have any serious repercussions much beyond this quarter.
Contrary to what a lot of people will be saying, the fact that there is already an exploit now that the code has leaked doesn't show that open source is a security risk. The opposite is true. It simply proves that the code being out in the open allows for risks to be found and fixed. So it's actually showing the benefits of open source.
Of course it is a totally different story if you are a hated monopoly and the main proponent of security by obscurity.
Why hasn't something like this already happened with Mozilla?
Answer: Mozilla's code is higher-quality because of open-source peer-review.
Do you think that the hackers that have been trying to embarrass Microsoft into fixing their old vulnerabilities finally said
"screw it then, THIS will teach Microsoft" ?
I don't know the meaning of the word 'don't' - J
It's very true that bounds checking errors are very easy to prevent but if you say it's sloppy programming to have errors like this in your code you either work in Java or .NET or you don't program at all. It's the price you pay for native compiled code and the main reason people are turning their backs on it.
When Microsoft declared security as their main goal IE5 was the current browser. IE6 has it fixed so they obviously went through their stuff to fix it.
It also shows that MS does their job.
Even for an IE hole, this is pretty severe - now worms just have to send HTML emails with an img tag that points to a specific bitmap and voila: anyone who uses an mshtml-based email client (including webmail) and hasn't updated for a while gets infected just by opening the message.
Sure, sooner or later Hotmail will stop showing BMPs in messages and issue a warning like "if you get a message, do not open it, but delete immediately", but hey, I bet the amount of worm emails in my Junk mailbox will increase drastically in the next couple of weeks.
Join the elite! Post at score:2! Ghostwheel is online.
He was right. Reading a bitmap has NOTHING to do with networking code.
Burn some Live CDs to hand out to friends, family, co-workers. Introduce them to Linux and warn them of the dangers of LOOKING AT IMAGES using Internet Explorer 5.0.
There are many good ones*. Personally I fell in love with the Knoppix 3.4 c't edition with the 2.6 kernel -- using it gave me my first experience of non-stuttering KDE with heavy loads, looping MP3s and lots of usable features (except detecting the Dell Inspiron 5150's on board WiFi -- not Centrino).
Pick several, spend a few bucks on good CD-R discs, make a nice label with "do exactly these steps" instructions on the label.
It's not about world domination, it's about stopping the thieving cracker spammers from gaining more zombie Windows boxes to do their bidding and ruin the Internet for the rest of us.
* start here:
http://www.google.com/search?q=live+cds+li
-- @rjamestaylor on Ello
yes, but that's assuming that everyone who finds a simple exploit like this one actually reports it. i can imagine that there'd be a number of black hats that will find and use these kind of exploits and not tell anyone how they did it.
but i am happy that this leak happened. it just shows that the code should be out for peer review from day one. security-by-obscurity is second only to security-by-telling-people-what-not-to-do. (e.g.: "don't open that door, there's valuable stuff in that room")
Maybe there is finally a chance to fix the pending CSS issues which haven't been fixed for years in IE, externally. Ah yes and PNG transparency might also be possible now :-)
Not everyone that looks at this code is going to be nice enough to tell the "good guys" about the exploits.
Instead, they will write and release exploits... leaving MS to find the particular code that is messed up.
--Phillip
Can you say BIRTH TAX
Being that the code leaked was Windows NT 4.0 and 2000 source codes, why are we seeing an issue with IE 5.0? Just goes to prove how close the browser was tied to the operating system.
On a cynical note, this only bolsters security through obscurity.
:) Didn't they originally claim they had fewer bugs than open source competition? With some 10% code or more leaked, there is quite a bit more worry about their own peer-review process or should I say lack of.
I wonder whether Microsoft will stick to their new policy of only releasing security updates once a month if there is a big flood of such full-disclosure bug reports. In a way it's the worst of all worlds. Enough of the source code is available for the black hats to give it a good going-over, but not enough that users can patch their system and recompile.
"'I pass the test,' she said. 'I will diminish, and go into the West, and remain Galadriel.'"
- JRR Tolkien.
It's getting the same kind of security review - but none of the feedback. No white hat wants to admit to MS that they've seen the code, and black hats wouldn't anyway. All this may end up doing is increasing the number of "submarine" exploits out there that hackers use for their own benefit, rather than making super-viruses that make the exploit famous.
Last post!
Granted, it's coming at a very high cost, but their source code will have much fewer bugs when this is over.
There is only one problem: the source code is illegal.
Most people who find and report bugs will probably never see this code, and if they do see it, they'll deny it. This means that most people looking at the source code for bugs are doing so for their own benefit.
It'd be very naive to believe that these black hats will release information about the bugs they found. In the case of this IE5 bug we can say that the guy who found it is probably a young fellow looking for m4d pr0pz.
IMO, this source leak is very bad for MS, for it will get the worst part of both the closed-source and open-source worlds. On one hand, every bad guy out there can, and will, see the code; on the other hand every white hat is legally and ethically forbidden to look at the source.
Unless MS is trying to pull an SCO, I can't imagine a worse scenario.
But this IE exploit shows that the author was wrong on at least one account.
Wrong. He was right. This particular IE exploit has been fixed; it only affects an old version of IE. And IE is free, so there's no real excuse for not upgrading it. If I found a bug in an older version of an open-source app, and filed a bug report on it despite the fact that it had been fixed AGES ago in a newer version, I think I would be told to shut the fuck up and upgrade with little or no delay.
Quality, performance, value; you get only two, and you don't always get to pick.
On the other hand, there are those of us that believe that all source code should be publicly available, and that looking at someone else's code does not constitute "theft" in any way.
Obfuscation :D
Well let me ask you this... look at this brick wall. Now tell me which one of the bricks is actually a rusty piece of metal that just looks like a brick.
It's pretty simple to see this bug now that we're looking right at it. And it obviously was not too hard to find when specifically looking for index-checking bugs. But it's even easier to let something like this slip when you're a tired microserf adding code at 4am trying to meet a deadline. And with the limited resources at Microsoft (huge as it is), that have to be divided into all the different parts of all the different software projects, it's really a hard sell to convince someone to look through all the gazillions of lines of code that have "Just Worked" in the past.
It's easy to judge, but since we really don't know the environment in which this particular bug was introduced, I think we should cut the original programmer a little slack. (not completely, though. Some culpability is appropriate seeing as Microsoft took our money and should be somewhat responsible for the damages caused by the vulnerability of their faulty products)
You didn't need the source code to find that problem. I found it because I was creating compressed .BMP files and accidentally created one that crashed Win2K every time.
If Microsoft doesn't read Slashdot, that's their problem.
I think it goes more this way :
1. Fake a source code leak of some of the shittiest code in your projects
2. Act surprised
3. Wait for people to upgrade to XP where these (old) bugs are not present
4. PROFIT!
5. Wait 4 years, goto 1
2000 is for me the only decent windows OS in many ways. ..And it is also partly crappy!! ;)
Fuck MSFT it's called bounds checking. e.g.
1. load int from char array
2. check int against sizeof(yourbuffer)
3. reject if greater
AHahahaha, you know you just made the exact mistake MS did. You're using ints, not unsigned ints. Reject if greater does nothing if it's less than 0, which would still cause an overflow.
Nobody knows how old the sourcecode actually is! Several people have used IE 5 and the exploit code does not work. The things in the code could have, and in this case, has, been fixed long ago!
You're seeing an example of one of the very few instances where goto is considered "acceptable" to use. Sometimes you code a function which winds up a lot of complicated state, and a failure halfway through requires that you "unwind" the partially constructed state. This is most easily accomplished by having a "bailout ladder" which can be jumped into (via goto) from various points in the code above.
The only other solution involves lots of code duplication, or very bizarre function calls such as CleanupMyState(&context, 6) which just ends up using a Duff's Device in a switch() statement to simulate the use of goto in precisely such a manner, anyway.
When you find that the cleanest way to do something is goto, then the solution is goto. What is the point in contorting your code just to follow a piece of dogma that was only meant as a guideline anyway? Remember, the point is clarity, not adherence to dogma.
Also, never look at:
- patents (despite them being protected by patent law)
- sheet music from other musicians (despite them being protected by copyright)
- trademarks (despite them being protected by trademark law)
- software code (despite them being protected by copyright.. this one's for you, MS!)
Remember kids, even tho ALL of this information is protected by decades-old, and even centuries-old legal frameworks, if you look at it you will be stealing money! It's as simple as that!
Yes, I'm being sarcastic. The parent poster is a 'Yes Man' moron beyond my wildest dreams. Maybe one day he will sit down and actually learn about copyright/patent/trademark laws and realize that knowing how exactly your peers do things is what has led us to such an incredibly robust technologically and scientifically rich society.
Sharing your methods does not cost you shit, even to the point that patent law is designed to promote sharing of information in return for legal protection. Same with copyright law. MS doesn't want you to see their code not for security reasons, but because it helps you build interoperable products and thus become a competitor. And we all know how anti-capitalist competition is!
"Old man yells at systemd"
Ah, but how many of them eyes are wearing white hats, and how many are wearing black hats?
In this case, the white hats working inside the Microsoft Compound had to turn a blind eye to these bugs in order to focus on their impossibly rushed deadlines. (Of course, now those same eyes are in panic mode since the leak.)
Meanwhile, the white hats outside the compound walls are powerless to fix the bugs, through fear of legal repercussions: The very existence of any fix suggested proves that they saw the source without paying the license tax and signing away their firstborns to an NDA.
The black hats, OTOH, shielded by anonymity and freed from the bonds of legal accountability and responsibility, are free to see all the chaos, hate, and mayhem they can cause (and then go do it), secure in the knowledge that nobody can stop them.
Sure, some of them will be slowed, as patches trickle out after the fact. Sure, some of them will be caught, as their own idiocy gives them away. But nobody can stop them, because more of the eyes looking at the sources, with the power to change them, are wearing black hats than white.
This Windows disaster cannot afford to be called similar to the situation with Open Source Software. With the sources open, and the maintainers equally open, more of the eyes looking at the sources are wearing white hats than black. And thanks to the openness, the white hats are just as powerful, if not more so, than the black hats.
Then how do you explain Nimda and SQL Slammer? Both of those affect Microsoft products (and their vulnerabilities) that are in the *minority* of those available. Apache trounces IIS in usage numbers (both because more web sites using it and because higher traffic web sites use it), and any of MySQL, Oracle, or IBM (I forget the actual name) outnumbers Microsoft SQL Server.
IMnsHO, exploit authors prefer Microsoft Windows products because they are buggy (note that the posted exploit actually affects a discontinued product, it lasted that long), because they are based on a buggy security model (oh, you are code? I'll run you automatically and save asking the user if he/she wants to run something from "MLM will make you millions!"), and because they are commonly used by people who don't know what they are doing. Any twit can install IIS--it's just a matter of following prompts. With Apache, you need a certain level of knowledge; particularly if you are not happy with the default settings and want to change them (especially the compiled in settings, which can obviously only be changed by recompiling the software; Microsoft writes that stuff out and makes it configurable, since they don't allow you to compile things).
i don't see why everyone is going crazy over this exploit. i mean really... microsoft actually has already done something about this... its called get the NEW version of IE. Don't get me wrong, I am a big open source supporter, but seriously... oss would have made no difference here. Basically people just have to keep up to date with IE and patches to get around this. Same as if someone, however unlikely, found such an exploit in a mozilla product... or some other open source browser. the fact that it is open source and someone could find the bug faster means nothing if you don't keep your software up-to-date. And no, most casual Windows users don't. and no getting them to switch to a 'nix OS wouldn't change that.
its really more of an education problem than a software problem. most computer users (not the /. crowd) have no idea what they are doing....
at least thats my 2 cents.
Matt
You have 1 Moderator Point! Use it or lose it! Is that a threat? -vapid
Where you mentioned,
"Open source isn't 'communistic' -- it's capitalistic. Why? It increases competition.",
it feels right to mention that in releasing this, the win9x hold-outs are going to be scrambling to purchase the latest-and-greatest Microsoft offerings (Operating systems and the hardware to support them), unless they have access to a Linux-geek/young computer tech who will tell them to relax and migrate their "data" to a cd-rom/dvd-rom and install Linux instead.
Microsoft has wanted to see the win9x/win2k crowd go for a while now, this looks like a really rough way to do it (one stone, many birds).
Fuck MSFT it's called bounds checking. e.g.
1. load int from char array
2. check int against sizeof(yourbuffer)
3. reject if greater
Not exactly a challenging task. I guess they're too busy adding in all that crapware to actually code at least one thing right.
I guess you missed the original article, brainiac, but your code is flawed.
"Reject if greater" will fail if int is negative.
But hey, thanks for proving that you're as dumb as a box of rocks.
Coming soon - pyrogyra
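The signed-versus-unsigned point made in the two rebuttals above (and in the earlier reply to the same three-step recipe) is easy to see in code. The following is an added example, not code from the leaked source or from any poster: it uses a constructed 16-byte toy header (width, height, bits per pixel, declared image size; not the Windows BITMAPINFOHEADER layout, and row padding is ignored) and an assumed 64 MiB decode buffer, and runs the literal "load int, reject if greater" check beside a hardened one.

```c
#include <stdint.h>
#include <stdio.h>

/* Toy 16-byte header, constructed for this example (not the Windows
 * BITMAPINFOHEADER layout): width, height, bits-per-pixel and a declared
 * image size, each a little-endian 32-bit field. Row padding is ignored. */
#define HDR_LEN        16
#define PIXEL_BUF_MAX  (64u * 1024u * 1024u)   /* assumed 64 MiB decode buffer */

static uint32_t le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void put32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

void make_hdr(uint8_t hdr[HDR_LEN], uint32_t w, uint32_t h, uint32_t bpp, uint32_t declared) {
    put32(hdr, w); put32(hdr + 4, h); put32(hdr + 8, bpp); put32(hdr + 12, declared);
}

/* The thread's three-step recipe taken literally: load an int, compare it
 * with the buffer size, reject if greater. Returns 1 = accept. */
int naive_accepts(const uint8_t *hdr) {
    int declared = (int)le32(hdr + 12);     /* 0xFFFFFFF0 becomes -16 here */
    if (declared > (int)PIXEL_BUF_MAX)      /* "reject if greater" ... */
        return 0;
    return 1;                               /* ... but a negative value passes; a later
                                               memcpy(buf, src, declared) would see it
                                               converted to a huge size_t */
}

/* Hardened check: every field stays unsigned, each multiplicand is bounded
 * by division before the product is formed so it cannot wrap, and the
 * declared size must equal the size derived from the dimensions. */
int safe_accepts(const uint8_t *hdr, uint32_t *needed_out) {
    uint32_t w = le32(hdr), h = le32(hdr + 4), bpp = le32(hdr + 8), declared = le32(hdr + 12);
    if (w == 0 || h == 0) return 0;
    if (bpp != 8 && bpp != 24 && bpp != 32) return 0;
    uint32_t bytes_pp = bpp / 8;
    if (w > PIXEL_BUF_MAX / bytes_pp) return 0;          /* w * bytes_pp <= cap */
    if (h > PIXEL_BUF_MAX / (w * bytes_pp)) return 0;    /* w * h * bytes_pp <= cap */
    uint32_t needed = w * h * bytes_pp;                  /* now provably no wrap */
    if (declared != needed) return 0;                    /* header lies about its size */
    *needed_out = needed;
    return 1;
}

/* Wrappers that build a header from the fields and run each check. */
int naive_sample(uint32_t w, uint32_t h, uint32_t bpp, uint32_t declared) {
    uint8_t hdr[HDR_LEN];
    make_hdr(hdr, w, h, bpp, declared);
    return naive_accepts(hdr);
}

/* Returns the computed pixel-buffer size on accept, -1 on reject. */
long long safe_sample(uint32_t w, uint32_t h, uint32_t bpp, uint32_t declared) {
    uint8_t hdr[HDR_LEN];
    uint32_t needed = 0;
    make_hdr(hdr, w, h, bpp, declared);
    return safe_accepts(hdr, &needed) ? (long long)needed : -1;
}

int main(void) {
    /* 16x16 32bpp with an honest declared size */
    printf("honest:   naive=%d safe=%lld\n",
           naive_sample(16, 16, 32, 1024), safe_sample(16, 16, 32, 1024));
    /* same image, declared size 0xFFFFFFF0 (-16 once read as int) */
    printf("negative: naive=%d safe=%lld\n",
           naive_sample(16, 16, 32, 0xFFFFFFF0u), safe_sample(16, 16, 32, 0xFFFFFFF0u));
    /* 65536x65536 32bpp: w*h*4 wraps to 0 in 32 bits, so "declared 0" looks consistent */
    printf("wrapped:  naive=%d safe=%lld\n",
           naive_sample(65536, 65536, 32, 0), safe_sample(65536, 65536, 32, 0));
    return 0;
}
```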
GOTO isn't always bad. It is *very* rare that it's a good idea, but sometimes it is the least ugly hack out of a bunch of ugly hacks when you need to get the code finished and have too little time to puzzle out a more elegant solution.
Getting a program working is the first goal of any real programmer. Getting it working well, or having maintainable code are both very important, but they are secondary to getting the program functioning in the first place. Especially with commercial products, sometimes spaghetti code that works NOW is preferable to textbook examples that work sometime next year. Perl wouldn't be nearly so popular if not for that fact of development.
There are also some interesting, and rather elegant, looping structures you can do with goto that are actually more elegant than the more purely structured counterparts- that isn't what seems to be going on here, just thought I'd mention it.
I would have to dig through the code to find the context of that goto, but they aren't always bad.
Code Complete by Steve McConnell has a good section on goto.
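The "bailout ladder" that the two goto posts above describe looks like this in practice. This is an added example, not code from the leaked source or from any poster: it loads a constructed toy 8-bit image format (4-byte width, 4-byte height, a fixed 256-entry palette, then width*height pixels; an assumed 4096 dimension cap keeps the product from wrapping) and counts live allocations so the unwinding can be checked.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Constructed toy format: 4-byte width, 4-byte height (little-endian),
 * a fixed 256-entry palette of 4 bytes each, then width*height 8-bit pixels. */
#define HDR_BYTES      8
#define PALETTE_BYTES  (256 * 4)
#define MAX_DIM        4096          /* assumed limit: keeps width*height from wrapping */

enum { LOAD_OK = 0, LOAD_BAD_HEADER = 1, LOAD_TRUNCATED = 2, LOAD_NOMEM = 3 };

typedef struct {
    uint32_t  width, height;
    uint32_t *palette;
    uint8_t  *pixels;
} Bitmap;

/* Allocation counter so a test can prove the ladder frees everything. */
static int live_allocs = 0;
static void *track_malloc(size_t n) { void *p = malloc(n); if (p) live_allocs++; return p; }
static void  track_free(void *p)    { if (p) { live_allocs--; free(p); } }
int live_allocations(void) { return live_allocs; }

static uint32_t le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

void free_bitmap(Bitmap *bm) {
    track_free(bm->pixels);
    track_free(bm->palette);
    bm->pixels = NULL; bm->palette = NULL;
}

/* Each stage that builds state has a rung below that tears it down; a
 * failure jumps to the rung matching what has been built so far, so the
 * cleanup exists once instead of being copied into every error branch. */
int load_bitmap(const uint8_t *data, size_t len, Bitmap *out) {
    uint32_t *palette = NULL;
    uint8_t  *pixels  = NULL;
    int rc;

    if (len < HDR_BYTES) return LOAD_BAD_HEADER;          /* nothing built yet: plain return */
    uint32_t w = le32(data), h = le32(data + 4);
    if (w == 0 || h == 0 || w > MAX_DIM || h > MAX_DIM) return LOAD_BAD_HEADER;
    size_t npix = (size_t)w * h;                          /* <= 2^24, cannot wrap */

    palette = track_malloc(PALETTE_BYTES);
    if (!palette) { rc = LOAD_NOMEM; goto fail; }
    if (len < HDR_BYTES + PALETTE_BYTES) { rc = LOAD_TRUNCATED; goto fail_palette; }
    memcpy(palette, data + HDR_BYTES, PALETTE_BYTES);

    pixels = track_malloc(npix);
    if (!pixels) { rc = LOAD_NOMEM; goto fail_palette; }
    if (len < HDR_BYTES + PALETTE_BYTES + npix) { rc = LOAD_TRUNCATED; goto fail_pixels; }
    memcpy(pixels, data + HDR_BYTES + PALETTE_BYTES, npix);

    out->width = w; out->height = h;
    out->palette = palette; out->pixels = pixels;
    return LOAD_OK;

fail_pixels:                 /* bailout ladder, entered part-way down */
    track_free(pixels);
fail_palette:
    track_free(palette);
fail:
    return rc;
}

/* Builds a constructed 4x2 sample image, writes w and h into its header
 * verbatim (so bad headers can be tried), feeds the first `len` bytes to the
 * loader and returns the loader's result code. */
int sample_load(uint32_t w, uint32_t h, size_t len) {
    static uint8_t buf[HDR_BYTES + PALETTE_BYTES + 8];   /* 8 pixels for 4x2 */
    Bitmap bm = {0};
    buf[0] = (uint8_t)w; buf[1] = (uint8_t)(w >> 8); buf[2] = (uint8_t)(w >> 16); buf[3] = (uint8_t)(w >> 24);
    buf[4] = (uint8_t)h; buf[5] = (uint8_t)(h >> 8); buf[6] = (uint8_t)(h >> 16); buf[7] = (uint8_t)(h >> 24);
    for (size_t i = HDR_BYTES; i < sizeof buf; i++) buf[i] = (uint8_t)i;   /* filler palette + pixels */
    if (len > sizeof buf) len = sizeof buf;
    int rc = load_bitmap(buf, len, &bm);
    if (rc == LOAD_OK) free_bitmap(&bm);
    return rc;
}

int main(void) {
    printf("complete file:      rc=%d live=%d\n", sample_load(4, 2, 1040), live_allocations());
    printf("cut in pixel data:  rc=%d live=%d\n", sample_load(4, 2, 1039), live_allocations());
    printf("cut in palette:     rc=%d live=%d\n", sample_load(4, 2, 600),  live_allocations());
    printf("zero width:         rc=%d live=%d\n", sample_load(0, 2, 1040), live_allocations());
    return 0;
}
```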
All that manpower, yet the most prominent face on this issue so far is an exploit.
Is this how the OSS community at large operates? Instead of releasing patches, they release exploits?
The issue as I see it now is: the OSS advocates with the big mouths tend to be the ones saying that ALL code should be open for public inspection, and that closed-source is bad for everyone. This new event however, seems to prove to the public at large that these "rogue" coders don't have the Public Good at heart at all.
OSS coders should stick to OSS - let the closed-source companies and coders be. Mixing OSS coders with closed-source is kinda like mixing Communism with Money.
i'm amazed that i survived - an airbag saved my life.
So you say the fix would be to upgrade to XP? That's far from free, and most machines running NT 4.0 now are too old to run XP. Besides, why upgrade when the OS you have does everything you need it to do?
Your analogy with open-source apps isn't right either. The 2.0 linux kernel, for example, is many years old now, but it's still being maintained and patched when needed.
How on earth could this little gem make it past QA? You'll have to admit it's pretty easy to spot when you're looking for vulnerabilities.
Sounds suspiciously like the average Open Source product:
1. Release the source code to your projects
2. Read the GNU Manifesto and revel in your contribution to society
3. Wait for people to look at code and publish found holes, getting free QA resulting in major savings
4. Create Patch before major damages
5. Thank person who found hole
6. ...??
7. No PROFIT!
keep in mind that you did ALL of the linux code, whereas only 15% of the windows code was leaked and therefore grepped.
if we take into account 332 'dont care's per 15% of MS code, all of windows must have... 2213 'dont care's in all of windows. 13 times more than linux.
The "Insert Quote Here" line is almost as predictable as inserting an actual quote.
Point well taken. My response may have been a bit flippant.
As a thought experiment, imagine the following contest:
a) 1000 Linux developers are given (full) WinXP source code and locked in a room to find potential exploits.
b) In another room, 1000 WinXP developers are locked in a room with (insert distro here) source code to find potential exploits.
Which group finds more holes in a week? Which group finds more serious holes? Up until last week, this was purely a thought experiment, with OSS claiming the virtual victory. Last week, it became real.
(And don't you think that it's possible that Microsoft has been conducting contest (b) FOR YEARS trying to find holes to prove OSS insecurity?)
The cure for cancer is coming: Reovirus
where would you get free patches for Red Hat 7.3?
I think the point is that you can patch Red Hat 5.x for free by upgrading to a more recent version of Red^H^H^HFedora for no charge. IE 5 is the last version of IE to run on Microsoft Windows 95, and Microsoft charges for newer versions of Windows.
I don't know about the original poster's ideology, but I certainly expect to get the "source code" to a book when I buy one, or even when I browse in the bookshop or library. I expect to get the "source code" to a newspaper when I buy one, or when I flick through it in the newsagents deciding whether it looks interesting enough to buy. I generally expect to be able to read recipes when people give them to me, and I *definitely* expect pre-processed foods to contain a list of ingredients when I buy them.
As for PIN numbers, I have never tried to sell my PIN to anyone, so I don't see what right anyone has to know what it is - but then you were just being flippant with that comment, weren't you?
flossie
Write now. Defend liberty
It's funny you should say that, because I was wondering the same thing. However, I am a programmer, and quite a good one too, so I checked the notepad source (in /win2k/private/windows/shell/accesory/notepad) and I can assure you that there is no way whatsoever that this could occur.
This is an exploit which affects Users, running a WEB BROWSER. Please tell me one single (however insignificant) thing a Normal User who is running a web BROWSER could possibly give half a fuck about which requires administrator privileges.
Separate user accounts, securing the system itself, etc, that is _ONLY_ security-related when you are the administrator of a server and require your box be up 24/7 (or at least somewhat often)
Think about it for two seconds: You're a normal user, you're using your personal computer. Hell, you're using it to surf the web, this isnt any system which other people are dependent on having a high uptime or anything. You go to a webpage, and some arbitrary code gets executed.
What files could be affected? Well, you're running as a normal user, so luckily for you only the files which you give a shit about will be harmed, while the easily replaceable part of the system remains intact.
This whole "multiple accounts == security" line is pure bullshit extract. The files which a USER, not a System Administrator, cares about, are files which that USER created, downloaded, edited, etc. Files which the User has access to.
If some malicious code executes as root/Admin, so what? Your important files are trashed and you need to spend an extra hour reconfiguring your system? That extra hour or two doesn't mean squat compared to the years it may take to restore the files which you created personally.
"You Should Keep Backups anyway" is Irrelevant. As that can just as easily be applied to root-accessible files, the point is that non-admin privs are just as bad as admin privs on a personal system.
And this exploit _is_ talking about a personal system, unless you're in the habit of running IE5 on a high-priority server instead of the laptop sitting next to it.
-- 'The' Lord and Master Bitman On High, Master Of All
Blackhats like CIA, KGB, China intelligence etc have had access to this code for much longer no doubt. Anybody think that MS delivering of the code to China hasn't been propagated to their intelligence agency? This only shows that there is no security in hiding security mechanisms. A quick glance at the crypto industry should be pretty revealing to MS.
MS is in for a ride and it should be hammered around that most of these exploits would NOT be stopped by Palladium. Palladium is just a buzzword and does not stop errors in protocols or implementations of them. That's not going to stop MS from marketing Palladium as a tool to stop errors in their code.
Software is always about compromises. It is stupid to go for "correctness" in a performance-critical part of the code.
Would you like your images to render faster or the underlying code to be goto-free?
Please change your browser because otherwise you will get rooted (i cannot explain why, please, please believe me).
Would you take this seriously? And what amount of time would it take to find an exploit for an explanation like this:
Found a serious buffer overflow in IE when loading a bitmap image...
This would result in exploits in a couple of hours and would give only the false impression that there are no exploits up to now...
The source code has been leaked since Friday and you don't gain anything by telling only Microsoft that this and that vulnerability exists. Till they fix it it's too late. And without a proof of concept everyone could claim he found a serious bug.
You do realize IE6 is a free download for 98/2000 and up, don't you?
If this were an OSS program, everyone on Slashdot would be falling over themselves posting to "upgrade to the latest version, it's fixed." But when it's Microsoft, suddenly there's some sort of unnamed hassle when it comes to just downloading a setup program and running it.
You don't actually know the context here, though? The words "don't care" can have different connotations, for example, "we don't care what this function returns, since we don't depend on it", and not just "don't care if this function causes mayhem"...