Several Critical MSIE Flaws Uncovered
An anonymous reader writes "Several flaws have been uncovered by security firm eEye in Microsoft's Internet Explorer. The flaws allow remote compromise of computers running Windows Operating Systems and affect IE, Outlook and possibly other MS software. With the next MS Windows security bulletin release scheduled for June 14, 2005, news sources are reporting that, in comparison with the Mozilla Foundation's prompt fix for the recently reported Mozilla 1.0.3 vulnerabilities, MS appear to be leaving a large window for the possible malicious exploitation of these flaws."
Weird - the advisory doesn't mention SP2 specifically. Also, it has 'to be determined' next to Windows 2003.
Is it just me, or have there been a ton of browser vulnerabilities discovered recently? It seems that every couple of weeks or so there is a hole found in IE or Firefox/Mozilla or others even. Are security firms concentrating their efforts on browsers or are browsers simply more inherently insecure than most other software?
Beware of he who would deny you access to information, for in his heart he dreams himself your master.
I have often also wondered about all those flaws that have been discovered and not declared, just quietly made use of. At least with open source the opportunity for discovery as well as a rapid fix has become obvious.
Chaos - everything, everywhere, everywhen
Good point. Speaking as a researcher I can say that with the advent of Windows XP SP2 and Windows 2003 SP1, finding remotely exploitable vulnerabilities in the OS is significantly harder. Focus has shifted to the new low hanging fruit, common userland applications such as Firefox/IE.
Having seen a sneak peek at IE7, that could change too...
The solution to all these browser exploits (IE, Firefox, Safari) is simple: create a restricted user to run the browser only. This can easily be done in Windows XP/2K, Linux and OS X. Restricted users cannot affect other users or system files. As long as you don't keep important data in this account, you can just periodically erase this user and create a new one.
Well, you would think the development team would either know how or want to take advantage of client side features.
Their apps basically round trip everything to the server for processing. Never mind how friggin' slow it is, they insist on avoiding doing anything "client side."
And they do *just* enough to make it IE specific.
I totally agree with you that if you're going to do some type of internal app, most people would use all the resources available to them.
Not where I work, though. Drives me nuts. ARG!
/me sips his coffee and ponders a new sig...
I think it's that browsers are more hacked-together. No one would be stupid enough to try and make an email client be an applications platform - but that's exactly what both mozilla and MS do with their browsers. That leaves a whole lot of exploitability.
I am trolling
I wish there was a "corporate" browser with minimal features to reduce exposure. Sort of like IE lite.
It's called denying iexplore.exe and other apps known to embed the IE OCX the right to connect to the public Internet on port 80, using a software firewall on each machine or a proxy server that only Firefox knows about.
But to say there is nothing to discuss is quite disingenuous. What needs to be discussed is why these holes continue to exist in MS products.
You are being MICROattacked, from various angles, in a SOFT manner.
No, it hasn't. The rate of flaw discoveries in Mozilla's applications (Firefox included) has remained statistically level since before Firefox was called "Phoenix." Quite obviously, the Mozilla Foundation's market share has not remained steady since then, as you argue.
Security through obscurity doesn't work. It is a fundamentally flawed concept, which I would've thought Slashdotters realized. To suggest that an open-source project like Firefox doesn't know that is simply absurd.
The rapid response of the Mozilla Foundation, even if the ten-day hush-hush rumor is true, far outpaces Microsoft's publicly announced thirty day delay after this vulnerability's announcement. And that's not counting the delay between the IE flaw's discovery and announcement.
It must be Windows. It needs half a gig of RAM and a hardware-accelerated graphics card just to run Solitaire.
Which I believe is what Microsoft used to do, but they got complaints from administrators who have to plan updates (security or otherwise) and therefore wanted a release schedule rather than ad-hoc updates.
Is Internet Explorer still really of any benefit to Microsoft? Once upon a time, it might have been used to push ActiveX, or reinforce the Windows platform by encouraging integration. But security worries, and legal trouble, have put paid to that...
To my naive eyes, it seems that IE is more trouble than it's worth. Its earlier bugginess puts a weight on later development to duplicate previous rendering errors, and it is strongly challenged by Opera, Mozilla, and the like. Also, their developers have to take care not to break compatibility too much - or at least, to sort out how to get various plugins to work with newer versions. The whole thing is a running sore with regards to their reputation, and the number of idiots running the browser means everything has to be dumbed down.
It seems that the wise thing for Microsoft to do, simply from a selfish level, is to ditch the IE project. Open source what can be open sourced, develop a light, secure, bare-bones and idiot-proof version for bundling with their OS, and re-dedicate their resources elsewhere.
Internet Explorer has no future.
It seems like, every day, I'm reminded that my Opera purchase was a good decision.
Really, I've been amazed, for YEARS that anyone uses IE. I've been amazed for MONTHS that anyone uses Firefox. But that's just me.
"Would it kill you to put down the toilet seat?" -- Maya Angelou
It's just a question of marketing. By limiting the patches to once a month, it /seems/ as if the number of security vulnerabilities actually is not that big. A lot more Joe Users would start raising questions if they saw that they have a security flash popping up twice a week...
Exploit creators are lazy. They normally reverse engineer the patch to create the exploit. So having a set time when the admins can schedule their updates reduces the amount of time between release of patch and application of patch.
Browsers generally contain parsers for a large number of file types, and parsers are notorious for security issues
You mean "parsers written using common C string handling techniques are notorious for security issues". There are other string handling libraries such as Vstr that aren't as vulnerable to buffer overflow, but many programmers who work with C or C++ don't know about them.
And now, let's look at the next quote. So what's the administrator thinking on this one? It's pretty simple: "Okay, so now this damnable embedded application, this junk browser that has to be on my operating systems, isn't gonna be patched for a month? The way they did it before would have been acceptable if I could patch the application without worrying about it breaking the OS or making me reboot. But NEITHER of these patching methods works well for me. I've either gotta patch applications that might destabilize my systems all the time, or I've gotta give hackers the keys to my network for a month!"
So, while the point you're trying to make - i.e., that neither of the upgrading options Microsoft has provided are acceptable to admins - is a valid one, it's a situation Microsoft brought on themselves.
Ugh, are you serious? I was hoping to deny write privileges to WINNT and WINNT/system32 for the machines I admin to try to cut down on spyware/malware since they like to install there. Guess it could break some apps.
String handling is not the only kind of parser attack, and buffer-safe routines do not necessarily protect you from the full range of buffer issues that can occur. Integer issues in particular are a growing concern even with buffer-safe libraries. Your average programmer does not have an in-depth understanding of the C standard on things like type promotion and sign extension. Google on David LeBlanc's SafeInt library and look over the code for some in-depth understanding of this.
Of course, there's a lot of fertile territory in parsers for all sorts of non-buffer related exploits. Cross domain context and external includes were both used in the most recent Firefox exploits. These issues are not unique to XML and HTML formats. I've seen exactly the same problems occur in binary OLE document handlers. This is why I stated that the parsers as a whole are complex issues. They touch so many areas and intermingle so many other concerns that they can be a security nightmare.
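The two points raised above, that C string handling is only one source of parser bugs and that type promotion and sign extension in length arithmetic are another (the SafeInt point), as an added example that is not part of the thread or of any product discussed in it. It uses a constructed one-byte-length record format; `FIELD_MAX`, the function names, and the sample records are assumptions made for illustration, and the "before" function only reports what a bypassed check would hand to `memcpy` rather than performing the copy.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed record format for this example: [1-byte length][payload].
 * FIELD_MAX is the size of the caller's destination buffer (assumed). */
#define FIELD_MAX 16

/* Defect 1: the length byte is read into a signed 8-bit type. A length byte
 * of 0xFF becomes -1; the comparison below is done in int, and -1 < 16
 * passes. When that value later reaches memcpy's size_t parameter it is
 * converted to SIZE_MAX. Plain `char` behaves the same way on x86 ABIs.
 * This function only reports the length the bypassed check would hand to
 * memcpy; it performs no copy. */
size_t accepted_copy_len_signed(const unsigned char *rec)
{
    int8_t len = (int8_t)rec[0];      /* 0xFF -> -1 */
    if (len < FIELD_MAX)              /* passes for every negative value */
        return (size_t)len;           /* -1 -> SIZE_MAX */
    return 0;                         /* rejected by the check */
}

/* Hardened parser: unsigned length, an explicit check against the real
 * destination size (leaving room for the terminator), and a check that the
 * payload actually lies inside the record. Returns bytes copied, or -1. */
int parse_field_checked(const unsigned char *rec, size_t reclen,
                        char out[FIELD_MAX])
{
    if (rec == NULL || reclen < 1)
        return -1;
    size_t len = rec[0];              /* unsigned char: never negative */
    if (len >= FIELD_MAX)             /* would overflow out[] */
        return -1;
    if (len > reclen - 1)             /* truncated record */
        return -1;
    memcpy(out, rec + 1, len);
    out[len] = '\0';
    return (int)len;
}

/* Defect 2, the SafeInt point: count * elem_size wraps silently in size_t,
 * so an allocation sized from it can be far smaller than the data later
 * written into it. This helper refuses instead of wrapping. */
bool checked_mul_size(size_t count, size_t elem_size, size_t *result)
{
    if (elem_size != 0 && count > SIZE_MAX / elem_size)
        return false;                 /* product does not fit in size_t */
    *result = count * elem_size;
    return true;
}

/* Exercises the hardened routines on constructed inputs; returns 1 when
 * every case behaves as intended, 0 otherwise. */
int demo_hardened(void)
{
    char out[FIELD_MAX];
    size_t n = 0;
    const unsigned char good[]  = {5, 'h', 'e', 'l', 'l', 'o'};
    const unsigned char bad[]   = {0xFF, 'x'};            /* hostile length */
    const unsigned char trunc[] = {5, 'h', 'e'};           /* short record  */

    if (parse_field_checked(good, sizeof good, out) != 5) return 0;
    if (strcmp(out, "hello") != 0) return 0;
    if (parse_field_checked(bad, sizeof bad, out) != -1) return 0;
    if (parse_field_checked(trunc, sizeof trunc, out) != -1) return 0;
    if (!checked_mul_size(3, 4, &n) || n != 12) return 0;
    if (checked_mul_size(SIZE_MAX / 2 + 1, 2, &n)) return 0;
    return 1;
}

int main(void)
{
    const unsigned char hostile[] = {0xFF};
    printf("signed-length check would copy %zu bytes for length byte 0xFF\n",
           accepted_copy_len_signed(hostile));
    printf("hardened routines behave as intended: %d\n", demo_hardened());
    return 0;
}
```

The lesson is the one the comment makes: a bounds check written against a signed length, or an allocation size computed without overflow checks, is not a bounds check at all, regardless of whether the eventual copy goes through `strcpy` or a "safe" string library.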
*sigh*
The spotlight belongs on 1) incompetent programmers 2) bloated insecure code 3) a culture of "responsible disclosure" that encourages the release of buggy, insecure code that will be patched and patched indefinitely.
I don't care how many security holes are in IE, or in Firefox. The question is, "does this program have at least one critical security problem"? The answer is yes to both products. They are both bloated and insecure as far as I'm concerned.
Don't fool yourself into thinking that an open source license will magically turn programmers into gifted developers. Firefox is huge and complex; I don't expect we'll ever see an end to the security holes.
I really don't know the solution, short of writing my own stripped-down browser that runs every module in a chroot jail (which would actually be a good idea, I think djb is working on that), but that's the world we're stuck in.
I see no value in recommending Firefox over IE or vice-versa.
When I see Firefox developers hack together & release a non-trivial fix in an hour with practically no testing, it makes me squirm.
Well, except you really have it backwards.
Notes is a messaging/workflow management application platform that can be trivially used as an email system, a use for which it is overkill, given that the least common denominator capabilities of Internet email systems are so extremely limited.
I think Notes is mispositioned in a marketing sense, given what it is. It competes against Exchange, which truly is an email system that has been overextended into a platform. This naturally leads to a lot of dissatisfaction with the product when it's used for plain old Internet email, which it is 90% of the time. Most IT departments don't have enough on the ball to develop workflow management applications, or even use non-Microsoft products.
It's too bad, because there's a lot of good stuff in there.
Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
Some software may rely on bugs such as buffer overruns to work. Two big examples are Bleem, which relied on using a dirty trick to access and modify the LDT base address in order to bypass the kernel's memory management and create/modify threads directly, and Ultima 7, which used a CPU bug to access 32 bit flat memory while remaining completely in real mode.
There might be "a lot of good stuff in there" and Notes might be "not Microsoft" but it still sucks. Notes doesn't have any good scripting or heterogeneous integration features.. sure you can do it all with the Notes/Domino supplied solution, but what if you don't want to use those tools exclusively? Furthermore, I can't run Notes or integrate easily with Mac OS or *nix (and no, I don't consider WINE to be seamless integration).
Plus as a mail client, it is not overkill at all, indeed it truly sucks.
Notes is really the antithesis of "do one thing well."
Apache, a decent mail client and workflow client (not saying one exists) is a superior platform.