Slashdot Mirror
Several Critical MSIE Flaws Uncovered
An anonymous reader writes "Several flaws have been uncovered by security firm eEye in Microsoft's Internet Explorer. The flaws allow remote compromise of computers running Windows Operating Systems and affect IE, Outlook and possibly other MS software. With the next MS Windows security bulletin release scheduled for June 14, 2005 news sources are reporting that in comparison with the Mozilla Foundation's prompt fix for the recently reported Mozilla 1.0.3 vulnerabilities MS appear to be leaving a large window for the possible malicious exploitation of these flaws."
I know some people around the Mozilla camp were a bit afraid of how the media would cover their recent security problems. But, once again, Microsoft's really come through by offering problems of their own to take the spotlight off Firefox.
Is this story a dupe?
I could swear I read about security problems in MSIE before...
I'm stuck with an internal deveopment team making web apps (in .Net) that require IE.. And a bunch of users who will click on anything.
Although exploits were found in Firefox, they were patched rapidly. It's not standard on all our desktops.
I wish there was a "corporate" browser with minimal features to reduce exposure. Sort of like IE lite.
/me sips his coffee and ponders a new sig...
People taking advantage of Microsoft's upgrade release cycle to discover security flaws when there's a month to go to the next upgrade!
I hereby demand that everyone only look for security flaws the week before the scheduled security update so that Microsoft can continue to claim it patches all their flaws in a timely manner!
There's no rush cause we've got something to sell!
m spx
http://www.microsoft.com/windows/onecare/default.
lisa bonet ate no basil
Using IE as a browser is like putting your OS on the internet. Be smart, use a PROGRAM, not your OS to surf the web. Get Firefox http://getfirefox.com.
The dangers of knowledge trigger emotional distress in human beings.
Yes, it is.
The linked article with the flaws is about as useful as lipstick on a pig. So even when there's something to see there's still nothing to see. I think there's some Taoist wisdom in there somewhere.
Weird - the advisory doesn't mention SP2 specifically.Also, it has 'to be determined' next to Windows 2003.
who came up with the clever design idea of making eEye's slogan "Vulnerabilty Is Over" and then pasting it at the bottom of each vulnerability report as if it's a status message?
/. stuff.
reminds me of the Simpsons scene where someone is reporting a crime via a radio and says "over" at the end of the transmission. then Wiggum says "thank god that's over". karma for the first person to find the quote, but I only have the real kind not the
I have often also wondered about all those flaws that have been discovered and not declared, just quitely made use of. At least with open source the oppurtunity for discovery as well as a rapid fix has become obvious.
Chaos - everything, everywhere, everywhen
You need to realize that there's a difference betwen public and private disclosure.
I happen to know for certain that Mozilla was aware of the vulnerabilities to which you speak at least 10 days before they were publicly disclosed.
Take your head out of the sand and realize that there's more going on around you than meets the eye.
The solution to all these browser exploits (IE, Firefox, Safari) is simple: create a restricted user to run the browser only. This can easily be done in Windows XP/2K, Linux and OS X. Restricted users cannot affect other users or system files. As long as you don't keep important data in this account, you can just periodically erase this user and create a new one.
Browsers are easily the most common way of accessing network resources of all kinds. Virtually all ecommerce, business, data access, etc, goes through a browser. Lots of people access their email through a browser, and that tendency seems to be increasing. This makes browser security absolutely paramount. It is the biggest gateway into the system.
BG: What, Firefox has a critical flaw? They are hogging all media attention for that? Fuck that. Hey tech team, how many more IE vulnerabilities have not been reported yet?
Tech team: 349 that we know of, SIR!
BG: Good. All critical?
Tech team: ALL CRITICAL, SIR! YES SIR!
BG: Good. Hey PR team, take the first 10 of them, contact some security firm and 'leak' them.
PR: YES SIR!
BG: Now we will see what firefox is going to do about this.
(Evil laugh all around)
ALL of the Firefox exploits lately? In the last two years there have been 17 reported Firefox vulnerabilities and 81 reported Internet Explorer vulnerabilities. The browser with the most recent, critical vulnerability is Internet Explorer. Do tell, where does the spotlight belong?
Making the world a better place, one psychotic episode at a time.
Although eEyes' reports look a bit confusing (look at the "Vulerability is over" image at the bottom), I think according to this page http://www.eeye.com/html/research/upcoming/index.h tml there are 3 security vulnerabilities affecting IE and Outlook that allow remote code execution.
The oldest one is 60 days old now and still not fixed.
I wish there was a "corporate" browser with minimal features to reduce exposure. Sort of like IE lite.
It's called denying iexplore.exe and other apps known to embed the IE OCX the right to connect to the public Internet on port 80, using a software firewall on each machine or a proxy server that only Firefox knows about.
It should have a Javascript DOM-based moving or something. Marquees are, like, so IE3.
Better yet, be thoughtful of screen-reader users, and make it a static list that has scrolling abilities.
You can hold down the "B" button for continuous firing.
No, it hasn't. The rate of flaw discoveries in Mozilla's applications (Firefox included) has remained statistically level since before Firefox was called "Phoenix." Quite obviously, the Mozilla Foundation's marketshare has not remained steady since then, as you argue.
Security through obscurity doesn't work. It is a fundamentally flawed concept, which I would've thought Slashdotters realized. To suggest that an open-source project like Firefox doesn't know that is simply absurd.
The rapid response of the Mozilla Foundation, even if the ten-day hush-hush rumor is true, far outpaces Microsoft's publically announced thirty day delay after this vulnerability's announcement. And that's not counting the delay between the IE flaw's discovery and announcement.
It must be Windows. It needs half a gig of RAM and a hardware-accelerated graphics card just to run Solitaire.
By your logic, a program written by a first year student who didn't pay any attention to any security would have as many flaws discovered as a program written by an expert who tested for vulnerabilities
As long as both of them had the same number of users.
In other words, the flaws aren't errors in code writing, the flaws magically spaw when a certain number of people use it.
Sorry but I need to say this..
'Mozilla 1.0.3 vulnerabilities'
That would be Firefox 1.0.3.... Mozilla Suite aka just mozilla and FireFox are two separate programs and have very different versions. Saying Mozilla 1.0.3 is very misleading. Please use the correct name or it makes your news story look very silly. Who cares if a version of mozilla from 2002 has security holes.
</rant>
Belive in Technology and AMAZE yourself. -- RIP ZDTV/TechTV
It also may be a good idea to compare the criticalness level of MSIE vulnerabilities to the Firefox ones that get published.
People just don't bother with minor problems in IE -- on the other hand, there is much vested interest in digging every smallest issue in Firefox, and dragging it into the press.
The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
Is Internet Explorer still really of any benefit to Microsoft? Once upon a time, it might have been used to push ActiveX, or reinforce the Windows platform by encouraging integration. But security worries, and legal trouble, have put paid to that...
To my naive eyes, it seems that IE is more trouble than it's worth. It's earlier bugginess puts a weight on later development to duplicate previous rendering errors, and it is strongly challenged by Opera, Mozilla, and the like. Also, their developers have to take care not to break compatiability too much - or at least, to sort out how to get various plugins to work with newer versions. The whole thing is a running sore with regards to their reputation, and the number of idiots running the browser means everything has to be dumbed down.
It seems that the wise thing for Microsoft to do, simply from a selfish level, is to ditch the IE project. Open source what can be open sourced, develop a light, secure, bare-bones and idiot-proof version for bundling with their OS, and re-dedicate their resources elsewhere.
Internet Explorer has no future.
Organizations want to schedule their downtime and the "Black Teusday" policy makes it easier for them to do that and keep good looking metrics. All the places I've worked at have a scheduled outage the second Friday of every month. This gives a few days to do test deployments of the patches before rolling them out to the enterprise. Metrics still look great because IT can say they deployed all critical patches in under three days.
Try printing from MS Publisher or editing an MS Org chart in PowerPoint; Neither will work unless you have admin privilege, because both expect to write to %systemroot%.
If MS doesn't care about the problem (and these two examples are still present in the latest version without any apparent intention of being fixed), why should 3rd party software develpers care?
Yes, all the Linux, UNIX, OS/2, Solaris, etc. etc. users are going to dump Firefox and switch their systems to Windows so they can use IE7 and then Firefox will die.
And now, let's look at the next quote. So what's the administrator thinking on this one? It's pretty simple: "Okay, so now this damnable embedded application, this junk browser that has to be on my operating systems, isn't gonna be patched for a month? The way they did it before would have been acceptable if I could patch the application without worrying about it breaking the OS or making me reboot. But NEITHER of these patching methods works well for me. I've either gotta patch applications that might destabilize my systems all the time, or I've gotta give hackers the keys to my network for a month!"
So, while the point you're trying to make - i.e., that neither of the upgrading options Microsoft has provided are acceptable to admins - is a valid one, it's a situation Microsoft brought on themselves.
String handling is not not the only kind of parser attack, and buffer safe routines do not necessarily protect you from the full range of buffer issues that can occur. Integer issues in particular are a growing concern even with buffer safe libraries. Your average programmer does not have an in depth understanding of the C standard on things like type promotion and sign extension. Google on David LeBlanc's SafeInt library and look over the code for some in depth understanding of this.
Of course, there's a lot of fertile territory in parsers for all sorts of non-buffer related exploits. Cross domain context and external includes were both used in the most recent Firefox exploits. These issues are not unique to XML and HTML formats. I've seen exactly the same problems occur in binary OLE document handlers. This is why I stated that the parsers as a whole are complex issues. They touch so many areas and intermingle so many other concerns that they can be a security nightmare.
These are the voyages of the browser Explorer, It's mission; to explore strange new exploits and seek out new viruses and hacker civilizations, to boldly expose data not exposed before!!
*cue music*
Cake or Death? Cake Please!
Let's pretend for a moment that this would actually work. It's not possible to get people to implement it.
It's hard enough to get any of the browser teams to commit to implementing a complete sandbox, even though that could be done without inconveniencing the users.
It's hard enough to get users to adjust the sandbox that they're already using so that it's as complete as possible, even though doing so imposes very little invenvenience.
Getting users to go through a lot of inconvenience to create a new account to run their browser in, that's really tough.
But even if you could do it, it wouldn't be effective.
A restricted account could still be used to compromise their privacy, it could still be used to destroy data they consider important... their bookmarks, information maintained on websites they connect to, and so on.
And that's assuming it would remain restricted: once I can run native code on your machine, getting out of a restricted environment is just a matter of time. It's easiest on Windows, of course, but even your typical UNIX or Mac OS X box has all kinds of mechanisms that a restricted account can use to extract information from your "real" account, or launch code (directly or through a boobytrap) into the "real" environment.
The only "restricted environments" I have used that I would consider secure enough to not treat malware running in that account as an immediate threat, apart from physically separate boxes, are FreeBSD Jails or completely emulated systems (VMware, Virtual PC, etc).
But we do know one thing that does work very well. And that's having a sandbox that has no holes in its design. That means there's no holes that the developer's reluctant to close, and no holes that users are reluctant to see closed. That means that any holes that do occur are bugs, and as such can be quickly fixed without embarassment and without discouraging users from applying them.
It's not perfect, but it works much better than a whole sandboxed account, and it's much easier to implement and MUCH more convenient.
So: the first absolute requirement for building a secure web is for the browser manufacturers to commit to a completely closed sandbox. That means there is no mechanism inside the sandbox to get outside the sandbox even as far as to see information stored about other websites. That means: no XPI installers, no ActiveX or Active Scripting, no "open safe files after download", no use of "Desktop" applications to open documents (even if you think the document is local), nothing. Any application you hand off a document to has to be one that has an equal commitment to maintaining that sandbox. If the user wants to do anything like that, they have to explicitly download the document and so move it outside the sandbox, and THEN explicitly open it in the unsandboxed environment. Those two steps must never be shortchanged.
What does that mean to the user, then?
Not much, in most cases. For Firefox users that means they'll have to download XPI files and then load them from the menu or their desktop file manager. For Safari users, no more "open safe files", and no more warnings the first time they open an app because the browser won't ever be opening apps behind their back. For Windows, there would be a bigger impact: a few tools like Software Update would be separate applications, but the bigger impact is that some third-party applications would need to be redesigned to use the new safe API.
Windows, I can see their reluctance. The rest? I don't get it... they're not gaining all that much by having a leaky sandbox, and the fact that even such small leaks can be exploited is sure a good argument for having at the very least no designed-in holes at all.
Note to security companies: Schedule your next flaw announcements on June 15.
Yes, everyone on the same date.
I don't see how basically a patch against what is most often just a few lines of code can open more holes, either. That's just dumb.
I see you have never worked on an enterprise-class application, otherwise you would know that just changing the boolean algebra inside an if() statement can have catastrophic consequences. Usually what happens is there is a bug. To fix this bug, the developer must modify this conditional (i.e. a transaction is not always processing because the if() skips it under weird circumstances). However, there is some obscure requirement that, despite being well-documented, is difficult to understand. That if() statement has conflicting requirements, and the logic needs to be expanded to accomodate both situations. However, desparate for a quick, one line fix, the developer changes a single line (or character, e.g. "!" not logic). This breaks a bunch of other stuff.
Some applications are like a house of cards -- precariously perched, even one small error can bring the whole structure down. Good configuration and requirements management can mitigate this risk, but the possibility of error is always there.
24 beers in a case, 24 hours in a day. Coincidence? I think not!
Just FYI: IE only starts faster because MS preloads it into memory at startup. To compare FF to IE on (more)equal footing, start FF and then try to open a new window. This is closer to how IE works on Windows.
Space for rent, inquire within
You don't have to run the application to pre-load parts it it into memory. In fact, does't the whole windows shell share a lot of components with IE?
MS does the same thing with office to make it start faster.
I've never had a problem with Publisher 2003 needing systemroot access. If you're running older versions, you don't need to give them root access. All you need to do is give them write permission to the directory without replacing the permissions on the files within, that way nothing alter existing files. There's nothing special about systemroot other than it's a place many system files are stored.. let the user create new files there isn't going to comprimise security any more than letting them create new files somewhere else.
If you need web hosting, you could do worse than here