Slashdot Mirror


Highly Critical Hole Found in IE

dotpavan writes "Eweek reports on a highly critical MS Internet Explorer hole found by Secunia Research's Andreas Sandblad. The vulnerability is due to the processing of the "createTextRange()" method call applied on a radio button control. From Secunia, "The vulnerability has been confirmed on a fully patched system with Internet Explorer 6.0 and Microsoft Windows XP SP2." The vulnerability has also been confirmed in Internet Explorer 7 Beta 2 Preview (January edition) though it could be avoided by turning off Active Scripting, as suggested by Microsoft Security Response Center blog. How would this put MS in the market, hit by the ever-growing shots of vulnerabilities? And would the divorce of IE7 from Vista's Windows Explorer help?"

62 of 336 comments

  1. Patch available by thrillseeker · · Score: 5, Funny
    1. Re:Patch available by babbling · · Score: 3, Funny

      That won't fix the problem completely. To complete the fix, iexplore.exe should be replaced with a program that runs firefox.exe instead.

    2. Re:Patch available by Stellian · · Score: 5, Insightful

      Mozilla has bugs too. Lots of them. The difference, however, is the time it takes to patch them.
      Folks like Secunia can profit only when the patch takes a long time to develop. As long as it is a secret vulnerability, it has value. This vulnerability is the perfect example: MS was notified about this on 13/02/2006, 40 days ago. They had all the opportunity to fix it in this month's security patch, but they did not. So the patch will come no earlier than 2 months after discovery - that's a huge window of exposure.
      It was only when I rediscovered the bug, and posted an inquiry about it on the Full Disclosure mailing list, that Secunia rushed to finally publish the advisory. I must note that I did not develop the exploit independently, I simply picked it up on underground forums.
      I say this is not "responsible disclosure", and that it is *irresponsible* to keep a bug of this magnitude unpatched for 2 months. Because there is a high risk that it will be found by the bad guys in the meantime - just like it happened with this bug.

      --
      Stelian ENE

    3. Re:Patch available by weisen · · Score: 4, Insightful

      I think that it's a matter of attitude, also. The referenced security blog says:

            We're going to continue to look into this but remind you also that safe browsing practices can
            help here, like only visiting trusted websites, etc.

      The idea that the user should be careful about which sites they browse to is insane. It's hard to imagine a corporate culture that thinks this way, if it's a pervasive attitude, ever producing a reasonably secure product.

      It's one thing to expect the user not to download an executable and then run it as Administrator. It's quite another to expect people to be "careful" which Google hits they click on.

    4. Re:Patch available by dusik · · Score: 2, Funny

      >> "Outlook requires IE as well or it just won't work."

      That's because you're not done until you replace Outlook with Thunderbird ;)

  2. Highly Critical Hole Found in IE? by Anonymous Coward · · Score: 5, Funny

    Must be Thursday.

    1. Re:Highly Critical Hole Found in IE? by lowe0 · · Score: 4, Funny

      I could never quite get the hang of Thursdays.

  3. Perhaps it would save time... by Threni · · Score: 5, Funny

    ...if researchers just identified the bits that *weren't* totally insecure?

    1. Re:Perhaps it would save time... by Anonymous Coward · · Score: 2, Funny
      ...if researchers just identified the bits that *weren't* totally insecure?

      Come on, the RFC on this is several years old!

      Damn networking hardware monopoly is hampering progress!

  4. It is not a dupe! by Life700MB · · Score: 5, Funny


    It's a brand new hole!


    --
    Superb hosting 20GB Storage, 1_TB_ bandwidth, ssh, $7.95

  5. Hole? by jav1231 · · Score: 2, Funny

    Is it shaped like a woman's mouth? I mean, that's a highly critical hole.

  6. Why are IE security flaws even reported anymore? by wernst · · Score: 2

    Can't we just take it for granted that IE is just choc-full-o-holes, and these holes will always get discovered by some third party, and MS will eventually make a patch for it. Then lather, rinse, and repeat? Why do stories like this even make it to Slashdot anymore?

  7. Re:GAH by dotpavan · · Score: 4, Insightful

    the cure to a problem is not hiding it.

  8. Do what now? by Rob+T+Firefly · · Score: 5, Funny

    TFA: Microsoft plans to release a pre-patch advisory with workarounds for a "highly critical" vulnerability that could put millions of Internet Explorer users at the mercy of malicious hackers

    So this article updates us to the fact that they plan to update us with an article prior to the update?

  9. because by dotpavan · · Score: 4, Insightful
    .. MS will eventually make a patch for it..

    it's the time period that sometimes makes it more panicky.

  10. Could be worse... by __aaclcg7560 · · Score: 4, Funny

    It could've been a very cynical hole in IE concerning when Windows Vista will finally be released.

  11. How does this fare with previous statements? by OneSeventeen · · Score: 3, Insightful

    With security being #1 in IE7, and numerous IE7 articles published by both Microsoft and non-Microsoft advocates praising the security and reliability of the new MS browser, can we conclude that, even with their upcoming browser, media hype is still the best feature?

    Personally, I understand if people don't want to use Firefox, it isn't the best browser either, no browser is the best across the board. I don't, however, understand why people want to continue to use Internet Explorer. It has been proven time and time again to be buggy, and patches take weeks longer than in most other browsers.

    Not being a hardcore developer myself, I don't know what causes this, but might this have been avoided if Microsoft adhered to the Javascript standards rather than "tweaking it" for IE?

    --
    "Now the trouble about trying to make yourself stupider than you really are is that you very often succeed." -C.S. Lewis
    1. Re:How does this fare with previous statements? by CagedBear · · Score: 4, Insightful

      Development problems aren't caused by hardcore developers. They are caused by hardcore management.

    2. Re:How does this fare with previous statements? by MindStalker · · Score: 4, Insightful

      Well it is a beta IE7 after all. Either way Vista will have IE separated from the OS. The version of IE7 for XP will still be incorporated with the OS. So realistically IE7 for XP and IE7 for Vista will be very different browsers as far as security goes, and one cannot assume a security hole for XP will exist (or matter) in the Vista version.

  12. Proof of concept by Anonymous Coward · · Score: 5, Funny
    1. Re:Proof of concept by SB_SamuraiSam · · Score: 2, Funny

      That's why it works on IE.

  13. Someone translate this for me: by brouski · · Score: 2, Funny
    How would this put MS in the market, hit by the ever-growing shots of vulnerabilities?

    Come again?

    --
    Proud member of the American Non Sequitur Society. We might not make much sense, but boy do we love pizza!
    1. Re:Someone translate this for me: by stevesliva · · Score: 2

      All slashdot stories must end with a dumb rhetorical question that triggers useless comments pointing out the stupidity of the rhetorical question. Q.E.D.

      --
      Who do you get to be an expert to tell you something's not obvious? The least insightful person you can find? -J Roberts
  14. Not possible. by babbling · · Score: 4, Informative

    Can't... it's required for Windows Update! If you don't update, you're screwed!

    Can't be secure with ActiveX, can't be secure without ActiveX... but what would happen if ActiveX didn't exist?

    1. Re:Not possible. by bedroll · · Score: 5, Informative
      Disable ActiveX in the Internet Zone and add *.windowsupdate.com and *.microsoft.com to your trusted sites.

      ActiveX really should only run from trusted sites anyway.

  15. got it backwards by gurutc · · Score: 3, Funny

    IE is the hole, into which are placed 'features' such as this exploit, tied to the feature called 'activex.' Remove these 'features' and all that is left is the nothingness that is a hole.

    --
    Moderation in All Things... Especially Moderation - gurutc
  16. Use it for good not evil by slashbob22 · · Score: 3, Funny

    createText("install firefox.exe");
    createTextRange(-1);

    And just let the exploit install firefox. It's just that easy.

    --
    Proof by very large bribes. QED.
  17. mirror by eclectro · · Score: 4, Funny

    here.

    IE user, your house is on fire. Run for the hills! Go! Go!

    --
    Take the cheese to sickbay, the doctor should see it as soon as possible - B'Elanna Torres, "Learning Curve"
  18. divorce by Tachikoma · · Score: 2, Funny

    And would the divorce of IE7 from Vista's Windows Explorer help?
    maybe, but i still recommend divorcing windows entirely. i've loved computers before (not sexually ... you perverts!) but not until my power book did one love me back...

    --
    i don't care
  19. Dupe! by p0 · · Score: 2, Funny

    Dupe!

    --
    This is my sig. There are thousands more, but this one is mine.
  20. Re:Good week for MS by stupidfoo · · Score: 2, Informative

    Well, of course it can, that's the point of an HTML Application. The problem is that they can be executed without the user's permission.

  21. Re:Why are IE security flaws even reported anymore by caffeination · · Score: 2, Interesting

    Not quite true. Mostly because of the sheer amount of lazy bastards reading Slashdot while they should be working, a high proportion of this site's visits are through Internet Explorer. Even if they will use some newfangled firebird or netcraft when they get home, this hole matters to them *now*.

  22. Re:Dupe! by WillAffleckUW · · Score: 3, Informative

    No, according to InfoWorld, there are two bugs, so it's not a dupe, it's a second bug.

    But, good catch!

    --
    -- Tigger warning: This post may contain tiggers! --
  23. I am... by PFI_Optix · · Score: 3, Funny

    ...Jack's complete lack of surprise.

    --
    120 characters for a sig? That's bloody useless.
  24. Re:It's funny by Zocalo · · Score: 2, Interesting

    Also, I note that there is no mention as yet (there is another story on the way) of the highly critical security flaw found in Sendmail which also had a proven potential for remote and local exploitation and arbitrary command execution. Actually this is potentially quite interesting; with remotely exploitable problems with both IE and Sendmail announced at almost the same time, I wonder which one we are going to see exploited by the blackhats first? Admittedly there are already updated packages for most Linux distros and commercial UNIX versions, plus a new release of the software (no official Sun patch for Solaris yet though) which is going to tip the results a little, but still...

    --
    UNIX? They're not even circumcised! Savages!
  25. Re:GAH by TortiusMaximus · · Score: 2, Insightful

    The Grandparent Post never said hiding the problem was a cure. Hiding the problem *until there is a cure* would lower the number of exploits, that's all. Might delay a cure too.

  26. Easy formula by EraserMouseMan · · Score: 2, Interesting

    A simple math analogy will demonstrate the formula for /. sentiment. A negative multiplied by a negative equals a positive. Hackers hacking Microsoft == good news. Hackers hacking Firefox == bad news. Any good tech company can easily turn evil simply by an association with Microsoft.
    GoDaddy == Good.
    GoDaddy * Microsoft == Evil

    In the same vein (but totally against any mathematical logic), any company (including evil ones) that are associated with Open Source and/or Linux automatically become good.

    Oracle == Evil
    Oracle * Linux == Good
    China == Evil
    China * OSS == Good

    1. Re:Easy formula by yammosk · · Score: 2, Informative
      In the same vein (but totally against any mathematical logic), any company (including evil ones) that are associated with Open Source and/or Linux automatically become good.

      Oracle == Evil
      Oracle * Linux == Good
      China == Evil
      China * OSS == Good

      Obviously OSS and Linux are absolute value functions.

      Oracle == Evil
      Linux(Oracle) == Good
      China == Evil
      OSS(China) == Good
  27. Re:It's funny by mizhi · · Score: 4, Insightful
    That in the very previous /. story about a Sun product vulnerability, the hackers get ripped, but when it's Microsoft, the software company gets ripped.

    Here's the difference: In Sun's case, the hackers didn't alert Sun to the vulnerability. They just DOS'd a free service that Sun provided the world, causing headaches for people attempting to use the service. Their actions accomplished absolutely nothing (the grid was not affected), and resulted in Sun pulling a previously free product behind a security wall for which people are required to subscribe. Good going!

    In this case, a researcher discovered a flaw in the browser, and instead of being an a$%hat by writing yet another worm or malicious program, alerted Microsoft to the bug. Which is now in the process of being patched.

    --
    Humorless sig goes here.
  28. Slashthink. by Captain+Scurvy · · Score: 3, Informative

    So collectivist nerds can sit and giggle self-contentedly to themselves when MS looks bad.

  29. DDOS is a vulnerability? by SanityInAnarchy · · Score: 4, Insightful

    I wish I had mod points, because you'd be -10 moron.

    If DDOS is a vulnerability, it's one that all systems share, and thus, we'd have to be extremely jaded and cynical for blaming Sun for getting hit with one.

    It doesn't help that the existence of vulnerabilities in Microsoft's products is probably the reason it was so easy to attack Sun.

    --
    Don't thank God, thank a doctor!
  30. Re:It's funny by Anonymous Coward · · Score: 2, Funny

    A DDoS isn't a vulnerability any more than someone throwing a brick at your face.

  31. IE 7 in Vista would have been safe by ThinkFr33ly · · Score: 4, Insightful

    IE 7, when run on Windows Vista, would not have fallen victim to this or any other exploit of this nature. The reason for this is the fact that IE 7 on Vista runs as a user with virtually no privileges, regardless of privileges of the user using IE 7.

    Essentially all actions that require higher privileges, such as writing to non-temp locations on the file system, executing applications, installing plugins, changing settings, etc, will be done through the use of a broker.

    The broker is very small, perhaps only a few thousand lines of code. This makes auditing the broker far easier than auditing the hundreds of thousands of lines in IE 7.

    When IE 7 wants to save a file to the user's desktop, for instance, it must first "ask" the broker if it can do this. The broker is written in such a way that all actions require the user to confirm this is OK via a dialog box. If the user says it's OK the broker completes the action on behalf of IE 7.

    If IE 7 has a buffer overflow or exploit of some kind and tries to do something nasty it will always fail because it is running as a user with basically no privileges on the system.

    There is a video that describes this in detail on Microsoft's Channel 9 web site.

    1. Re:IE 7 in Vista would have been safe by Tumbleweed · · Score: 3, Funny

      This just goes to show that if you give MS enough time, they'll eventually be able to reinvent UNIX-like security. That's a relief.

    2. Re:IE 7 in Vista would have been safe by metamatic · · Score: 2, Insightful

      I remember hearing that ActiveX would only allow privileged operations if the code was digitally signed and verified as trustworthy, and hence would be as safe as Java... so you know what? I'll believe IE 7 is secure when it has been out for 6-12 months and hasn't had a major vulnerability reported.

      Sure, Microsoft probably has a convincing sounding explanation for why this time, their system will be secure. But they had a convincing sounding explanation many times in the past, and it never made a damn bit of difference. Sooner or later, you have to look at their track record, assess their credibility, and examine their claims with a skeptical frame of mind.

      --
      GCHQ Quantum Insert installed. If only our tongues were made of glass, how much more careful we would be when we speak
    3. Re:IE 7 in Vista would have been safe by Tim+C · · Score: 3, Insightful

      How so? It's not uncommon for "special" system processes to need to be started as root but to give up the extra privileges as quickly as possible, but I have never heard of an "ordinary" user process switching to an even less privileged user account.

      Besides which, the security model in NT-based systems is much richer than that in Linux-based systems. Unfortunately a few poor design/marketing decisions and a generation of sloppy coders too used to 9x-based systems has gone a long way to obviate that advantage, as far too many people simply run with administrative privileges.

      That said, the clueless will always be a danger to themselves, whatever system they run.

    4. Re:IE 7 in Vista would have been safe by kbielefe · · Score: 2, Interesting
      the security model in NT-based systems is much richer than that in Linux-based systems

      I beg to differ, unless you qualify that with default. Even then, there is little difference in capability in actual practice, as you pointed out. The security model in Linux has almost always been as rich as you want it to be. Process and role based access control has been available and used in Linux for several years in systems where that level of control is desirable, and has even crept into default installations of some server and even desktop distros in the last couple of years.

      For example, all the applications that connect to the internet on my home desktop already have similar restrictions to the IE7 restrictions the grandparent pointed out, and are probably more configurable and transparent. There are also several other layers of security that will probably prevent an attacker from ever getting to that point. Now you can say you've heard of an "ordinary" user process switching to an even less privileged user account.

      Admittedly, it wasn't easy to set up, but it is very easy to use and maintain. When I first made the changes, my wife didn't even notice a difference, and she couldn't see what the big deal was. I'll be very interested to see if Microsoft can manage to make it effective, easy enough for the average joe to install, and transparent enough that the average joe won't get annoyed and turn it off. I don't see how they can do it without limiting the extra security features to their own products in very inflexible configurations.

      --
      This space intentionally left blank.
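The broker arrangement described in the parent comment (a sandboxed browser process that cannot act on the file system itself and must ask a small, separately auditable broker, which confines the action and asks the user), reduced to its essentials as an added example. This is illustrative code written for this page, not Microsoft's implementation; the directory layout, the `Denied` type and the sample requests are constructed for the demo.

```python
# Added example, not Microsoft's code: the broker pattern from the comment
# above. The sandboxed side ("renderer") holds no file rights of its own; it
# asks a small broker whose policy is fixed: writes land only inside one
# directory, never overwrite, and each one is confirmed by the user.
import os
import tempfile


class Denied(Exception):
    pass


class Broker:
    def __init__(self, allowed_root, confirm):
        self.root = os.path.realpath(allowed_root)   # e.g. the user's Downloads folder
        self.confirm = confirm                       # callable(message) -> bool: the dialog
        self.log = []

    def _confine(self, requested):
        # Resolve '..' and symlinks first, then test containment on the resolved
        # path. A string-prefix check on the raw request is the classic bug.
        target = os.path.realpath(os.path.join(self.root, requested))
        if target == self.root or os.path.commonpath([self.root, target]) != self.root:
            raise Denied("outside %s: %r" % (self.root, requested))
        return target

    def save_file(self, requested_name, data):
        """The only privileged operation the renderer may request."""
        target = self._confine(requested_name)
        if not self.confirm("Save %d bytes to %s?" % (len(data), target)):
            raise Denied("user declined")
        # O_EXCL: create-new only, so a compromised renderer cannot clobber an
        # existing file even inside the allowed directory.
        try:
            fd = os.open(target, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
        except FileExistsError:
            raise Denied("refusing to overwrite %s" % target)
        with os.fdopen(fd, "wb") as f:
            f.write(data)
        self.log.append(target)
        return target


def run_renderer(broker, requests):
    """All a (possibly compromised) renderer gets to do: issue requests."""
    outcome = {}
    for name, (path, data) in requests.items():
        try:
            broker.save_file(path, data)
            outcome[name] = "saved"
        except Denied:
            outcome[name] = "denied"
    return outcome


def demo(user_says_yes=True):
    """Exercise the broker against a throwaway directory; returns what happened."""
    requests = {  # constructed sample requests, legitimate and hostile
        "legit": ("report.txt", b"quarterly numbers"),
        "traversal": ("../../evil.exe", b"MZ"),
        "absolute": ("/tmp/evil.exe", b"MZ"),  # os.path.join drops root for absolute paths
        "clobber": ("report.txt", b"overwrite attempt"),
    }
    with tempfile.TemporaryDirectory() as downloads:
        broker = Broker(downloads, confirm=lambda msg: user_says_yes)
        outcome = run_renderer(broker, requests)
        outcome["files"] = sorted(os.listdir(downloads))
    return outcome


if __name__ == "__main__":
    print(demo())
```

The point of the design is that the renderer's code size and bug count stop mattering for this class of action: the only code that decides whether a write happens is `Broker._confine` and `Broker.save_file`, which is what gets audited. In a real system the renderer would also be denied the directory by the OS (a restricted token, a separate user, or a mandatory label), so the policy holds even if the renderer never calls the broker at all; the Python demo only models the broker half of that.
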
  32. MS Claims Latest IE 7 Beta is not Susceptible by squidguy · · Score: 3, Informative

    The vulnerability has also been confirmed in Internet Explorer 7 Beta 2 Preview (January edition) though it could be avoided by turning off Active Scripting, as suggested by Microsoft Security Response Center blog.

    Per the same blog, the 20 March release of IE7 Beta is not vulnerable.

    Caveat emptor... I haven't tested it.

  33. Safest browser ever available by Otis2222222 · · Score: 4, Funny

    Here. Guaranteed not to be exploited by any javascript or plugin vulnerability. Or by any site that uses frames.

    1. Re:Safest browser ever available by phantomfive · · Score: 4, Funny

      Lynx only seems safe because it has such a small marketshare. As soon as more people use it, hackers will target it more. You will see.

      --
      Qxe4
    2. Re:Safest browser ever available by Beryllium+Sphere(tm) · · Score: 4, Informative

      The only thing funnier than jokes about Lynx vulnerabilities is that there have been real ones. Remote shell access in Lynx, Lynx command injection, Lynx NNTP buffer overflow.

      Maybe the thing to do is to telnet to port 80 and parse the HTML in your head, but then someone will probably find an HTML trick that will drive everyone who reads it insane.

  34. The 1st IE7 worm after the 'divorce' from windows by rubberbando · · Score: 4, Funny

    shall be named "alimony"!

    --
    DEAD DEAD DEAD DELETE ME
  35. But they spend 20 billion on making windows secure by SmallFurryCreature · · Score: 2, Insightful
    So clearly this bug does not exist in Windows XP SP2 and most certainly the same bug does not exist in the completely Windows Vista.

    Didn't we just have an article about MS wanting to go after Big Blue's business in the serious computer market? That they had spent 20 billion dollars on getting Windows ready to compete with the big boys and that IBM better look out?

    Some MS fan boys of course swallowed that line hook, line and sinker. The same line MS has spun since it began business. "The next version will be lots better than what our competitor offers so please buy our [inferior] product now, we promise to ship the next version on time and as promised. Honestly. Have we ever lied to you before, or failed to meet a deadline, or failed to live up to our own hype?".

    So the question by the poster of how this will affect MS in the market.

    Not at all.

    Simple as that. MS can keep producing crap and the public will continue to lap it up. I don't even care for the reasons and excuses anymore. They start to sound more and more like what you get at an Alcoholic Anonymous meeting or a session for battered wives.

    As a LAMP developer I was recently offered a position with the opportunity to grow into .NET development. Gee thanks. What is the bonus package like? Kick in the nuts?

    For those wondering what IE 7 and Vista will really be like. More of the same old crap just a lot more useless crap that nobody really uses but that adds a lot of bloat that makes it impossible to debug. If IE 1-6 have been buggy security holes and IE 7 has so far had the exact same bugs and security holes as 6 then it is obvious that MS hasn't really done anything with that supposed security audit of theirs.

    First WMF now this. Vista is just another re-release of the same crap code that MS has been lugging around since Billy boy first stole his basic interpreter.

    Business as usual. No doubt they will make a fat profit on it.

    --

    MMO Quests are like orgasms:

    You may solo them, I prefer them in a group.

  36. The Good News for Windows Users by hahiss · · Score: 3, Funny

    The good news is that at least we know that IE 7 is backward compatible with IE 6 vulnerabilities.

    --
    "Every decent man is ashamed of the government he lives under." - H.L. Mencken
  37. Highly Critical by gnovos · · Score: 2, Funny

    This hole will complain endlessly about your banal surfing habits and tell you that you are beginning to look a little fat. It's amazingly critical.

    --
    "Your superior intellect is no match for our puny weapons!"
  38. not as bad as it sounds by tota · · Score: 2, Informative

    for sure, I don't mean to be defending IE, but according to the original bug report (copied from Full Disclosure ML):
    *******
    I can't find any info on this delicious IE bug, but it seems to be publicly known:

                    <!-- "c" is a radio button control, per the Secunia advisory -->
                    <input type="radio" id="c">
                    <script>
                    r=document.getElementById("c");
                    a=r.createTextRange();   // crashes mshtml.dll on the affected versions
                    </script>

    It will badly access a (virtual?) pointer table, making EIP jump to a random address. This has various effects on the system I've tested with, including crashing. It works on these versions of mshtml.dll:
    XP SP2: 6.0.2900.2802 - latest
    WS2003: 6.0.3790.0
    *******

    So EIP goes to a random address, big deal. This is not exploitable unless you can allocate a huge chunk of memory and place lots of NOPs followed by the payload, then you've got to hope the random jump lands in that region. Not likely to work.

    This is bad (crash) but not remotely exploitable (no worm on the horizon)

    --
    TODO: 753) write sig.
    1. Re:not as bad is it sounds by say · · Score: 2, Informative

      I doubt the code says EIP.jumpTo(rand.newInt()). There is probably a way to foresee what address the EIP will pick, and that makes this potentially exploitable. But obviously it would be very, very difficult.

      --
      Roses are #FF0000, violets are #0000FF, all my base are belong to you
  39. Re:In other news... by argent · · Score: 2, Insightful

    *sigh*

    This is most likely the latest instance of the deep design flaw that the Microsoft HTML control has had since 1997, a flaw that no other browser (open source or commercial) suffers from, a flaw that Microsoft is going to have to break every application that uses the HTML control for anything but simple HTML display to fix... but which they absolutely have to do.

    Compared to sendmail... this would be like Allman "fixing" the backdoor that the Internet Worm used by changing the password from "WIZARD" to "DEMON", then making patch after patch to keep the backdoor open... instead of simply taking it out as he did. Genuinely fixing a design flaw, rather than patching over instances of it, THAT is what "concentrating on security" means.

  40. misplaced trust by Scrameustache · · Score: 2, Funny

    add *.windowsupdate.com and *.microsoft.com to your trusted sites.

    You gullible, gullible fool : )

    --

    You can't take the sky from me...

  41. Updates are necessary, Windows Update is not by InvisiBill · · Score: 3, Informative

    I can't remember the last time I used Windows Update. Automatic Updates does most of what I used WU for, even more easily. If I want other updates, Windiz Update is very similar, but works in non-IE browsers.

  42. Re:IE 7 in Vista sounds irritating by necro2607 · · Score: 2, Insightful

    When IE 7 wants to save a file to the user's desktop, for instance, it must first "ask" the broker if it can do this. The broker is written in such a way that all actions require the user to confirm this is OK via a dialog box. If the user says it's OK the broker completes the action on behalf of IE 7.

    Wait, so I right click an image, choose "save to desktop", and then a dialog will come up asking me if I "really want to" do that?

    You know, my usual response to dialog boxes like that is something along the lines of: "No, I was just clicking that button for the hell of it. I didn't want to actually do anything." (with a nice sarcastic tone)....

    If that's really what using IE (and Vista) is going to be like, well, damn, I'm just that much more glad I bought an iBook last month instead of a Windows-based laptop.

  43. Doesn't help by Bacon+Bits · · Score: 2, Informative

    Disabling ActiveX doesn't help. The workaround is to disable active scripting. That will also disable everything in <script>, <object>, and <applet> tags. That means everything from Java applets and Flash to JavaScript (and therefore stuff like AJAX and most DHTML events).

    In other words, the "fix" is to use your browser in 1995 mode.

    --
    The road to tyranny has always been paved with claims of necessity.
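The two workarounds discussed in this thread (bedroll's "disable ActiveX in the Internet zone and put *.windowsupdate.com and *.microsoft.com in Trusted Sites", and the MSRC advice Bacon Bits refers to, disabling Active Scripting in the Internet zone) both live in the per-user Internet Settings registry hive. The block below is an added example, not code from the thread or from Microsoft: it expresses those settings as data, applies them with the standard-library `winreg` module, and reads them back to detect drift. The `Zones\3` URL-action ids (1200 = Run ActiveX controls and plug-ins, 1400 = Active scripting; 0/1/3 = Enable/Prompt/Disable) and the `ZoneMap\Domains` layout are the IE 6/7 conventions as I know them; treat them as assumptions to verify on a test machine before pushing them out.

```python
# Added example (not from the thread, not Microsoft's code): the zone-based
# workarounds as data, plus a winreg applier and auditor. Registry layout and
# URL-action ids are assumed from the IE 6/7 ZoneMap/Zones scheme under HKCU.
import sys

INTERNET_SETTINGS = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings"
ZONE_TRUSTED, ZONE_INTERNET = 2, 3
# URL actions in Zones\<zone>: 1200 = "Run ActiveX controls and plug-ins",
# 1400 = "Active scripting". Values: 0 = Enable, 1 = Prompt, 3 = Disable.
RUN_ACTIVEX, ACTIVE_SCRIPTING = "1200", "1400"
ENABLE, PROMPT, DISABLE = 0, 1, 3


def domain_key(pattern):
    """Translate a Trusted Sites entry into (ZoneMap subkey, value name).

    '*.microsoft.com'              -> ('Domains\\microsoft.com', '*')
    'https://update.microsoft.com' -> ('Domains\\microsoft.com\\update', 'https')
    The registrable domain is the key, any host prefix is a subkey, and the
    value name is the scheme ('*' = any scheme). Assumes a two-label
    registrable domain, which is wrong for names like example.co.uk.
    """
    scheme, host = "*", pattern
    if "://" in pattern:
        scheme, host = pattern.split("://", 1)
    host = host.rstrip("/").lower()
    if host.startswith("*."):
        host = host[2:]
    labels = host.split(".")
    if len(labels) < 2 or not all(labels) or "*" in host:
        raise ValueError("expected sub.example.com or *.example.com: %r" % pattern)
    key = r"Domains\%s" % ".".join(labels[-2:])
    prefix = ".".join(labels[:-2])
    if prefix:
        key += "\\" + prefix
    return key, scheme


def policy(trusted_patterns, disable_scripting=False):
    """The writes, as (subkey under Internet Settings, value name, DWORD value)."""
    writes = [(r"Zones\%d" % ZONE_INTERNET, RUN_ACTIVEX, DISABLE)]
    if disable_scripting:  # the MSRC workaround for this particular bug
        writes.append((r"Zones\%d" % ZONE_INTERNET, ACTIVE_SCRIPTING, DISABLE))
    for pattern in trusted_patterns:
        key, scheme = domain_key(pattern)
        writes.append((r"ZoneMap\%s" % key, scheme, ZONE_TRUSTED))
    return writes


def apply_policy(writes):
    """Write the per-user settings (Windows only). Returns the number of values set."""
    import winreg  # imported here so policy()/domain_key() also load on other platforms
    for subkey, name, value in writes:
        with winreg.CreateKey(winreg.HKEY_CURRENT_USER, INTERNET_SETTINGS + "\\" + subkey) as k:
            winreg.SetValueEx(k, name, 0, winreg.REG_DWORD, value)
    return len(writes)


def audit_policy(writes):
    """Return (subkey, name, current, expected) for every value that drifted."""
    import winreg
    drift = []
    for subkey, name, expected in writes:
        try:
            with winreg.OpenKey(winreg.HKEY_CURRENT_USER, INTERNET_SETTINGS + "\\" + subkey) as k:
                current, _ = winreg.QueryValueEx(k, name)
        except OSError:
            current = None
        if current != expected:
            drift.append((subkey, name, current, expected))
    return drift


if __name__ == "__main__":
    writes = policy(["*.windowsupdate.com", "*.microsoft.com"], disable_scripting=True)
    for w in writes:
        print(w)
    if sys.platform == "win32":
        apply_policy(writes)
        print("drift:", audit_policy(writes))
```

Two caveats a practitioner would check before relying on this: a machine-wide policy (the `Security_HKLM_only` setting, or Group Policy zone assignments under HKLM) overrides anything written to HKCU, so `audit_policy` reporting no drift does not by itself prove the effective setting; and, as the thread notes, disabling ActiveX alone does not stop the createTextRange bug, since it is reached through plain script, which is why the `disable_scripting` switch is there at all.
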