Slashdot Mirror

← Back to Stories (view on slashdot.org)

Two Unofficial IE Patches Block Attacks

Posted by ryuzaki0 on from the egg-is-good-for-the-complexion dept.

Pentrex writes "eWeek reports that two well-respected Internet security companies (eEye and Determina) have released unofficial patches to correct the vulnerability being exploited to load spyware, bots and Trojan downloaders on Windows machines. Microsoft isn't sanctioning the third-party patches, which include source code for review. As always, the advice is to weigh the risks before opting for an unofficial hotfix."

26 of 233 comments (clear)

  1. Other patches: by NilObject · · Score: 5, Funny

    There's two other patches out there that work pretty damn well:

    1 and 2.

    1. Re:Other patches: by Volanin · · Score: 4, Insightful

      1. [apple.com] and 2. [mozilla.com]


      Yeah, but only number 2 "include source code for review."
      --
      If I clone myself, can I call it a thread?
      If a girl winks to us, can I call it a race condition?
    2. Re:Other patches: by chrome · · Score: 4, Informative
      Yeah, but only number 2 "include source code for review."

      Not entirely true. You can review the code for darwin, and you can review the code for WebKit.

      The only thing you can't review is the UI drawing code in AppKit/Quartz/Cocoa etc.
  2. Re:Why doesn't Microsoft... by Dante+Shamest · · Score: 4, Funny
    Why doesn't Microsoft just tell people to switch to Ubuntu and use Firefox? It would save them a hassle and a lot of work.

    Are you related to my girlfriend? Because she asks smart questions like you. =)

  3. Are there not risks even with official patches? by El+Cubano · · Score: 4, Insightful

    As always, the advice is to weigh the risks before opting for an unofficial hotfix.

    Is this not something that smart admins/companies so even with official patches and fixes? To me, the fact that the source was released shows that these people are quite serious about being taken seriously. I suppose that is better than MS assurances that they extensively tested the fix before release.

    1. Re:Are there not risks even with official patches? by Ravatar · · Score: 3, Insightful

      Without releasing the source, they have almost no credibility. If they hadn't released the source, slashdot would be packed with cries of "who would actually run this?!" "wtf, no source? no thanks".

    2. Re:Are there not risks even with official patches? by tshak · · Score: 5, Insightful

      I suppose that is better than MS assurances that they extensively tested the fix before release.

      This quite far from the truth. Reading source code will not find the integration problems that can come up when you release a patch on millions of machines with different configurations.

      --

      There is no longer anything that can be done with computers that is nontrivial and clearly legal. -- Paul Phillips
    3. Re:Are there not risks even with official patches? by whitehatlurker · · Score: 4, Insightful

      And yet, we will accept the same from MicroSoft without the assurance of source ;-)

      --
      .. paranoid crackpot leftover from the days of Amiga.
  4. How do they even write these patches??? by MoxFulder · · Score: 4, Interesting

    I don't even understand how they manage to *write* third-party patches. I mean, it must be hard as hell to do without the IE source code. I think they write a separate DLL which acts as an intermediary to the flawed insecure library or something, but it sounds like an enormous pain-in-the-ass process. Or do these companies have access to MS code through Shared Source program or something?

    Yep, the more I watch the ills that befall the Microsoft-bound, the more I'm happy with my decision to go Linux-only a few years back.

    --
    My bicyles
    1. Re:How do they even write these patches??? by Anonymous Coward · · Score: 5, Informative

      We certainly don't have access to Microsoft source code. I ran Internet Explorer in a debugger and traced through the execution of the exploit (which was publicly available at this point). Most memory corruption vulnerabilities result in an exception, which is caught by the debugger. Once you have the location of the exception, you can identify which function the vulnerable code is in.

      Once I had the name of faulty function, I disassembled it using IDA Pro and found the bug by reading the disassembly. With enough reverse engineering experience reading disassembled code is not much harder than reading C source code. It just takes longer.

      The IE vulnerability is caused by a funcion called with incorrect parameters which returns SUCCESS instead of an error code. The caller belives that the function suceeded and tries to use an uninitialized variable. The patch is a single byte change in mshtml.dll. The patched function now returns a valid error code and the vulnerability is stopped.

      This free patch is just a demonstration of what we do every month as part of our LiveShield product. It is a lot more advanced, but the idea is similar. We use the vulnerability analysis techniques described above to create "shields" that detect and stop specific Microsoft vulnerabilities. The coolest part is that the shields can be inserted and removed at runtime, without having to reboot any of the running applications.

      Alexander Sotirov
      Security Research
      Determina Inc.

    2. Re:How do they even write these patches??? by romka1 · · Score: 5, Informative

      "The fix is a DLL that gets injected into all applications via the AppInit_DLLs registry key," Sotirov wrote in a message posted to security mailing lists. He said the DLL fixes the bug by patching a single byte in MSHTML.DLL when it is loaded in memory. "This change makes the 'createTextRange()' function return an error code instead of returning 0. This exactly how the problem was fixed in the latest IE7 beta from March 20," Sotirov explained.
      from the article

      --
      Visit my site @ http://www.madtorrent.com
    3. Re:How do they even write these patches??? by QuantumG · · Score: 4, Interesting

      You should do your work here in Australia. We have laws that guarentee our right to reverse engineer software to fix security issues.

      --
      How we know is more important than what we know.
    4. Re:How do they even write these patches??? by Anonymous Coward · · Score: 5, Interesting

      I don't use debuggers as much as you'd think. I prefer to disassemble the code and read it until I understand what's going on, and then confirm it with a debugger. Some other people use debuggers as their primary tool, and resort to disassembers only when they are really stuck. I guess it's just a matter of personal preference and temperament.

      When I do use a debugger, it's usually WinDbg. I like the command line interface and it has very good support for all versions of Windows. A lot of other security researchers use OllyDbg. For kernel debugging I use both WinDbg and SoftIce. SoftIce has the advantage of being able to follow code from user space to kernel space and back, which is very useful for analyzing kernel vulnerabilities.

      Alexander Sotirov
      Security Research
      Determina Inc.

  5. I'm waiting for the official IE patches by WillAffleckUW · · Score: 3, Funny

    Of course, I'll probably be retired before they're out.

    --
    -- Tigger warning: This post may contain tiggers! --
  6. weigh the risks by enrevanche · · Score: 3, Insightful

    Certainly you should weigh the risks with any patch but since an "official" patch would come from the originators of the flaw (and numerous others) why should it be considered any better than an "unofficial" patch? At least these patches can be scrutinized by the outside world for problems. A MS patch will be forever hidden. The perils of closed source!

  7. But how many would install them? by E+IS+mC(Square) · · Score: 5, Insightful

    Given the fact that the average IE user would not even be aware of the flaw, how would he even know such third party patches even exist?

    Most of them are going to be patched only when MS releases the patch, AND they have selected to be updated automatically.

    Its a horrible situation.

  8. Re:Fat, slow, and lazy by dtfinch · · Score: 4, Insightful

    If it was just a testing thing, they wouldn't wait until the 2nd Tuesday of the following month. Minor patches can wait, but delaying critical patches is inexcusable.

  9. Re:Free as in... by Arandir · · Score: 3, Interesting

    In an old interview Bill Gates said, and I paraphrase, "people don't pay for bug fixes." This explains a lot.

    --
    A Government Is a Body of People, Usually Notably Ungoverned
  10. Tested and deployed by ninja_assault_kitten · · Score: 3, Informative

    I had our IT department test and deploy the silent installation this morning. We're a web-based software company and there's been zero reported impact to our development staff as 6pm EST.

    While it's clearly not the best solution, it does work and provides a much needed layer for the vast majority of corporations who simply cannot and will not disable active script.

  11. Applying Patches Is Not Free by patio11 · · Score: 4, Informative

    Microsoft releases one patch day a month because their corporate customers, the lion's share of their market, demand it. And they demand it because "release a million little patches as soon as that individual patch is done" is unworkable in a corporate environment. You can plan around one big patch a month -- the magic word is "scheduled downtime". It is less bad for some customers to be periodically marginally more vulnerable for a period of two weeks or so then to be continusouly vulnerable to unscheduled downtime due to patching. "Publish early and often" works well with an enthusiast running one machine but when you've got an IT department overseeing a cast of thousands spread over 14 time zones things get a little more dicey.

    --
    Help poke pirates in the eyepatch, arr.
    1. Re:Applying Patches Is Not Free by apoc.famine · · Score: 4, Insightful

      I'm missing the part where the sense is....If MS released all patches as soon as they were ready, everyone who wanted to patch right away could. If large corporate IT depts still want to patch every 2nd tuesday, they still can! Scheduled Downtime is Scheduled Downtime is Scheduled Downtime. I see no connection between when MS releases a patch and when an IT department schedules their downtime to roll that patch out. (Well, other than the fact that the patch has to come first. ;)

      This whole "scheduled patching" bit really is BS. All it does is leave critical problems unpatched longer than necessary, so that managers can point to MS when bad shit happens to the network. "Well, we couldn't patch until two days after patch-day, because we needed to test the patches." works lots better than "We got fucked because I decided that it wasn't critical enough to test and deploy right away."

      While I can see where it would make a lot of people more confortable to know that there is patching every third Wed or something, I just don't see the value in withholding critical patches because "they aren't scheduled yet". At the very worst, let the IT departments decide if they want to schedule additional downtime, because ultimately, they know whether it will affect their systems or not. But then again, MS knows best, all the time, doesn't it?

      --
      Velociraptor = Distiraptor / Timeraptor
  12. In memory fix by roman_mir · · Score: 4, Insightful

    the patch fixes the affected DLL in memory by overwriting a byte that is stored in RAM for MSHTML.DLL this begs a freaking question, should a modern OS even allow some application to modify behaviour of another application in memory, especially behaviour of a system level application, an OS DLL? I believe the patch needs to be installed from an administrator account, but even then, this doesn't mean that it is good design decision, to allow an arbitrary application to overwrite in memory code of another application. Of-course if that wasn't possible this specific patch couldn't exist, but still, the OS allows questionable application behaviour to say the least.

    --
    You can't handle the truth.
    1. Re:In memory fix by Zenki · · Score: 3, Interesting

      Then how do you expect debugging to work? Pretty much all OS's offer an API to let the debugger read/write bytes from program memory. A similar hack could be done on Linux by writing into /proc.

  13. Anyone remember? by WalterGR · · Score: 5, Insightful

    Does anyone remember the previous third-party patch to IE? This is from December of '03.

    Slashdot: "Open Source Firm Releases Patch for IE Bug [UPDATED]"

    An open source and freeware software development web site has released a patch to fix the URL spoofing vulnerability in Internet Explorer... Update: Sadly, the patch appears to contain a buffer overflow and some possibly-malicious code. (link)
    --
    The Online Slang Dictionary
  14. opensource? by sumdumass · · Score: 3, Interesting

    It would be interesting to see microsfts official patch when it becomes availible and attempt to see how close it is to these unofficial patches.

    Maybe the code would be completley different but would it achieve its goal by going about the same ways as the unofficial patch? Or would it be patched on a level deeper then we could access. I guess the most interesting part would be that a third party without access to the source code could actualy come together with a solution before microsoft. What would be more interesting is seeing how close those solutions match match each other. Sort of a test to how these third party programers can predict the neccesity or orders of different code they only have limited access to.

  15. Assembler and debugging references by AltControlsDelete · · Score: 3, Informative

    For x86 assembler, Intel is a good source of information: http://www.intel.com/design/Pentium4/documentation .htm#manuals. You'll want to check out volumes 2A and 2B at a minimum for reference material.

    I would be surprised if Alexander used the Visual Studio debugger; more likely he used SoftICE or one of the Windows debuggers (NTSD/CDB/KD/WinDbg). SoftICE is a commercial product sold by Compuware and provides both user-mode and kernel-mode debugging. A version of the NTSD debugger comes with Windows, but is less useful than the one that comes with Debugging Tools for Windows. NTSD and CDB provide user-mode debugging, the only difference between the applications being that NTSD opens a new console window and CDB does not. KD is the kernel debugger. WinDbg provides the same functionality as NTSD/CDB/KD but with a (spartan) Windows interface.