New IE Holes Discovered

joelt49 writes "Yahoo! News is reporting that 7 new security holes for Internet Explorer have been discovered by a Chinese researcher; however, there apparantly aren't any attacks on IE yet." The part about this story that gets to me is that the researcher didn't alert Microsoft before posting to a public mailing list. Sure, a lot of people don't like Microsoft, but that's no reason to make it worse for the millions of people who are forced to use Microsoft products, especially for security holes which have yet to be exploited.

Incident response times

The part about this story that gets to me is that the researcher didn't alert Microsoft before posting to a public mailing list.

Yep, not ideal. But it'll be interesting to see whether MS's claims of having a faster response time to security incidents that the Linux community stands up. Will they have a patch available withing the next day or so? You can guarantee that the Mozilla or Konqueror communities would have in the same circumstances...

Re:Incident response times

Neither does Microsoft, as shown several times when their updates causes 3rd software to break - even in areas the patch wasn't supposed to touch.

Feel free to Google.

No Exploit, eh?

What I'm wondering is why the poster of this story didn't do a tad more research before posting. As of yesterday, an exploit for these security holes has been available.

Exploit code, anyone? A simple google search or a Bugtraq archive browse should do it.

Re:No Exploit, eh?

Truly. Also, if there is exploit code, someone is using it, just maybe not as part of a trojan or virus yet. Patch or no patch, you can bet that there will be an exploit being used in the wild within a matter of hours or a day at the maximum. The latest trojan/worm/virii are programs that deliver huge amounts of machines to spammers and hackers to become part of their DOS botnets or spamnets, with built in backdoors, etc. Were you on irc the day that the mirc xdcc flaw was discovered? I received no less than 30 malformed xdcc requests that day. Discovery of a new flaw is like free candy to script kidz. Twice the 0wned machines, half the hacking.

Re:Incident response times

... as shown several times when their updates causes 3rd software to break ...

It's even worse when done by design [winntmag.com]. Once a scoundrel - always a scoundrel.

Re:Incident response times

Itd be really strange if Mozilla broke my Window Manager or something. What exactly would they need to test it with?

I can understand Internet Explorer needing to be tested against the rest of Windows and its APIs but Mozilla is a stand-alone web browser - as long as the API isnt affected it ['full regression testing'] shouldnt matter too much IMO.

Re:Incident response times

Mod the parent up. This one hits the nail on the head and is the heart of what's wrong with MS Windows and right with Linux. What Microsoft claims as integration is done in a way which brings the whole house down when one small part fails. The co-mingling of applications with the OS. Legal documentation even showed that this was originally done for anti-competitive reasons and now is being presented as the latest half-baked why MS Windows is supposedly better than Linux. This is not the design methodology used in the *nix world.

This is also something to watch out for when developers try to mimic the Microsoft Windows system while making Linux more and more user friendly.

IMHO

LoB

Re:Incident response times

This is not the design methodology used in the *nix world.

Code reuse is code reuse, whether it is Windows, Unix, or any other OS/app. Modern programmers are taught to do code reuse, and saing "This is not the design methodology used in the *nix world" is plain stupid.

When gzip security hole was discovered, it hit hundreds of Unix applications, because they reused the code from this library. Is the "design methodology" any different?

The gzip bug demonstrated that it sometimes can even be worse on *nix, due to source code coping instead of shared libs, so that the bug had to be fixed in multiple places.

By the way, Netscape was / Mozilla is actively trying to make itself a platform for writing applications using its XPCOM/XUL and other technologies. It is not very successful so far, but when it will, its bugs and patches will hit lots of independent applications, just like bugs/patches in IE do now.

Re:Code reuse is code reuse

You really don't know the first thing about coding do you, when you use a library you do not cut and paste the code into your own, you use their functions and stuff

And you don't know anything about gzip vulnerability and instead generalize your ideas of how it should be to how it is actually done.

Lots of applications were using customized version of gzip, e.g. Linux kernel used a trimmed down version of gzip. They could not be simply recompiled with new library - the bug had to be fixed in every copy of the source code - yet, it was code reuse via copy/paste as much as it could possibly be. Too little applications used shared library, so even those application that used standard gzip had to be rebuild with new static library.

And if *nix world moves to using shared libraries more, it will face the same problem Microsoft has - a single security fix in a single shared library can potentially break any of hundred applications that use this library, and all these applications has to be tested with patched version. Which is still better than patching hundred applications independently.

Re:Incident response times

Oh, the joys of forceful integration... ;-) Now do you understand the importance of clean independent components with defined and carefully thought out APIs?

Re:Incident response times

Please list one problem someone has had because of a Mozilla security fix.

Re:Incident response times

Doesn't matter - MS claims a 24 hour response time. Lets see it happen.

Re:Incident response times

A critical bug in Konqueror and all of KDE becomes useless.

This gets back to the terms sproketboy used: no "commingling" in a "properly written application".

I won't go into a 10-page lecture on software engineering. But just because an application is depended on by any others doesn't mean they're comingled, or improperly written. A good component app will have a limited number of interfaces to the rest of the system (on the order of 10-200, and hopefully towards the low side).

Testing the program's correctness on those interfaces gives you a high trust that it'll work correctly in the larger system.

Microsoft(tm) IE(r) isn't like that. It doesn't have defined interfaces to the rest of the system. Its not an application which runs on the OS kernel and talks with other apps. It's source code is intermixed with much of the rest of the Windows OS. Testing every interface isn't enough to show that a new version is working right... you'd have to go through every line of code and see how it might possibly perturb Windows itself.

Compared to component-interface testing, that's a prohitably lengthy task; a combinatorical explosion of places to check.

no Kate working no editors

Again, Kate is one component, and testing that component's agreement with each of its public interfaces should be enough to verify there are no critical bugs. That only works if the components are well-separated enough. But separation leads to slowness, and Microsoft wants to be fast.

Microsoft doesn't either

In the company where I work (a large bank, 40000 work places) the latest IE security patch caused grave problems with (client certificate authenticated) SSL connections. Many internal applications broke down at random after about 10 minutes. This is costing massive amounts of time and money.

Re:Incident response times

Microsoft has been using the paying community as QA since at least MS-DOS 4.0 Have you been living in a cave all these years?

The whole premise behind FSF is that it is FREE, the user accepts some responsibility in the transaction, in this case by reporting bugs and helping to test beta versions before the code is released live. You seem to be saying that Microsoft has never released code that was not finished, 100% Quality Assured, no Security holes.....

If you believe so strongly in your statements, why do you post AC?
So I say Mod the Grandparent DOWN, MS whiners be damned!

Re:Incident response times

Microsoft has released service packs that kill peoples applications, so much so that they have had to remove the service pack and put in a differnt one to patch the broken patch. Even Microsoft can't check the way everything works with everything.

The big differnce is that with open software, you can patch it yourself, or hire somebody to patch it for you. With MS, you can't patch it, and unless it effects enough people, you can't get MS to patch it either.

Re:Incident response times

Yep, not ideal. But it'll be interesting to see whether MS's claims of having a faster response time to security incidents that the Linux community stands up.

Have you seen what happens to people who report security issues to MS? Follow the full-disclosure and bugtraq lists sometime; you will be astounded. MS repeatedly ignores reports until there is an exploit. They have gone so far as to lock hotmail accounts of people reporting issues.



They have repeatedly demonstrated a knee jerk reaction to deny problems until they're public, at which point they announce that they've been working been on it all along.

Honestly, with their resources, they could give Linux a serious run on patch speed, but only if they change their mindset first.

Re:Incident response times

It's been a while since I followed bugtraq/NTbugtraq. Does Microsoft still charge people $90 (up front -- but supposedly refundable) if they want to report a security bug?

If they are, then I can see why researchers aren't playing their silly game, especially if they discover several bugs. Further, Microsoft is giving up a small advantage they could have over open source. If they allowed non-public reporting of security bugs, then they could have that information before the crackers get it, while open source bugs are generally reported to open developer lists.

it wouldn't change anything

I don't blame this guy for not going to Microsoft first. Given thier track record, more than likely, they would have ignored him until someone publicly announced the problems.

P.S. Is it news anymore that IE has holes?

Re:it wouldn't change anything

Given thier track record, more than likely, they would have ignored him until someone publicly announced the problems.

You may be right, but it still doesn't change anything. I think this guy should have told Microsoft first, waited, if they don't respond within 48 hours, report it.
If you get a standard stupid automated copy/paste reply, report the holes.... but you SHOULD give the company some notice. As stated in the article, not giving the company any info just makes it bad for anyone having to use IE.

Is it news anymore that IE has holes?

Nope. Seriously, who here gives a crap about IE holes? Everyone here probably knows that using IE is about as secure as getting water in a fishingnet.

Re:it wouldn't change anything

this guy should have told Microsoft first, waited, if they don't respond within 48 hours, report it.

I believe the current "best practice" is to wait at least 1 week for the vendor to initially respond... and to give them at least 1 month to create a patch if they (privately) acknowledge the problem.

But giving them ZERO hours is about as bad as it gets.

Re:it wouldn't change anything

I used to work in Microsoft technical support. From my experience, MS does everything to avoid receiving bug reports from end users, their system is designed in such a way that bug reports are automatically dropped, unless the originate from a pro support client (which pays millions of dollars for support). What this guy did is not only right, but also it is the only moral thing to do. Companies like MS should pay for their bad business practices.

Re:it wouldn't change anything

I agree with you in theory, but if you look at it from the perspective of "how do you get the average user interested in alternatives?" angle, this might be the way to go.

Consider that people use IE because "it's there," and not generally for any other reason. These people are going to continue to do so until the consequences are too high. Really, the same should apply to corporations too. The more often they get bent over, and the rougher those encounters are, the more the point gets "driven" home...I've been on a campaign lately trying to get people to switch from IE. I've been pushing Netscape 7.x instead of Mozilla though, as I find explaining the difference is tedious to say the least. I'd prefer if they used the AOL-brand free version, but Netscape is better than nothing.

Really, this should go for all MS products with shoddy track records. Any time you have to explain why "the computer was infected with another virus, even though you had AntiVirus software," be very _blunt_ about the reasons. Internet Explorer was designed to kill Netscape, not be secure..."Yes, you're virus signatures were up-to-date (not likely), and you still got a virus." That's because MS knew about the problem 3 months ago but it wasn't made public so they didn't fix it. It's not Norton/McAfee's fault. This virus didn't exist until yesterday...

Now, I'm not saying I think every use should immediately switch to Linux, but I do recommend Mac OS X quite often. I know that nothing is perfect, but it's time people started using _anything_ other than Windows and IE. Don't hide the flaws of the other systems. Yes, Mac OS X did have a problem recently. Nothing is perfect. Most things just happen to be more perfect than Windows and IE.

-Ben

Re:it wouldn't change anything

It is pretty pathetic to deal with some big software company like Microsoft when reporting bugs... There is no simple way. A friend of mine did some scripting and discovered an obscured w2k bug (no big deal just causing yet another blue screen) by pure chance. He did some detective work and nailed down to the exact condition that triggers the problem. Since we are not doing security or serious low level programming, we don't have links with any relevant person in MS. When contacting the local MS office (we are in a small country, btw), the guy on the other end of the phone had no clue and put us thru technical support. Read: demanding $$$.

At the end, we did not bother. After a few more months, it was made public (not by my friend though). Nowadays, reporting MS bug becomes a dangerous maneouver... If MS is really serious about security and good quality software, they would put a contact on the front page and offer reward for anyone who spots a new major bug. Before then, I don't see why we need to be nice to MS.... They say they are capitalist. We should respect their value and don't do any free work for them...

It's hardly bad...

Sure, a lot of people don't like Microsoft, but that's no reason to make it worse for the millions of people who are forced to use Microsoft products, especially for security holes which have yet to be exploited.

If OSS people can fix the bugs in less than half a day, it should be a piece of cake for a giant software company with lots of programmers to do the same. Sure, a days warning would have been nice, but if there isn't a fix by tonight, it only shows badly on Microsoft.

Re:It's hardly bad...

Real programmers don't need to regression test the whole world for a simple bug: they fix the broken method, recompile and repackage. Real programmers design clean APIs and classes where the public methods don't need to change to fix a silly bug. On the other hand if the security fix requires breaking class compatibility then it's not a bug, it's a poor design failure...

New Rival to Internet Explorer...

Microsoft are about to announce a replacement for Internet Explorer called 'MS String Vest'.

A spokesman was quoted as saying, "It's the only way we can release a product with more holes than IE".

It is unconfirmed if StringVest will be integrated into Windows XP SP2 or if we will have to wait until LongHorn is released.

I've been trying my best to switch people away

...from IE. I tell people about the built-in pop-up blocker, and the adaptive spam filter in Mozilla. I also tell people about the nice long list of IE vulnerablities like the ones in this article, I've gotten quite a few to switch away from IE, to either Mozilla, Mozilla Firebird, or Opera. It's all about using the big words when you persuade them to switch.

Re:I've been trying my best to switch people away

Absolutely.

I have a neighbour whose computer is currently fried - it'll apparently not boot at the moment, and needs a reinstall of whatever version of Windows it runs. She came over recently and said at some point she needs to use the Internet, and when I offered to let her use my connection said "Oh, I'd be using it for hours".

So I offered her a laptop. I told her if she makes sure she uses it on the side of the appartment closest to mine she'd be within range of my wireless network "so you'll not have to do anything, just switch it on and start browsing".

"Oh" she said, obviously hearing words like "wireless" and "network" and "browser", "That sounds far too complicated!"

I am still gobsmacked about that one, but you're right: it's the words. The more you try to explain to someone how much better (or even how much easier) something is, the more complicated they assume it is. And that really works against you when trying to explain how much simpler something is because by default they assume they'll have to do all the stuff they do now: if you explain they'll not need to, it's hard to word it in such a way that it doesn't sound complicated to a non-technical user.

I suspect that's Mozilla's real problem (and the problem with so many platforms previously that were technically superior, and much more user friendly) - the technical people are the ones who realise the benefits, so everyone assumes you have to be a genius to use them.

Re:I've been trying my best to switch people away

I use Mozilla Firebird [mozilla.org], myself, and like you, I've tried to encourage my friends to switch.
Doesn't help much when I'm forced to use a university workstation (like today), but I find it's a better quality browser than IE. Renders faster, blocks pop-ups, and I find tabbed browsing to be pretty much invaluable.
Of course, the best thing about Firebird is, I can still watch Doctor Who: Scream of the Shalka [bbc.co.uk] ;-)

There are, of course, some times when you have to use IE (like Windows Update, though I guess I could always just download each update manually).

The big problem I've hit is that, even with all these MSIE vulnerabilities that come out on a near-weekly basis - not to mention annoying pop-ups and pop-unders, and other little security-related issues - I don't seem to have any success.
So what's your persuasive technique for getting people onto pre-1.0, non-MS, reliable-but-not-100%-complete software?