Latest IE Hole Lets Gopher Root You 567
rvaniwaa writes "Another hole in internet explorer has been discovered. This hole allows a hacker to root a user's computer whenever the user clicks on a gopher link. All versions of IE are affected and a Microsoft spokesman stated that the company is "moving forward on the investigation with all due speed""
My thoughts: (Score:2, Insightful)
See if this story follows pattern (I think it will).
Re:All three gopher links left.. (Score:5, Insightful)
Re:...and yet (Score:2, Insightful)
The reason there are aren't reports of security holes in gopher code in other browers is that no-one has looked, not that the holes don't exist.
Or... (Score:2, Insightful)
**Sigh...** (Score:2, Insightful)
No software is rock solid, even when it's written to be. There's always a european teenager with way too much time on their hands just waiting to turn you Titanium fortress into a window screen...
Re:And how's that working for ya? (Score:4, Insightful)
Not necessarily... (Score:1, Insightful)
Re:All three gopher links left.. (Score:5, Insightful)
Re:Too damn obvious (Score:5, Insightful)
Why the h3ll is anyone motivated to find bugs in IE's gopher protocols?!? It must have been a real slow day at Oy Online Solutions [solutions.fi] for them to find this.
Re:All three gopher links left.. (Score:1, Insightful)
Re:Or... (Score:3, Insightful)
I wish it was that simple. There are hordes of people out there who have jobs where if they install anything on their work computer they will get in trouble.
I am one of these people. I have no choice but to use MSIE and Outlook on NT at work.
I feel so dirty.
And thus the previous comments [slashdot.org] about blocking gopher are important to many.
What the hell is this about? (Score:5, Insightful)
And just why should we trust anything this guy says? Their official spokesman won't even stand by what he's saying. And what is he saying, anyway?
So again, as far as Microsoft is concerned, it's the fault of the people who publicized it. It's prudent to assume these guys are not the only ones who know about the problem. Which means my information is already at risk.
So if there are people out there who can compromise my system, why shouldn't I be able to find out about it and take preventive measures? Why should I have to wait until Microsoft -- who haven't even admitted to the vulnerability yet, two weeks after being told about it -- get around to fixing it?
I.E. helps terrorists (Score:2, Insightful)
Who needs a patch? just download OPRA and bam fixed.
Re:The remedy (Score:1, Insightful)
Buffer overflow, buffer overflow, buffer overflow (Score:3, Insightful)
Indeed, about the time Windows 2000 was released with 65536 known bugs (or whatever the exact number was), didn't Jim Allchin say that they had such a tool and were using it?
Should buffer overflows be as outdated as Gopher itself?
Re:Wow... (Score:5, Insightful)
<script>
document.location.replace("gopher://e
</script>
Second, as always, Microsoft will have a patch out fairly quickly, which is more that can be said for mozilla half of the time...
I'm amazed at how you split one security hole (XMLHTTPRequest) in two to make a "half the time"...
Incidentally, the patch for XMLHTTPRequest was in nightly builds within 48 hours of the bug report, and in the next milestone within about a week. In contrast, there are currently 17 unpatched holes in IE [jscript.dk]. What was that you were saying about "quickly"?
Gerv
Re:**Sigh...** (Score:3, Insightful)
Perhaps so, but avoiding buffer overflows isn't rocket science. It's a simple matter of bounds checking. There's really no excuse.
Even tho gopher is dead, this is a problem (Score:5, Insightful)
A smart worm could:
1. Infect an IIS server via some unfixed hole, or backdoor left by another worm.
2. Open up a dummy gopher port which responds to all requests with the exploit.
3. Replace links on the web site the IIS server serves with links to the gopher server exploit.
4. The worm installs itself on all client machines that click the gopher links and begins scanning for vunerable servers.
5. Goto 1.
None of this has anything to do with the number gopher servers left on the Internet.
-josh
For all of you slamming MS (Score:3, Insightful)
Yeah, they made some PR stunts concerning security, but until stuff like this starts affecting their bottom line, they won't care.
There are just too many morons out there buying their stuff, so the situation won't change anytime soon.
And don't give me that crap about being forced into using it. Noone is going to hold a gun against your head and say: use explorer or die.
If your employer makes you use stuff you hate, then you're just a lame pushover and you deserve what you get.
Re:All three gopher links left.. (Score:2, Insightful)
Gopher had the advantage of a clean protocol & easy to use clients.
FTP had the advantage of being widely deployed.
Had not prettified clients like web browsers come along at the time they did, ftp was doomed, but once the clients were easy enough to use there wasn't enough incentive to replace crufty old FTP.
Re:What's worse? (Score:3, Insightful)
Ah, the ubiquitous inevitibility argument.
That argument is, of course, bullshit. Use of a modern HTML DTD such as 4.01 strict enforces consistent behavior on the client side. Javascript may still be a problem, but handicapped accessiblity guidelines will require that content be delivered without its use.
There was a time where I could not browse the web with anything but IE because of the MS incited erosion of HTML standards. But the resurgence of attention to those standards, combined with a significant and growing user population using non IE browsers, have forced most web sites to un-adapt from the defacto Microsoft standard.
As for Opera specifically, it is the only browser out there which consistently obeys pre- HTML 4.01 strict DTDs. I am a paying user of Opera, and use it on all my GUI systems.
Re:My thoughts: (Score:5, Insightful)
You also missed step 2.9, where the hapless sysadmin spends 3 days trying to figure out Microsoft's patch dependency tree, which is not published. And even M$ admits that they use different, and incompatible, patch mechanisms for different product lines. So if I pull out the install disk to add an additional function to Visio, do I have to reinstall Office XP patches? Why or why not?
sPh
Re:Too damn obvious (Score:4, Insightful)
- The program's maintainers are less likely to check these portions of code for errors because users don't complain about them as much.
- The legacy protocols probably contain code from the pre-security awareness days. They're more likely to contain such "new" security concerns as Format String bugs and signed/unsigned conversions.
- Other people doing audits on the same software have probably been over all the basics many times using automated tools and buffer overflow spamming.
I know the above post was probably meant as a joke, but the guys above are probably more clever than you think.