Latest IE Hole Lets Gopher Root You
rvaniwaa writes "Another hole in Internet Explorer has been discovered. This hole allows a hacker to root a user's computer whenever the user clicks on a gopher link. All versions of IE are affected and a Microsoft spokesman stated that the company is 'moving forward on the investigation with all due speed.'"
All three gopher links left.. (Score:2, Interesting)
sPh
Stats, anyone? (Score:4, Interesting)
Re:All three gopher links left.. (Score:3, Interesting)
http://www.scn.org/~bkarger/gopher-manif
Active gopher sites. (Score:5, Interesting)
However, a quicky search turns up several still-active gophers, for example:
gopher://gopher.umsl.edu/ [umsl.edu]
gopher://gopher.cac.psu.edu/ [psu.edu]
(These actually return data -- some others I found the server up but no data returned).
As to why gopher died out, Tim Berners-Lee offers the following:
(from his book, Weaving the Web)
Re:Stats, anyone? (Score:2, Interesting)
First, there's the question of what constitutes a security hole. Some might say allowing rampant JavaScript popups is a security hole. Others might require that binary code actually be executed on the machine, or that the HD is modified.
Second, the number of security holes found, in the case of closed-source browsers, is the number of security holes that its company wants to bother telling you about. It's entirely possible that there are hundreds of security holes in IE that MS knows about and hasn't divulged. Maybe they were quietly fixed in previous IE patches. Maybe they're left unfixed so MS can look like it's making speedy repairs when someone finally finds the bug on their own and tells the press. Again, there's no way of knowing how many of the bugs are being reported.
Finally, the number of security holes found may correlate strongly with how insecure a browser is. But it could also be that said browser is just used more. Or its code is readable, so such bugs can be found. Or it is actively being developed by coders who care about security. Or no one uses the browser and it's insecure as hell but nobody cares.
Too many variables. Any study on the number of security holes known is only going to tell you one thing: the number of security holes *known*.
Re:All three gopher links left.. (Score:3, Interesting)
As I pointed out yesterday [slashdot.org], there's more info [solutions.fi] about the bug and its prevention available from Oy Solutions, who found the exploit.
Re:All three gopher links left.. (Score:4, Interesting)
Re:All three gopher links left.. (Score:3, Interesting)
<a href="gopher://hostile-link" on mouseover status.text="http://www.friendlysite.com" return true>click here!</a>
Now my javascript is rusty and I have not tried this ... but you get the idea.
This *could* be intentional... (Score:4, Interesting)
Considering that the browser components are supposedly scattered through many DLLs, any patches from M$ could easily include updates for Digital Rights Management lockdown, spyware to tell tales, etc, as well as the 'next big hole' that someone will 'discover' whenever MS feels the need to send out more tracking/spying/crippling patches.
Heck, they don't even need to include such stuff, just track who downloads the latest patch and correlate with previous data to build a picture of what's out there.
For example, say ten million distinct folks download the latest patch for Win98. If M$ *know* they've only sold eight million copies of Win98, they know there are 2 million BSA targets out there...