
Latest IE Hole Lets Gopher Root You 567

rvaniwaa writes "Another hole in Internet Explorer has been discovered. This hole allows a hacker to root a user's computer whenever the user clicks on a gopher link. All versions of IE are affected and a Microsoft spokesman stated that the company is "moving forward on the investigation with all due speed.""

  • by sphealey ( 2855 ) on Wednesday June 05, 2002 @10:50AM (#3644867)
    Speaking as a person who used to use gopher quite a bit - how many gopher links are left on the WWW? Three?

    sPh
  • Stats, anyone? (Score:4, Interesting)

    by DesScorp ( 410532 ) on Wednesday June 05, 2002 @10:56AM (#3644925) Journal
    Has anyone ever tried to compile stats on security holes in browsers? What I'd like to see is a comparison of browsers in this case, with each version listed with the various vulnerabilities found? Obviously, IE is going to come out on top here, but I'd be interested to see such a list anyway. I've looked around the SANS site and didn't see anything like that. I'd even settle for a short summary. Something like IE has X amount of holes, Netscape has Y amount of holes, Opera has Z amount, and so on.
  • by shadow303 ( 446306 ) on Wednesday June 05, 2002 @10:56AM (#3644928)
    Funny you should mention a resurgence. I just found this manifesto of people wanting to revive gopher.
    http://www.scn.org/~bkarger/gopher-manifesto
  • Active gopher sites. (Score:5, Interesting)

    by AJWM ( 19027 ) on Wednesday June 05, 2002 @11:15AM (#3645095) Homepage
    The last time I actually used a gopher site was about a year ago, some wire service was running it for its news stories.

    However, a quicky search turns up several still-active gophers, for example:
    gopher://gopher.umsl.edu/ [umsl.edu]
    gopher://gopher.cac.psu.edu/ [psu.edu]
    (These actually return data -- some others I found the server up but no data returned).

    As to why gopher died out, Tim Berners-Lee offers the following:

    "It was just about this time, spring 1993, that the University of Minnesota decided that it would ask for a license fee from certain classes of users who wanted to use gopher. Since the gopher software was being picked up so widely, the university was going to charge an annual fee. The browser, and the act of browsing, would be free, and the server software would remain free to nonprofit and educational institutions. But any other users, notably companies, would have to pay to use gopher server software.

    "This was an act of treason in the academic community and the Internet community. Even if the university never charged anyone a dime, the fact that the school had announced it was reserving the right to charge people for the use of the gopher protocols meant it had crossed the line. To use the technology was too risky. Industry dropped gopher like a hot potato."

    (from his book, Weaving the Web)

  • Re:Stats, anyone? (Score:2, Interesting)

    by InfiniteVoid ( 156157 ) on Wednesday June 05, 2002 @11:15AM (#3645096) Homepage
    There is no way this type of statistics is going to be accurate.

    First, there's the question of what constitutes a security hole. Some might say allowing rampant JavaScript popups is a security hole. Others might require that binary code actually be executed on the machine, or that the HD is modified.

    Second, the number of security holes found, in the case of closed-source browsers, is the number of security holes that its company wants to bother telling you about. It's entirely possible that there are hundreds of security holes in IE that MS knows about and hasn't divulged. Maybe they were quietly fixed in previous IE patches. Maybe they're left unfixed so MS can look like it's making speedy repairs when someone finally finds the bug on their own and tells the press. Again, there's no way of knowing how many of the bugs are being reported.

    Finally, the number of security holes found may correlate strongly with how insecure a browser is. But it could also be that said browser is just used more. Or its code is readable, so such bugs can be found. Or it is actively being developed by coders who care about security. Or no one uses the browser and it's insecure as hell but nobody cares.

    Too many variables. Any study on the number of security holes known is only going to tell you one thing: the number of security holes *known*.
  • by br0ck ( 237309 ) on Wednesday June 05, 2002 @11:20AM (#3645144)
    Exactly.. it wouldn't take long for a page that says <a href="gopher://ut2003demo">Download the UT 2003 demo</a> to nuke a bunch of computers. (Where's the demo anyway, dammit, I'm dying to play!)

    As I pointed out yesterday [slashdot.org], there's more info [solutions.fi] about the bug and its prevention available from Oy Solutions, who found the exploit.
  • by silicon_synapse ( 145470 ) on Wednesday June 05, 2002 @11:20AM (#3645147)
    Why does a user need to click on the link? Why not just use a javascript location.href= or whatever to automatically load the link? It's my understanding that Yahoo Profiles still lets you embed javascript in a picture URL. What's to stop someone from creating an automated attack and then getting chatters to check your profile? The possibilities seem endless.
  • by Jucius Maximus ( 229128 ) on Wednesday June 05, 2002 @11:29AM (#3645217) Journal
    "I agree that there may not be many gopher links that look like gopher links, but what stops the malicious from disguising their gopher links to look like regular hrefs?"

    <a href="gopher://hostile-link" on mouseover status.text="http://www.friendlysite.com" return true>click here!</a>

    Now my javascript is rusty and I have not tried this ... but you get the idea.
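
A defender-side check for the delivery routes raised in the comments above (a gopher: link in a page, and script that loads one without a click), as an added example that is not part of the original thread: a Python filter that a proxy or mail gateway could run over HTML to flag every gopher:// reference. The function and class names and the example.invalid URLs are constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Attributes that make a browser fetch or navigate to a URL.
URL_ATTRS = {"href", "src", "action", "background"}
GOPHER_RE = re.compile(r"gopher://[^\s\"'<>)]+", re.IGNORECASE)

# Constructed sample page; example.invalid never resolves.
SAMPLE = """
<a href="gopher://example.invalid/1">click here!</a>
<a href="http://www.example.com/">home</a>
<script>location.href = "gopher://example.invalid/";</script>
<img src=" GOPHER://example.invalid/i.gif">
"""


class GopherLinkScanner(HTMLParser):
    """Collects every place in an HTML document that references gopher://."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []  # (where, url) tuples in document order
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        self._in_script = self._in_script or tag == "script"
        for name, value in attrs:
            if not value:
                continue
            # Browsers drop leading whitespace and embedded tabs/newlines
            # from URLs, so remove them before checking the scheme.
            cleaned = re.sub(r"[\x00-\x20]+", "", value)
            if name in URL_ATTRS and cleaned.lower().startswith("gopher:"):
                self.findings.append((f"{tag}[{name}]", cleaned))
            elif name.startswith("on") or (tag == "meta" and name == "content"):
                # Event handlers and meta refresh can navigate without a click.
                self.findings += [(f"{tag}[{name}]", u) for u in GOPHER_RE.findall(value)]

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.findings += [("script", u) for u in GOPHER_RE.findall(data)]


def scan_html(html):
    scanner = GopherLinkScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings
```

Because the parser decodes character references in attribute values, a scheme written with entities is flagged as well; a gateway would strip or rewrite each finding rather than only log it.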

  • by surprise_audit ( 575743 ) on Wednesday June 05, 2002 @05:03PM (#3648300)
    Anyone consider the possibility that it may be policy at Micro$oft to allow such holes in the software?

    Considering that the browser components are supposedly scattered through many DLLs, any patches from M$ could easily include updates for Digital Rights Management lockdown, spyware to tell tales, etc, as well as the 'next big hole' that someone will 'discover' whenever MS feels the need to send out more tracking/spying/crippling patches.

    Heck, they don't even need to include such stuff, just track who downloads the latest patch and correlate with previous data to build a picture of what's out there.

    For example, say ten million distinct folks download the latest patch for Win98. If M$ *know* they've only sold eight million copies of Win98, they know there are 2 million BSA targets out there...
