Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
Check out the new SourceForge HTML5 internet speed test! No Flash necessary and runs on all devices. ×
Microsoft

Another Gaping Microsoft Security Hole Goes Unpatched 1035

Newsbytes has a story about a critical vulnerability in all recent versions of Internet Explorer, which leaves your computer completely open any time you browse the web with IE. Microsoft has known about it since November 19; they refuse to provide any information about when a patch might be made available, if ever. This bug has been successfully handled by Microsoft's "Security through Obscurity" policies - since there's no public notice, Microsoft has no need to actually patch this hole which renders several hundred million computers vulnerable any time they access a web page or parse an HTML email.

For readers who care, this vulnerability results from Microsoft's integration of IE and the operating system. Files received via HTTP are supposed to be handled by examining the Content-Type header sent by the webserver - for instance, the Content-Type sent with this webpage is "text/html", identifying it as a text (non-binary) document which is marked up with HTML.

Netscape and most other browsers have no problem with this.

You will notice, however, that this method is rather different than how a Microsoft operating system determines how to handle a local file - by its three-letter extension. A file named "foo.txt" is handled as a text file, even if it is a binary image file that has been renamed for some reason.

Now, what happens when you integrate your web browser and your local browsing, say to render moot an anti-trust suit filed against your company? Will local files get a Content-Type? Will remote files be handled by examining their file extension?

IE handles files in an odd mish-mash of looking at the Content-Type sometimes for some purposes, looking at file extension sometimes for some purposes. It's hardly surprising that the bug-hunter in the above story has found a way to feed it a Content-Type at odds with the file extension - the Content-Type may be innocuous, but the extension says "execute me", so when the "integrated" IE engine gets ahold of it, the malicious content is automatically executed.

Now Microsoft has a problem. Because they chose to ignore the standard for handling downloaded files, Microsoft has painted themselves into a corner. If Microsoft suddenly changes how their browser handles downloaded files, tens of thousands (perhaps hundreds of thousands? any webpage which downloads files) of webpages "designed for IE" will have to be rewritten. No doubt this is the issue their programmers are wrestling with right now. It's a fundamental design issue - Microsoft designed their web browser with the goal of doing what was best for Microsoft (evading anti-trust charges) rather than doing what was best for their users. In fact a proper "fix" of this hole probably involves de-integrating their browser and local file handling to some extent.

If you routinely browse with Internet Explorer or read mail with Outlook, keep in mind that any web page you visit or any email you open can take over your computer, steal sensitive files, destroy your machine, anything. This has been true for at least two and half years. And keep in mind that you can't fix the problem, you must rely on Microsoft to do it, if they so choose. And keep in mind that Microsoft is in no hurry to do anything about it, because it doesn't even consider it a vulnerability. Happy browsing!

This discussion has been archived. No new comments can be posted.

Another Gaping Microsoft Security Hole Goes Unpatched

Comments Filter:
  • We'll see plenty of coverage within the next 48 hours, Microsoft statements by the end of tomorrow, and a bugfix by month's end. The big question is going to be, how will people cope in the midst of it all? Will this kind of lagtime offer virus creators to do a whole world of damage? Considering how things have spread recently, I wouldn't be surprised at all if they did. Might be time to start browsing with my iBook more often.

    What kind of steps can people use to protect themselves now, is there any kind of toggle or security setting that can be turned on in IExploiter 5.0(tm) to keep us a little bit safer?
    • by dsb3 ( 129585 ) on Tuesday December 11, 2001 @11:17PM (#2691255) Homepage Journal
      What kind of steps can people use to protect themselves now?

      If you really want to toggle IE into secure mode you just need to click the little "X" in the top right corner of the window.
    • You ask if there is any toggle in IE? Did you read the article because it explained in there that there is indeed a toggle you can flip. Basically you have to turn off file downloads to protect yourself.
    • According to the article, the issue only comes up if you are prompted to save/download a file, and choose to open it from it's current location. The file may appear to be a .txt or whatever, but if you open it from its current location you can't know for sure whether it's an executable.

      The suggested solution is to never open from the current location. Choose save instead, which will reveal the real file type.
      • Not true. (Score:3, Informative)

        by autopr0n ( 534291 )
        URL: http://autopr0n.com/random.txt [autopr0n.com].
        Mime type: application/octet-stream
        Actual type: text file
        Action: shows up in IE as a regular text file.

        Now, when you take a real .exe file, rename it to .txt, and then send it as application/octet-stream IE will prompt to download/open, and if you click open it will open it in notepad. For example
        URL: http://autopr0n.com/random.txt [autopr0n.com].
        Mime type: application/octet-stream
        Actual type: win32 executable (shows you how long your computer has been running, actually)
    • What kind of steps can people use to protect themselves now, is there any kind of toggle or security setting that can be turned on in IExploiter 5.0(tm) to keep us a little bit safer?

      Honestly? I seriously would recommend browsing the web only with Mozilla [mozilla.org]. I had been using IE, but I switched to mozilla full time after 0.9.1 (except for work related browsing on my company's web pages, which are written exclusively for IE browsing.) It's been buggy, it's still a little buggy, but I haven't had many real showstoppers because of it. And no one's published any attacks yet, but because it's NOT integrated into the OS, I'm somewhat less concerned about the damage it's capable of causing.

      If you're stuck with IE, then might I recommend a proxy filter such as The Proxomitron [proxomitron.org]? You can modify the incoming http headers to do anything you want, including altering file extensions!

      John

  • Negligence? (Score:3, Redundant)

    by joeb2001 ( 192296 ) on Tuesday December 11, 2001 @11:13PM (#2691226) Homepage
    I have a very basic understanding of the law, and I am wondering if MS could be sued for negligence.
    • No they don't!

      You DO read your EULA don't you??? :)

      They claim NO WARRANTY on the software you use.

      The software they keep private, the software they won't let you view the source code for, the software that they have used to create a global monopoly.

      They have a LOT of nerve! huh!?

      Don't like it? Donate to the EFF! :)
    • Try to get a basic understanding of the vulnerability, first.

      Any way to skip all dialogs, ie. to run an application without ANY dialog with this vulnerability has NOT been found. In all variations of the exploit there is always the normal file download dialog, but the following Security Warning dialog is skipped.

      This sensationalized story is nothing more than Microsoft-bashing.

    • Re:Negligence? (Score:5, Interesting)

      by xah ( 448501 ) on Tuesday December 11, 2001 @11:42PM (#2691431) Homepage
      IANAL, I'm a law student. Right now, Microsoft could not be sued for negligence, because no one has been hurt by their failure to exercise due care.

      As soon as trade secrets are stolen, or hard drives are trashed, or economic harm takes place, however, a negligence action may arise.

      The first barrier is the economic loss rule. If the contract damages are higher than the tort (negligence) damages, there is a defense to tort. In English, there's no lawsuit unless the bug costs you more than buying your copy of Windows cost you.

      The next barrier is the contractual disclaimer, the "EULA" as Microsoft calls it. The waters here are less well charted. To be realistic, it depends on how severe the harm actually is.

      The wild card is intentional harm. If Microsoft in fact intentionally included this bug, knowing of the danger, for the purpose of advancing their business enterprise, legal actions could arise that are not precluded by the EULA. This would be difficult to prove, however.

      I think /.'s knee jerk assessment of "death of the Internet, film at 11," is premature, however. I hope I'm not wrong, but I think the bug won't prove that severe. Just browse at "medium security" in IE, for example, right?

      If I were a lawyer, I would want to sue Microsoft. They have $30 billion in cash or so sitting in bank accounts. It would be more tempting for them to settle claims than it would be for an Enron, for example.

      Don't worry about the legal angle. If the harm is severe enough, justice will be done.

  • If this bug in IE has really been around for two and a half years, how is it that no one has stumbled on to it until now? Could it be that (GASP!) security through obscurity actually worked in this case?
    • by J. J. Ramsey ( 658 ) on Tuesday December 11, 2001 @11:31PM (#2691367) Homepage
      "If this bug in IE has really been around for two and a half years, how is it that no one has stumbled on to it until now?"

      You are making the classic mistake of assuming that the first one to publicize the vulnerability is the first one to have found it. A malicious cracker could have known about the problem long before it was made public and exploited it silently.

      That classic mistake is what is wrong with "security by obscurity." There is no guarantee that what is obscure to the general public is obscure to the bad guys.
    • Could be that the ones that DID know about it didn't say anything. How would you have known? Security through obscurity may "work" but there's no audit checks to determine if it does or not unless someone aggressively uses a security flaw.
    • by psocccer ( 105399 ) on Wednesday December 12, 2001 @12:41AM (#2691724) Homepage
      Microsoft actually has a KB article about this, and it is intentional. Apparently, they don't believe a web developer is competent enough to handle mime types, IE has always tried to glean information from the file, be it by the extension or otherwise, to determine what it should think the file type is. At work especially I have been bitten by this "feature" many times.

      The most irritating aspect of it is that you simply can't get around it. For example, we have a web-based flyer/catalog generation program at the office. The advertising department enters records such as item code, part number, color, size, etc, some text, and attaches items to the record. Hardware distribution (like shovels/rakes/nails/etc) has extremely low margins, so purchasing something like Quark Express or another database driven tool is out of the question. Well, we found Adobe Pagemaker to be sufficient, and lo and behold it supports importing tagged text. So from our database, they select items and it can export SGML-ish text to be imported into Pagemaker.

      Now here comes the rub. Pagemaker wants the files to be .txt for finding easily in the import box, but if you send IE a content type of text/plain it will display it. No big deal, just save right? Well, IE also believes since it got < and > tags that it MUST be HTML, despite the fact that I'm saying it's plain text, so it's going to add the proper html header and footer along with content encoding tags. Pagemaker doesn't like that. And to be even more irritating, is that we'd like to be able to just have the save box pop up. Well, normal browsers that handle things standardly will accept the content type, and if they don't understand the content type they will usually pop up a "save as" box. OK, so now we pass back content type of application/x-hdi-export, surely no browser knows of this, and Netscape/Moz/Opera handle this correctly. But we also pass a default filename, in the Content-disposition part, with a name ending in .txt. So what's IE do? Display it in the window, still thinking it's HTML, all because of the extension.

      So what it comes down to, is I also have to mangle the output name be making it .txt_ so that IE will not try and read it, along with passing it a bad content type, otherwise if it's application/octet-stream or some such, it will STILL RENDER IT IN THE DAMN WINDOW because for "common" types such as text/plain or application/octet stream, it examines the content of the file.

      And for those of you who thing "why not right click -> save as", well the generation needs several arguments, such as sorting, template name, etc, so it's a form, and you can't click the button and tell a form you want to save the download.

      This isn't the only time I've had a problem, I don't want to even get in to how IE badly handle dynamically generated PDF's, how since 5.5 it ignores the settings to not embed PDF since that's the only work-around, and how 5.5 also asks the "open here/save" question TWICE when passing it some file types.

      Overall, they may tout it as a feature, but if they'd just follow the damn standard like everyone else I wouldn't have to waste so much time finding workarounds for their "features"
      • Here's the fix. (Score:5, Interesting)

        by corky6921 ( 240602 ) on Wednesday December 12, 2001 @03:40AM (#2692209) Homepage
        "So what it comes down to, is I also have to mangle the output name be making it .txt_ so that IE will not try and read it, along with passing it a bad content type, otherwise if it's application/octet-stream or some such, it will STILL RENDER IT IN THE DAMN WINDOW..."

        I had this same problem. Basically, you must make sure to pass the filename as part of the content header, but not attached to the end of the script name. This way, IE will always pop up a window asking you to save. It will tell you that it is saving your script name, but in reality, it will save the page you want it to.

        First, write the page from your database to your local server as a file. Then do the following (my script is written in PHP; translate as needed.)

        I wrote my database contents to a variable called $content, then executed the following code:

        # put content into file called download/$page_num.html
        $fp = fopen ("download/${page_num}.html", "w");
        fwrite($fp, $content);
        fclose($fp);

        if ($action == "download") {

        # set up file download to client
        header("Content-Type: text/unknown\n");
        header("Content-Disposition: attachment; filename=\"${page_num}.html\"");
        header("Content-Transfer-Encoding: ascii");
        $fn=fopen("download/${page_num}.html", "r");
        fpassthru($fn);
        unlink("download/${page_num}.html");
        exit;

        };

        Note the key difference between my script and yours is the fact that I'm not passing anything but a content header to IE. Don't use your_script.php?filename=xxx... that doesn't work. Just write the filename as a variable and put that variable in the content disposition header. Also note that the Content Type can't be text/html, or, really, anything that IE will recognize.

        This works in both Netscape and IE. Note that if you're working cross-platform using text files, you'll have to convert line breaks. I use the following code:

        # get os for carriage returns :P
        if(strstr(getenv('HTTP_USER_AGENT'), 'Win')) {
        $content = eregi_replace("\r","",$content);
        };

        Again, that's PHP -- translate if necessary.

        Here's the final trick I'll pull out of my bag: if you set a Content Type to application/vnd-msexcel or somesuch (I could be off on that), and send the client a tab-delimited text file, it will open in Excel. Same goes for plain text and Word. It's a great trick to pull when you know your client is going to be using Windows and will say, "Hey, how did you get your script to make an Excel file? That's so cool!" (Always nice to have a little extra trick to impress your clients... ;)

        Hope this helps --
        Erica
    • If this bug in IE has really been around for two and a half years, how is it that no one has stumbled on to it until now? Could it be that (GASP!) security through obscurity actually worked in this case?

      The nimda virus used a variation of this "Content-type/TLE" switcheroo.

  • Re-post? (Score:5, Funny)

    by Zspdude ( 531908 ) on Tuesday December 11, 2001 @11:16PM (#2691250) Homepage
    Does anyone else notice that this story has been posted before, many times, with only slight variations each time?
  • by elliotj ( 519297 ) <slashdot.elliotjohnson@com> on Tuesday December 11, 2001 @11:18PM (#2691264) Homepage
    someone decides to put up a website to demonstrate this vulnerability. the site deletes everything on your harddrive. someone else decides to embed this into an HTML email. this email is sent to lots of people and deletes their harddrives.

    will MS be held responsible? will the person who put up a website as a 'proof-of-concept' be held responsible? what about the guy who sends around the email?

    ultimately folks, I think the end user is going to be held responsible. i don't know about the rest of you, but the company I work for will hold me responsible if our systems fail. and blaming MS isn't going to help me one bit.

    now that this cat is out of the bag...what can we do to protect ourselves if we can't switch from Windows b/c our jobs won't let us?
  • hmm.. (Score:3, Informative)

    by Suppafly ( 179830 ) <slashdot@nOSPam.suppafly.net> on Tuesday December 11, 2001 @11:19PM (#2691270)
    Somehow you can just get a feel that this story has been posted by michael instead of someone actually knowledgeable about tech issues


    If you routinely browse with Internet Explorer or read mail with Outlook, keep in mind that any web page you visit or any email you open can take over your computer, steal sensitive files, destroy your machine, anything.


    This is just not true. You specifically have to download things before they can do anything using IE and if you are dumb enough to use outlook and let it have the ability to execute file attachments automatically, you deserve what you get.

    • I think the logic he's using is that Outlook embeds IE's HTML-viewing component, and is therefore susceptible to the same attack... and you can't disable HTML viewing in Outlook.

      As for whether those statements are accurate, I have no idea.

  • by Oily Tuna ( 542581 ) on Tuesday December 11, 2001 @11:19PM (#2691273) Homepage Journal

    Michael says : "completely open any time you browse the web with IE. "
    Story says "who view a specially constructed Web page"

    Okay, the hole isn't good - and MS must fix it - but the article as posted by /. is wrong.

    Your computer is open if you stumble across a specially constructed site. If you browse /. the news, stock quotes etc. then you're prett much safe.
    • Pretty much safe ... UNTIL ... someone hacks a server (gee, let's take doubleclick.com for example) and re-writes the billion or two popup ads that get sent out a day.

      Ooops. Guess everyone's exposed now.
    • by mandolin ( 7248 ) on Wednesday December 12, 2001 @12:49AM (#2691751)
      No shit. I've think I've decoded the /. exploit-article posting formula:

      1) Take MS exploit.

      2) Rail about security through obscurity. Ignore similar [slashdot.org] linux issues [slashdot.org].

      3) Rail about how long a bug has been open. Ignore similar linux issues [slashdot.org].

      4) Ignore the linked article, and claim something stupid. In this case that MS isn't in a hurry to release a patch when in fact they have been testing a patch.

      5) Jump to conclusions, like " It's a fundamental design issue".

      6) Somehow tie the whole thing into the anti-trust suit.

      Did I miss anything?

      • by OblongPlatypus ( 233746 ) on Wednesday December 12, 2001 @01:26AM (#2691896)
        There may very well be similar linux issues, but couldn't you have found better examples?

        2) The Alan Cox changelog story isn't about security through obscurity, it's a silly political statement regarding the DMCA. And the other link is about Red Hat preemptively releasing a security advisory in an attempt to *avoid* obscurity.

        3) The bug in this story is a *local* root hole, which doesn't even apply to most windows versions, and which certainly doesn't make for a relevant comparison in this case.
      • An argument that proceeds from false premises is flawed no matter how logical its conclusions may seem.The specific flaws in these premises are:

        2) Rail about security through obscurity. Ignore similar [slashdot.org] linux issues [slashdot.org].

        The first link is to a story that questions Alan Cox's decision not to expose himself to a Sklyarov-type persecution under the DMCA by revealing the reasons for certain security bugfixes in a kernel patch-level release.Despite the fact that Alan didn't reveal the specific nature of the bug that was fixed, the bug was, in fact, fixed.

        The second link refers to a remotely root-exploitable hole in wu-ftpd.Although almost every Linux distribution includes wu-ftpd, it is well-known as a source of security problems, and in those distros where it is installed and enabled by default the distributor usually takes fair pains to make sure that it is installed as securely as the state of reasonable knowledge of its problems allows.Also, IIRC, wu-ftpd also runs under Windows, where it serves the function of being an alternative to IIS's ftp server functionality.At this moment, I don't have the time to research the irrefutable facts, but my anecdotal impression, which comes from my experience as both a Windows and Unix admin indicates that the score in the IIS vs. Apache + wu-ftpd exploit game is more than a little lopsided in favor of IIS being the cracker's friend.

        3) Rail about how long a bug has been open. Ignore similar linux issues [slashdot.org].


        Ah yes ... the "ptrace() 'bug'" ... how the Microsoft apologists LOVE that one.A design flaw, rather than a true "bug". There is absolutely NO evidence that this vulnerability has ever been exploited, yet, please allow me to ask you one question ... the ptrace() system call worked exactly as designed ... that the design was flawed ... well, no one's perfect ... .believe it or not, I even cut Microsoft some slack on design flaws unless the flawed design is so totally bone-headed that a freshman Comp Sci student wouldn't have done it that way.

        Now for the question ... HOW LONG was it, after the design flaw became known, that the flaw was fixed and new releases made to fix it.A day or two?
    • by woggo ( 11781 ) on Wednesday December 12, 2001 @01:45AM (#2691976) Journal
      Your computer is open if you stumble across a specially constructed site.


      That's a little like saying "an unlocked door is only insecure if a burglar enters through it," isn't it? Your computer is open and insecure; the existence or non-existence of special trickery sites is irrelevant, especially considering how little we can trust existing sites (some high-profile site gets cracked/subverted every few months at least) or even existing certificates (cf. the recent M$/Verisign debacle). The point is that having a broken security model is unjustifiable, and to claim that a breach this large is not a big deal because someone is unlikely to stumble across an exploit page is irresponsible at best and blatant shilling at worst.

  • Guess What? (Score:2, Interesting)

    Content-type is an HTTP header. To recieve this info must be transmitted via HTTP. You may have noticed that Netscape (and even Lynx, and yes even on Linux) have no problem displaying local html/ pdf/ whatever files without recieving an HTTP transmission, and thus no Content-type header.

    Yep, they do the same thing and look at the file extention to determine how to render files.

    I'm not saying there's not a bug, or it's not severe, but examining the file extention to determine type is hardly an IE-only thing.
    • Yes, you're right, for local browing, most browsers on most platforms rely on file extensions, not on a Content-Type header.

      Still, what's the relevance? This story isn't about how IE is a total piece of crap because it uses local file extensions to figure out what to do with them. It's a story about how a) this bug has existed for almost a *month*, and absolutely every computer running any of the affected versions(and we're talking, what, three, four years worth of affected versions) are totally WIDE OPEN. And HAVE BEEN FOR A REALLY, REALLY LONG TIME :)

      And, b) these are *remote* files they're dealing with, not local files. So, yeah, *nix browsers and pretty much every other browser looks at file extension on local files, but relies on Content-Type headers for remote files. Well, here's news; IE will use file extension on *remote* files :) Anyways, those browsers are smart enough not to execute untrusted code, even if they do run across it(JavaScript, Java, whatever). They do what's called "sandboxing". Something that is /sorely/ lacking from MS's vocabulary.
    • Yes, but those browsers go only by Content-type when receiving an HTTP transmission, and use extension otherwise (or /etc/magic, possibly).

      The flaw here seems to be that you can trick IE into behaving as if it's looking at a local file when it is in fact looking at a file it just received via HTTP.

      You send it something it initially thinks is "HTML", thereby bypassing its warnings about executable files, but later decides is executable...and therefore runs.

      At least, that's what I gleaned from the article... it was a bit sparse.

    • I thought that the accusation was that they use one method to show the user the name and they use the other method to actually operate on the file. If they use the file extention to determine file type and also use the file extension to decide what to do with the file, then there is no security risk.

      If any other browsers are using one method for identification to the user and another method for execution, then it's not IE-only.
    • Re:Guess What? (Score:2, Interesting)

      by monkeydo ( 173558 )
      It's even funnier than that.

      The only way IE could be vulnerable to this kind of exploit is if it relied on the content-type in the header and _ignored_ the file extension. The whole point of the "vulnerablity" is that IE doesn't display the _actual_ extension, but instead it displays what it is told by the MIME header.

      Si if Netscape et al are not affected by this vulnerability it is precisly because they are doing what Michael is accusing Microsoft of doing: ignoring the content-type all together and relying on the file extension.
    • Re:Guess What? (Score:4, Insightful)

      by mrseth ( 69273 ) on Tuesday December 11, 2001 @11:33PM (#2691392) Homepage
      Not exactly. Linux and Unix determine file type by magic number. Try renaming a postscript file (or whatever) as foo and type

      file foo

      and you'll see that it still returns the correct file type.
      • Re:Guess What? (Score:3, Insightful)

        by spongman ( 182339 )
        Sure, but browsers don't use this mechanism to determin file type in the absence of a mime-type header. They all use a mapping from extensions to applications. Mozilla's is in the option dialog (I'm not sure where it's persisted), and IE's is in the registry.
    • by coyote-san ( 38515 ) on Tuesday December 11, 2001 @11:42PM (#2691436)
      The upstream comment is 100% pure bullshit.

      When you're using Netscape or Lynx and the URL starts with "http:", it's speaking HTTP. It can use that protocol to send whatever type of data the server wants to send - text/html, application/x-pdf, whatever. You seem to be confusing HTTP and HTML - the communications protocol and what's being communicated.

      Meanwhile, the canonical way to identify the type of a file on a Unix system is to look at for "magic numbers," and then hopefully verify them by parsing what you think is the header and making sure checksums are valid, values are sane, etc. Any Unix application developer that looks at the extension *alone* should usually be fired on the spot. (The sole exception is completely unstructured text where you have to use it as a hint, e.g., ".c" means C, ".cc" means C++.)

      This isn't just a bad attitude, it reflects the fact that Unix tools have to deal with pipes and often don't have any filename (much less extension) associated with the data stream. If you require a file extension to understand what you have, you've crippled your application.
  • by LauraLolly ( 229637 ) on Tuesday December 11, 2001 @11:21PM (#2691289)
    I have handed out sheets discussing similar vulnerabilities to corporate IT folk. Then I have asked them what they plan on doing.
    1. Wait for the patch?
    2. Switch OS?
    3. Switch browsers?
    4. Clean up the mess?

    Most end up knowing that they will clean up the mess, because "The top guys like Microsoft so much - it has so many features." Nobody is willing to do an honest cost accounting for the top guys.

    Until the collective IT folk give an honest accounting of how much MS is really costing them, there will not be a switch away from MS. The moment they do - stampede!

    • by buzzini ( 177741 )
      This is a shameless pandering to the preconceptions of the Slashdot crowd. The statement that "Nobody is willing to do an honest cost accounting for the top guys" is simply not true, and it's an unfair dismissal of IE's very real successes in that space.

      IT guys can and do choose other browsers. Last I heard, Navigator still had over 1/3 of the corporate browser market. Suggesting that IT folk would be cowed by the "top guys" flies in the face of every experience I've had with them: that they're pragmatic, honest, and outspoken.
  • telnet server.foo.com 80

    Connected to server.foo.com.

    Escape character is '^]'.

    /HTTP /GET file-to-have-your-advice.
  • Gee. it's not only that. Everything in Windows is so deeply threaded that it is possible for a virus to lodge itself in the start-up sequence anywhere, and go unfindable.

    For example, there are seven or eight differnt start-up objects in Windows 9x:

    • msdos.sys [hidden file]
    • config.sys
    • autoexec.bat
    • registry [many different keys]
    • system.ini
    • %windir%\system\vmm\*.* [just sucked up whole]
    • startup folders [yes, you can have startup folders nested.
    What a program is to do with a file is done in three different ways as well.

    It's little wonder that the thing is open to attack. You can't hunt it down unless you pretty much hack it, and follow their goofy retro thing with the 64-bit sequence: {01.22.23....}

    Lack of forethought, I imagine.

  • if you try and open an .exe that is named as a text file, the file associations within windows will launch notepad (or associated program) and NOT fire off the renamed application, ditto with .html and .wav files (or any other associated file), are they sure they arent talking about a file named something.txt.exe?
  • by silicon_synapse ( 145470 ) on Tuesday December 11, 2001 @11:22PM (#2691298)
    I watched a good bit of this thread on bugtraq (check the archives). Several people on the list attempted to reproduce the exloit as detailed by the original poster and failed. Whether that was their mistake or not is anyone's guess. I didn't try it myself. It only seamed to affect certain builds. I'm certainly not saying IE users aren't vulnerable, I'm just saying get details before making too much noise. MS won't release a fix until they're good and ready, so let's just sit on the flames a bit and try to find out what is going on in reality.
    • by jamie ( 78724 ) <jamie@slashdot.org> on Tuesday December 11, 2001 @11:34PM (#2691396) Journal

      The vulnerability was posted to Bugtraq on Nov. 26. One person tried to reproduce it the same day and failed. Its discoverer, Jouko Pynnonen, pointed out on bugtraq later the same day that:

      Some details needed for reproducing and exploiting the flaw were left out of my posting because there is no good workaround or a patch available, and the flaw could be quite easily used maliciously. Using those details it would be relatively easy to create a worm that infects a system when a user "opens" a plain text file from an infected website, for instance. For the same reason there wasn't any test page URL included in my posting. That, and technical details will be published later.

      Considering Microsoft's obstructionist response ("it's not a vulnerability, we'll fix it when we fix it, stop asking questions"), Jouko has been very kind not to publish any additional information about his discovery.

      Nevertheless, other people tried to reproduce the exploit and succeeded. Jonathan G. Lampe posted on Nov. 29:

      I have confirmed Jouko Pynnonen's and StatiC's findings that IE 5.5 sp 2 allows executables to run as soon as a user has elected to open what appears to be a normally harmless ".txt" file. (IE 5.5 trusts the filename provided in the link over the filename suggested by the header's filename tag and/or the use of an "application/octet-stream" content type.)

      Here is the ASP equivalent code to StatiC's php tidbit...

      I'd say the odds are pretty good that this is already being exploited in the wild.

      There was some discussion of whether IE6 was vulnerable in the same way as IE5; the published exploit didn't seem to work on IE6. Jouko had originally commented that "Internet Explorer 6 is exploitable in a slightly different way, but the effect is the same."

  • by famazza ( 398147 ) <fabio.mazzarino@gm[ ].com ['ail' in gap]> on Tuesday December 11, 2001 @11:22PM (#2691303) Homepage Journal

    This sounds to me just like the GM/Ford cases at the 60's about negleting consumers. Isn't time to DOJ put a period on all these things?

    First that stupidity of Nimda IIS bug, that can't be fixed until next IIS release. And now this Security through obscurity crap?

    Now I want to ask. "Where will M$ take us". I know where I want to go, but what about them?

  • Microsoft does it's best (or worst) to provide something. But, heck, it's FREE. IE costs us nothing.

    What I DO pay for is my virus scan. I'd like to know that if something gets through and hurts my security, the virus scanning software would catch it.

    I wish people would stop getting mad at people for providing otherwise OK software with bugs in it, when those programs are FREE, and wish people would start getting mad at the virus scan companies (who my company pays lots of money to) for not catching threats.
  • I'm not terribly shocked--using a 3-letter extension to store that much metadata is absurd.

    Luckily, the MacOS doesn't do tha.... oh, wait.... they do now... [arstechnica.com]

  • In related news... (Score:2, Interesting)

    by KILNA ( 536949 )
    Opera 6.0 is now available for download. If you tried an older version of this browser and thought it sucked, try it again. It's light, fast, more standards compliant, and its rendering engine is very compatible with the way I.E. and netscape work so it works practically everywhere. You can browse MDI-style, which means you can have all of your browser windows as sub-windows of the main one, OR you can go NS/IE style and have a separate window for everything. Its skinnable (but you don't have to use a skin), it has more privacy and security features than I can count. You can turn off javascript pop-ups (or merely relegate them to popping up in the background). You can spoof the broswer string as being I.E. or netscape for those sites that are browser bigots. I cannot say enough good things about this software. And its available for BeOS, Linux, Solaris, Mac, OS/2, QNX, Symbian OS and of course Windows. Get it here [opera.com].
  • by Eloquence ( 144160 ) on Tuesday December 11, 2001 @11:38PM (#2691415)
    First, there is really not enough information about this bug to draw any conclusions yet. It may be harmless, or it may indeed be devastating. That's the result of Microsoft's idiotic non-disclosure policy, which fits in well with their entire company philosophy.

    Second, don't just bitch about IE. If you haven't already, check out the alternatives:

    • Mozilla [mozilla.org], now in Version 0.9.6, is very feature-rich and fast and the most standard-compliant browser in existence, but not for computers with less than 128 MB of memory.
    • kmeleon [sf.net] (Windows) and galeon [sf.net] (Linux) are Mozilla derivatives with smaller footprint.
    • Opera [opera.com], which is closed source adware and requires registration, is a very fast browser that is especially recommended for "information surfers" because of its excellent navigation and caching.
    • Konqueror [konqueror.org] is KDE's built-in browser. Thanks to Qt/Embedded and/or KDE-Cygwin, it might be ported to Windows as well.
    • Lynx [browser.org] and W3M [w3m.org] are up-to-date text mode browsers capable of displaying most pages which do not depend on images or animations.
    There is a choice, you just have to make it. And no, I didn't copy&paste this from elsewhere and I actually tested all of these, so you may mod me up without guilt. My personal recommendation: Opera (and Mozilla once I've upgraded to 512 megs and V1.0 is out).
  • by Selanit ( 192811 ) on Tuesday December 11, 2001 @11:41PM (#2691426)
    From the article:

    "Microsoft will patch a flaw in its Web browser that could allow an attacker to silently download and execute malicious programs on the computers of users who view a specially constructed Web page or e-mail message." (emphasis added)

    From the article's intro:

    "Microsoft has known about it since November 19; they refuse to provide any information about when a patch might be made available, if ever."

    Also: "And keep in mind that Microsoft is in no hurry to do anything about it . . ."

    Full marks for a more thorough description of the exploit and how it came about -- but did the poster actually read the article before posting? Looks to me like he hit the original report [solutions.fi] but not the article, which says that MS did initially plan to let it go, but did an about-face after a while.

    Nasty flaw nonetheless -- glad I switched to Mozilla.

    • by jamie ( 78724 )
      The Newsbytes article is a little confusing... it leads by claiming Microsoft "will" patch the flaw. But if you keep reading, you see that they originally did not consider it a flaw at all (which explains the slow response time). Then it turns out a beta of the patch has been tested internally, but then we see this:

      "A Microsoft spokesperson said the company does not currently have any information to share on the issue and declined to discuss the status of the browser patch."

      In other words, "no comment." Sounds to me exactly like "refusing to provide any information." So what was incorrect about Michael's writeup?

  • by Tachys ( 445363 ) on Tuesday December 11, 2001 @11:48PM (#2691468)
    I notice many people complain about MS using the web browser and file browser as the same thing. But it seems everyone else is doing that too. KDE's Konqueror is a combined web/file browser. Nautilus also does this. If this is such a bad idea why is everyone doing this. The only desktop that I know of that doesn't try to do this is the Mac OS.
    • I agree! (Score:3, Insightful)

      by Ender Ryan ( 79406 )
      Integrating the file browser and the Web browser is completely pointless, at least as far as any implementation of this fad had gone so far.

      With both IE and Konqueror, you have a good web browser (excluding problems already mentioned with regards to IE...), and that web browser also acts as the file manager, except all that each is doing is mimicking what their predecessors did without providing any extra functionality that is inherent in a web browser.

      Sure, IE has some neato wiz-bang "features", but it's ridiculous to claim that it adds anything to local file browsing that wasn't already provided by the previous program. Same goes for Konqueror.

      Granted... they are both better file browsers than their predecessors, but that functionality is completely separate from web browsing and could be removed and used to create a totally separate file browser. There is absolutely nothing gained by integrating the two.

    • And with Apple's proposed adoption of file extensions as the standard filetype recogntion scheme, they'll be in the same boat as all the others anyway. The more I think about it, the more I realized what an interesting area file metadata & it's repurcussions is.

      Stong metadata allows applications like Signwave FinderMail to exist (individual emails are stored as individual files, and handled in the Mac Finder like any other files, in folders and sorted by date and so on), and it was what BeOS was pushing hard & well with their advanced filesystem, and Microsoft may be copying in supposed plans to make their next generation filesystem out of SQL Server, rather than NTFS.

      It seems like file extensions suck as a way of managing all this, and I think all the major vendors & open source development groups realize this, but it's a lowest common denominator that we're having a hard time shaking off.

      And that brings me to my point and my question. Does this problem affect only the Windows versions of IE, or is it a problem on the Macintosh too. What is the proposed fix to this? Clearly it seems to be an architectual problem, but will the solution also be architectual? Will MS accelerate any efforts to move away from file extensions? (I doubt it, but you can always hope...). Will this discourage Apple from adopting them while deprecating what they've used in the past? I'd like to see how big the fallout of this could be, particularly if an nasty exploit crops up & there's no easy fix. Hmm...

  • Fire Michael (Score:3, Insightful)

    by EchoMirage ( 29419 ) on Wednesday December 12, 2001 @12:03AM (#2691538)
    Microsoft designed their web browser with the goal of doing what was best for Microsoft (evading anti-trust charges) rather than doing what was best for their users. In fact a proper "fix" of this hole probably involves de-integrating their browser and local file handling to some extent.

    Hey Malda and VA Software executives, or whoever is in charge of keeping a minimal amount of decency on this site: why do you keep letting crap like this make the front page? This is not informative, insightful, or in any way useful. This is just a rant by a pissed-off bigot, pure and simple.

    The vulnerability is real, but it is presented in such a hate-filled manner that it's unbearable to read. Michael has done nothing but spew venom in this posting. He's doing the right thing by bringing this to the attention of millions, but he does so with only malicious subtext to his main point.

    This reads like a stream-of-conciousness scream from a 13-year-old who's just had his Nintendo taken away from him. This isn't journalism, it isn't even information, it's just garbage.

    Please, do us all a favor: if Michael can't clean up his act and give us his material in at least a somewhat-presentable manner, fire him. You're losing respect for your site with postings like this. And no, this is not a troll, I'm serious.
    • Re:Fire Michael (Score:3, Insightful)

      by NatePWIII ( 126267 )
      I would have to agree, with this one. I'm not so against the bias, everyone has their bias, especially /.'ers.

      However, the information presented in this article is telling a lie whether it be through ignorance or just for sensationalism. Please, at least research and then present semi-true information before spreading it to thousands of others, it destroys the credibility of the site and underlying organization, namely Slashdot.

      The last few weeks I have noticed the quality of Slashdot's postings has deteriorated. Alot of duplicate postings etc... I don't know maybe I'm just too critical... any thoughts along these lines?
  • by NatePWIII ( 126267 ) <nathan@wilkersonart.com> on Wednesday December 12, 2001 @12:06AM (#2691550) Homepage
    With all of the email viruses, internet borne viruses, worms, holes, DDOS attacks, it surprises me that anyone even uses the internet or related technologies at all. It will be a sad day when the whole idea of the internet is just "dumped" because of hackers (the bad kind), holes and bandwidth abuse. It seems like daily that I read through the articles on slashdot and find a new hole, exploit or virus that is being used or abused. Take for instance the recent decision to shut down the first IRC server, because of repeated DDOS attacks, that is truly a shame. As I have said often before, abuse it and lose it...
  • Please, get it right (Score:3, Informative)

    by OblongPlatypus ( 233746 ) on Wednesday December 12, 2001 @12:22AM (#2691637)
    Those of you who read the articles will consider this redundant, but I've seen so many different interpretations of how the exploit works (and many wrong ones modded up), so I thought I'd clear it up:

    You make a trojan or other malicious executable, and name it 'something.txt'. Then you make your HTTP server tell browsers that this file has content type 'application/octet-stream'. IE will read the content type header and realize that it's an executable, and ask you if you want to open it or download it. But since the file name indicates a text file, there's absolutely no indication that a program will be executed if you choose "open".

    DISCLAIMER: I haven't tried this. This is just my interpretation of what I've read in the various articles. Also note that some versions of IE will use the word "execute" instead of "open" in the pop-up dialog, which might help tip some users off.
  • FUD (Score:3, Insightful)

    by Wonko42 ( 29194 ) <ryan+slashdot@@@wonko...com> on Wednesday December 12, 2001 @12:29AM (#2691670) Homepage
    Gee, michael, could you try and work in just a little more FUD? The exploit does require user intervention in order to execute malicious code. It pops up a dialog box asking if you want to open a file. The only security issue here is the fact that the name of the file can be changed by the malicious server. But regardless of what the fake name is, if the user clicks Cancel or Save To Disk, the exploit is thwarted.

    Besides, it's not like Microsoft are the only folks who take forever to release patches [pcworld.com].

  • by Futurepower(tm) ( 228467 ) <M_Jennings @ not ... futurepower.org> on Wednesday December 12, 2001 @12:41AM (#2691722) Homepage

    If the volunteers for OpenBSD can go through the software and eliminate security problems in advance, Microsoft, with 30 billion dollars in the bank, could also. Since Microsoft doesn't do this, maybe there is some reason. Maybe the U.S. government has dictated that they leave bugs in.

    Software is only an operating system if it can be trusted. If it can't be trusted, there should be some other name, like fnord. Microsoft Fnord XP.

    --
    U.S. planned to attack Afghanistan before the second WTC bombing. [hevanet.com]
  • by scorcherer ( 325559 ) on Wednesday December 12, 2001 @12:45AM (#2691737) Homepage
    post a link to the picture of 'another gaping security hole'.
  • Long time problem (Score:3, Interesting)

    by niola ( 74324 ) <jon@niola.net> on Wednesday December 12, 2001 @01:11AM (#2691838) Homepage
    I know from my web development experiences that this has long been a problem. In fact, recently me and a friend were contracted to make some modifications to a site built in perl. The client was an all-MS shop and did not notice that sometimes the contents of the CGI's got dumped out the screen raw. It turned out that since they all used IE, it automatically assumed the output to be HTML and rendered it, but when we used Mozilla, since no propoer MIME header was sent, the browser just rendered it as text. Kind of scary that this can go on without anyone doing something about it.

    --Jon
  • by foobar104 ( 206452 ) on Wednesday December 12, 2001 @01:16AM (#2691859) Journal
    Ironically, I ran into this one just the other day, but didn't recognize it for what it was.

    I develop software for a living, and one of my tools is a web-based thingy with a CGI interface. A typical URL might look like this:

    http://foo/bar.cgi?blah=blah&filename=quux.jpg

    This CGI script returns a web page with info about the file "quux.jpg," which exists on the server.

    When I serve this URL up to IE 6 under Windows 2000 (maybe other versions; that was the only Windows IE I tried) the browser thinks it's downloading a JPEG image, and asks me where I want to save it.

    My script sends a nicely formatted Content-type header of text/html, but the browser is stubborn and won't listen.

    So in my case, this wasn't really indicative of a security hole, but rather a pretty dumb design flaw in the browser that should have been caught in testing.

    (Oh, and FYI, my "fix" was to reorder the CGI parameters as the URL gets constructed, so the filename never comes last. I'm not happy with this, and I may implement URL-encoding the filename's "." character instead, then decoding it on the server side. But the spec says I shouldn't have to do that, so the whole situation has left me kind of pissy.)
    • I had a similar problem once, when I had to make a CGI that would send back a spreadsheet to be passed off to the right application from either Netscape or IE. The eventual solution was to change the content-type slightly for each browser, and for IE to append a fake parameter with the right extension so IE would open it correctly.

      It was a workaround for IE, really, Netscape handled it fine with the correct content-type. IE didn't handle it correctly unless you munged the content-type AND added that fake extension...
  • The real gaping hole (Score:3, Interesting)

    by Krach42 ( 227798 ) on Wednesday December 12, 2001 @01:37AM (#2691941) Homepage Journal
    You want to see it for yourself? The problem is that IE get's a file that ends in say, .ZIP, asks the user to download or open from current location, and if it's "open from current location" it actually executes the code as an executable, even if it _IS_ a .ZIP. There's nothing special here, and it doesn't need you to have web administrator access, I did it here: http://www.cs.nmsu.edu/~dfoesch/funny.zip [nmsu.edu] If you want to see the exploit first hand, select "open file from current location" and then if it asks you what application to use, just click "ok" (ok, you might have to select the first entry) and PRESTO! Notepad.EXE! Running remotely on your computer! This could easily be any arbitrary program, I just chose Notepad.
  • Procmail Scanner (Score:5, Informative)

    by ColaMan ( 37550 ) on Wednesday December 12, 2001 @01:41AM (#2691956) Homepage Journal
    I have to plug something here.

    Check out the procmail-based scanner at impsec.org [impsec.org]

    If you can set it up, do so - it's saved my ass quite a few times, by mangling active html content and renaming file extensions etc. It can also scan M$ docs for sus looking macros.

    The following is something I received today that would slip through otherwise (notice the original content-type)

    > SECURITY WARNING!
    >
    > The mail system has detected that the following
    > attachment may contain hazardous program code, is
    > a suspicious file type, or has a suspicious file name.
    > Do not trust it. Contact your system administrator immediately.
    >
    > X-Content-Security: [www.ccimackay.com] original Content-Type was audio/x-wav;
    > Content-Type: application/octet-stream; name="HUMOR.MP3.27525DEFANGED-scr"
    > Content-Transfer-Encoding: base64
    > Content-ID:
    >

    End of blatant plug :-)
  • this works how? (Score:3, Interesting)

    by pangloss ( 25315 ) on Wednesday December 12, 2001 @05:10AM (#2692394) Journal
    upon first reading michael's post, i thought this wouldn't work, because ie has that annoying behavior of examining the first bytes of file to determine its mime type, sort of like apache's mime-magic module. and then ie in 5.5sp1 had to go and break the content-dispostion header, but i digress.

    anyway, i tried to recreate this bug, with no luck. maybe someone can explain what i'm doing wrong, assuming this is a valid hole in i.e.:

    server: apache 2.0.28 beta for win32
    client: ie 5.5 sp2 (not sure if it's stock sp2 or has a hotfix on top of sp2. there's some Qxxxxxx following in the "about" box)

    in httpd.conf, created the following:
    <Directory "c:/foo/bar">
    #AddType audio/x-wav .bat
    #AddType audio/x-wav .txt
    AddType application/octet-stream .txt
    AddType application/octet-stream .bat
    </Directory>

    created two files:
    a.bat:
    @echo off
    format a:
    b.txt:
    this is a just an .exe renamed to b.txt

    ie renders the .bat file as text in the browser.
    in the case of the .txt, ie prompts to open or save, defaulting to save. selecting open opens the binary file in notepad.

    changing the mime-type to audio-x-wav just renders the files as text in the browser (no prompting in the case of the txt/exe).

    so what's the big deal?
  • by ymgve ( 457563 ) on Wednesday December 12, 2001 @05:23AM (#2692416) Homepage
    For all the fanboys that scream out that Opera is better than IE (and it is, I love it too) - in this case it is vulnerable too, as this link [geilerserver.de] proves. The file save dialogue will show the text.txt filename, but if you select to open it directly, it will run.

    Opera 6.0 is not vulnerable - but take note - even though it is much better and has less exploits than IE, it's still not completely free of them. (On the other hand, the only secure applications are those on an unpowered computer, or a program of 'Hello World' complexity)
  • Slander? (Score:5, Insightful)

    by tacocat ( 527354 ) <tallison1@t[ ].rr.com ['wmi' in gap]> on Wednesday December 12, 2001 @06:12AM (#2692497)

    Let me say I will be one of the first to jump on the "I Hate Microsoft" wagons. But this article is just plain wrong, as in inaccurate.

    The first paragraph of the referenced story talks about how they are currently in testing for this security hole. Whereas, the poster is stating that Microsoft has no specific designs on when this will ever get fixed.

    Inaccurate, Fanatical Extremism like this is only going to hurt Open Source, Slashdot, and those associated with it. While Microsoft may be wrong in this case. It doesn't do us any good to exhibit poor sportsmanship. Leave that for the politicians

  • Hmm (Score:3, Interesting)

    by underpaidISPtech ( 409395 ) on Wednesday December 12, 2001 @08:45AM (#2692706) Homepage
    I have been unable to get this to work as described in the article, or by the other attempts posted so far. The closest I have come [soundmethod.net] is to create a Redirect or Rewrite rule that takes a request for a *.txt file and points it to a .bat file (thereby fullfilling the "text" requirement"), which is then soft linked to your malicious executable. This still displays the file's name however. And the dialogue asks you to "run" this program. The extra step of the soft-link bypasses a warning about running the file; if the redirect went straight to the .exe, the browser will complain about security.

    Either way, this is entirely server-side. The article states that simple HTML can pull it off. I am wondering if that is just a smoke screen.

    - I have tried renaming an .exe file to .txt, that just spits binary data at you in Notepad.

    - I tried a cgi [soundmethod.net] (source is here [soundmethod.net]).

    Now, this time the dialogue displays the requested file (.cgi) instead of the executable filename (not a redirect). However, you are then prompted to "choose a program to run this..." which means that the requested file has to have an executable extension, or a known extension. Wav, mp3, mpg won't work as the format is obviously invalid.

    3) I tried messing with the mime.types in Apache, various soft links and combos of all 3 methods. Basically I fail to see how standard HTML without any server-side config or scripting can fool the browser or get it to exec code unwillingly, as described in the article.
    Maybe if I renamed the file to mayIhaveyouradvice.txt.pif or something, but the extension IS displayed to the user. Maybe the average user doesnt pay attention, but its kind of hard to miss.

    Obviously they have ommitted something crucial because (my box - W2K, IE 5.5 SP2) this "bug" is not happening, and it's not happening for other people too. If this is so easy to implement in palin HTML and would affect "millions" then I think other /.ers would have hit on it by now.

Quark! Quark! Beware the quantum duck!

Working...