Posted on 12/11/2001 9:11:38 PM PST by toupsie
Microsoft To Plug Devastating Browser Download Hole

By Brian McWilliams, Newsbytes

REDMOND, WASHINGTON, U.S.A., 11 Dec 2001, 1:09 PM CST

Microsoft [NASDAQ:MSFT] will patch a flaw in its Web browser that could allow an attacker to silently download and execute malicious programs on the computers of users who view a specially constructed Web page or e-mail message.

The patch for Internet Explorer (IE) is currently in testing and could be released soon, according to Jouko Pynnonen, a security researcher with Finland's Oy Online Solutions. Pynnonen reported the IE vulnerability to Microsoft on Nov. 19 and recently tested the software fix at the company's request.

The vulnerability affects IE for Windows versions 5, 5.5, and 6, said Pynnonen. Citing the severity of the flaw, he refused to release technical details about the method he found for bypassing the browser's system for securely handling downloaded files.

A Microsoft spokesperson said the company does not currently have any information to share on the issue and declined to discuss the status of the browser patch.

By design, IE should warn users when they attempt to download and open an executable file. But as a result of the security flaw, a malicious Web site could "relatively easily and unnoticeably ... spread virii, install DDoS zombies or backdoors, format hard disks, and so on," wrote Pynnonen in an advisory posted Nov. 26 to Bugtraq, a mailing list for security experts.

Pynnonen revealed that the bug lies in IE's processing of Internet addresses and "header" information that tells the browser what type of file it is handling. The flaw is particularly dangerous because it can be exploited using ordinary Web page code, without help from JavaScript or other scripting programs, he said.

Oy Online Solutions offered to demonstrate the flaw at a private Web site only if recipients of the demo signed an agreement not to disclose information about the exploit.

Chris Wysopal, director of research and development for AtStake, a security consulting firm, characterized the IE download flaw as "a very serious problem" and potentially one of the most severe ever to affect the browser. However, to exploit the vulnerability, "attackers would probably need control of a Web server so that they could control the information sent in the HTTP header," Wysopal said. As a result, attacks could be traced to the malicious site.

According to Pynnonen, the vulnerability also may affect users of Microsoft's Outlook and Outlook Express e-mail readers, which rely on IE to display messages in Web-page or HTML format. Qualcomm's Eudora e-mail reader, which optionally uses IE for HTML display, could also be vulnerable, he said.

Until the patch is available from Microsoft, Pynnonen said concerned users can temporarily disable IE's ability to download files. To do so, users should select Internet Options from the Tools menu. Then select the Security tab and click on Custom Level. Scroll down to the listing for Downloads and disable file downloads.

Pynnonen's initial advisory on the flaw did not describe the automatic downloading vulnerability and was concerned instead with the browser's failure to properly differentiate between file types. A subsequent message sent to Microsoft and Bugtraq Nov. 28 described the more serious issues but was not published on Bugtraq by joint agreement between Pynnonen and the list's moderator, the security researcher said.

Microsoft initially denied that the ability to "spoof" file types in IE represented a security vulnerability, but the company later changed its position, according to Pynnonen. Last month Microsoft patched a security flaw in IE's handling of browser cookie files after Pynnonen reported the vulnerability to the company.

Pynnonen's original report on the IE download spoofing flaw is at http://www.solutions.fi/index.cgi/news_2001_11_26?lang=eng

Microsoft's security information site is at http://www.microsoft.com/technet/security/default.asp

Reported by Newsbytes, http://www.newsbytes.com

13:09 CST (20011211/WIRES ONLINE, LEGAL, PC/HOLE/PHOTO)

Reposted 13:33 CST
Thanks for clearing that up, but calling me "Bill Gates" was uncalled for and an insult that could not go unchallenged!
But, what I see every time one of these threads appears is a gaggle of Macists who insist that they are better than everyone else because they have a Mac. Or the Linuxoids who insist Linux is a gift from God. And, of course, there are the Windowtrons who enjoy rebooting. I am none of the above, though I make a few bucks now and then maintaining some PC/Windows software, so that keeps me in Windows to some extent.
My gripe with Linux was a major lack of driver availability and a piss-poor GUI. The next time I buy a PC I will certainly research the driver issue up front for Linux or FreeBSD compatibility. Until then, I will just have to struggle along with Windows.
Linux has its faults, but that isn't one of them, IMO.
Did you use KDE? Sounds like you used GNOME. It sucks, but pretty much every distribution lets you choose which desktop you want to use.
That's what I was thinking. They wouldn't even have to request it. How many NSA programmers are working undercover at MS? It's certainly not zero. How many are in oversight positions?
MICROSOFT SSSUUUCCCKKKSSS!!!!!!
Security Note: File extensions spoofable in MSIE download dialog
OVERVIEW
Oy Online Solutions Ltd's security experts have found a flaw in Microsoft Internet Explorer that allows a malicious website to spoof file extensions in the download dialog to make an executable program file look like a text, image, audio, or any other file. If the user chooses to open the file from its current location, the executable program will be run, circumventing Security Warning dialogs, and the attacker could gain control over the user's system.
A piece of HTML can be used to cause a normal download dialog to pop up. The dialog would prompt the user to choose whether he/she wants to "open this file from its current location" or "save this file to disk". The file name and extension may be anything the malicious website administrator (or a user having access there) wishes, e.g. README.TXT, index.html, or sample.wav. If the user chooses the first alternative, "open the file from its current location", an .EXE application is actually run without any further dialogs. This happens even if downloading a normal .EXE file from the server causes a Security Warning dialog.
The user has no way of detecting that the file is really an .EXE program and not a text, HTML, or other harmless file. The program could quietly backdoor or infect the user's system, and then pop up a window which does what the user expected, i.e. show a text document or play an audio file.
No active scripting is necessary in order to exploit the flaw. The malicious website can be referred to, e.g., in an iframe, in a normal link, or by JavaScript.
DETAILS
The flaw is in the way Internet Explorer processes certain kinds of URLs and HTTP headers. No further technical details are disclosed this time, as there is no proper workaround and the vulnerability could be relatively easily and unnoticeably exploited to spread virii, install DDoS zombies or backdoors, format hard disks, and so on.
The flaw has been successfully exploited with Internet Explorer 5.5 and 6. An IE5 with the latest updates shows the spoofed file name and extension without a sign of EXE, and issues no Security Warning dialog after the file download dialog.
Internet Explorer 6 is exploitable in a slightly different way, but the effect is the same. The user gets a download dialog with the spoofed file name and extension, and can choose between "Open" and "Save". Opening the file causes the program to be run.
Older versions such as IE5.0 behave somewhat differently. The dialog indicates the user is about to execute an application; the dialog has the word "execute" instead of "open", and a Security Warning dialog appears after choosing "execute". It still shows the spoofed file name and extension instead of "EXE".
Any way to skip all dialogs, i.e. to run an application without ANY dialog with this vulnerability, has NOT been found. In all variations of the exploit there is always the normal file download dialog, but the following Security Warning dialog is skipped.
Technical details of the vulnerability will be revealed later.
WORKAROUNDS
Opening a file type previously considered safe, e.g. a plain text or HTML file, isn't safe with IE. Users of the browser should avoid opening files directly and save them to disk instead (if opening them is necessary at all). If this flaw is being exploited, the file save dialog will reveal that the file is actually an executable program. Dealing with files from an untrusted source isn't advisable anyway. Another workaround is switching to another browser such as Opera or Netscape, which don't seem to have this vulnerability.
VENDOR STATUS
Microsoft was contacted on November 19th. The company doesn't currently consider this a vulnerability; they say that the trust decision should be based on the file source and not the type. The origin of the file, i.e. the web server's hostname, can't be spoofed with this flaw. It's not known whether a patch is going to be produced. Microsoft is currently investigating the issue.
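A defender-side check for the class of trick the advisory describes: a download whose advertised name claims a harmless type while the body is a Windows executable. This is an added example, not part of the advisory or of Oy Online Solutions' work; it does not reproduce the undisclosed IE parsing flaw, and every URL, header and response body below is constructed.

```python
"""Flag HTTP download responses whose advertised filename claims a harmless
type while the body is a Windows executable (PE 'MZ' header).
Added example; all sample URLs, headers and bodies below are constructed."""
import re
from urllib.parse import unquote, urlparse

# Extensions under which an executable is honestly labelled.
EXEC_EXT = {"exe", "com", "scr", "dll", "bat", "pif"}


def advertised_filename(url, headers):
    """Name the download dialog would show: Content-Disposition filename if
    present, otherwise the last segment of the URL path."""
    cd = headers.get("content-disposition", "")
    m = re.search(r'filename\*?=\s*"?([^";]+)"?', cd, re.I)
    if m:
        return unquote(m.group(1).strip())
    return unquote(urlparse(url).path.rsplit("/", 1)[-1])


def body_is_pe(body):
    """PE executables begin with the DOS 'MZ' signature regardless of name."""
    return body[:2] == b"MZ"


def check_download(url, headers, body):
    """Return (verdict, advertised_name): 'spoofed' when a non-executable
    extension fronts a PE body, 'executable' when a PE is labelled as such,
    'ok' for everything else."""
    headers = {k.lower(): v for k, v in headers.items()}
    name = advertised_filename(url, headers)
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if body_is_pe(body):
        return ("executable" if ext in EXEC_EXT else "spoofed"), name
    return "ok", name


# Constructed responses: a PE body fronted by README.TXT, an honest .exe,
# and a genuine text file.
SAMPLES = [
    ("http://example.test/docs/README.TXT",
     {"Content-Type": "text/plain",
      "Content-Disposition": 'attachment; filename="README.TXT"'},
     b"MZ\x90\x00" + b"\x00" * 60),
    ("http://example.test/setup.exe", {"Content-Type": "application/octet-stream"},
     b"MZ\x90\x00" + b"\x00" * 60),
    ("http://example.test/notes.txt", {"Content-Type": "text/plain"},
     b"plain text, nothing to see"),
]

if __name__ == "__main__":
    for url, hdrs, body in SAMPLES:
        print(check_download(url, hdrs, body))
```

Run as a proxy or mail-gateway filter, this is the same decision the advisory says the IE save dialog makes (looking at the real file) rather than the one the open dialog makes (trusting the advertised name).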
You obviously know nothing about the logo's history (it's their second logo, btw) or that it was changed because in the late 90's Jobs declared the "rainbow" logo, from 1977, too dated. And it was just as dated as the "bone" colour schemes of their computers, their industrial design, their operating system and other things he set about changing to revive the corporation.
Maybe you didn't even notice but it's not even really a "rainbow" as the colours are out of order--done on purpose, too. The bitten apple represents lust, knowledge. The misordered rainbow brought with it hope and anarchy. It's about CORPORATE identity. The colour aspect is still there, it's just moved to the products and the logo is coloured to match the product's design.
You were really, really reaching. Are you sure you're not on Microsoft's payroll? At a time of heightened competition, from IBM and others, they used to have their own "seminar caller" type setup where paid employees would send letters to magazine editors, posing as regular users, praising Microsoft products. They would post online doing the same and so on. They were masters of spin, with carefully timed vaporware pre-announcements and what was called "FUD" (for creating Fear, Uncertainty and Doubt about competing products). These facts came out in testimony during the recent trial.
I laugh when Rush, caller drones, and even some Freepers insist the "new economy" fell because of the anti-trust litigation against Microsoft. If this nation's economy is so damned closely tied to one corrupt corporation so as to fall into recession when efforts are made to rein in unethical business practices, we have no business calling ourselves the world's only superpower, making claims of having a vibrant free market economy. If that is so, we're a laughing stock.
LOL. It's not safe to use a web browser to view web/HTML pages.
Nice slogan but it fails to capture the inherent corporate greed, mafioso methods of competition and general loathing for the customer.
Every fix-it patch creates major disruption to my computer.
As a java developer, I don't understand anything but that. That's how Java works. Applets run in a 'sandbox' by default, they can not write to or read from the local hard drive. But you can 'sign' an applet, and then either the first time, or every time, they run it it will ask for permission.
I can't *imagine* allowing non-local code to execute on your machine without permission.
That is *very* poor software development.
How much? :-)
I don't know, it isn't even safe to web browse, or read email with MS software. You don't have to be a power user to run into MS's poor programming.
MS tools aren't even safe enough for the average consumer.
I'll try to read up on these, but I have a question. Does the article address the same issues talked about extensively as "open ports" in the new Microsoft OS? From my reading it doesn't--it is talking about something that affects Windows in general--is this your reading as well? If that is the case, do your solutions address the open port issues? Sufficiently or completely?