Posted on 12/11/2001 9:11:38 PM PST by toupsie
Microsoft To Plug Devastating Browser Download Hole

By Brian McWilliams, Newsbytes

REDMOND, WASHINGTON, U.S.A., 11 Dec 2001, 1:09 PM CST

Microsoft [NASDAQ:MSFT] will patch a flaw in its Web browser that could allow an attacker to silently download and execute malicious programs on the computers of users who view a specially constructed Web page or e-mail message.

The patch for Internet Explorer (IE) is currently in testing and could be released soon, according to Jouko Pynnonen, a security researcher with Finland's Oy Online Solutions. Pynnonen reported the IE vulnerability to Microsoft on Nov. 19 and recently tested the software fix at the company's request.

The vulnerability affects IE for Windows versions 5, 5.5, and 6, said Pynnonen. Citing the severity of the flaw, he refused to release technical details about the method he found for bypassing the browser's system for securely handling downloaded files.

A Microsoft spokesperson said the company does not currently have any information to share on the issue and declined to discuss the status of the browser patch.

By design, IE should warn users when they attempt to download and open an executable file. But as a result of the security flaw, a malicious Web site could "relatively easily and unnoticeably ... spread virii, install DDoS zombies or backdoors, format hard disks, and so on," wrote Pynnonen in an advisory posted Nov. 26 to Bugtraq, a mailing list for security experts.

Pynnonen revealed that the bug lies in IE's processing of Internet addresses and "header" information that tells the browser what type of file it is handling. The flaw is particularly dangerous because it can be exploited using ordinary Web page code, without help from JavaScript or other scripting programs, he said.

Oy Online Solutions offered to demonstrate the flaw at a private Web site only if recipients of the demo signed an agreement not to disclose information about the exploit.

Chris Wysopal, director of research and development for AtStake, a security consulting firm, characterized the IE download flaw as "a very serious problem" and potentially one of the most severe ever to affect the browser.

However, to exploit the vulnerability, "attackers would probably need control of a Web server so that they could control the information sent in the HTTP header," Wysopal said. As a result, attacks could be traced to the malicious site.

According to Pynnonen, the vulnerability also may affect users of Microsoft's Outlook and Outlook Express e-mail readers, which rely on IE to display messages in Web-page or HTML format. Qualcomm's Eudora e-mail reader, which optionally uses IE for HTML display, could also be vulnerable, he said.

Until the patch is available from Microsoft, Pynnonen said concerned users can temporarily disable IE's ability to download files. To do so, users should select Internet Options from the Tools menu. Then select the Security tab and click on Custom Level. Scroll down to the listing for Downloads and disable file downloads.

Pynnonen's initial advisory on the flaw did not describe the automatic downloading vulnerability and was concerned instead with the browser's failure to properly differentiate between file types. A subsequent message sent to Microsoft and Bugtraq Nov. 28 described the more serious issues but was not published on Bugtraq by joint agreement between Pynnonen and the list's moderator, the security researcher said.

Microsoft initially denied that the ability to "spoof" file types in IE represented a security vulnerability, but the company later changed its position, according to Pynnonen. Last month Microsoft patched a security flaw in IE's handling of browser cookie files after Pynnonen reported the vulnerability to the company.

Pynnonen's original report on the IE download spoofing flaw is at http://www.solutions.fi/index.cgi/news_2001_11_26?lang=eng

Microsoft's security information site is at http://www.microsoft.com/technet/security/default.asp

Reported by Newsbytes, http://www.newsbytes.com

Reposted 13:33 CST
I just spent two days helping a neighbor get her "plug it in and it works" iMac, with Mac OS 9.x, to do the most basic of things, such as printing to her Hewlett Packard inkjet printer. Someone had put Netscape on it, and printing from Netscape scrambled the HP drivers. The only way I could get it to work was to remove Netscape and go with Microsoft's Internet Explorer.
Mac OS, through the 9-series (not including NeXTSTEP/OPENSTEP/Rhapsody/OSX), is quite possibly the WORST operating system and graphical user interface ever conceived by the mind of man. How do you explain to a little old lady that there is a layer of abstraction between an application and a window, so that closing a window does NOT close the underlying application? If you close a window in Mac OS 9.x, without closing the underlying application, you can't get a new window for the application without forcing one open, via e.g. the keyboard shortcut CMD-n.
If a user double clicks an icon on the desktop to launch, say, a web browser, closes the window of the web browser, then double clicks the icon again, NOTHING HAPPENS!!! The user has to hit CMD-n to force open a new window! This is insane! What's worse, if the user doesn't double click the icon the second time, but only single clicks it (MANY users can't click fast enough to get a good double click) and hits CMD-n, then instead of getting a new window for the web browser, the user gets a new empty folder on the desktop (because the single click, in place of the double click, highlighted the desktop, NOT the icon)!!!
Mac OS 9.x is utter and complete garbage.
[And Mac users are real idiots. I once spent a whole morning on an emergency service call because a user couldn't find one of her applications. Turns out she had dragged a folder inside of itself - so the application was one layer deeper than normal.]
Is "Not finding an application" unique to that particular OS?
Furthermore, don't Macs have a find file feature?
If so, any competent technician should have been able to tell her how to find the application in less than a minute.
Here is why MS looks worse. When a bug is found in MS, it is lambasted across every computer publication known. When open source software is found to have a bug, a programmer simply changes it. No need to go all the way back to the originator. Also the vast majority of inexperienced admins and users use MS because it is the most user friendly, and therefore you will see far more mistakes made with MS. Whereas open sourced systems such as Linux are predominantly used by experienced and advanced users who know how to keep a secure system.
The public, then, ends up with a disproportionate view of MS.
But also, MS software just has far more errors than most other software.
The issue is 'incentive'. With a 95% market share, MS does *not* have any incentive to improve their coding practices. As long as they could use contracts to prevent any kind of 'free market' at the OS distributor level, they didn't increase sales thru better software.
That's one of the biggest reasons that a Soviet-style 'single provider' market is sooooo bad. That's why 'capitalism' is so much better.
If you can apply that logic to any monopoly, then it is meaningless. Try applying it to government schools.
'Perfect'? No one is asking for 'perfect'.
Just 'basically safe'.
Look, MS has been making web browsers for *almost a decade* now. And they *continually* put out new versions with serious vulnerabilities. In many cases, known vulnerabilities from the last version that they should have patched. Did you read where MS doesn't consider this significant, and may not even put out a patch!?
And they do this with *all* their products.
How many versions of IIS have been released with the *known* buffer-overrun hole?
This is a poor quality product.
It is only the 'best' browser left standing because MS literally 'murdered' the competition illegally.
I can tell you that 9 of 10 people I know like it. I can tell you that 7 of 10 geeks I know like it.
And Britney Spears is the top selling 'vocal' artist.
So? The one argument I can not understand in defense of MS is, 'but they have the volume'! Massive volume in our corporate/socialist economy comes from control of the distribution channels. Autos, music, movies, software.
American corps sell low-quality crap by controlling the auto dealerships/radio stations/movie theatres/OEM's.
Would you consider, "But they sell more" to be an argument that a Ford is a better car than a Lexus? Or that 'Harry Potter' is the best film of all time?
I don't think so. And it doesn't apply here, either.
MS is where they are because they were willing to commit the corporate equivalent of assault and murder.
Any computer is going to require some level of experience with it in order to become proficient. The Mac OS is far from perfect, but it has served me well for a long time; I'm also quite comfortable with the various Windows OSes as well - both have strong and weak points. It is just that your argument against the Mac OS could easily be just as well applied to any other OS.
"Oh, this thing broke and this other thing is confusing (to me), so the OS and the whole platform sucks." <- This is not something unique to the Mac OS BTW!
Then why, in the states which might settle the private lawsuits with MS, can the consumers not get compensation for being cheated by MS?
Because in those states, the law says that '3rd parties' can't get compensation in lawsuits.
The 'consumers' don't select or buy Windows. The distributors -- Dell, Compaq, etc, do. The 'consumers' simply buy whatever computers the major distributors offer.
The law actually considers 'end users' a 3rd party to the choice to purchase an OS. By far, most consumers do *not* choose. They have it chosen for them.
No, because by definition, there cannot be a choice. There is obviously a choice with OS's.
Try applying it to government schools.
They are unconstitutional to begin with. Everything done by the gov, must be done by force. So the free market cannot apply to the gov. So that is a bad analogy.
Oooh. Nice point.
If MS doesn't have a monopoly, then neither do the public schools. Or the Post Office, for that matter.
The problem is that many people don't understand economics beyond a 4th grade level. They think the only kind of monopoly is one with 'exclusive' control, with no competitors.
In the real world, monopolies are created thru controlling distribution channels. But most people don't understand how it is even possible to use contracts with distributors to create a Soviet 'single-supplier' market.
But if 'exclusivity' is the only definition of a monopoly, then the Post Office and Public Schools aren't even monopolies. And I hope no one would make *that* case.
It's a perfect analogy. He/she is a genius.
If 'having other choices' proves something isn't a monopoly, then the public schools aren't a monopoly.
And neither is the post office.
Both are just publicly funded industries much like the 'airlines' industry.
You are right to say that no Internet-connected machine is really 100% secure, but your implication that the fact that Linux is open source somehow makes it less secure is questionable, at best.
Many, many people (including me) would argue the opposite: that its open source development process tends to make it more secure, not less.
Still, nothing can replace good administrative practices.
With this kind of leverage, only an incompetent company could fail to gain market share.
The reason Apple dropped market share is simple: price. For any given price point you can get more hardware and software with a PC. Especially more software. Much of what home users have is pretty much free (And not always illegal. I have many sophisticated programs that are simply a version behind the latest. I get them dirt cheap at garage sales, or at the office when we upgrade or replace computers.)
Apple has done everything possible to avoid price competition on their hardware. As a result there are fewer machines out there and less demand for software, and less production of software.
Another reason for loss of market share is AppleTalk, the world's most inefficient networking OS. Maybe easy to install, but crap for more than a few users. Until recently, IP on a Mac was difficult and required third party software, like "Dave" to use network printers.
A third reason for loss of market share is Apple's indifference to database applications and connectivity to mainframes. Not everyone makes their living running Quark.