Microsoft To Plug Devastating Browser Download Hole

Newsbytes ^ | 12/12/2001 | Brian McWilliams

[toupsie]

Microsoft To Plug Devastating Browser Download Hole

By Brian McWilliams, Newsbytes
REDMOND, WASHINGTON, U.S.A.,
11 Dec 2001, 1:09 PM CST Microsoft [NASDAQ:MSFT] will patch a flaw in its Web browser that could allow an attacker to silently download and execute malicious programs on the computers of users who view a specially constructed Web page or e-mail message.

The patch for Internet Explorer (IE) is currently in testing and could be released soon, according to Jouko Pynnonen, a security researcher with Finland's Oy Online Solutions. Pynnonen reported the IE vulnerability to Microsoft on Nov. 19 and recently tested the software fix at the company's request.

The vulnerability affects IE for Windows versions 5, 5.5, and 6, said Pynnonen. Citing the severity of the flaw, he refused to release technical details about the method he found for bypassing the browser's system for securely handling downloaded files.

A Microsoft spokesperson said the company does not currently have any information to share on the issue and declined to discuss the status of the browser patch.

By design, IE should warn users when they attempt to download and open an executable file. But as a result of the security flaw, a malicious Web site could "relatively easily and unnoticeably ... spread virii, install DDoS zombies or backdoors, format hard disks, and so on," wrote Pynnonen in an advisory posted Nov. 26 to Bugtraq, a mailing list for security experts.

Pynnonen revealed that the bug lies in IE's processing of Internet addresses and "header" information that tells the browser what type of file it is handling. The flaw is particularly dangerous because it can be exploited using ordinary Web page code, without help from JavaScript or other scripting programs, he said.

Oy Online Solutions offered to demonstrate the flaw at a private Web site only if recipients of the demo signed an agreement not to disclose information about the exploit.

Chris Wysopal, director of research and development for AtStake, a security consulting firm, characterized the IE download flaw as "a very serious problem" and potentially one of the most severe ever to affect the browser.

However, to exploit the vulnerability, "attackers would probably need control of a Web server so that they could control the information sent in the HTTP header," Wysopal said. As a result, attacks could be traced to the malicious site.

According to Pynnonen, the vulnerability also may affect users of Microsoft's Outlook and Outlook Express e-mail readers, which rely on IE to display messages in Web-page or HTML format. Qualcomm's Eudora e-mail reader, which optionally uses IE for HTML display, could also be vulnerable, he said.

Until the patch is available from Microsoft, Pynnonen said concerned users can temporarily disable IE's ability to download files. To do so, users should select Internet Options from the Tools menu. Then select the Security tab and click on Custom Level. Scroll down to the listing for Downloads and disable file downloads.

Pynnonen's initial advisory on the flaw did not describe the automatic downloading vulnerability and was concerned instead with the browser's failure to properly differentiate between file types.

A subsequent message sent to Microsoft and Bugtraq Nov. 28 described the more serious issues but was not published on Bugtraq by joint agreement between Pynnonen and the list's moderator, the security researcher said.

Microsoft initially denied that the ability to "spoof" file types in IE represented a security vulnerability, but the company later changed its position, according to Pynnonen.

Last month Microsoft patched a security flaw in IE's handling of browser cookie files after Pynnonen reported the vulnerability to the company.

Pynnonen's original report on the IE download spoofing flaw is at http://www.solutions.fi/index.cgi/news_2001_11_26?lang=eng

Microsoft security information site is at http://www.microsoft.com/technet/security/default.asp

Reported by Newsbytes, http://www.newsbytes.com .

13:09 CST
Reposted 13:33 CST

(20011211/WIRES ONLINE, LEGAL, PC/HOLE/PHOTO)

[Bush2000]

That's the funniest line I've seen in the Apple/Windows war. I think I'll steal it. The funniest part of it is - it has some foundation in truth. Graphic artists, interior designers, apparel designers - all overwhelmingly use Macs, because they have better software for these applications.

I have to admit: I stole it from AppyPappy. So, by all means, please continue the tradition of graceful theft. ;-)

[Mid-MI Student]

Hre is a free computer lesson.
Look at a Mac screen, do you see the thing at the top of your screen?
Well if you have an open application then go to "File" then right under file it should say, "New xxx" ic could be a browser, document, file, ect... whatever you need for that program..

Its easy!

[Bush2000]

Could have fooled me as often as Windows Users have to take in the rear end because of their operating system's poor security.

Thank you for proving the point: You Mac guys are preoccupied with anal metaphors.

[Bush2000]

I don't believe all Mac users are gay...

Neither do I. But it's fun to get under Mac users' skins.

[Texaggie79]

that its open source development process tends to make it more secure, not less.

Yes but what is your reasoning behind that? Because you have more minds and concepts involved, right? Also you must take into account that ALL source code is known and nothing can be hidden. The more one is capable to freely study the source code, the more capable they are at hacking it's weaknesses.

[texlok]

Let's think about this, IE, IIS, and Outlook have had/have massive problems with virii/trojans/worms/etc.

The logical thing would to switch to Netscape, Apache, and use Eudora or Pegasus e-mail cliehts.

But are people going to do that? Nope, they are going to keep complaining everytime they get hacked or have something destroyed, because like the good sheeple they are, they will keep coming back to MS.

If people left in droves, I guarantee MS would start taking security and bugs a little more serious.

[Bush2000]

I want a girl friend who is a Mac user.

Careful what you ask for ... she may leave you someday for a chick named Butch. ;-)

[Mid-MI Student]

ic=it...

[Texaggie79]

I'm a PC user, but I will say that anyone in the artistic industry, such as design, music, animation, ect is WAY better off with a MAC. And though many in the art industry are gay, not all are. Especially musicians.

[toupsie]

You know what a flamer Rush Limbaugh is! He is on the radio right now touting how great Apples are.

[evolved_rage]

If people leave MS in droves, then suddenly there would be more hacks, cracks and viruses for Mac OS, Netscape, Apache, Eudora...

[Dominic Harr]

Maybe you didn't hear me the first time.

The only point I'm making is that if 'having other choices' is proof of no monopoly, then even the old Soviet state-owned stores had a monopoly.

The people could and did choose the black market, as an alternative.

In a real economy, a 'monopolist' uses force, threats, kickbacks and intimidation to garner illegal contracts to control the market. All of which is illegal. And all of which MS has been convicted of.

[Bush2000]

If MS doesn't have a monopoly, then neither do the public schools. Or the Post Office, for that matter.

Tell me something, Harr: Are there laws requiring you to use Microsoft software? Because if I decide not to send my kid to public school (or any school for that matter), they're gonna drag my ass to jail or take my kid away. And there are no competitors to the Post Office for simple mail delivery. None. Nada. Zilch. I could always go with FedEx or UPS. But I'm gonna pay through the nose. The reason that there is no competition is that the government has mandated the existence of the USPS and subsidized its wasteful growth. There are no such laws or federal monies propping up MS.

[Bush2000]

You know what a flamer Rush Limbaugh is! He is on the radio right now touting how great Apples are.

Limbaugh is a prima donna. He might as well be gay, the way he indulges his ego.

[B Knotts]

The more one is capable to freely study the source code, the more capable they are at hacking it's weaknesses.

This is based on the fallacy of security through obscurity.

As is said in cryptography: The security of an algorithm should not depend on its secrecy.

If security through obscurity really worked, Windows and IIS would rarely be compromised.

[RnMomof7]

Better yet, get a Mac!

Love my Mac....never catches anything..just keeps on ticking!

[Texaggie79]

Do you know the definition of "EXCLUSIVE". Because that is a monopoly, having EXCLUSIVE control of a market, commodity, or service. Tell me, how is it that I can get a Dell with Linux when MS is a monopoly?

[Bush2000]

I'm a PC user, but I will say that anyone in the artistic industry, such as design, music, animation, ect is WAY better off with a MAC. And though many in the art industry are gay, not all are. Especially musicians.

I disagree. There was a time when the Mac had an advantage with creatives but that advantage has been eliminated; in fact, Adobe sells more than 71% of its software for the PC -- according to its annual report -- versus 30% for the Mac. Same with Macromedia. And so on. I think you're working on the misperception that, because Macs come in pretty design cases, they're better than PCs. That's nonsense. Software is software. Hardware is hardware. If anything, Mac users are more touchy-feely about design. But that doesn't translate into better performance.

[Dominic Harr]

Because if I decide not to send my kid to public school (or any school for that matter), they're gonna drag my ass to jail or take my kid away.

"or any school".

You have a choice.

And there are no competitors to the Post Office for simple mail delivery.

There are literally hundreds of thousands of 'courrier' services out there that will deliver a letter. You have many, many choices. You can even get your neighbor kid to just drop it off for you, if it's in town!

You have a choice.

There are no such laws or federal monies propping up MS.

This administration is *clearly* trying to prop MS up.

MS has been *convicted* of serious criminality, and this administration seeks no punishment, just 'promises' of future honest behavior.

With private monopolies it's a *lack* of enforcing the law that props them up. As in this case, now. The US govt is just *now* finally enforcing the law, and only under duress.

[toupsie]

If people leave MS in droves, then suddenly there would be more hacks, cracks and viruses for Mac OS, Netscape, Apache, Eudora...

You are assuming that everyone else makes the same level of poor quality software as Microsoft. Its like comparing a Ford Focus (Microsoft) to a BMW (Apple). You do get a better computer for the money like you do for a car. Its as simple as that.