Posted on 12/11/2001 9:11:38 PM PST by toupsie
|
Microsoft To Plug Devastating Browser Download Hole |
By Brian McWilliams, Newsbytes The patch for Internet Explorer (IE) is currently in testing and could be released soon, according to Jouko Pynnonen, a security researcher with Finland's Oy Online Solutions. Pynnonen reported the IE vulnerability to Microsoft on Nov. 19 and recently tested the software fix at the company's request. The vulnerability affects IE for Windows versions 5, 5.5, and 6, said Pynnonen. Citing the severity of the flaw, he refused to release technical details about the method he found for bypassing the browser's system for securely handling downloaded files. A Microsoft spokesperson said the company does not currently have any information to share on the issue and declined to discuss the status of the browser patch. By design, IE should warn users when they attempt to download and open an executable file. But as a result of the security flaw, a malicious Web site could "relatively easily and unnoticeably ... spread virii, install DDoS zombies or backdoors, format hard disks, and so on," wrote Pynnonen in an advisory posted Nov. 26 to Bugtraq, a mailing list for security experts. Pynnonen revealed that the bug lies in IE's processing of Internet addresses and "header" information that tells the browser what type of file it is handling. The flaw is particularly dangerous because it can be exploited using ordinary Web page code, without help from JavaScript or other scripting programs, he said. Oy Online Solutions offered to demonstrate the flaw at a private Web site only if recipients of the demo signed an agreement not to disclose information about the exploit. Chris Wysopal, director of research and development for AtStake, a security consulting firm, characterized the IE download flaw as "a very serious problem" and potentially one of the most severe ever to affect the browser. However, to exploit the vulnerability, "attackers would probably need control of a Web server so that they could control the information sent in the HTTP header," Wysopal said. As a result, attacks could be traced to the malicious site. According to Pynnonen, the vulnerability also may affect users of Microsoft's Outlook and Outlook Express e-mail readers, which rely on IE to display messages in Web-page or HTML format. Qualcomm's Eudora e-mail reader, which optionally uses IE for HTML display, could also be vulnerable, he said. Until the patch is available from Microsoft, Pynnonen said concerned users can temporarily disable IE's ability to download files. To do so, users should select Internet Options from the Tools menu. Then select the Security tab and click on Custom Level. Scroll down to the listing for Downloads and disable file downloads. Pynnonen's initial advisory on the flaw did not describe the automatic downloading vulnerability and was concerned instead with the browser's failure to properly differentiate between file types. A subsequent message sent to Microsoft and Bugtraq Nov. 28 described the more serious issues but was not published on Bugtraq by joint agreement between Pynnonen and the list's moderator, the security researcher said. Microsoft initially denied that the ability to "spoof" file types in IE represented a security vulnerability, but the company later changed its position, according to Pynnonen. Last month Microsoft patched a security flaw in IE's handling of browser cookie files after Pynnonen reported the vulnerability to the company. Pynnonen's original report on the IE download spoofing flaw is at http://www.solutions.fi/index.cgi/news_2001_11_26?lang=eng Microsoft security information site is at http://www.microsoft.com/technet/security/default.asp Reported by Newsbytes, http://www.newsbytes.com . 13:09 CST (20011211/WIRES ONLINE, LEGAL, PC/HOLE/PHOTO)
REDMOND, WASHINGTON, U.S.A.,
11 Dec 2001, 1:09 PM CST 
Microsoft [NASDAQ:MSFT] will patch a flaw in its Web browser that could allow an attacker to silently download and execute malicious programs on the computers of users who view a specially constructed Web page or e-mail message.
Reposted 13:33 CST
It's hard to say. Microsoft has a terrible track record at ignoring known security risks to add features they think are "cool". Some of the security flaws are through negligence, and some are through willful disregard.
Here is another possibility - the government may have requested Microsoft to leave a backdoor entry point for "key loggers" and such. USG is definitely leaning on the anti-virus software vendors to allow their spyware to be installed without the user's knowledge.
Nope no tech support. For my job, I "fly" satellites/spacecraft from a mission control room for a living. :)
PS, watch for anti-virus company stocks tommorrow.
You can hear the microsofties now-- this is great for business!
Isn't it nice to never have to worry about this stuff?
:)
I can't use Windows. I have an IQ over 18.
See post #9.
And configure and update and patch them all properly of course.
Gee, is that all?
I understand why one of our tech MS support folks once said, "hey, I'm glad this stuff doesn't work very well, that's why I have a job."
Here's the root of the problem: Executable document files. Nice function but it's a fuse you hang out for all the world to light.
Don't sell (or buy) elevators until you're sure they are safe.
We have a near monopoly supplier of tools that are not safe to use for the mass of consumers.
I fault the company selling them for being irresponsible, the consumer for buying them, and the technicians, IT staff and trade media for supporting the dangerous scaffolding.
Until these functions can be made safe - out of the box - it's irresponsible to spread them to unknowing and vulnerable users.
thanks for your reply, I was unclear and brusque; I apologize.
Yes, that's part of it. The other part is ... well, I probably shouldn't say, 'cuz now that I think about it, it'd be really really easy to exploit it & do damage. Basically it makes trojan horses very easy to create.
Gee, this is a conundrum, because I kinda like the feature in question. That is, I understand why they decided to treat files the way they do.
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.