Free Republic
Browse · Search
News/Activism
Topics · Post Article

Skip to comments.

Microsoft To Plug Devastating Browser Download Hole
Newsbytes ^ | 12/12/2001 | Brian McWilliams

Posted on 12/11/2001 9:11:38 PM PST by toupsie

  Microsoft To Plug Devastating Browser Download Hole

By Brian McWilliams, Newsbytes
REDMOND, WASHINGTON, U.S.A.,

11 Dec 2001, 1:09 PM CST Microsoft [NASDAQ:MSFT] will patch a flaw in its Web browser that could allow an attacker to silently download and execute malicious programs on the computers of users who view a specially constructed Web page or e-mail message.

The patch for Internet Explorer (IE) is currently in testing and could be released soon, according to Jouko Pynnonen, a security researcher with Finland's Oy Online Solutions. Pynnonen reported the IE vulnerability to Microsoft on Nov. 19 and recently tested the software fix at the company's request.

The vulnerability affects IE for Windows versions 5, 5.5, and 6, said Pynnonen. Citing the severity of the flaw, he refused to release technical details about the method he found for bypassing the browser's system for securely handling downloaded files.

A Microsoft spokesperson said the company does not currently have any information to share on the issue and declined to discuss the status of the browser patch.

By design, IE should warn users when they attempt to download and open an executable file. But as a result of the security flaw, a malicious Web site could "relatively easily and unnoticeably ... spread virii, install DDoS zombies or backdoors, format hard disks, and so on," wrote Pynnonen in an advisory posted Nov. 26 to Bugtraq, a mailing list for security experts.

Pynnonen revealed that the bug lies in IE's processing of Internet addresses and "header" information that tells the browser what type of file it is handling. The flaw is particularly dangerous because it can be exploited using ordinary Web page code, without help from JavaScript or other scripting programs, he said.

Oy Online Solutions offered to demonstrate the flaw at a private Web site only if recipients of the demo signed an agreement not to disclose information about the exploit.

Chris Wysopal, director of research and development for AtStake, a security consulting firm, characterized the IE download flaw as "a very serious problem" and potentially one of the most severe ever to affect the browser.

However, to exploit the vulnerability, "attackers would probably need control of a Web server so that they could control the information sent in the HTTP header," Wysopal said. As a result, attacks could be traced to the malicious site.

According to Pynnonen, the vulnerability also may affect users of Microsoft's Outlook and Outlook Express e-mail readers, which rely on IE to display messages in Web-page or HTML format. Qualcomm's Eudora e-mail reader, which optionally uses IE for HTML display, could also be vulnerable, he said.

Until the patch is available from Microsoft, Pynnonen said concerned users can temporarily disable IE's ability to download files. To do so, users should select Internet Options from the Tools menu. Then select the Security tab and click on Custom Level. Scroll down to the listing for Downloads and disable file downloads.

Pynnonen's initial advisory on the flaw did not describe the automatic downloading vulnerability and was concerned instead with the browser's failure to properly differentiate between file types.

A subsequent message sent to Microsoft and Bugtraq Nov. 28 described the more serious issues but was not published on Bugtraq by joint agreement between Pynnonen and the list's moderator, the security researcher said.

Microsoft initially denied that the ability to "spoof" file types in IE represented a security vulnerability, but the company later changed its position, according to Pynnonen.

Last month Microsoft patched a security flaw in IE's handling of browser cookie files after Pynnonen reported the vulnerability to the company.

Pynnonen's original report on the IE download spoofing flaw is at http://www.solutions.fi/index.cgi/news_2001_11_26?lang=eng

Microsoft security information site is at http://www.microsoft.com/technet/security/default.asp

Reported by Newsbytes, http://www.newsbytes.com .

13:09 CST
Reposted 13:33 CST

(20011211/WIRES ONLINE, LEGAL, PC/HOLE/PHOTO)


TOPICS: Breaking News; News/Current Events
KEYWORDS:
Navigation: use the links below to view more comments.
first previous 1-2021-4041-6061-80 ... 261-269 next last
To: D-fendr
Oh I missunderstood. My apologies! Its the hackers that find the holes and use trojans to nail people. Some of what I install defends against those. I agree. Wish the browser did all that for you!!
41 posted on 12/11/2001 11:33:42 PM PST by RadioAstronomer
[ Post Reply | Private Reply | To 39 | View Replies]

To: RadioAstronomer
Of course those who choose to do harm with the tools are responsible. But there is also a minimal level of due diligence required of the tool makers.

Pimply-faced amateur script kiddies can blow things up. This is not a viable scheme. Folks are walking out of stores with boxes of dynamite and your average teenager in the Phillipines can light the fuses.

Here's the very least I think should happen: Out of the box, the browser and operating system have all doors closed and scripting, executable documents disabled. Granny gets a very secure and safe box that does very basic stuff.

From there, it should require technical knowledge to use the dangerous functions. And everyone who thinks they want to try it should be warned of the risk and notified of the proper procedure.

That's at the very very least.

42 posted on 12/11/2001 11:50:32 PM PST by D-fendr
[ Post Reply | Private Reply | To 41 | View Replies]

To: jennyp
I understand the appeal of the functionality, but… I should have also addressed my previous post to you.
43 posted on 12/11/2001 11:52:22 PM PST by D-fendr
[ Post Reply | Private Reply | To 40 | View Replies]

To: D-fendr
I agree completely, however, most users of windows have port 139 wide open for any hacker unless they are running a firewall, and most of those do not defend against trojans and/or bot scripts. People also download without realizing it tiny scripts than send data about your habits and the software installed back to the originator. I think most people would be amazed if they ran ad-aware just how much "spyware" is on their computer.
44 posted on 12/11/2001 11:54:55 PM PST by RadioAstronomer
[ Post Reply | Private Reply | To 42 | View Replies]

To: jennyp
You can download just about any trojan you want from many places on the web should you desire one.
45 posted on 12/11/2001 11:56:35 PM PST by RadioAstronomer
[ Post Reply | Private Reply | To 40 | View Replies]

To: toupsie
Get a Mac (as you said), and use iCab as your browser.

Best internet program I have used to date.

46 posted on 12/12/2001 2:18:51 AM PST by Hugh Akston
[ Post Reply | Private Reply | To 1 | View Replies]

To: Mid-MI Student
Bump for later reading.
47 posted on 12/12/2001 2:36:57 AM PST by WyldKard
[ Post Reply | Private Reply | To 2 | View Replies]

To: RadioAstronomer
Do you wear a belt and suspenders too? :-)
48 posted on 12/12/2001 2:56:11 AM PST by alley cat
[ Post Reply | Private Reply | To 7 | View Replies]

To: alley cat
Ok you got me. I am dense at 5:00 after 11 hours :) Did not get the joke! LOL!!! Sigh!
49 posted on 12/12/2001 3:11:00 AM PST by RadioAstronomer
[ Post Reply | Private Reply | To 48 | View Replies]

To: RadioAstronomer
Naw, just run AnalogX Script defender, A good firewall, realtime Trojan/bot detector, realtime virus detector, and a good spyware blocker. I run all of those as I surf and download. Doesn't slow me down at all and my computer is better protected for it also. p.s. This is even behind a hrdware firewall box.

firewall, bot detector, virus detector, spyware blocker, AND hardware firewall box! Whew!!

Belt AND suspenders, just to make extra sure pants don't fall down. It is an old joke, guess I am showing my age...

50 posted on 12/12/2001 3:16:17 AM PST by alley cat
[ Post Reply | Private Reply | To 49 | View Replies]

To: toupsie
extremely vague description ... publicity seeking?
51 posted on 12/12/2001 3:16:59 AM PST by fnord
[ Post Reply | Private Reply | To 1 | View Replies]

To: alley cat
LOL!! Got it. Boy, am I dense; and I "fly" satellites and run a radio telescope! ROFL!!!
52 posted on 12/12/2001 3:19:36 AM PST by RadioAstronomer
[ Post Reply | Private Reply | To 50 | View Replies]

To: RadioAstronomer
Do us all a favor: Point them satellites and telescopes at Osama and tell us where he's at so's we can drop one of them big daisy cutters on him!
53 posted on 12/12/2001 3:26:22 AM PST by alley cat
[ Post Reply | Private Reply | To 52 | View Replies]

To: toupsie
So you're saying that MS based virii won't run on high-dollar Macs?

Probably true, but it also means that Mac virii won't run on Windows. Seems logical ...

54 posted on 12/12/2001 3:29:04 AM PST by fnord
[ Post Reply | Private Reply | To 1 | View Replies]

To: Noxxus
Switch to Linux...

Ha. Tried that, and threw it in the trash (bit bucket). I will have to buy a new PC before I will be able to run Linux and have functioning sound, modem, and a decent looking display. So much for Linux being cheap!! And, don't believe the hype about Linux never crashing. I've seen Linux lock up a machine as effectively as Windows ever could.

55 posted on 12/12/2001 3:33:49 AM PST by Fresh Wind
[ Post Reply | Private Reply | To 4 | View Replies]

To: toupsie
Or you could save your investment in Intel hardware and go with Linux

Linux runs on Intel processors and has for a long time, and if you do any sort of search on the web, you will find more Unix exploits for the script kiddies than you can shake a stick at. No operating system is hacker proof unless it is completely isolated from the outside world. Even Macs. The only reason Macs don't get hacked so much is that hackers generally hack servers, which are almost always either MS or Unix based. Apple has virtually no presence in the sever world (and yes, I was a Mac evangelist for years as I watched Apple squander every single marketing edge it had through utter, complete corporate stupidity. Now they've become a Unix box after years of inability to get a revamped Mac OS out the door. Not exactly sterling credentials there. But yeah, Macs look cool and heck, Gates never managed to get Ridley Scott to do a Windows commercial, so Apple gets points for that.)

56 posted on 12/12/2001 3:41:33 AM PST by RogueIsland
[ Post Reply | Private Reply | To 1 | View Replies]

To: ikka
zing!
57 posted on 12/12/2001 3:43:58 AM PST by bwteim
[ Post Reply | Private Reply | To 32 | View Replies]

Anyone got an opinion of Black Ice for Networks? I'm in way over my head with this hacker crap. Is it too much to ask to do secure banking online?
58 posted on 12/12/2001 3:57:02 AM PST by Ragin1
[ Post Reply | Private Reply | To 57 | View Replies]

To: hogwaller
bummer.can't post with lynx.

Huh? Just for the heck of it, I just posted this with lynx.

Seems to work.

59 posted on 12/12/2001 4:20:36 AM PST by B Knotts
[ Post Reply | Private Reply | To 17 | View Replies]

To: alley cat
ROFL! :)
60 posted on 12/12/2001 4:24:51 AM PST by RadioAstronomer
[ Post Reply | Private Reply | To 53 | View Replies]


Navigation: use the links below to view more comments.
first previous 1-2021-4041-6061-80 ... 261-269 next last

Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.

Free Republic
Browse · Search
News/Activism
Topics · Post Article

FreeRepublic, LLC, PO BOX 9771, FRESNO, CA 93794
FreeRepublic.com is powered by software copyright 2000-2008 John Robinson