Posted on 12/11/2001 9:11:38 PM PST by toupsie
![]() |
Microsoft To Plug Devastating Browser Download Hole |
By Brian McWilliams, Newsbytes The patch for Internet Explorer (IE) is currently in testing and could be released soon, according to Jouko Pynnonen, a security researcher with Finland's Oy Online Solutions. Pynnonen reported the IE vulnerability to Microsoft on Nov. 19 and recently tested the software fix at the company's request. The vulnerability affects IE for Windows versions 5, 5.5, and 6, said Pynnonen. Citing the severity of the flaw, he refused to release technical details about the method he found for bypassing the browser's system for securely handling downloaded files. A Microsoft spokesperson said the company does not currently have any information to share on the issue and declined to discuss the status of the browser patch. By design, IE should warn users when they attempt to download and open an executable file. But as a result of the security flaw, a malicious Web site could "relatively easily and unnoticeably ... spread virii, install DDoS zombies or backdoors, format hard disks, and so on," wrote Pynnonen in an advisory posted Nov. 26 to Bugtraq, a mailing list for security experts. Pynnonen revealed that the bug lies in IE's processing of Internet addresses and "header" information that tells the browser what type of file it is handling. The flaw is particularly dangerous because it can be exploited using ordinary Web page code, without help from JavaScript or other scripting programs, he said. Oy Online Solutions offered to demonstrate the flaw at a private Web site only if recipients of the demo signed an agreement not to disclose information about the exploit. Chris Wysopal, director of research and development for AtStake, a security consulting firm, characterized the IE download flaw as "a very serious problem" and potentially one of the most severe ever to affect the browser. However, to exploit the vulnerability, "attackers would probably need control of a Web server so that they could control the information sent in the HTTP header," Wysopal said. As a result, attacks could be traced to the malicious site. According to Pynnonen, the vulnerability also may affect users of Microsoft's Outlook and Outlook Express e-mail readers, which rely on IE to display messages in Web-page or HTML format. Qualcomm's Eudora e-mail reader, which optionally uses IE for HTML display, could also be vulnerable, he said. Until the patch is available from Microsoft, Pynnonen said concerned users can temporarily disable IE's ability to download files. To do so, users should select Internet Options from the Tools menu. Then select the Security tab and click on Custom Level. Scroll down to the listing for Downloads and disable file downloads. Pynnonen's initial advisory on the flaw did not describe the automatic downloading vulnerability and was concerned instead with the browser's failure to properly differentiate between file types. A subsequent message sent to Microsoft and Bugtraq Nov. 28 described the more serious issues but was not published on Bugtraq by joint agreement between Pynnonen and the list's moderator, the security researcher said. Microsoft initially denied that the ability to "spoof" file types in IE represented a security vulnerability, but the company later changed its position, according to Pynnonen. Last month Microsoft patched a security flaw in IE's handling of browser cookie files after Pynnonen reported the vulnerability to the company. Pynnonen's original report on the IE download spoofing flaw is at http://www.solutions.fi/index.cgi/news_2001_11_26?lang=eng Microsoft security information site is at http://www.microsoft.com/technet/security/default.asp Reported by Newsbytes, http://www.newsbytes.com . 13:09 CST (20011211/WIRES ONLINE, LEGAL, PC/HOLE/PHOTO)
REDMOND, WASHINGTON, U.S.A.,
11 Dec 2001, 1:09 PM CST Microsoft [NASDAQ:MSFT] will patch a flaw in its Web browser that could allow an attacker to silently download and execute malicious programs on the computers of users who view a specially constructed Web page or e-mail message.
Reposted 13:33 CST
Pimply-faced amateur script kiddies can blow things up. This is not a viable scheme. Folks are walking out of stores with boxes of dynamite and your average teenager in the Phillipines can light the fuses.
Here's the very least I think should happen: Out of the box, the browser and operating system have all doors closed and scripting, executable documents disabled. Granny gets a very secure and safe box that does very basic stuff.
From there, it should require technical knowledge to use the dangerous functions. And everyone who thinks they want to try it should be warned of the risk and notified of the proper procedure.
That's at the very very least.
Best internet program I have used to date.
firewall, bot detector, virus detector, spyware blocker, AND hardware firewall box! Whew!!
Belt AND suspenders, just to make extra sure pants don't fall down. It is an old joke, guess I am showing my age...
Probably true, but it also means that Mac virii won't run on Windows. Seems logical ...
Ha. Tried that, and threw it in the trash (bit bucket). I will have to buy a new PC before I will be able to run Linux and have functioning sound, modem, and a decent looking display. So much for Linux being cheap!! And, don't believe the hype about Linux never crashing. I've seen Linux lock up a machine as effectively as Windows ever could.
Linux runs on Intel processors and has for a long time, and if you do any sort of search on the web, you will find more Unix exploits for the script kiddies than you can shake a stick at. No operating system is hacker proof unless it is completely isolated from the outside world. Even Macs. The only reason Macs don't get hacked so much is that hackers generally hack servers, which are almost always either MS or Unix based. Apple has virtually no presence in the sever world (and yes, I was a Mac evangelist for years as I watched Apple squander every single marketing edge it had through utter, complete corporate stupidity. Now they've become a Unix box after years of inability to get a revamped Mac OS out the door. Not exactly sterling credentials there. But yeah, Macs look cool and heck, Gates never managed to get Ridley Scott to do a Windows commercial, so Apple gets points for that.)
Huh? Just for the heck of it, I just posted this with lynx.
Seems to work.
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.