Free Republic

Microsoft To Plug Devastating Browser Download Hole
Newsbytes ^ | 12/12/2001 | Brian McWilliams

Posted on 12/11/2001 9:11:38 PM PST by toupsie

By Brian McWilliams, Newsbytes
REDMOND, WASHINGTON, U.S.A., 11 Dec 2001, 1:09 PM CST

Microsoft [NASDAQ:MSFT] will patch a flaw in its Web browser that could allow an attacker to silently download and execute malicious programs on the computers of users who view a specially constructed Web page or e-mail message.

The patch for Internet Explorer (IE) is currently in testing and could be released soon, according to Jouko Pynnonen, a security researcher with Finland's Oy Online Solutions. Pynnonen reported the IE vulnerability to Microsoft on Nov. 19 and recently tested the software fix at the company's request.

The vulnerability affects IE for Windows versions 5, 5.5, and 6, said Pynnonen. Citing the severity of the flaw, he refused to release technical details about the method he found for bypassing the browser's system for securely handling downloaded files.

A Microsoft spokesperson said the company does not currently have any information to share on the issue and declined to discuss the status of the browser patch.

By design, IE should warn users when they attempt to download and open an executable file. But as a result of the security flaw, a malicious Web site could "relatively easily and unnoticeably ... spread virii, install DDoS zombies or backdoors, format hard disks, and so on," wrote Pynnonen in an advisory posted Nov. 26 to Bugtraq, a mailing list for security experts.

Pynnonen revealed that the bug lies in IE's processing of Internet addresses and "header" information that tells the browser what type of file it is handling. The flaw is particularly dangerous because it can be exploited using ordinary Web page code, without help from JavaScript or other scripting programs, he said.

Oy Online Solutions offered to demonstrate the flaw at a private Web site only if recipients of the demo signed an agreement not to disclose information about the exploit.

Chris Wysopal, director of research and development for AtStake, a security consulting firm, characterized the IE download flaw as "a very serious problem" and potentially one of the most severe ever to affect the browser.

However, to exploit the vulnerability, "attackers would probably need control of a Web server so that they could control the information sent in the HTTP header," Wysopal said. As a result, attacks could be traced to the malicious site.

According to Pynnonen, the vulnerability also may affect users of Microsoft's Outlook and Outlook Express e-mail readers, which rely on IE to display messages in Web-page or HTML format. Qualcomm's Eudora e-mail reader, which optionally uses IE for HTML display, could also be vulnerable, he said.

Until the patch is available from Microsoft, Pynnonen said concerned users can temporarily disable IE's ability to download files. To do so, users should select Internet Options from the Tools menu. Then select the Security tab and click on Custom Level. Scroll down to the listing for Downloads and disable file downloads.

Pynnonen's initial advisory on the flaw did not describe the automatic downloading vulnerability and was concerned instead with the browser's failure to properly differentiate between file types.

A subsequent message sent to Microsoft and Bugtraq Nov. 28 described the more serious issues but was not published on Bugtraq by joint agreement between Pynnonen and the list's moderator, the security researcher said.

Microsoft initially denied that the ability to "spoof" file types in IE represented a security vulnerability, but the company later changed its position, according to Pynnonen.

Last month Microsoft patched a security flaw in IE's handling of browser cookie files after Pynnonen reported the vulnerability to the company.

Pynnonen's original report on the IE download spoofing flaw is at http://www.solutions.fi/index.cgi/news_2001_11_26?lang=eng

Microsoft security information site is at http://www.microsoft.com/technet/security/default.asp

Reported by Newsbytes, http://www.newsbytes.com .

13:09 CST
Reposted 13:33 CST

(20011211/WIRES ONLINE, LEGAL, PC/HOLE/PHOTO)


TOPICS: Breaking News; News/Current Events
Comment #61 Removed by Moderator

To: hogwaller
Uh, oh. I offended someone's sacred cow.
62 posted on 12/12/2001 4:50:59 AM PST by Fresh Wind
[ Post Reply | Private Reply | To 61 | View Replies]

To: Dominic Harr
Just a few years ago, IE had the nice ability to open programs without the warning message, if you knew the path. (i.e. notepad, calc, etc). I thought it was great! I set up an intranet site that had links that allowed my clients to open applications (including ones that I wrote), that were on their machine or the network.

All fine and good, until someone out in the real world started screaming nah, nah, I found a security bug in IE, nah, nah...

MS then released the patch that brings up the warning message and then put it into their future products. bummer. A great feature gone because of destructive piles of crap that call themselves "hackers."

I would like for MS to put the option of warning then trusting local apps that can be opened from at least intranet zones.
63 posted on 12/12/2001 5:01:26 AM PST by FreeAtlanta
[ Post Reply | Private Reply | To 18 | View Replies]

To: awestk
I read something a while back about a company microsoft acquired that ran on open systems. They kept it that way rather than hose it up by migrating to MS products.
64 posted on 12/12/2001 5:05:25 AM PST by stainlessbanner
[ Post Reply | Private Reply | To 21 | View Replies]

To: Dominic Harr
Which do you think it was? On purpose, or pure accident?

I'd say option 1, 'on purpose' (like a secret back door that the world found out).

65 posted on 12/12/2001 5:14:23 AM PST by Petronski
[ Post Reply | Private Reply | To 18 | View Replies]

To: Bush2000
I can't use a Mac. I'm heterosexual.

That's the funniest line I've seen in the Apple/Windows war. I think I'll steal it.

The funniest part of it is - it has some foundation in truth. Graphic artists, interior designers, apparel designers - all overwhelmingly use Macs, because they have better software for these applications.

66 posted on 12/12/2001 5:15:29 AM PST by MrB
[ Post Reply | Private Reply | To 9 | View Replies]

To: dandelion
Agreed.

Use Linux.

Microsoft is famous for producing swiss cheese.

I have Linux machines behind a Linksys Cable/DSL router, using ip masquerading (aka Network Address Translation).

External requesters don't get past the router, the machines have ip addresses that can't be seen on the internet. The public ip address belongs to the router, not any of my computers so the external requesters cannot find my machines.

In the US you can get a 4 port Cable/DSL router for less than $100 and they are excellent insurance against intruders, even if you only have one machine.

Of course, routers don't protect against email attacks as your email program invites the malicious software in as attachments. The answer to this problem is to use the Linux operating system as the script kiddies that write the malicious attachments are taking advantage of "features" built into the Microsoft mail software and the holes in the Microsoft operating system.

As I said, Microsoft makes swiss cheese.

67 posted on 12/12/2001 5:23:11 AM PST by Clive
[ Post Reply | Private Reply | To 6 | View Replies]

Comment #68 Removed by Moderator

To: Dominic Harr
See this - Reuters - December 11, 2001 - Antivirus Firms Say They Won't Create FBI Loophole
69 posted on 12/12/2001 5:57:49 AM PST by HAL9000
[ Post Reply | Private Reply | To 18 | View Replies]

To: D-fendr
"We have a near monopoly supplier of tools that are not safe to use for the mass of consumers."

I think this points to the fundamental misunderstanding ... We have a near monopoly supplier that provides tools which are safe enough for the mass of consumers and provide them with the myriad of features that the mass of consumers like. The sophisticated users and critical data people need to take more care. If the mass of consumers were really put out by windows problems, they would go elsewhere. They are not, because elsewhere entails that they become sophisticated users.
70 posted on 12/12/2001 5:58:23 AM PST by gjenkins
[ Post Reply | Private Reply | To 39 | View Replies]

Comment #71 Removed by Moderator

Comment #72 Removed by Moderator

To: All
Will get my links posted and freep mailed this afternoon. I am just too tired to complete it this morning. Sigh! See what happens when you work all night. LOL!!!
73 posted on 12/12/2001 6:09:47 AM PST by RadioAstronomer
[ Post Reply | Private Reply | To 72 | View Replies]

To: All
Here is a site that has a vast amount of information:

http://www.wilders.org/

I will post my links and software selections this afternoon still. :)

74 posted on 12/12/2001 6:17:08 AM PST by RadioAstronomer
[ Post Reply | Private Reply | To 73 | View Replies]

To: Bush2000
I can't use a Mac. I'm heterosexual.

Could have fooled me as often as Windows Users have to take in the rear end because of their operating system's poor security.

75 posted on 12/12/2001 6:17:24 AM PST by toupsie
[ Post Reply | Private Reply | To 9 | View Replies]

To: hogwaller
one box had an uptime of 13 months

My linux firewall had over a year on it before I changed it out for another machine. I'm sitting next to a Sun server that was up over 550 days without a hiccup before we had to unplug it to move it. I pretty much like the reliability of all the *nixes.

/john

76 posted on 12/12/2001 6:17:55 AM PST by JRandomFreeper
[ Post Reply | Private Reply | To 71 | View Replies]

To: toupsie
Unless I am reading this wrong, there is some hype going on here. The information in the article (Newsbytes) does not match up with what is on the actual web site of the person who found this "devastating" security hole.

Here is what the Newsbytes article says:

Microsoft [NASDAQ:MSFT] will patch a flaw in its Web browser that could allow an attacker to silently download and execute malicious programs on the computers of users who view a specially constructed Web page or e-mail message.

But when you go to the web site that describes the bug, it says this:

A piece of HTML can be used to cause a normal download dialog to pop up. The dialog would prompt the user to choose whether he/she wants to "open this file from its current location" or "save this file to disk". The file name and extension may be anything the malicious website administrator (or a user having access there) wishes, e.g. README.TXT, index.html, or sample.wav. If the user chooses the first alternative, "open the file from its current location", an .EXE application is actually run without any further dialogs.

So, the article says that the attacker can "silently download and execute malicious programs" - that's not true. The web site it references says that IE will first pop up a dialog and ask you whether you want to open the download or save it to disk. It's not silent - it asks first.

If you are a fool, and choose to open the download without examining what you downloaded first, you get bit.

The real bug is that it apparently displays a spoofed filename in the dialog. But it doesn't silently download anything as the article says - am I reading this wrong?

77 posted on 12/12/2001 6:20:08 AM PST by Mannaggia l'America
[ Post Reply | Private Reply | To 1 | View Replies]

To: toupsie
Macs are for wienies !!
78 posted on 12/12/2001 6:21:50 AM PST by aspiring.hillbilly
[ Post Reply | Private Reply | To 1 | View Replies]

To: toupsie
I've got MacOS 9.1 and Opera at home, and Linux with Konqueror at work.

If you buy products from a vertical trust, you can expect low quality products.

I am proud that the rock-ribbed Republican State of Kansas of which I am a resident is still pursuing the break-up or at least severe legal restraint of Microsoft. I suggest that all lovers of the free market read the history of the trusts, and observe that Microsoft, like the trusts of the 19th century, could not have obtained its dominant market position nor pursued its vertical trust strategy without use of state power: gov't standardization, extreme applications of intellectual property law,...

For those who do not think MS is a trust, I suggest studying the Guggenheims' business strategy, not the Rockefellers'. MS is a vertical trust like the Guggenheims' metals business, not a horizontal trust like Standard Oil.

79 posted on 12/12/2001 6:24:31 AM PST by The_Reader_David
[ Post Reply | Private Reply | To 1 | View Replies]

To: hogwaller
People don't like change. In addition, as a Software Engineer, I can literally waste all of my time doing sys-admin.
80 posted on 12/12/2001 6:32:09 AM PST by gjenkins
[ Post Reply | Private Reply | To 72 | View Replies]

