Microsoft To Plug Devastating Browser Download Hole
Newsbytes | 12/12/2001 | Brian McWilliams

Posted on 12/11/2001 9:11:38 PM PST by toupsie

By Brian McWilliams, Newsbytes
REDMOND, WASHINGTON, U.S.A., 11 Dec 2001, 1:09 PM CST

Microsoft [NASDAQ:MSFT] will patch a flaw in its Web browser that could allow an attacker to silently download and execute malicious programs on the computers of users who view a specially constructed Web page or e-mail message.

The patch for Internet Explorer (IE) is currently in testing and could be released soon, according to Jouko Pynnonen, a security researcher with Finland's Oy Online Solutions. Pynnonen reported the IE vulnerability to Microsoft on Nov. 19 and recently tested the software fix at the company's request.

The vulnerability affects IE for Windows versions 5, 5.5, and 6, said Pynnonen. Citing the severity of the flaw, he refused to release technical details about the method he found for bypassing the browser's system for securely handling downloaded files.

A Microsoft spokesperson said the company does not currently have any information to share on the issue and declined to discuss the status of the browser patch.

By design, IE should warn users when they attempt to download and open an executable file. But as a result of the security flaw, a malicious Web site could "relatively easily and unnoticeably ... spread virii, install DDoS zombies or backdoors, format hard disks, and so on," wrote Pynnonen in an advisory posted Nov. 26 to Bugtraq, a mailing list for security experts.

Pynnonen revealed that the bug lies in IE's processing of Internet addresses and "header" information that tells the browser what type of file it is handling. The flaw is particularly dangerous because it can be exploited using ordinary Web page code, without help from JavaScript or other scripting programs, he said.

Oy Online Solutions offered to demonstrate the flaw at a private Web site only if recipients of the demo signed an agreement not to disclose information about the exploit.

Chris Wysopal, director of research and development for AtStake, a security consulting firm, characterized the IE download flaw as "a very serious problem" and potentially one of the most severe ever to affect the browser.

However, to exploit the vulnerability, "attackers would probably need control of a Web server so that they could control the information sent in the HTTP header," Wysopal said. As a result, attacks could be traced to the malicious site.

According to Pynnonen, the vulnerability also may affect users of Microsoft's Outlook and Outlook Express e-mail readers, which rely on IE to display messages in Web-page or HTML format. Qualcomm's Eudora e-mail reader, which optionally uses IE for HTML display, could also be vulnerable, he said.

Until the patch is available from Microsoft, Pynnonen said concerned users can temporarily disable IE's ability to download files. To do so, users should select Internet Options from the Tools menu. Then select the Security tab and click on Custom Level. Scroll down to the listing for Downloads and disable file downloads.

Pynnonen's initial advisory on the flaw did not describe the automatic downloading vulnerability and was concerned instead with the browser's failure to properly differentiate between file types.

A subsequent message sent to Microsoft and Bugtraq Nov. 28 described the more serious issues but was not published on Bugtraq by joint agreement between Pynnonen and the list's moderator, the security researcher said.

Microsoft initially denied that the ability to "spoof" file types in IE represented a security vulnerability, but the company later changed its position, according to Pynnonen.

Last month Microsoft patched a security flaw in IE's handling of browser cookie files after Pynnonen reported the vulnerability to the company.

Pynnonen's original report on the IE download spoofing flaw is at http://www.solutions.fi/index.cgi/news_2001_11_26?lang=eng

Microsoft's security information site is at http://www.microsoft.com/technet/security/default.asp

Reported by Newsbytes, http://www.newsbytes.com.

TOPICS: Breaking News; News/Current Events
To: Texaggie79
Actually, to stick up for Microsoft, its warez are yacked disproportionately; probably 95% of those hacking out there zero in on MS products, so no wonder bugs are found. I wonder what would happen to Netscape or Linux if 95% of the hackers were to go to work against them?
81 posted on 12/12/2001 6:36:27 AM PST by paulsy

To: HAL9000
You guys are funny. Linux is great if all you want to use your computer for is surfing the web or typing a memo. Oh, yeah, or add things up on a calculator. As for security... If you're dumb enough to run unknown email attachments, etc., well... then you deserve what you get. Netscape 4.x is old and tired and 6.x is the buggiest software ever written.
82 posted on 12/12/2001 6:40:00 AM PST by rivercat

To: Bush2000
I can't use a Mac. I'm heterosexual.

I don't believe all Mac users are gay, but the company has repeatedly promoted rainbow causes and has wormed its way into (mostly public) schools.

Microsoft, for all its flaws, is the archetype for entrepreneurial capitalism. None of its wealth is derived from the activities of lobbyists, special favors from government, or inherited wealth.

Regardless of its relative quality, it exists for the simple reason that it has provided what the marketplace wants.

83 posted on 12/12/2001 6:42:42 AM PST by js1138

To: hogwaller
In what way do you find FreeBSD to be superior?

IMHO, Linux and FreeBSD both have their strong, and weak, points.

Linux has better multiprocessor support, and with the XFS patch, has access to a much better filesystem than UFS. RPM sucks compared to ports, but that's a distribution-related issue. Debian has deb, which is as good as ports, if not better. iptables absolutely rocks, giving Linux a very flexible stateful firewalling tool.

Plus, I'm a SysV kind of guy. I think I'm still biased against anything BSD-ish because of my experiences with SunOS 4.x.

84 posted on 12/12/2001 6:42:53 AM PST by B Knotts

To: js1138
I don't believe all Mac users are gay, but the company has repeatedly promoted rainbow causes and has wormed its way into (mostly public) schools.

http://www.salon.com/21st/feature/1998/01/cov_29feature.html

In 1997, Bill Gates contributed $35,000 in support of a Washington state ballot initiative supporting gun control. In 1993, he ponied up $80,000 to fight a conservative initiative seeking to roll back state taxes. And ever since 1994, the William H. Gates III Foundation, Bill's private philanthropic funnel, has been busy channeling millions to groups that specialize in "reproductive health and family planning."

85 posted on 12/12/2001 6:45:17 AM PST by B Knotts

To: dcam
Linux is great if all you want to use your computer for is surfing the web or typing a memo

I also open and modify Word documents, WordPerfect documents, Excel spreadsheets, and run a web server with a SQL back end for a database. I also develop code for PalmOS devices on my Linux box. Linux is useful for more than surfing the web.

/john

86 posted on 12/12/2001 6:45:40 AM PST by JRandomFreeper

To: alley cat
"Naw, just run AnalogX Script defender"

Thank you, I just set it up on my system. Very easy, one-minute install, and it works (you have to remember to go to the Program_Files/AnalogX/Script_Defender/ directory after installing it, to complete installation by launching the sdefend application and testing it with "test").

you can go here to download it, small program:
http://www.analogx.com/contents/download/system/sdefend.htm

87 posted on 12/12/2001 6:50:16 AM PST by paulsy

To: dcam
Linux is great if all you want to use your computer for is surfing the web or typing a memo.

Actually, that's more like what I would say about Windows. Windows is great if all you want to do with your computer is play games.

88 posted on 12/12/2001 6:52:06 AM PST by B Knotts

Comment #89 Removed by Moderator

To: kd5cts
"my linux box. Linux is useful for more than surfing the web"

Uh oh, geek warz, they've started on freerepublic! Run! Run code run! Pleeeaaase!

90 posted on 12/12/2001 6:52:58 AM PST by paulsy

To: The_Reader_David
Linux with Konqueror at work.

I wonder how many of us Konqueror users there are on FR.

I really like Konqueror; it just gets better all the time.

91 posted on 12/12/2001 6:55:15 AM PST by B Knotts

To: toupsie
a malicious Web site could "relatively easily and unnoticeably ... spread virii

It's bad enough when the geeks start making up words, but when the "journalists" start printing their silly improper slang as if it were correct, it drives me nuts.

92 posted on 12/12/2001 6:56:10 AM PST by Atlas Sneezed

To: B Knotts
That's happened as a result of the federal lawsuit, which in turn is the result of a bunch of ineptly led companies ganging up on Microsoft. One of which is Oracle, which is now gifting us with the technology for a national ID card.

Apple, from the beginning, has been a leftish company in every respect.

93 posted on 12/12/2001 6:56:51 AM PST by js1138

Comment #94 Removed by Moderator

To: js1138
That's pure revisionism. Bill Gates is a liberal. You may not like that fact, but it's true. Apple is probably pretty liberal, too. I don't use products from either of them, myself.
95 posted on 12/12/2001 6:59:54 AM PST by B Knotts

Comment #96 Removed by Moderator

To: Dominic Harr
1. thought it would be a good idea to allow the browser to execute code on the client without the user's knowledge, or 2. didn't realize that their code would allow the browser to execute code on the client without the user's knowledge.

Both!!! Remember their motto, "Windows ain't done till Lotus don't run!" Programmers at Microsoft remind me of elitists; they think users out there are very dumb. Can you blame them?? They also walk around their 'campus' proudly wearing barcodes on T-shirts with 'Microsoft Asset' emblazoned on them.

97 posted on 12/12/2001 7:01:01 AM PST by thirst4truth

To: js1138
I don't believe all Mac users are gay, but the company has repeatedly promoted rainbow causes and has wormed its way into (mostly public) schools.

You are aware that Apple was pretty much forced to stop using the multicolored apple logos because they resembled a rainbow?

98 posted on 12/12/2001 7:06:22 AM PST by Mid-MI Student

To: Bush2000
I can't use a Mac. I'm heterosexual.

I want a girlfriend who is a Mac user.

99 posted on 12/12/2001 7:09:08 AM PST by Mid-MI Student

To: ikka
I saw post #9.

And this on a thread entitled: "Microsoft To Plug Devastating Browser Download Hole." There are at least five double-entendres there, starting with the company name being synonymous with the words 'small' and 'limp.'

Rhetorically speaking, they're in no position (ahem!) to be making cracks (ahem!) about other people's sex lives.

100 posted on 12/12/2001 7:12:32 AM PST by JoeSchem
