Posted on 06/05/2002 8:53:25 AM PDT by rit
REDMOND, Wash. (AP) -- A security flaw in Microsoft's Internet Explorer browser could allow a hacker to take control of a remote computer if its user clicks a link to an outdated Internet protocol, a computer security firm says.
Oy Online Solutions Ltd. of Finland said it notified Microsoft Corp. of the security hole on May 20 but the software giant has yet to produce a software patch to fix the problem, the Toronto Star reported Tuesday.
A Microsoft spokesman who refused to be identified said Tuesday that the company is "moving forward on the investigation with all due speed" and will take the action that best serves its customers.
The problem concerns Gopher, an Internet protocol that predates the World Wide Web, with pages like Web pages except that they are unable to store audio and video content.
Although Gopher is considered an outdated format for Internet content, it is still supported by Internet Explorer and most other browsers.
According to Oy Online, a hacker could take over a user's computer simply by having the user click on a link to a "hostile Gopher site." That one click would install and run any program the hacker chose on the victim's computer, and the victim might never know.
"The program could, for example, delete information from the computer or collect information and send it out from the computer," Oy Online said in a release. "(It) could also install a so-called backdoor (program) that would enable the hostile attacker to access the computer later."
All versions of Internet Explorer are believed to be vulnerable, the Star reported.
Refusing to confirm the security flaw, the Microsoft spokesman said the company "feel(s) strongly that speculating on the issue while the investigation is in progress would be irresponsible and counterproductive to our goal of protecting our customers' information."
And the spokesman added, "Responsible security researchers work with the vendor of a suspected vulnerability issue to ensure that countermeasures are developed before the issue is made public and customers are needlessly put at risk."
After being embarrassed on an almost regular basis by security flaws in its products -- including a debilitating problem found in its latest Windows XP operating system just days after its release -- Microsoft began a companywide training program on security issues earlier this year.
In January, Microsoft Chairman Bill Gates instructed employees to make software security a top priority.
They also say that you are better off sending your kids to an MCSE course, rather than college.
Nitwits.
If there was a hypothetical buffer overflow in my code, I could fix it within an hour and if I had an exploit available I could release a verified fix within a day, tops.
Besides, let's get real for a moment - you install such open-source patches solely at your own risk. About all you can assume is that the patch-writer got it to compile and run on his system without obviously barfing right off the bat - if it was produced three hours after the bug was reported, you know it didn't undergo much (any) testing for safety and security. Wouldn't you prefer to know that a patch was going to fix more problems than it creates?
How much time is needed to locate the code that deals with Gopher protocol, disable it, and re-compile? If more than an hour, get some new programmers.
I can see where this is going:
Microsoft's security flaws are an issue of national security! Anyone who divulges or discusses a MS security flaw, without authorization and outside of established channels, should be immediately arrested and held in solitary confinement - forever!
I would bet that this flaw is not limited to the stated problem software, requiring MS to further investigate to be certain a patch will cover other flaws.
Is my problem connected to the discovered MS flaw?
Perhaps not fair in terms of announcing the problem before MS can respond about a fix.
But this indicates some really poor QA test suites (if they even exist for gopher). It would seem they're not even looking for security holes at the protocol session layer level...these aren't obscure buffer overflows.
Well, okay, yes, there is that. But I'm proceeding from the assumption that they want to preserve that functionality, and not throw the baby out with the bathwater ;)
Speaking of audio content... I wish Netscape and Microsoft would issue an update that allows me to prevent embedded MIDI files on a Web page from automatically executing.
Those cheesy, tinny tunes drive me nuts.
*sniff*
It brings back such memories. Sigh. Ah, Nostalgia.
Look, you'll get no argument from me about the alleged competence (or lack thereof) from MS's programmers, but the reality is, you and I just don't know what the root cause of the problem is. And I'd bet good money that neither do the folks who first found the bug. To assume it's simple and superficial may be assuming too much.
Someone paranoid about breaking system functionality could easily look at the code that causes the exploit, examine the code that fixes it and determine just how serious it will be to apply it.
And you can tell at a glance how the new code will behave in all situations and contexts? Why do I suspect that when changes are written for something like glibc, where a bad patch could potentially break everything, they do a little bit of testing, rather than just shooting it out on a wing and a prayer?
I'm not arguing with the underlying premise here - that MS should produce patches, or face negative publicity. I just happen to think that something like 30 days is a more realistic minimum, especially given the size and institutional inertia of a company like MS. Give 'em 30 days, and then let the chips fall where they may, sez me...