New Explorer hole could be devastating

Infoworld ^ | 01/28/04 | Kieren McCarthy

[Salo]

New Explorer hole could be devastating Browser users could be fooled into downloading executable files

By Kieren McCarthy, Techworld.com January 28, 2004

A security hole in Microsoft Corp.’s Internet Explorer could prove devastating. Following the exposure of a vulnerability in Windows XP earlier this week, “http-equiv” of Malware has revealed that Explorer 6 users (and possibly users of earlier versions) could be fooled into downloading what look like safe files but are in fact whatever the author wishes them to be -- including executables.

A demonstration of the hole is currently on security company Secunia’s website and demonstrates that if you click on a link, and select “Open” it purports to be downloading a pdf file whereas in fact it is an HTML executable file.

It is therefore only a matter of imagination in getting people to freely download what could be an extremely dangerous worm -- like, for instance, the Doom worm currently reeking havoc across the globe.

However what is more worrying is that this hole could easily be combined with another Explorer spoofing problem discovered in December.

The previous spoofing problem allowed Explorer users to think they were visiting one site when in fact they were visiting somewhere entirely different. The implications are not only troublesome, but Microsoft’s failure to include a fix for the problem in its January patches has led many to believe it cannot be prevented.

If the same is true for this spoofing issue, then it will only be a matter of time before someone who thinks they are visiting one website and downloading one file will in fact be visiting somewhere entirely different and downloading whatever that site’s owner decides.

We also have reason to believe there is no fix. It may be that today’s flaw is identical to one found nearly three years ago by Georgi Guninski in which double-clicking a link in Explorer led you to believe you were downloading a text file but were in fact downloading a .hta file.

In both cases, the con is created by embedding a CLSID into a file name. CLSID is a long numerical string that relates to a particular COM (Component Object Model) object. COM objects are what Microsoft uses to build applications on the Internet. By doing so, any type of file can be made to look like a “trusted” file type i.e. text or pdf.

Guninski informed Microsoft in April 2001. The fact that the issue has been born afresh suggests rather heavily that the software giant has no way of preventing this from happening.

So how bad could it get? Just off the top of our heads -- suppose someone set up a fake Hutton Inquiry site today with a link to the report’s summaries -- how many people across the U.K. would download a worm this afternoon? And imagine the computers it would end up on.

The possibilities are endless, and since both spoof issues appear to be unfixable, it must surely place a big question mark over Explorer’s viability as a browser.

The advice is to avoid this latest hole is always save files to a folder and then look at them. On your hard drive, the file’s true nature is revealed. But this advice is nearly as practical as Microsoft telling users not to click on links to avoid being caught out by the previous spoof problem.

All in all, it does not look good. Not good at all.

[Golden Eagle]

Funny, isn't it...Talk about a laugh-riot...

So you think this stuff is funny, huh.

A comparison of Marxist Communism and the Open Source Software movement

(written by a communist)

A comparison of Marxist Communism and the Open Source Software ...

[Golden Eagle]

Here's something I else I found looking on that link. Linus Torvald's secret motto seems to be "Total World Domination".

http://search.yahoo.com/search?p=torvalds+%22total+world+domination%22&ei=UTF-8&fr=fp-tab-web-t&cop=mss&tab=

That's it for me, taking off for the weekend. Hope everybody has a great one!

Gold Eagle Out.

[Prime Choice]

Here's something I else I found looking on that link. Linus Torvald's secret motto seems to be "Total World Domination".

Once again, proof that humor is lost on the dense.

Go peddle your tripe at SCO.

[Golden Eagle]

Like Linus Torvalds recommending to "hire a hit man and whack em" that time if they ever found stolen code in Linux? Like I said above, if that's humor to you, you guys sure have a sick sense of it.

Out.

[Prime Choice]

A comparison of Marxist Communism and the Open Source Software movement

You have no room to complain, Pinkboy. Your oh-so-hallowed Microsoft gave Red China the canonical "keys to the kingdom" by forking over its threat-to-national-security-if-seen-by-human-eyes source code.

Must be nice defending an outfit comprised of liars and traitors.

[Golden Eagle]

Must be nice defending an outfit comprised of liars and traitors.

At least I'm not one. Out.

[Sloth]

So how bad could it get? Just off the top of our heads -- suppose someone set up a fake Hutton Inquiry site today with a link to the report’s summaries -- how many people across the U.K. would download a worm this afternoon?

Six?

[Prime Choice]

Must be nice defending an outfit comprised of liars and traitors.

At least I'm not one.

By supporting them, you are one of them.

[bwteim]

You see, that's only because it's a popular widespread OS, not because there's anything inherently wrong with it.

Memo to self: must refrain from posting on OS War Threads... have been succesful for many months.... oh, what the hey...

To Aruanan:
ROTFL!

[Salo]

You are their errand boy.

Must be nice defending an outfit comprised of liars and traitors.

At least I'm not one. Out.

[zeugma]

Can you believe someone would actually recommend CDE?

Sure, there are plenty of people that buy American first. The fact you scoff at it is sickening.

You are so transparent it is funny to watch you twist. Here, you're seriously claiming that you'd actually recommend a window manager like CDE to someone when there are other products available and distributed by the same vendor (Sun in this case), that are vastly superior in order to satisfy your 'buy america' urge despite it being against what would be the best interests of your supposed 'clients'. Come to think of it, it sounds a lot like the rest of the garbage you are peddling with your microsoft song and dance. It's pitiful, really, that you would actually take money from people who are paying for your recommendation when you are doing nothing but pushing a political agenda under the guise of providing technical support assistance or advise.

This, more than anything else convinces me that you do not, in fact, have any clients of this kind other than friends that you are able to bullsh!t into believing that you have a clue at all of what you are talking about. Nope. I pegged you correctly after all. What nick do you go by while astroturfing DU?

[zeugma]

Yup. He's "Out" alright. Must be shift change. Where's B2K?

[antiRepublicrat]

"deserves"? That is clearly a post made in support of hackers over American businesses that do not conform to your way of reasoning.

I hear basically the same sentiment around here for people who don't do basic things to lock down their Windows systems. This just raises the bar from individual flaws to the whole OS.

[Bush2000]

You must be reading the wrong advisory, dude.

malware.com's home page is feeding 403's (forbidden) errors.

[cyn]

Interesting stats. Only 4% are MacIntosh users? I thought we were a smarter bunch than that ;o)

[Bush2000]

I tested the "exploit", using the samples provided on malware's webpage. Bzzzzzzzzzzt! Doesn't work. No files are delivered to C:\Windows\Temp. Nada. Zilch. Crapola.

[Nick Danger]

We interrupt this blatant sidetracking about linux and communism to remind our audience that the "devastating" hole in Internet Explorer still exists, even if Microsoft's public relations contractors would prefer that you talk about something else.

If you are a user of Internet Explorer, you should probably do something about that, like get Firebird or Mozilla or Opera.

Remember, the sooner you give in to godless communism and cut the pins out from under Microsoft, the sooner they'll have to stop sending people into Internet forums to sidetrack the threads that they don't like.

[js1138]

I would be a lot mor impressed if the alleged test actually did what is alleged. What we have here is a bit of code that inserts a null character in the URL string"

<a href="http://www.microsoft.com
%00@secunia.com/internet_explorer_address_bar_spoofing_test/" style="font: 8pt verdana, sans-serif;"> Click Here to Perform Test! </a>

Show me an example of this actually doing anything.

[js1138]

I am somewhat at a loss as to why this is considered such an unfixable problem. One line of code that terminated the URL string at the first null character would do the trick.

Besides, if you click on a link that downloads a file, you will be asked what to do with the file. That would be a clue that something is wrong.

[MarkL]

Erg, let's try this again. The ActiveX control does not know the absolute path to "C:\Documents and Settings\[USER]\Local Settings\Temp" because it lacks knowledge of who the "[USER]" is.

Are you sure about this? Can ActiveX access environment variables? If so, then it will know %USERPROFILE% or %USERNAME%, and be able to access the file.

Mark