Free Republic
New Explorer hole could be devastating
Infoworld ^ | 01/28/04 | Kieren McCarthy

Posted on 01/28/2004 1:10:12 PM PST by Salo

New Explorer hole could be devastating

Browser users could be fooled into downloading executable files

By Kieren McCarthy, Techworld.com January 28, 2004

A security hole in Microsoft Corp.’s Internet Explorer could prove devastating. Following the exposure of a vulnerability in Windows XP earlier this week, “http-equiv” of Malware has revealed that Explorer 6 users (and possibly users of earlier versions) could be fooled into downloading what look like safe files but are in fact whatever the author wishes them to be -- including executables.

A demonstration of the hole is currently on security company Secunia’s website; it shows that if you click on a link and select “Open”, the download purports to be a PDF file when in fact it is an HTML executable file.

It is therefore only a matter of imagination to get people to freely download what could be an extremely dangerous worm -- like, for instance, the Doom worm currently wreaking havoc across the globe.

However, what is more worrying is that this hole could easily be combined with another Explorer spoofing problem discovered in December.

The previous spoofing problem allowed Explorer users to think they were visiting one site when in fact they were visiting somewhere entirely different. The implications are not only troublesome, but Microsoft’s failure to include a fix for the problem in its January patches has led many to believe it cannot be prevented.

If the same is true for this spoofing issue, then it will only be a matter of time before someone who thinks they are visiting one website and downloading one file will in fact be visiting somewhere entirely different and downloading whatever that site’s owner decides.

We also have reason to believe there is no fix. It may be that today’s flaw is identical to one found nearly three years ago by Georgi Guninski in which double-clicking a link in Explorer led you to believe you were downloading a text file but were in fact downloading a .hta file.

In both cases, the con is created by embedding a CLSID into a file name. A CLSID is a long numerical string that identifies a particular COM (Component Object Model) object. COM objects are what Microsoft uses to build applications on the Internet. By doing so, any type of file can be made to look like a “trusted” file type, e.g. text or PDF.

Guninski informed Microsoft in April 2001. The fact that the issue has been born afresh suggests rather heavily that the software giant has no way of preventing this from happening.

So how bad could it get? Just off the top of our heads -- suppose someone set up a fake Hutton Inquiry site today with a link to the report’s summaries -- how many people across the U.K. would download a worm this afternoon? And imagine the computers it would end up on.

The possibilities are endless, and since both spoof issues appear to be unfixable, it must surely place a big question mark over Explorer’s viability as a browser.

The advice for avoiding this latest hole is always to save files to a folder and then look at them. On your hard drive, the file’s true nature is revealed. But this advice is nearly as practical as Microsoft telling users not to click on links to avoid being caught out by the previous spoof problem.

All in all, it does not look good. Not good at all.
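As an added illustration of the CLSID trick the article describes (this is example code, not from the article or from Secunia/Guninski): a name such as "summary.pdf.{CLSID}" is shown by the shell without its trailing CLSID component, so a check that strips that component and compares the apparent extension is what a mail gateway or download scanner would run. The CLSID values in the sample names are constructed placeholders, not real class identifiers.

```python
import re

# A CLSID component has the form {8-4-4-4-12 hexadecimal digits}.
# When a file name ends in ".{CLSID}" the shell hides that component,
# so "summary.pdf.{...}" is displayed to the user as "summary.pdf".
CLSID_RE = re.compile(
    r"\.\{[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}"
    r"-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}\}$"
)


def _extension(name: str) -> str:
    return name.rsplit(".", 1)[1].lower() if "." in name else ""


def analyse_filename(name: str) -> dict:
    """Describe how a file name is displayed versus what it really is.

    'displayed'    -> the name as the shell would show it
    'apparent_ext' -> the extension the user sees
    'clsid'        -> the hidden CLSID component, or None
    'suspicious'   -> True when a CLSID component hides the real type
    """
    m = CLSID_RE.search(name)
    if m is None:
        return {"displayed": name, "apparent_ext": _extension(name),
                "clsid": None, "suspicious": False}
    displayed = name[: m.start()]
    return {"displayed": displayed, "apparent_ext": _extension(displayed),
            "clsid": m.group(0)[1:], "suspicious": True}


def flag_attachments(names):
    """Return (original name, displayed name) for every disguised file."""
    return [(n, analyse_filename(n)["displayed"])
            for n in names if analyse_filename(n)["suspicious"]]


# Constructed sample attachment names; the CLSIDs are placeholders.
SAMPLE_NAMES = [
    "summary.pdf.{01234567-89AB-CDEF-0123-456789ABCDEF}",
    "readme.txt.{deadbeef-0000-1111-2222-333333333333}",
    "report.pdf",
    "notes.txt.{not-a-clsid}",
]

if __name__ == "__main__":
    for real, shown in flag_attachments(SAMPLE_NAMES):
        print(f"shown as {shown!r}, actually {real!r}")
```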


TOPICS: Business/Economy; Extended News; Technical
KEYWORDS: ie; lowqualitycrap; microsoft; ms; security; windows
To: js1138
Show me an example of this actually doing anything.

OK.

See where it says "http://www.microsoft.com" in the URL bar? And yet, the browser is on Secunia's web site.

Suppose I am an Evil Nigerian, and I send you one of those fake emails that says you should Watch Out for the Novarg virus, and you should update Windows right now by clicking here.

You click, and sure enough, you go to a Microsoft page. It even says "http://www.microsoft.com" in the URL bar. And it's asking for your Passport ID and password.

But it isn't a Microsoft page. It's really www.evilnigerians.com.

You're so smart that you wouldn't be fooled by that, but there are probably 6×10²³ people who would be fooled by that. And the Evil Nigerians would have their Passport ID's. Or their credit card number... these scammers are pretty clever. All they have to do is gin up a halfway-decent knockoff of a reputable web site, and then send out a million spams tricking people into coming to disney.com or whatever to buy a stuffed Mickey Mouse for $1.50. Next thing you know, the Evil Nigerians will have 100,000 credit card numbers complete with name, address, and phone number.

As you know, there is an official Microsoft talking point on this feature. It is that this is not a flaw in a Microsoft product, because it doesn't do anything. And if it does do something, it is still not a flaw in a Microsoft product... it is stupid people being stupid. And if it is a flaw, it isn't Microsoft's fault; it's godless linux communists and their foreign precious bodily fluids. And if you try to defend yourself from this seemingly endless series of security holes in this totally flawless product by getting and using something else, then you personally are a godless communist and you probably rip off the music companies too and you pray to Richard Stallman and your father marched with Hitler.

In spite of which, game theory tells us that there is an advantage to be gained by being among the first to get and use something else. It is probably true that if Firebird (or whatever) someday achieves the 80% market share that IE has now, the Evil Nigerians will target Firebird. But right now they don't, and they probably won't for a few years at least. So there will be a few years of peace and quiet for those who got in on the Firebird trend first.

201 posted on 02/01/2004 1:59:27 AM PST by Nick Danger ( With sufficient thrust, pigs fly just fine.)
[ Post Reply | Private Reply | To 198 | View Replies]

To: Nick Danger
Oh yeah, I almost forgot. I am an ordinary user with no ax to grind I got that there Firebird and it blowed up and killed my dog. What a piece of crap. And it's hard to use. Just to be safe everyone should buy and install Microsoft Windows.
202 posted on 02/01/2004 2:05:20 AM PST by Nick Danger ( With sufficient thrust, pigs fly just fine.)
[ Post Reply | Private Reply | To 201 | View Replies]

To: Nick Danger
Suppose I am an Evil Nigerian, and I send you one of those fake emails that says you should Watch Out for the Novarg virus, and you should update Windows right now by clicking here.

I suggest you try this on yourself. Outlook Express will not link you to a spoofed address. In fact Outlook Express will not link to any address that isn't in Ascii (7 bit) format. I know this because my personal site has a tilde in the address, and I have to URLencode the address when I email it. The tilde is clearly visible as "%7e".

Now anyone who responds to an email in the way you described will probably also buy the Nigerian stocks anyway. How would such an ignoramus know the correct URL anyway? How many people even look at the URL?

203 posted on 02/01/2004 2:06:14 AM PST by js1138
[ Post Reply | Private Reply | To 201 | View Replies]

To: Golden Eagle
You anarchists prefer vigilante style justice, something "the mob" can control. Forget it, the only way to root out the criminals from crime detection and prevention is to give it to the government. One of the very few things we need them for.

But at the same time, it's up to the "common folk" to do what they can to make sure that they're not victims of crime...

While it's illegal for someone to steal a car, isn't it up to the owner of that car to be sure that it's locked, and that the keys aren't left in it?

In Kansas City, there were a rash of home burglaries, as well as a number of home invasions, all of which had one thing in common... In all cases, the garage door was left open. Wouldn't you say that it was incumbent on the home owner to be sure that the door wasn't left open?

While we do need LE to punish criminals ASAP, it's up to us to try not to become victims. Remember, the police aren't there to keep you from becoming a victim. They're there to take a report over your dead body.

Mark

204 posted on 02/01/2004 2:08:44 AM PST by MarkL
[ Post Reply | Private Reply | To 71 | View Replies]

To: Nick Danger
Here's a nice URL. Tell me how an ordinary user is going to determine if this is a real site or a spoofed site, based on the URL.

http://www.pricegrabber.com/search_attrib.php?page_id=186&sortby=popular-&vendors%5B%5D=MST&lo_p=0&hi_p=0&form_keyword=&sortby=&ut=43641a1c11703e0a
205 posted on 02/01/2004 2:10:16 AM PST by js1138
[ Post Reply | Private Reply | To 202 | View Replies]

To: FLAMING DEATH
IE users who haven't tried it simply don't understand. I sure didn't, and to think I suffered with IE for years. It is way ahead of IE in configurability, security and ease of use.

Unfortunately, there are some situations where you really MUST use IE...

There are some portals that depend on IE to do what you need to do... For example, Netscape (or Konqueror) just doesn't work right with Novell's management portal, iManager, or for that matter, their remote management portal.

I believe that you also need to use IE for WindowsUpdate as well.

Mark

206 posted on 02/01/2004 2:14:17 AM PST by MarkL
[ Post Reply | Private Reply | To 100 | View Replies]

To: zeugma
Can you believe someone would actually recommend CDE? I shudder just thinking about it.

Hey, maybe we should go back to the "good old days" for everything! Retro is in right now, isn't it?

How about XEdit? Or even better, let's go back to keypunch! Think about how many jobs would be created in the "rubber band" sector!

Mark

207 posted on 02/01/2004 2:25:39 AM PST by MarkL
[ Post Reply | Private Reply | To 160 | View Replies]

To: js1138
Here's a nice URL.

Click here for Windows Update.

208 posted on 02/01/2004 2:50:45 AM PST by Nick Danger ( With sufficient thrust, pigs fly just fine.)
[ Post Reply | Private Reply | To 205 | View Replies]

To: Nick Danger
But why would I trust a link that is labeled as microsoft, but clearly links to hail.he.net/~danger/iespoof.php? The real url is clearly displayed when you hover over your link.
209 posted on 02/01/2004 6:38:03 AM PST by js1138
[ Post Reply | Private Reply | To 208 | View Replies]

To: Nick Danger
I can see that this is a problem, but I don't see why it is unfixable.
210 posted on 02/01/2004 6:42:47 AM PST by js1138
[ Post Reply | Private Reply | To 208 | View Replies]

To: MarkL
Right. I've run into this situation too. Interestingly enough, as my mother has found, the MSN games site won't work with Mozilla, either. Wonder why? (wink, wink).

I installed an extension in Firebird that will allow me to right click on a link and have it open in Internet Explorer. I think I've only had to use it once or twice, though, in about a year of browsing with Firebird.

If it weren't for sites like those, I might consider actually deleting Internet Explorer altogether.
211 posted on 02/01/2004 8:22:37 AM PST by FLAMING DEATH (Why do I carry a .45? Because they don't make a .46!)
[ Post Reply | Private Reply | To 206 | View Replies]

To: js1138
why would I trust a link that is labeled as microsoft, but clearly links to hail.he.net/~danger/iespoof.php? The real url is clearly displayed when you hover over your link.

That's because I am not really the Nigerian Finance Minister. If I were really out to fool people, instead of merely demonstrating the exploit, I could have coded the link as a javascript button so you can't see where it goes.

212 posted on 02/01/2004 9:05:04 AM PST by Nick Danger ( With sufficient thrust, pigs fly just fine.)
[ Post Reply | Private Reply | To 209 | View Replies]

To: js1138
It is fixable - there are many open-source examples of how to work around this bug. All MS has to do is copy the code from them. MS is licensed by SCO, who owns everything *nix - and all derivatives of everything *nix, so I am sure it would be peachy. :-)

I can see that this is a problem, but I don't see why it is unfixable.

213 posted on 02/01/2004 10:16:35 AM PST by Salo (You have the right to free speech - as long as you are not dumb enough to actually try it.)
[ Post Reply | Private Reply | To 210 | View Replies]

To: Bush2000
http://www.malware.com/

try again :)
214 posted on 02/01/2004 10:38:42 AM PST by adam_az (Be vewy vewy qwiet, I'm hunting weftists.)
[ Post Reply | Private Reply | To 194 | View Replies]

To: MarkL
Well, I confess to using 'vi' on a regular basis. I'd probably use Emacs if I'd ever learned it. Nothin wrong with older utilities if they still work for you and provide functionality that you don't find elsewhere. Heck, I used 'Brief' for more than 13 years! I had the original install disks, and it was one of the first things I loaded up whenever I built a new PC. The main reason I keep these older editors around, is that there are certain things that they do with raw ASCII text that no other program that I've found will do as easily. I eventually bought a copy of TextPad because it had a 'brief' mode of operation. There were still some things that I couldn't do in TextPad that were trivial in Brief because of the massive macro language that it came with.

That said, I don't see how anyone could actually recommend CDE. It is slow, a memory hog (all window managers seem to be memory hogs though), and was generally clunky and hard to work with. It is only barely superior to the ms-windows interface, but only because it supports multiple desktops, and is exportable to remote systems (if you have massive bandwidth). The fact that the Buzzard won't even address the fact that it is garbage goes a long way towards discrediting anything he might have to say about technology in general, and user interfaces in particular.

215 posted on 02/01/2004 11:11:05 AM PST by zeugma (The Great Experiment is over.)
[ Post Reply | Private Reply | To 207 | View Replies]

To: adam_az
try again :)

The exploit failed on my box. No files are present in C:\Windows\Temp.
216 posted on 02/01/2004 2:51:07 PM PST by Bush2000
[ Post Reply | Private Reply | To 214 | View Replies]

To: Nick Danger
OK, I tried your spoofed link with Firebird. The displayed URL is

http://windowsupdate.microsoft.com%01@security.openwares.org/Update.htm

I'm sorry, but how is an ordinary user supposed to know that this is a spoofed link? It's true that IE truncates the display at the null character, but the true URL is displayed on the status line. In either case the user has to have some knowledge and be paying close attention in order not to be fooled.

217 posted on 02/01/2004 8:29:41 PM PST by js1138
[ Post Reply | Private Reply | To 208 | View Replies]
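As an added example (not code from any poster in this thread), a small Python check of the kind a mail gateway or link-rewriting proxy could run on the URL quoted in post 217: it separates what an address bar that stops rendering at the control character would show from the host the browser actually connects to, and flags links whose userinfo part reads like a domain name. The sample list is constructed from URLs quoted in the thread.

```python
import re
from urllib.parse import urlsplit, unquote

# Control characters (%00, %01, ...) at which a naive address bar stops rendering.
CONTROL_RE = re.compile(r"[\x00-\x1f\x7f]")


def analyse_url(url: str) -> dict:
    """Compare the host a user would read off a truncated display with the real host.

    'real_host'    -> the hostname the browser actually connects to
    'decoy'        -> text in the userinfo part before any control character
    'control_char' -> whether the userinfo part contained a control character
    'suspicious'   -> True when userinfo hides the real host behind a decoy
    """
    parts = urlsplit(url)
    real_host = parts.hostname or ""      # hostname ignores userinfo and port
    userinfo, at, _ = parts.netloc.rpartition("@")
    if not at:
        return {"real_host": real_host, "decoy": None,
                "control_char": False, "suspicious": False}
    decoded = unquote(userinfo)           # turns %01 into the raw byte
    m = CONTROL_RE.search(decoded)
    decoy = decoded[: m.start()] if m else decoded
    # Nothing legitimate puts a dotted domain name in front of "@";
    # a decoy that looks like a hostname is the signature of the trick.
    looks_like_host = "." in decoy
    return {"real_host": real_host, "decoy": decoy,
            "control_char": m is not None,
            "suspicious": m is not None or looks_like_host}


def flag_links(urls):
    """Return (url, real host, decoy) for every link worth a second look."""
    out = []
    for u in urls:
        r = analyse_url(u)
        if r["suspicious"]:
            out.append((u, r["real_host"], r["decoy"]))
    return out


# Constructed sample: the spoofed link from post 217 plus two ordinary links.
SAMPLE_LINKS = [
    "http://windowsupdate.microsoft.com%01@security.openwares.org/Update.htm",
    "http://www.pricegrabber.com/search_attrib.php?page_id=186&sortby=popular-",
    "http://hail.he.net/~danger/iespoof.php",
]

if __name__ == "__main__":
    for link, host, decoy in flag_links(SAMPLE_LINKS):
        print(f"{link}\n  really goes to: {host}\n  reads as:       {decoy}")
```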

To: adam_az; Bush2000; Nick Danger; rdb3
They fixed it, so the hole obviously exists.
218 posted on 02/02/2004 3:31:35 PM PST by Salo (You have the right to free speech - as long as you are not dumb enough to actually try it.)
[ Post Reply | Private Reply | To 214 | View Replies]

To: Bush2000; Nick Danger; rdb3; Salo
The exploit failed on my box. No files are present in C:\Windows\Temp.

http://malware.com/

1. Using the following this can be accomplished with the default installation of Windows 95 and 98 and Internet Explorer 5 browsers and accompanying mail/news clients

snip

Hence, this will only work on default OS installs.


After you "explain" why you either 1) lack reading comprehension skills or 2) purposefully ignored the instruction for getting the exploit to work, please get back to why you even bothered to mess with the CreateFile() API call and why you are so sure that there is really no exploit, even though MICROSOFT ISSUED A PATCH AND CALLED THE BUG "CRITICAL" which is the HIGHEST RISK LEVEL in Microsoft's categorization scheme.

Apparently you are even more of a shill for Microsoft than THEY are!

This one was even more fun than the one time you were convinced you were "right" and yet didn't know the difference between POP and SMTP protocols.

You are clearly living proof of your assertion that it doesn't take someone with great experience or knowledge to "administer" Windows OS's. You just need to be able to find your balls. (Mouse balls, that is.)
219 posted on 02/02/2004 3:58:02 PM PST by adam_az (Be vewy vewy qwiet, I'm hunting weftists.)
[ Post Reply | Private Reply | To 216 | View Replies]

To: zeugma
"The fact that the Buzzard won't even address the fact that it is garbage goes a long way towards discrediting anything he might have to say about technology in general, and user interfaces in particular."

You just nailed him and B2K's modus operandi to a tee.

Ah, tee(1), one of my more(1) or less(1) favorite commands. ;)

220 posted on 02/02/2004 4:00:59 PM PST by adam_az (Be vewy vewy qwiet, I'm hunting weftists.)
[ Post Reply | Private Reply | To 215 | View Replies]
