New Explorer hole could be devastating

Infoworld ^ | 01/28/04 | Kieren McCarthy

[Salo]

New Explorer hole could be devastating Browser users could be fooled into downloading executable files

By Kieren McCarthy, Techworld.com January 28, 2004

A security hole in Microsoft Corp.’s Internet Explorer could prove devastating. Following the exposure of a vulnerability in Windows XP earlier this week, “http-equiv” of Malware has revealed that Explorer 6 users (and possibly users of earlier versions) could be fooled into downloading what look like safe files but are in fact whatever the author wishes them to be -- including executables.

A demonstration of the hole is currently on security company Secunia’s website and demonstrates that if you click on a link, and select “Open” it purports to be downloading a pdf file whereas in fact it is an HTML executable file.

It is therefore only a matter of imagination in getting people to freely download what could be an extremely dangerous worm -- like, for instance, the Doom worm currently reeking havoc across the globe.

However what is more worrying is that this hole could easily be combined with another Explorer spoofing problem discovered in December.

The previous spoofing problem allowed Explorer users to think they were visiting one site when in fact they were visiting somewhere entirely different. The implications are not only troublesome, but Microsoft’s failure to include a fix for the problem in its January patches has led many to believe it cannot be prevented.

If the same is true for this spoofing issue, then it will only be a matter of time before someone who thinks they are visiting one website and downloading one file will in fact be visiting somewhere entirely different and downloading whatever that site’s owner decides.

We also have reason to believe there is no fix. It may be that today’s flaw is identical to one found nearly three years ago by Georgi Guninski in which double-clicking a link in Explorer led you to believe you were downloading a text file but were in fact downloading a .hta file.

In both cases, the con is created by embedding a CLSID into a file name. CLSID is a long numerical string that relates to a particular COM (Component Object Model) object. COM objects are what Microsoft uses to build applications on the Internet. By doing so, any type of file can be made to look like a “trusted” file type i.e. text or pdf.

Guninski informed Microsoft in April 2001. The fact that the issue has been born afresh suggests rather heavily that the software giant has no way of preventing this from happening.

So how bad could it get? Just off the top of our heads -- suppose someone set up a fake Hutton Inquiry site today with a link to the report’s summaries -- how many people across the U.K. would download a worm this afternoon? And imagine the computers it would end up on.

The possibilities are endless, and since both spoof issues appear to be unfixable, it must surely place a big question mark over Explorer’s viability as a browser.

The advice is to avoid this latest hole is always save files to a folder and then look at them. On your hard drive, the file’s true nature is revealed. But this advice is nearly as practical as Microsoft telling users not to click on links to avoid being caught out by the previous spoof problem.

All in all, it does not look good. Not good at all.

[jriemer]

Brave Sir Gates, your browser has a devastating security hole.

'Tis only a flesh wound.

[adam_az]

"While we do need LE to punnish criminals ASAP, it's up to us to try not to become victims. Remember, the police aren't there to keep you from becoming a victim. They're there to take a report over your dead body."

When exploit code becomes criminalized, only criminals will have exploit code.

Never mind that many poorly written web applications can be hacked with tools no more advanced than a web browser and text editor.

[Bush2000]

After you "explain" why you either 1) lack reading comprehension skills or 2) purposefully ignored the instruction for getting the exploit to work...

Slow down, Forrest, and read my original point in #17:

"Oh, puh-lease. This so-called "exploit" is hardly "devastating" or "unfixable". It doesn't work on Windows XP at all."

[Way2Serious]

It is probably true that if Firebird (or whatever) someday achieves the 80% market share that IE has now, the Evil Nigerians will target Firebird.

I'm using Firebird right now, and my URL window still said "microsoft.com" when I clicked to your faked hyperlink. What's up with that?

[adam_az]

Bush Zero-Thousand,

I can say one thing in your defense...

What you lack in consistency you make up for in entertainment value.

Microsoft calls it Critical, and you call it No Big Deal.

You are more blindly pro-MS than even MS!

[Nick Danger]

my URL window still said "microsoft.com" when I clicked to your faked hyperlink. What's up with that?

I think it has to do with the way you chose to abbreviate what was in the window when you composed your post to me.

[Way2Serious]

OK, I was too lazy to copy everything down, I figured you'd understand what I meant.

So, when I click on the following using my Firebird browser...

Click here for Windows Update

The URL window at the destination website reads as follows:

http://windowsupdate.microsoft.com%01@security.openwares.org/Update.htm

I'm trying to understand how this is strictly an IE flaw... honestly I am.

[Nick Danger]

I'm trying to understand how this is strictly an IE flaw

Let's try the time-honored technique of arranging these URLs one below the other, to see if we can discern any difference between them.

Firebird	http://windowsupdate.microsoft.com%01@security.openwares.org/Update.htm
IE	http://windowsupdate.microsoft.com

Firebird displays the URL that it was told to display. It was "redirected" by an HTTP header to bounce off the site at hail.he.net and go instead to "http://windowsupdate.microsoft.com%01@security.openwares.org". It is therefore doing what it was told to do, and correctly reporting what it was told to do.

Given the same redirection command, IE also does what it was told to do, but it does not tell the user what that was. Instead it tells the user that he is at windowsupdate.microsoft.com, which is not so.

It is probably true that there are people out there who cannot tell these URLs apart, but there are other people who would notice it, and who would smell a rat if they saw that funny-looking thing in the URL window. IE gives them no opportunity to exercise such caution, because it gives them no warning that anything is wrong.

This is how "idiot lights" in cars happened. There were people out there who had no idea that when the little needle on the oil pressure gauge went limp, the engine was minutes if not seconds away from blowing out. But it was not a flaw in the car that the person did not know this. But it would be a flaw if the gauge read normal when in fact the oil pressure was zero. That's what we have here.

Anyway, there's a patch out there for it now, so if people want to make this go away, they can.

[Way2Serious]

Given the same redirection command, IE also does what it was told to do, but it does not tell the user what that was.

OK. Now I understand your original answer. I apologize for my laziness in not trying the link via IE.

To tell the truth, I probably wouldn't normally look beyond the first three fields to check my online coordinates. But now I am forewarned.

Thank you.

[Bush2000]

Microsoft calls it Critical, and you call it No Big Deal.

Rrrrrrrright. If somebody were to tell you that a 'critical' bug exists in the Linux 2.2 kernel, you guys would laugh it off and suggest that they upgrade to the latest version. But somehow, when it's Microsoft, the fact that a hole exists in a 6- (Windows 98) or 9-year-old (Windows 95) version of Windows, you get your panties in a knot over it. Face it: This 'critical' vulnerability is of interest solely to geeks with no life other than to poke around in decrepit versions of Windows.

[Bush2000]

It is probably true that there are people out there who cannot tell these URLs apart

Yeah - the VAST MAJORITY OF PEOPLE wouldn't be able to tell the URLs apart.

This is how "idiot lights" in cars happened.

BS. An "idiot light" is an in-your-face, can't-mistake evidence that something is seriously wrong. In this case, the difference between the URL is so subtle that the VAST MAJORITY OF PEOPLE wouldn't even notice.

I don't know what's worse: Your backtracking on this issue (since you clowns were the ones who advocated Firebird in the first place -- LMFAO!) or your sophistry that Firebird is somehow "better" when it clearly exhibits the same behavior. Typical Nick Danger bigotry.

[adam_az]

"Rrrrrrrright. If somebody were to tell you that a 'critical' bug exists in the Linux 2.2 kernel, you guys would laugh it off and suggest that they upgrade to the latest version."

I'm not YOU GUYS, I'm me. I refuted your specific statements, and the best you can do in response is to refer to me as if I were a cardboard cutout, part of some amorphous group-think.

From what I've observed, your weak technical skills are only more inferior than your debate skills.

That crap might work on DUh, but it doesn't fly here.

[Bush2000]

OK. Now I understand your original answer. I apologize for my laziness in not trying the link via IE.

No need for apologies. Danger is trying his usual hit-and-run shell game. The fact of the matter is that his original point -- that IE is somehow unique with this flaw -- is a pile of stinking Linux leavings...

[A CA Guy]

So I'm safe running my 1200 baud modem on Windows 3.1 with explorer 2?

[Bush2000]

I'm not YOU GUYS, I'm me.

That's YOUR problem, Forrest.

I refuted your specific statements, and the best you can do in response is to refer to me as if I were a cardboard cutout, part of some amorphous group-think.

Uh, no you didn't, Black Knight. I pointed out that this exploit was vastly overblown because it doesn't even affect Windows XP.

From what I've observed, your weak technical skills are only more inferior than your debate skills.

Phew, lucky for me that your observations are filtered through a built-in ideological cesspool.

That crap might work on DUh, but it doesn't fly here.

Dude, come back when you understand how an ActiveX control even works. Then, we'll talk.

[Bush2000]

So I'm safe running my 1200 baud modem on Windows 3.1 with explorer 2?

No, at that speed, you may contemplate slitting your own wrists. Not safe at all... ;-p

[Sir Gawain]

I think the newest security patch fixes the issue. Haven't read the thread, so that might be a repeat.

[adam_az]

I pointed out that this exploit was vastly overblown because it doesn't even affect Windows XP.

What planet do you live on? Here on Earth, companies don't upgrade their desktop OS's as often as you seem to think. For example, I'm sitting here at work on a 2.4 GHZ p4.... running Windows 2000 workstation.

http://www.technewsworld.com/perl/story/32706.html

"Laura DiDio, a senior analyst at the Yankee Group, surveyed the market about six months ago, polling 1,100 firms worldwide. She found that most ran a mixed shop: 86 percent of her sample were still running Windows NT workstations, while 48 percent still had Windows 98 someplace. While Windows XP has been available since late 2001, IDC estimates there are 58 million copies of Windows 98 still installed worldwide, making up 20 percent of Windows licenses. Microsoft, which had planned to pull the plug on support for Windows 98 this month, has just extended it to 2006."

"In the Yankee Group sample, 57 percent used Windows 2000, said DiDio, and 72 percent used Windows XP, although less than 20 percent of those users said XP accounted for the bulk of their screens."

YOU thought that this was a not serious bug, MICROSOFT CALLS IT CRITICAL.

YOU think that if it doesn't affect Win XP, it's moot - but Windows 98 still represents 20% of Microsoft licenses still in use, and MS extended support for another two years.

To paraphrase Rob Zombie - you are MORE MICROSOFT THAN MICROSOFT. "Dude."

As for my having a "built in ideological cesspool," kinda funny accusation for a guy who has at home two windows systems, a Sun SPARC running Solaris 9, two OpenBSD systems, a FreeBSD box, and a Linux laptop... and a Windows XP system serves as my main workstation. The rest (except the laptop of course) are headless.

[Bush2000]

What planet do you live on? Here on Earth, companies don't upgrade their desktop OS's as often as you seem to think. For example, I'm sitting here at work on a 2.4 GHZ p4.... running Windows 2000 workstation.

Uh, Forrest, we're not talking about Win2000 (it's not affected). We're talking about Windows 95 and Windows 98 -- code that is between 6 and 9 years old, for chrissakes. Get a grip.

As for my having a "built in ideological cesspool," kinda funny accusation for a guy who has at home two windows systems, a Sun SPARC running Solaris 9, two OpenBSD systems, a FreeBSD box, and a Linux laptop... and a Windows XP system serves as my main workstation. The rest (except the laptop of course) are headless.

I could care less what you own. You've shown time and time again that that "ideological cesspool" is fed by Linux/open source/Mac/anti-M$ bigotry.

[adam_az]

"I could care less what you own. You've shown time and time again that that "ideological cesspool" is fed by Linux/open source/Mac/anti-M$ bigotry."


And you've shown time and again your technical ineptitude, your lack of reading comprehension skills, a willingness to reply selectively by constructing strawmen, and to lie when things haven't gone your way.

Oh, I left out 'a tendency to lump everyone who calls you on your Bravo Sierra into a nice little Anti-Microsoft Bigotry compartment, no matter their actual opinion.

I like some Microsoft products. I use their products. I own mutual funds that own Microsoft. I'd like to see them be a successful company. I'd also like for them to give up some of their more questionable business practices. (And I'd like Gate$ to stop being a limousine-leftist-gun-grabber-$ugardaddy!)

I'd also like for them to develop a better QA process that takes security seriously.... and that's coming from a guy who makes money because Microsoft products are insecure.