Another Serious MSIE Hole 731
pjrc writes "Infoworld is reporting
another new security hole that allows links to executable files to appear to be any other type of file, such as text or pdf. When combined with a previously reported spoofing bug, that Microsoft still hasn't fixed, Infoworld claims the result could be 'devastating'"
The Demo (Score:5, Informative)
If I had a dollar (Score:5, Funny)
I guess being a computer professional is like being a doctor. Everyone asks you anything related to your field regardless of the situation (ie, dinner, getting dental work done,
It's like calling a mechanical engineer to change your fucking tire. Figure it out, it isn't that hard.
Re:If I had a dollar (Score:5, Insightful)
If my in-laws computer needs some work, next time I am over there, I'll take a look at it, or try to help over the phone, it takes all of what, maybe 20 minutes.
My uncle owns a small business, if I can save him some money by making recommendations for him or giving him some free tech-support, great.
If you're nice to somebody, they are going to be nice to you, believe me, in the end, it's a wash.
Plus, life is too short to be an asshole all of the time.
-dave
Re:If I had a dollar (Score:5, Insightful)
Re:If I had a dollar (Score:3, Interesting)
The worst part is that all these people are getting their kit fixed through that one friend as a proxy, and since you didn't charge them (because you were just being nice, really drunk, trying
Re:If I had a dollar (Score:4, Funny)
Re:If I had a dollar (Score:3, Insightful)
Nevertheless I still like to help people with their computer problems, because that's what I love to do.
It's not about being an asshole all the time, but one has to know when to say "No", and when it's ok to spend some of your time to help others for free.
Re:If I had a dollar (Score:5, Interesting)
When enough people get to know you as the local computer guy, you'll get phone calls, visits, you name it. People will expect it to be free by default unless you set a price. Make it fair but worth your time.
Anyone on here bitching about 'feeling obligated' to provide 'free support', stop bitching. It's your own fault it's free. Charge a price. Believe it or not people are willing to pay their friends a reasonable fee, even if it's not cash. Tell them to rent a movie for you and bring it over, or bake a cake, or get a six pack of Guinness, whatever. I have a big box of Krispy Kreme sitting here from a friend of mine that needed spyware removed yesterday.
Once you get people trained to think that indeed, your time and expertise are worth something, you won't even have to make requests. People will open their wallets or bring you stuff automatically.
Don't let your passive-aggressive geek nature leave you with regrets or feeling used. Assert yourself.
Re:If I had a dollar (Score:5, Informative)
For example, when I find someone is prone to visiting lots of websites with "fun stuff" to download and play with (such as card-making programs and other crap like that) I find oodles of spyware and adware on their computer bogging it down. I explain to them that the sites they visit and the software they're downloading in installing this junk on their computer and that's why it's slow. Refraining from downloading these things will help prevent this in the future.
Additionally I give them:
- Spybot Search & Destroy [safer-networking.org]
- Mozilla Firebird [mozilla.org]
and make sure their AV software (which most have) is up-to-date.Finally, for the worst offenders, after giving them tips (writing them down even) and explaining it over and over again, I limit them to 5 - 10 fixes. After that, they cannot ask me for help unless it's a completely different problem (if I find it's the same old same old, I leave and tell them to fix it).
You can be nice, but you don't have to be a pushover. Developing a methodology for helping others simplifies the process and helps alleviate the frustration on a case-by-case basis.
As much as we all hate cliches sometimes they apply: Give a man a fish and he is not hungry for a day; teach a man to fish and he is not hungry for a lifetime
Re:If I had a dollar (Score:4, Insightful)
I'll spend 5-10 minutes trying to help someone who just randomly comes up and says 'Hey, I remember you from the help desk. I have this....' Or some friend of a friend. 'Hey, this is my buddy, his computer is...' But thats it. I hardly know the person, and I don't have time. Between my own computer issues and those I was dealing with at work, I want some time not devoted to dealing with how buggy people can make their systems.
If its a close friend, of course its not a problem. But apparently just because you don't get asked frequently, doesn't mean others don't. Don't let that stop you from making sweeping generalizations though.
Re:If I had a dollar (Score:3, Insightful)
Arguably, assholes are created not born. After the nth time explaining to the same people the same concepts (virus scanner, only download from download.com, etc) its time to face facts, accept the fact they will never learn, and tell them to leave you alone and buy a Mac for their next computer.
I don't mind doing small favors or explaining something, but I can only do this so many times. On top of it, once people know they can get a hold of y
It depends. (Score:3, Interesting)
I've done work for free for some people, and they're quite happy. They make me dinner or take me out for a few drinks or something.
I've also done work for free for some people, and they're never happy- to the point of hassling me every time they see me because they need help with some piece of software (that has extensive documentation, installed), they did something I told them not to do and broke something, or, in general, are too thickheaded to learn for themselves and want me to do th
Re:If I had a dollar (Score:3, Interesting)
Yeah... now tell me how I get the sysadmins in the computer lab at school to go to mozilla.org. "But, then we'd have to *support* it!" which would be oh-so-hard... it would cut into their smoke breaks something awful. (and they'd have less to clean up than with IE.)
These are the same folks that just "got rid of" profiles on all
Re:If I had a dollar (Score:3, Insightful)
End users always complain about this attitude without understanding the reasons behind it.
It isn't your one Mozilla installation they *really* care about. It is what allowing you to do it would mean: pretty soon people would be running IE, Netscape, Opera, AvantBrowser, and a whole host of other oddball web clients.
In a situation like that, when someone comes to you with a problem, it multiplies the number of possible reasons by so many
Re:If I had a dollar (Score:5, Funny)
You hit the nail on the head there brother. I'm so sick and tired of people that I barely know calling me when their computer breaks asking for help. It always turns into a friggin 2 - 6 hour event. You know the routine. Uninstalling all the crap that people have downloaded. "Hey, let's install this cool looking Bonzi Buddy thingy, what can it hurt?". The idiots should be shot. Removing spyware, removing the 80 virues that have found there way onto the system. "Hey look at this funny attachment, it's called 'Dont Open Me I'm a Fucking Virus and I'll Fuck Up Your Computer.exe' why don't I open it and see what happens. Maybe it's a funny joke or something."
I think I'm going to start telling people that I work for the post office and I'm currently taking court ordered anger management classes. That will shut them the fuck up real quick.
Re:If I had a dollar (Score:3, Insightful)
People who just want there computer to do what they want are simply consumers.
I hate to be like this, but it's "their", not "there". Once that is said I am doomed to make at least one spelling og grammatical error, but the three/their confusion is getting to my nerves. I'm sorry.
All most people want is:
a: web forms filled automatically and easy. every time after set up.
b: easy communication with other people
What do you base this on? My personal experience is quite different. Many of my friends a
Re:If I had a dollar (Score:5, Funny)
Here's one of the sections that I wrote more out of catharsis than actual informative intent. It certainly won't make the web, but it got my point across.
Re:If I had a dollar (Score:3, Interesting)
I'm going to have to pull a weekend at work soon installing a new version of our database client on every PC. I'm going to put Mozilla on all the machines at the same time. Won't make it the default or anything, but if anyone starts to have problems wit
Re:The Demo (Score:3, Insightful)
It's called Total Cost of Ownership, junior. This is what happens when you get 13 year old Linux elitists all together in web forum like this - a bunch of mis-informed kiddies thinking they know what's best.
Well, ge
Trolling the AC Troll... (Score:3, Funny)
In some incidences it truly is cheaper to run Windows vs *nix.
Yea... Windows is like the bubble boy of the computer world - the second it comes in contact with anything outside of a highly protected, closely monitored, totally sterilized area the shit hits the fan.. but as long as it stays in its bubble and no disks, network connections, or phone lines ever touch it... hey - TCO is great.
You ain't kiddin'! Hell, my company is, at this very minut
Re:Trolling the AC Troll... (Score:3, Funny)
Hell, my company is, at this very minute, looking for some MCSE-holding kissass morons to tell the upper management folks that we need to upgrade to Windows 2003 and XP. I never really understood why we need to hire kissass morons to come to the conclusion the management has already come to.
Those "kissass morons" are properly referred to as consultants.
Re:The Demo (Score:5, Insightful)
Re:The Demo (Score:5, Insightful)
And by the same logic, the cost of getting system administrators for Linux systems, or the availability of Linux software for specialized commercial needs, also both things driven purely (or at least largely) by Microsoft's market share, is "irrelevant to the actual OS". What's left then for a TCO study? The price of a boxed OS CD set? The price of necessary hardware?
It's really bending over backwards to include in a TCO study the benefits of going with the same OS most of the desktop world is running while at the same time deliberately excluding the costs of using the same system most virus/worm writers target. Lauding the beneficial network effects while declaring the harmful network effects out of the scope of the study is just dishonest.
Look at Apache (Score:4, Insightful)
Re:Look at Apache (Score:3, Insightful)
Re:where's the damage? (Score:4, Informative)
That is not the nature of the vulnerability. IE displays a dialog saying "You are downloading the file:" followed by the filename. That is where the spoofed filename is displayed. The danger is that, if you are expecting, for example, a PDF which you won't want to keep, you will just click "Open", expecting it to start Acrobat Reader. However, once the file is downloaded, its real filename is that of an executable, which runs merrily away, doing whatever it wishes.
It's got nothing to do with mime types.
Re:where's the damage? (Score:3, Informative)
In other words,... (Score:5, Funny)
Re:In other words,... (Score:3, Interesting)
Spam pretty nuch killed newsgroups, it is its way to doing the same thing for email.
Microsoft is on track to kill the internet because it cannot deliver a product that can look after your average user. The problem is that unlike newsgroups and email, the internet is a significant contributer to world economy.
It is near impossible to educate users on how to be carefull, either the products must be secure, or we take a giant step backwards as users
Hmmmm... (Score:5, Insightful)
Would you like some more pie, Bill?
Re:Hmmmm... (Score:5, Funny)
He was busy being "knighted" [zdnet.co.uk]
Re:Hmmmm... (Score:3, Funny)
So when he plays air guitar [imdb.com], will we magically be able to hear it?
very simple fix... (Score:5, Insightful)
DON'T use IE!
Not that simple (Score:5, Insightful)
Mozdev has some tips about completely disabling IE [mozdev.org], even in other applications.
Interesting LinuxWorld quote... (Score:3, Insightful)
"A web app that requires a single brand of browser is not a web app... it's a client/server app".
Re:Interesting LinuxWorld quote... (Score:3, Insightful)
the ultimate (Score:3, Interesting)
I think in the end, we need a new system.
In part, people are not perfect, they will make mistakes, and other people will exploit those mistakes.
What we need is centralized administration. A few smart guys with ssh fixing computers for everyone on a paying list of subscribers. I think it could work.
it is... (Score:3, Insightful)
Re:it is... (Score:3, Informative)
Re:it is... (Score:3, Informative)
this will show them (Score:5, Funny)
A demonstration of the hole is currently on security company Secunia's website and demonstrates that if you click on a link, and select "Open" it purports to be downloading a pdf file whereas in fact it is an HTML executable file.
Haha this will show them - i am downloading the latest patch from www.mikerowesoft.com - m defen is str..o..noo!!..hel..elp
I wonder (Score:3, Funny)
Microsoft says: Don't click URLs anymore... (Score:5, Interesting)
Find that hard to believe? http://support.microsoft.com/default.aspx?scid=kb
Re:Microsoft says: Don't click URLs anymore... (Score:4, Insightful)
I can click attachments without fear in Mozilla, or pretty much any UNIX mailer. Attachments weren't broken until OutLook broke them.
Re:Microsoft says: Don't click URLs anymore... (Score:5, Insightful)
<http://www.lsp.steelpharm64v.com/host/index.asp?I D=019102309840v0h0293jf8o998239p8valiu23nf8qoa8329 nor87fahl9w8n4fl98q2l938nf97va0283p97thrl9q274g >
Yeah right.
HyperText Markup Language was created in part to *link* documents quickly (i.e. so the user doesn't have to type in the document location manually). If we're supposed to just give up hyperlinks, why not just kiss the World Wide Web goodbye?
Reminds me of the old joke (Score:4, Funny)
A: They don't, they just redefine darkness as the new standard.
Re:Microsoft says: Don't click URLs anymore... (Score:3, Funny)
Man I knew that fly-by-night patent law degree was worth it!
From the article (Score:5, Funny)
Doom worm currently reeking havoc across the globe.
So it's a smelly worm? Or are they trying to say that Windows stinks?
But, but, but Bill said... (Score:5, Funny)
[Editors note: replace 'tested' with 'tested and found wanting']
Simon.
No more dangerous than normal. (Score:5, Interesting)
This is a cute vector that can be used to take in another 10% of users, but since it looks like most of them will run any attachment you send them anyway, it's a moot point.
A few years back, I coded an app and e-mailed it to all our users. The message came "from" the company owner and said "This is a virus, you will destroy all the data you have access to if you run this file."
If they ran the file, it sent me a message with their computer name, username and other details.
About 80% of the users ran it.
I lost all faith in the human race that day.
Re:No more dangerous than normal. (Score:3, Interesting)
This way, the user who was an idiot, must now call you and confess as much (even though you already knew). Additionally, you could take the information and collect it for presentation to your superiors suggesting that your organization is in dire need of some anti-virus education because clearly they are posing a threat to the operations of your company.
If you
Re:No more dangerous than normal. (Score:3, Insightful)
Because I certainly wouldn't.
grib.
Re:No more dangerous than normal. (Score:3, Interesting)
As a sidenote, such sociological experiments are very complex... They are bound by both time, target group, and context. I don't think you can, from
Re:No more dangerous than normal. (Score:3, Funny)
I asked the people who clicked the link why they had done such a thing.
I don't have a file with their exact quotes, but:
A couple of people thought it had to be something "funny" from the person whose address was on the message
Over half thought it was a real virus, and clicked it to see "What would happen" or "If it would work." Please note that this was only a couple weeks after "I Love You." infected half the computers on the network, and a company wide meeting about NOT opening attach
Re:No more dangerous than normal. (Score:3, Insightful)
What's the backup for, then?
not really anymore.. (Score:3, Interesting)
if you have a stock ie and you browse around with it you WILL GET infected with some spyware or another, sooner or later. this is how it has been for the past few years(!) so a new hole hardly changes anything(it has not been trustworthy enough for years to use on random urls from irc/forums/whatever, so another bug is unlikely to change anything).
I don't think MS cares anymore (Score:5, Insightful)
Re:I don't think MS cares anymore (Score:4, Funny)
It's called pride of 0wn3rship.
Ye gods... (Score:3, Insightful)
I mean, what kind of frikkin' bug would make an executable link pretend to be something else? If I believed in conspiracy theories, I'd swear it was deliberate.
Re:Ye gods... (Score:4, Insightful)
Re:Ye gods... (Score:3, Interesting)
Yeah, I didn't really buy it either (and I LIKE conspi
According to Bill, this is a good thing (Score:5, Informative)
Gates also explained "To say a system is secure because no one is attacking it is very dangerous," and proposed that "hackers are good for maturation" of the platform, because they have forced the company to develop new inspection techniques for the code.
Of course, virus writers are getting lazy now. According to Microsoft software architect Chris Anderson, "Today, virus writers don't find holes," he said. "They just sit back and wait for patches to appear, and then it is a race to write the first virus. We want to get patch deployment down from days or weeks to hours."
Re:According to Bill, this is a good thing (Score:3, Interesting)
Is that so virus writers won't have to wait days or weeks before releasing a new version?
Tim
one word about patches... (Score:3, Insightful)
Of course that'll solve all the problems! We patch a hole 1 hour after it's discovered (not like that ever happened) and then it takes three months (also overly optimistic estimate) for the average user to actually download a patch with the next service pack, if ever. The result? The end user is just as vulnerable as he has ever been. But we can now blame the end user for not patching their system in time, because the patch was available e
small detail, slightly OT (Score:4, Insightful)
Maybe I'm behind the times, could someone explain precisely what they mean by an HTML executable file? That doesn't make sense to my "HTML is plain text" portion of knowledge.
Re:small detail, slightly OT (Score:4, Informative)
Re:small detail, slightly OT (Score:3, Informative)
The demo version sends and "executes" an HTML file, but the same channel could be used to send and execute an executable. They were just being careful to make their exploit demo safe to use.
Re:small detail, slightly OT (Score:5, Informative)
Okay, you have a file, called trojan.exe on the webserver. You make a link in the html to link to "trojan.exe". Then you configure the web-server to tell the web browser that the mime-type (a way to indentify the content of the file) of trojan.exe is "text/html". IE sees "text/html" and says "ahh! I know what to do! Open this!", thinking it's a webpage. IE then looks at the file and says "ahh! This file ends in .exe! I know how to open this!" and executes the file. The user is thusly infected ;)
Of course, there is no prompt: who wants to see a prompt every time they navigate to another page on the web? And who wants to see a prompt every time they double-click an executable file in Explorer?
Exploit (Score:5, Informative)
Mozilla Firebird (Score:4, Interesting)
Re:Mozilla Firebird (Score:3, Interesting)
Re:Mozilla Firebird (Score:3, Interesting)
It does look like a pdf file.
"something ending with the letters pdf. It must be a pdf file. Lets just run it."
Redundant headline (Score:5, Funny)
What's left: "MSIE Hole".
Still left: "MSIE"
As most serious security problems affect MSIE, it can be omitted as well. The least redundant informative headline would be:
Re:Redundant headline (Score:4, Funny)
Another? (Score:3, Insightful)
I claim the result of MS on the world to be 'devastating'.
There. The 'cut-to-the-chase' summation of where this thread should eventually go.
How many times to do we have to be reminded of the vulgarity that has seeped out of Redmund since the beginning?
hi/HELLO/Error/Status/The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.
If you aren't (Score:3, Interesting)
Really, I'm genuinely interested in reasons IE users are still using IE. I just can't comprehend what you're thinking.
Suggestions? (Score:3, Interesting)
I don't understand it, I really don't. I've seen people complain about viruses, bugs, pop-ups, and ads, and yet when I suggest that they go with Mozilla, they don't want to switch. Why? "Because IE's there." Or "because Mozilla takes too long to load." "Using quickstart isn't worth it because IE starts when the system does, so why run two browsers at the same time?" But yet they'll complain about a 5 second load time for Mozilla, when they'll spend more time than that closing pop-ups and resetting their homepage from where someplace changed it. I've even come across the situations where people won't switch because Mozilla had a different print screen (even though I used an IE skin so the rest looked the same), and one didn't want to use it because when you opened a "new" window, you didn't get the old window in it. Even after I showed them the clone window extension (which is pretty close to the same functionality), he didn't switch. It's just frustrating.
It's sad, Microsoft has people so brainwashed that they'll complain until they're blue in the face that IE sucks, and yet they won't switch unless you put a gun to their head. So does anyone have any suggestions for just how to make them switch? (without actually putting a gun to their head)
Re:Suggestions? (Score:4, Insightful)
Convince the IT manager to let you demo Mozilla for them. Use the Windows skin, and whatever plugins you wish to make it as IE-like as possible.
Assuming you convince the manager, continue on with testing Mozilla for compatibility with every critical bit of software the company needs.
If that works, take the results of your exhaustive tests, add in a report on what problems you're solving by abandoning IE, and get the IT manager to sell it to the Director.
Now, once the Director makes it policy, you can force the rollout on the users.
This doesn't work with friends and family, of course, but I am involved in this very process right now at a client site where they are getting quite fed up with security advisories, but aren't ready to move from the Windows OS yet. If I win with Mozilla, I'm trying OpenOffice next.
Thank You Microsoft! (Score:3, Funny)
So, is this really unfixable? (Score:4, Insightful)
"The possibilities are endless, and since both spoof issues appear to be unfixable, it must surely place a big question mark over Explorer's viability as a browser."
They claim that this bug appears to be unfixable while not really providing evidence to support the claim other than implying that if it was indeed fixable Microsoft would have fixed it already.
Is this just FUD?
For the love of god I'm sick of patching. Thankfully we are using Microsoft Software Update Services which I highly recommend for automating your MS patching needs. (Hey it's free and works)
New Acronym: "A.S.S. Hole" (Score:5, Funny)
Work around for thos of us stuck with M$ IE... (Score:3, Informative)
Oh, it'll all blow over... (Score:5, Insightful)
Some major news org needs an article: (Score:3, Funny)
In response to flaws recently exposed in it's software Microsoft has suggested that customers stop using hyperlinks -- the core feature of the World Wide Web. The bugs, which were exposed in the last few weeks, allow scammers on the net to make their website links to look like a legitimate site (e.g. Microsoft, Ebay or Visa), where they can then ask for identifying information, card numbers and passwords, or cause you to launch executable programs that Internet Explorer describes as more innocuous types (e.g. PDFs).
Rather than immediately releasing a bug fix, Microsoft is now suggesting that users no longer click on web page hyper-links. Their suggested solution is that users manually type in any web address they want to visit in the menu bar.
.....
Other web browser providers (e.g. Mozilla) claim that their browsers are not susceptible to these bugs, and claim that users surfing the web with their browsers are not subject to these problems.
Factory Browser (Score:3, Insightful)
Original post by http-equiv to NT-BugTraq (Score:3, Informative)
Helevius
Re:But MS is "fixing" other issues... (Score:4, Insightful)
Re:But MS is "fixing" other issues... (Score:4, Funny)
The popularity of IE is about to drop sharply as the entire XXX-site-password-hacking community finds their reliable tricks no longer work.
Should knock MS's browser marketshare down 10-15% just from that alone.
Re:But MS is "fixing" other issues... (Score:3, Insightful)
Re: (Score:3, Insightful)
Re:Here it comes... (Score:5, Informative)
The difference is that they actually patch sendmail and SSH for the security problems found...in the MSIE case, a number of problems have yet to be patched (so here comes the other usual response...did you actually read the article??)
Re:Here it comes... (Score:3, Funny)
If he did, it wouldn't be Slashdot.
Re:Here it comes... (Score:3, Informative)
I'm the one who submitted the story that Timothy posted.
Microsoft damn well deserves some bashing. They didn't fix the phishing bug in their monthly patch set, and the phishing bug was reported very close to the beginning of that monthly cycle, and only 1 week after it was discovered, scammers started making heavy use of it in their attempts to defraud people of banking details. So Microsoft had 3 weeks to witness the phishing bug being abused in the wild, and still they
Re:Demo (Score:4, Interesting)
Theres a couple other inconsistencies - if you do use "Save as" the filename appears to be PDF, but the filetype pre-filter (which is set to the type of file that you're downloading) is "HTML files". Interestingly, in the "open or save" dialog, the file type is blank.
I'd just like to take this time to slap microsoft for adding yet another way of associating files with applications to piss us all off. We already had enough issues with contradicting file extensions and mime types.
Why does everyone always disparage ... (Score:3, Funny)
They can be quite good - especially when they pretend to be in a glass cage.
Re:Patches Don't matter if... (Score:3, Funny)
Re:wtf is an HTML executable? (Score:5, Informative)
Cool idea in the right hands, but here it's a disaster waiting to happen.
Re:Why oh Why... (Score:3, Interesting)
Even if your company won't let you install Mozilla, even if you need IE for some portion of your work assignments, there is really no reason why you can't do all of your normal web surfing with a web browser that functions prop
Re:No wonder (Score:3, Funny)
Re:Anti-MS mods are at it again (Score:3, Insightful)