Internet Explorer The Internet Bug Security

New IE Holes Discovered 801

joelt49 writes "Yahoo! News is reporting that 7 new security holes for Internet Explorer have been discovered by a Chinese researcher; however, there apparently aren't any attacks on IE yet." The part about this story that gets to me is that the researcher didn't alert Microsoft before posting to a public mailing list. Sure, a lot of people don't like Microsoft, but that's no reason to make it worse for the millions of people who are forced to use Microsoft products, especially for security holes which have yet to be exploited.
  • by Tet ( 2721 ) * <.ku.oc.enydartsa. .ta. .todhsals.> on Saturday November 29, 2003 @10:11AM (#7586997) Homepage Journal
    The part about this story that gets to me is that the researcher didn't alert Microsoft before posting to a public mailing list.

    Yep, not ideal. But it'll be interesting to see whether MS's claims of having a faster response time to security incidents than the Linux community stand up. Will they have a patch available within the next day or so? You can guarantee that the Mozilla or Konqueror communities would have in the same circumstances...

  • by __aaitqo8496 ( 231556 ) on Saturday November 29, 2003 @10:11AM (#7586998) Journal
    I don't blame this guy for not going to Microsoft first. Given their track record, more than likely, they would have ignored him until someone publicly announced the problems.

    P.S. Is it news anymore that IE has holes?
  • It's hardly bad... (Score:5, Insightful)

    by shfted! ( 600189 ) on Saturday November 29, 2003 @10:13AM (#7587003) Journal

    Sure, a lot of people don't like Microsoft, but that's no reason to make it worse for the millions of people who are forced to use Microsoft products, especially for security holes which have yet to be exploited.

    If OSS people can fix the bugs in less than half a day, it should be a piece of cake for a giant software company with lots of programmers to do the same. Sure, a day's warning would have been nice, but if there isn't a fix by tonight, it only shows badly on Microsoft.

  • blablabla (Score:5, Insightful)

    by Anonymous Coward on Saturday November 29, 2003 @10:14AM (#7587008)
    The part about this story that gets to me is that the researcher didn't alert Microsoft before posting to a public mailing list.

    Believe me, in these days that is the only way to report bugs AND making sure they'll get fixed.

    Dream world scenario:

    1) Report bug to company
    2) Company will announce the bug to the public
    3) Company will fix the bug as soon as possible

    Real World scenario 1:

    1) Report bug to company
    2) They don't report it to the public and they don't fix it
    3) You report it to the public
    4) Company sues you for IP violation or any other shit they can pull out of their asses

    Real World scenario 2:

    1) Report it to the public (anonymously).
    2) Company will fix it
  • holes found in IE (Score:1, Insightful)

    by Anonymous Coward on Saturday November 29, 2003 @10:14AM (#7587010)
    not news, this happens every day.

    good news would be like.. goatse.cx and tubgirl.com went down and trolls no longer could shove a hairy fat ass dick up my ass before i go to bed and rub one off.
  • by Anonymous Coward on Saturday November 29, 2003 @10:14AM (#7587011)
    Seriously - AS SOON AS THERE IS A VULNERABILITY, I, as a sysadmin, want to know about it. I don't give a flying fuck about Microsoft's reputation, or whether "vendors need time to patch the hole" - while there is a known hole, I DON'T WANT MY FUCKING SYSTEM ONLINE. If a nice guy can discover it, the bad guys probably already have.

    The "give us time to fix the hole/do a P.R. coverup" fiasco is WHY I DON'T USE MICROSOFT SOFTWARE ANYMORE.
  • double standards (Score:0, Insightful)

    by Sanity ( 1431 ) * on Saturday November 29, 2003 @10:16AM (#7587023) Homepage Journal
    So, a guy waits months after reporting security problems to Apple, and the /. crowd lambast him as a self-publicist, while posting ridiculous (and incorrect) comments about how it isn't a bug, it's a feature.

    Interesting to see how people respond when it's Microsoft that has been given no notice about an exploit.

    I am getting sick and tired of the Apple fanboys, remember back when /. advocated use of free software? Oh for the good old days...

  • by Amiga Lover ( 708890 ) on Saturday November 29, 2003 @10:17AM (#7587029)
    The part about this story that gets to me is that the researcher didn't alert Microsoft before posting to a public mailing list.

    That's because Microsoft's past record is to ignore people who have contacted them privately regarding security issues, or take legal action against them.

    If you really wanted something fixed by MS, and the last 15 times you'd contacted them they'd ignored you, but you've seen someone else release information into the wild and get MS's attention re: a fix within hours... WWYD?
  • haha (Score:4, Insightful)

    by SHEENmaster ( 581283 ) <travis@uUUUtk.edu minus threevowels> on Saturday November 29, 2003 @10:18AM (#7587031) Homepage Journal
    I can understand the desire for such vulnerabilities to be fixed before going public, but Microsoft has been known to sweep exploits under the rug for as many as twelve years. Exploits are a common fact of life with Microsoft products, and it's better that this exploit was released to all as an explanation than as a virus/worm.
  • by Seahawk91 ( 585715 ) on Saturday November 29, 2003 @10:21AM (#7587044)
    WE could have found out about it when our systems started acting up.
  • Mozilla! (Score:2, Insightful)

    by dereklam ( 621517 ) on Saturday November 29, 2003 @10:21AM (#7587049)
    Sure, a lot of people don't like Microsoft, but that's no reason to make it worse for the millions of people who are forced to use Microsoft products, especially for security holes which have yet to be exploited.

    I can understand complaining about being forced to use Windows. However, no one is "forced" to use Internet Explorer, even on Windows---Mozilla is a better alternative in Windows.

    Most of my family and co-workers use Mozilla, and they haven't looked back.

  • Forced to use IE? (Score:5, Insightful)

    by Realistic_Dragon ( 655151 ) on Saturday November 29, 2003 @10:22AM (#7587054) Homepage
    This is not like Windows-Linux, where there is a steep learning curve.

    Mozilla (or Phoenix) is a slick alternative with an almost zero learning curve to pick up the same level as IE. It also takes almost no time to learn features _that aren't in IE anyway_ that help you see the internet in a much more useful way (ad blocking etc).

    No one is forced to use IE with very few exceptions:

    People who have it mandated at work, but that's work's problem not yours - they could change too.
    People on dialup who have a very slow net connection - but they probably have it on a dial up CD.
    People who use its integrated rendering engine for OE/HTML email - but you can change that easily too.
    People who _must_ access IE only websites - but there are very few of these any more, and you can always use IE just for these to lower your exposure.
    Microsoft Zealots who refuse to believe that Free software can be any good - but they deserve everything they get.
  • by harmonics ( 145499 ) on Saturday November 29, 2003 @10:23AM (#7587056)
    While my firm is a strong supporter of full disclosure, this is rather over the top.

    What makes it worse is the timing, over a holiday weekend (States side), where most systems staff will be unable to apply patches or mitigate risks.

    Now this is an Internet Explorer exploit, hence, few people using IE at work over the weekend. It still provides 48 hours for a few unsavory individuals to develop exploits for Monday morning.

    We need to exercise better judgement when dealing with vendors and security issues, this isn't the first time things like this have happened, and won't be the last.

    Perhaps we should consider spending more effort creating a Security Researchers Organization as has been discussed on BugTraq [securityfocus.com].

    Until we have a strong unified organization I believe we will continue to see unresponsive vendors and poorly timed vulnerability releases.

  • by Anonymous Coward on Saturday November 29, 2003 @10:25AM (#7587066)
    ... for the millions of people who are forced to use Microsoft products

    I'd like to know who the editor thinks are "forcing" people to use Microsoft products.

    Nobody put a gun to my head and ordered me to buy Windows XP. I believe I made a rational decision based on the price, quality, and usability that I chose Microsoft.

    It's a pretty arrogant attitude around here that people who use Microsoft are just too dumb, or have been coerced by dark, nefarious forces. No wonder people don't take you geeks seriously.

  • by Anonymous Coward on Saturday November 29, 2003 @10:26AM (#7587073)
    You can guarantee that the Mozilla or Konqueror communities would have in the same circumstances...

    And would the Mozilla and Konqueror communities fully regression test their changes against all of the various software it might affect.. no.
  • I use Mozilla Firebird [mozilla.org], myself, and like you, I've tried to encourage my friends to switch.
    Doesn't help much when I'm forced to use a university workstation (like today), but I find it's a better quality browser than IE. Renders faster, blocks pop-ups, and I find tabbed browsing to be pretty much invaluable.
    Of course, the best thing about Firebird is, I can still watch Doctor Who: Scream of the Shalka [bbc.co.uk] ;-)

    There are, of course, some times when you have to use IE (like Windows Update, though I guess I could always just download each update manually).

    The big problem I've hit is that, even with all these MSIE vulnerabilities that come out on a near-weekly basis - not to mention annoying pop-ups and pop-unders, and other little security-related issues - I don't seem to have any success.
    So what's your persuasive technique for getting people onto pre-1.0, non-MS, reliable-but-not-100%-complete software?

  • by thenextpresident ( 559469 ) on Saturday November 29, 2003 @10:33AM (#7587099) Homepage Journal
    "I'd like to know who the editor thinks are "forcing" people to use Microsoft products."

    People at work who have to use Windows because it's work mandated.

    There's millions of those type of people...
  • by Chexsum ( 583832 ) <chexsum@gmail.BOHRcom minus physicist> on Saturday November 29, 2003 @10:35AM (#7587108) Homepage Journal
    It'd be really strange if Mozilla broke my Window Manager or something. What exactly would they need to test it with?

    I can understand Internet Explorer needing to be tested against the rest of Windows and its APIs but Mozilla is a stand-alone web browser - as long as the API isn't affected it ['full regression testing'] shouldn't matter too much IMO.
  • by sqlrob ( 173498 ) on Saturday November 29, 2003 @10:36AM (#7587113)
    it wouldn't have been 'a known hole', but to the Microsoft developers

    Prove it. Anything that can be found by a white/gray hat can be found or was already found by a black hat.
  • by Anonymous Coward on Saturday November 29, 2003 @10:37AM (#7587122)
    All the big names (yes, even Microsoft) spend a boatload of money making sure Joe User can actually use their software.

    But only their software in the newest release. Third party software and older releases (you have to upgrade, loser!) will break regularly with service packs. Because they have a great QA, I'm sure this isn't intentional.
  • by CooCooCaChoo ( 668937 ) on Saturday November 29, 2003 @10:39AM (#7587130)
    The part about this story that gets to me is that the researcher didn't alert Microsoft before posting to a public mailing list. Sure, a lot of people don't like Microsoft, but that's no reason to make it worse for the millions of people who are forced to use Microsoft products, especially for security holes which have yet to be exploited.

    Although in a perfect world, we would have companies auditing their own code and finding exploits in their own products, the fact remains that unless there is a proverbial rocket aimed at their behind, nothing will be done.

    The fact remains that we have an organisation here with over 40,000 employees, over $40 billion dollars in cash and yet, they're making *really* stupid mistakes. I am sure most people could cut Microsoft some slack if they were a small business OR that these incidents were as rare as hen's teeth, however, when it becomes "have you applied the daily patch", people lose their cool.

    The unfortunate thing, however, is due to Microsoft's huge marketing muscle, this approach by "exploit finders" doesn't work. Microsoft instead of taking on board the information and apologising, instead they spin the story as to make out that the person who finds the exploit is somehow linked to a grand anti-Microsoft conspiracy, and god forbid, call them a "terrorist" for "exposing" the unwashed masses to "harm".

  • Re:Forced? (Score:5, Insightful)

    by MKalus ( 72765 ) <mkalus.gmail@com> on Saturday November 29, 2003 @10:40AM (#7587136) Homepage
    I bet you most people in Big Corporations are forced to use windows (not that they know any different).

    I know I am forced to use windows at work, even though either a Mac or any Unix Desktop would do.

    I ditch IE whenever I can, but for example our HR Website and anything else RELIES on Windows, no way around it.

  • Re:er... (Score:3, Insightful)

    by Ianoo ( 711633 ) on Saturday November 29, 2003 @10:40AM (#7587138) Journal
    What makes you think all Chinese are communists? That's like saying all Germans were Nazis during WWII, which is very very far from the truth. The problem in totalitarian regimes is that you're not allowed to say anything substantial against the government... but it's not illegal to think it (well, not yet anyway).
  • Re:Forced? (Score:2, Insightful)

    by thenextpresident ( 559469 ) on Saturday November 29, 2003 @10:41AM (#7587145) Homepage Journal
    "I'm not forced to use Windows - I use it by choice. So does everyone else I know who uses Windows."

    Your choice to use Windows was an illusion. Microsoft is a monopoly. It's as simple as that. When you went to buy a computer, and you walked into the little store, did you see a lot of Macs, or a crap load of Windows PCs?

    Just because there was another option doesn't mean Microsoft was any less of a monopoly. Consider what happened with AT&T and all the baby-bells. You didn't have to use a Phone, there were other forms of communication. Many people made a choice to use the Phone.

    The problem is that you didn't choose to buy Windows. You chose to buy a computer, and had no choice but to get Windows on it. It's only recently this is starting to change.
  • by quandrum ( 652868 ) on Saturday November 29, 2003 @10:41AM (#7587146)
    how does an adaptive spam-filter affect web browsing?

    I don't think intellectual dishonesty is the right way to get people to switch.
  • by muffen ( 321442 ) on Saturday November 29, 2003 @10:45AM (#7587157)
    Given their track record, more than likely, they would have ignored him until someone publicly announced the problems.

    You may be right, but it still doesn't change anything. I think this guy should have told Microsoft first, waited, if they don't respond within 48 hours, report it.
    If you get a standard stupid automated copy/paste reply, report the holes.... but you SHOULD give the company some notice. As stated in the article, not giving the company any info just makes it bad for anyone having to use IE.

    Is it news anymore that IE has holes?

    Nope. Seriously, who here gives a crap about IE holes? Everyone here probably knows that using IE is about as secure as getting water in a fishing net.
  • by Avihson ( 689950 ) on Saturday November 29, 2003 @10:48AM (#7587172)
    Microsoft has been using the paying community as QA since at least MS-DOS 4.0. Have you been living in a cave all these years?

    The whole premise behind FSF is that it is FREE, the user accepts some responsibility in the transaction, in this case by reporting bugs and helping to test beta versions before the code is released live. You seem to be saying that Microsoft has never released code that was not finished, 100% Quality Assured, no Security holes.....

    If you believe so strongly in your statements, why do you post AC?
    So I say Mod the Grandparent DOWN, MS whiners be damned!
  • by curious.corn ( 167387 ) on Saturday November 29, 2003 @10:51AM (#7587180)
    Oh, the joys of forceful integration... ;-) Now do you understand the importance of clean independent components with defined and carefully thought out APIs?
  • by Anonymous Coward on Saturday November 29, 2003 @10:52AM (#7587185)
    If you wanted a fix in a version of Apache, they'd tell you to upgrade.

    But I have to upgrade a minor version (!) for free (!). I don't have to upgrade to apache-2. Even if I had to do this, I won't have to pay money to the apache foundation - so they have no interest in making me upgrade to a higher major version. That's a big difference in my opinion.
  • Re:Addendum (Score:5, Insightful)

    by bug-eyed monster ( 89534 ) <bem03@NOsPam.canada.com> on Saturday November 29, 2003 @10:55AM (#7587195)
    Not very realistic unfortunately, when companies have invested so much in integrating (and accepting) some of the flawed functionality in IE.

    Are you talking about internet companies or companies using IE for their intranet apps? If a company is using IE-specific functionality to offer services over the internet, they deserve to get bitten periodically. I have no sympathy for any company that provides a service to the "public" but forces them to use one specific browser.

    On the other hand, it is quite common to use IE-specific functionality for intranet applications. That's not a problem, one assumes that the intranet server is safe. The solution is to continue to use IE for intranet (and remove all links to internet sites from intranet apps), but use a more secure product to access the internet.
  • by Anonymous Coward on Saturday November 29, 2003 @10:56AM (#7587199)
    "Free" as in "Free to be fucked over"?

    No thanks.

    I use a combination of environments - Windows, Solaris, AIX, HP-UX, z/OS, and even Linux. And you know what? Linux has the poorest quality, least tested, highest crashing software of any of those.

    Are the others 100% perfect? Of course not - I've seen my share of blue screens, Oopses, and core dumps - but of all those environments, Linux is *the worst*.
  • No Notification (Score:3, Insightful)

    by Goo.cc ( 687626 ) * on Saturday November 29, 2003 @10:56AM (#7587201)
    "The part about this story that gets to me is that the researcher didn't alert Microsoft before posting to a public mailing list."

    There is no requirement to notify Microsoft, nor should there be. I want to know about this kind of stuff as soon as possible. In my opinion, it is not for Microsoft to determine when I know that my computer has a security problem.

    Besides, this kind of thing should show if Microsoft's boasting about response time to security vulnerabilities is the truth or just plain old anti-open source FUD.
  • by curious.corn ( 167387 ) on Saturday November 29, 2003 @10:59AM (#7587222)
    Real programmers don't need to regression test the whole world for a simple bug: they fix the broken method, recompile and repackage. Real programmers design clean APIs and classes where the public methods don't need to change to fix a silly bug. On the other hand if the security fix requires breaking class compatibility then it's not a bug, it's a poor design failure...
  • by Error27 ( 100234 ) <error27 AT gmail DOT com> on Saturday November 29, 2003 @11:00AM (#7587227) Homepage Journal
    Please list one problem someone has had because of a Mozilla security fix.

  • by chrysalis ( 50680 ) * on Saturday November 29, 2003 @11:00AM (#7587231) Homepage
    I don't understand the "forced to use Microsoft products" part.

    Even when you need to work on Windows, why should you be _forced_ to use Internet Exploder?
    Mozilla is the first thing I always install on Windows.

    There are organizations where people are indeed forced to use a fixed set of software. In this case, if there's a security hole, the responsibility belongs to the sysadmin who forced people to use broken and out of date software.

  • by Xpilot ( 117961 ) on Saturday November 29, 2003 @11:00AM (#7587232) Homepage
    It's bad that enough nerdy Microsoft Windows users must endure the incessant rudeness of Linux users to get their 'news that matters' on Slashdot. But for CowBoy Neal to permit a discussion topic that implies we are slaves to Microsoft is just plain offensive. Did you ever once consider we might feel liberated to use Microsoft products? It's like looking out into the ocean, seeing a swarm of sharks feeding in the surf, and then choosing to paddle out to ride the waves. It's an adrenaline rush.

    Why do you come here then? There are other places where you can get your tech news you know. Slashdot has a rather vicious anti-Windows slant to it, and doesn't apologize for it. If that bothers you, go elsewhere. Personally, I love it here for the exact same reason you hate it. I'm surrounded by idiotic Microsoft apologists in real life, so this is one place I can be comfortable.

  • by AtomicBomb ( 173897 ) on Saturday November 29, 2003 @11:00AM (#7587233) Homepage
    It is pretty pathetic to deal with some big software company like Microsoft when reporting bugs... There is no simple way. A friend of mine did some scripting and discovered an obscured w2k bug (no big deal just causing yet another blue screen) by pure chance. He did some detective work and nailed down to the exact condition that triggers the problem. Since we are not doing security or serious low level programming, we don't have links with any relevant person in MS. When contacting the local MS office (we are in a small country, btw), the guy on the other end of the phone had no clue and put us thru technical support. Read: demanding $$$.

    At the end, we did not bother. After a few more months, it was made public (not by my friend though). Nowadays, reporting MS bug becomes a dangerous manoeuvre... If MS is really serious about security and good quality software, they would put a contact on the front page and offer reward for anyone who spots a new major bug. Before then, I don't see why we need to be nice to MS.... They say they are capitalist. We should respect their value and don't do any free work for them...
  • Re:Forced? (Score:1, Insightful)

    by Anonymous Coward on Saturday November 29, 2003 @11:01AM (#7587236)
    Hey Neo, you must have taken the blue pill because the rest of us slaves don't see what you're seeing.

    When I bought my PC over 3 years ago, I didn't buy Windows with it. Impossible right? No, not if you look outside Dell, HP, Gateway and big vendors. It's very possible not to buy Windows then, and it's just as easy now.

    Just because you don't like that Dell packages Windows doesn't take away the fact that yes, people do choose Windows. It must be crushing to your Linux-loving heart, but average people do prefer it.

    And let's not forget Macs, which are plentifully available, for those who can shell out the extra cash for it.

    Slashbots- get over it. We use Windows because we want to. You people are living in a separate reality if you continue to believe otherwise.

  • by arkanes ( 521690 ) <<arkanes> <at> <gmail.com>> on Saturday November 29, 2003 @11:11AM (#7587282) Homepage
    Doesn't matter - MS claims a 24 hour response time. Let's see it happen.
  • by SoTuA ( 683507 ) on Saturday November 29, 2003 @11:13AM (#7587294)
    Just imagine how many lives would have been saved if people had been fully aware of the incompetent design of the Explorer and bought other cars instead.

    Truly. Makes one wonder if there are internal memos in M$ that warn of the possible mayhem in IE and are swept under the rug like the Explorer chassis problems in Ford motor...

    Oh, and for bonus points, both products are "Explorers" ;)

  • by Codifex Maximus ( 639 ) on Saturday November 29, 2003 @11:19AM (#7587324) Homepage
    so if they want us to let them know about problems then they should pay us for the information.

    If they want us to test their stuff then they should pay us to do it; rather than charging us for the privilege of testing their stuff.
  • by tomstdenis ( 446163 ) <tomstdenis@gma[ ]com ['il.' in gap]> on Saturday November 29, 2003 @11:40AM (#7587437) Homepage
    Let me guess. You're not a "real programmer"?

    If you don't re-test your product before releasing [even with the smallest change] then you poorly understand the software engineering principles that would have been taught to you in a decent higher education school.

    Most stable products have test scripts at the very least [like perl or even bzip2 for that matter!] that run as a natural part of the build process.

    You can't just change a line, rebuild and send it out and then not expect to see many "oopses" in your future.

    Tom
  • Re:Forced? (Score:1, Insightful)

    by Anonymous Coward on Saturday November 29, 2003 @11:54AM (#7587495)
    I know that many users of Windows are forced to use it, but you can't make a blanket statement like that, saying that every single user of Windows was grabbed by the balls and forced into it. I built my current computer from parts, to save money and get what I want in a computer instead of what Dell thinks I want. I did not buy an operating system with it. When it came time to install the OS, I had a few different choices: Windows XP, Gentoo, Redhat, and Mandrake, all of which I had CDs of sitting in my cd rack, ready to be installed. While I do like Linux a lot, I like Windows more, so I installed it. I chose to install it out of my own free will (as hard as that may be to believe). Once I had XP up and running, I installed Gentoo on my second hard drive, because I do like having a choice, but I also choose to use XP 95% of the time I'm on my computer. You may say "you only like Windows more because you were forced to learn it, now that knowledge gives you the illusion of liking it for technical reasons," and you may be right. But I don't care about that. XP does everything I want, and it's quite easy to secure it, just don't use IE/OE and have some sort of firewall. Aside from the security holes, XP is a very good OS. Mod me into oblivion all you want, I just had to say this.
  • by werdna ( 39029 ) on Saturday November 29, 2003 @12:03PM (#7587531) Journal
    The part about this story that gets to me is that the researcher didn't alert Microsoft before posting to a public mailing list.

    Truth. But here's the problem. Microsoft's reputation for responsiveness (that is, not!) and collegiality (that is, not!) in these situations is awful. Nor does Microsoft treat those who report such problems with any degree of warmth. Having established its Chinese wall as it has, Microsoft has lost its standing to whine about non-collegiality of the world it has created.

    This is the entire point about open systems, or at least openness about security -- it leverages what happens out there. Frankly, I feel more secure knowing what are the leaks, whether they are addressed or not, than I do knowing there are secret leaks out there for someone to exploit without my knowledge.

    If Microsoft had a reputation: (i) for assuring that a report of a leak would be responsibly handled and escalated promptly and without agonizing pain on the part of the reporter -- who is doing Microsoft a favor; and (ii) for responsibly, promptly and professionally addressing the problem, I would feel much more sympathetic.

    The problem is that they don't. Maybe they will change as they said they would. But until they do, I'd rather hear the news in time to know for what I have to watch out than to have it buried while others who have discovered the leak exploit it.

    Here's the thing, it is highly unlikely that any leak that is discovered by me was discovered only by me. Others, less responsible than I, will discover a leak, find the exploit, and either keep it in their "bag of tricks," trade it or what have you. In any case, if I find it, the exploit is likely out there in someone else's hands. I'd rather know the problem than wait for the solution.

    Yes, the kiddies are more likely to play if it is readily "out there." But guys, that happens anyway, one way or the other. Besides, Microsoft seems far more responsive to public leaks than private ones -- maybe this kind of report is more likely to assure that the bug will be repaired than otherwise.

    And you spend much less time on hold . . .
  • Re:No Exploit, eh? (Score:3, Insightful)

    by Minna Kirai ( 624281 ) on Saturday November 29, 2003 @12:16PM (#7587592)
    As of yesterday, an exploit for these security holes has been available.

    The statement "There aren't any attacks on IE yet" doesn't mean there are no exploits, just that no one is using exploits (attacking).
  • Re:And, if not... (Score:2, Insightful)

    by kirun ( 658684 ) on Saturday November 29, 2003 @12:17PM (#7587598) Homepage Journal
    If you take all your services offline every time a vulnerability is disclosed, isn't that doing the cracker's job for them?
  • by arevos ( 659374 ) on Saturday November 29, 2003 @12:22PM (#7587628) Homepage
    I think you've misunderstood the parent post. It seemed to me as if he was claiming that there's no need to test the whole software and all software it may affect, if it's coded right. Ideally, all you'd need to do is run the unit tests over the affected class, module, or whatever. I'd probably run a test over the software as a whole just to check, but I shouldn't need to (in theory!).

    Problem with Microsoft fixes is that they sometimes break other things. That's what the parent was complaining about. A patch should not only not break any other software, but it shouldn't be possible to break other software. "Real programmers don't need to regression test the whole world for a simple bug". He's not talking about dumping testing, just commenting that the fact Microsoft patches break things points to a rather bad API.

    Of course, saying Microsoft products have a bad API is rather like commenting that the sky is blue. They make money off their bad APIs. The more obscure their code and document formats are, the more difficult they are to clone. Microsoft doesn't want to be supplanted in the same way they supplanted Lotus 1 2 3 with Excel.
  • by NortWind ( 575520 ) on Saturday November 29, 2003 @12:26PM (#7587647)

    Microsoft has released service packs that kill people's applications, so much so that they have had to remove the service pack and put in a different one to patch the broken patch. Even Microsoft can't check the way everything works with everything.

    The big difference is that with open software, you can patch it yourself, or hire somebody to patch it for you. With MS, you can't patch it, and unless it affects enough people, you can't get MS to patch it either.

  • by Minna Kirai ( 624281 ) on Saturday November 29, 2003 @12:31PM (#7587675)
    A critical bug in Konqueror and all of KDE becomes useless.

    This gets back to the terms sproketboy used: no "commingling" in a "properly written application".

    I won't go into a 10-page lecture on software engineering. But just because an application is depended on by any others doesn't mean they're commingled, or improperly written. A good component app will have a limited number of interfaces to the rest of the system (on the order of 10-200, and hopefully towards the low side).

    Testing the program's correctness on those interfaces gives you a high trust that it'll work correctly in the larger system.

    Microsoft(tm) IE(r) isn't like that. It doesn't have defined interfaces to the rest of the system. It's not an application which runs on the OS kernel and talks with other apps. Its source code is intermixed with much of the rest of the Windows OS. Testing every interface isn't enough to show that a new version is working right... you'd have to go through every line of code and see how it might possibly perturb Windows itself.

    Compared to component-interface testing, that's a prohibitively lengthy task; a combinatorial explosion of places to check.

    no Kate working no editors

    Again, Kate is one component, and testing that component's agreement with each of its public interfaces should be enough to verify there are no critical bugs. That only works if the components are well-separated enough. But separation leads to slowness, and Microsoft wants to be fast.
  • Re:No Exploit, eh? (Score:5, Insightful)

    by djdavetrouble ( 442175 ) on Saturday November 29, 2003 @12:37PM (#7587695) Homepage
    Truly. Also, if there is exploit code, someone is using it, just maybe not as part of a trojan or virus yet. Patch or no patch, you can bet that there will be an exploit being used in the wild within a matter of hours or a day at the maximum. The latest trojan/worm/virii are programs that deliver huge amounts of machines to spammers and hackers to become part of their DOS botnets or spamnets, with built in backdoors, etc. Were you on irc the day that the mirc xdcc flaw was discovered? I received no less than 30 malformed xdcc requests that day. Discovery of a new flaw is like free candy to script kidz. Twice the 0wned machines, half the hacking.

  • Bug? (Score:3, Insightful)

    by ZxCv ( 6138 ) * on Saturday November 29, 2003 @12:47PM (#7587743) Homepage
    .... then it's not a bug, it's a poor design failure...

    Which, to the end user, is the exact same thing.
  • What gets to me (Score:4, Insightful)

    by remmy1978 ( 307916 ) on Saturday November 29, 2003 @12:52PM (#7587761) Homepage
    The part about this story that gets to me is that the researcher didn't alert Microsoft before posting to a public mailing list.

    The part about this story that gets to me is that a single person finds 7 (!) holes/exploits by himself. Makes one wonder just how many things are left open simply because no one has looked at them yet. Scary.
  • by Anonymous Coward on Saturday November 29, 2003 @01:03PM (#7587803)
    I don't suppose you have any links to prove this, do you?
  • Re:ROFL!!! (Score:3, Insightful)

    by curious.corn ( 167387 ) on Saturday November 29, 2003 @01:38PM (#7587971)
    I'll agree to all your GUI counterclaims: X11 was quite deadish in the old days when Windows NT4 was "the" corporate platform and linux hummed in new 486 running the initial http:// rollout. So it was and still is a bunch of sedimented un-coordinated APIs... right... true... remember, it was on the verge of abandonware... The rest? Hmm, when that stuff got developed in the first place MS was what? 3.11? DOS? Didn't even exist? Now to NFS3? Come on, when the standard was written the US called cryptoAPIs "ammunition"... you couldn't put "mandatory" tags on ammunition! Even MS had to break, cripple, unsecure, bug their domain stuff to make it exportable (I'm not sure that's the only reason but...) So NFS security became optional and developers wouldn't build anything that was patent laden would they? Sendmail... that's like firing at the Red Cross... why don't you mention Postfix ;-) ?
    My point anyway is that the parent says MS has to regress the whole damn caboodle for a couple of bugs so it's not their fault if it takes time. I challenge that: if they had done a half decent job there'd be no reason to check the whole OS for a couple of broken private methods in a web browser component class. That they should do that is a design failure... they might as well have written the whole thing in one big statically linked C executable.
  • by Locutus ( 9039 ) on Saturday November 29, 2003 @03:12PM (#7588435)
    Mod the parent up. This one hits the nail on the head and is the heart of what's wrong with MS Windows and right with Linux. What Microsoft claims as integration is done in a way which brings the whole house down when one small part fails. The co-mingling of applications with the OS. Legal documentation even showed that this was originally done for anti-competitive reasons and now is being presented as the latest half-baked why MS Windows is supposedly better than Linux. This is not the design methodology used in the *nix world.

    This is also something to watch out for when developers try to mimic the Microsoft Windows system while making Linux more and more user friendly.

    IMHO

    LoB
  • by Catskul ( 323619 ) * on Saturday November 29, 2003 @03:22PM (#7588486) Homepage
    People are stupid... it's proven every couple seconds.
  • by chromatic ( 9471 ) on Saturday November 29, 2003 @03:28PM (#7588509) Homepage

    I think that's much too simple an explanation, for at least two reasons.

    First, the source code is available for Mozilla. I would think it easier to find security holes by reading the source code than by randomly sending input to a binary. (Of course, I know how to read code and I've never tried to exploit a binary.)

    Second, Apache, for example, is used far more often than IIS and it has far fewer exploits.

    The argument that popularity is the primary determinant of exploitage seems to ignore the possibility that some software is more secure than other software. That's a big elephant to ignore.

  • by mentin ( 202456 ) on Saturday November 29, 2003 @04:01PM (#7588670)
    This is not the design methodology used in the *nix world.

    Code reuse is code reuse, whether it is Windows, Unix, or any other OS/app. Modern programmers are taught to do code reuse, and saying "This is not the design methodology used in the *nix world" is plain stupid.

    When gzip security hole was discovered, it hit hundreds of Unix applications, because they reused the code from this library. Is the "design methodology" any different?

    The gzip bug demonstrated that it sometimes can even be worse on *nix, due to source code copying instead of shared libs, so that the bug had to be fixed in multiple places.

    By the way, Netscape was / Mozilla is actively trying to make itself a platform for writing applications using its XPCOM/XUL and other technologies. It is not very successful so far, but when it will, its bugs and patches will hit lots of independent applications, just like bugs/patches in IE do now.

  • To be fair (Score:4, Insightful)

    by fudgefactor7 ( 581449 ) on Saturday November 29, 2003 @04:34PM (#7588837)
    I think we need a uniformly accepted timeline for public announcement of exploits. I envision something like this:
    (1) Upon discovery a possible exploit should be verified by at least one other researcher;

    (2) The exploit, once verified, is reported to the appropriate vendor (in this case MS);
    (3) The vendor has 7 business days to reply to the original notice, indicating receipt of the vulnerability and the status of the vulnerability (if any). Failure to reply indicates that the vendor thinks the vulnerability isn't a problem and it is assumed ignored;
    (4) After the reply is generated the vendor is given 21 business days to produce an interim patch. If no reply is generated by the vendor the vulnerability may be publicly published 3 days later;
    (5) If no patch is available 21 days later after reply is generated the vulnerability may be publicly published immediately.
    Now if only people used something like that instead of going for the throat and trying to be "leet" and cool--some of this is just ego-pumping: Hey man, look at me, I found a flaw in MS' stuff! I'm so kewl...
  • forced? (Score:2, Insightful)

    by Anonymous Coward on Saturday November 29, 2003 @05:20PM (#7589045)
    Who is forced to use IE? This is not a 'vertical application'; there are free and non-free browsers that work much better than IE: they are much more secure and with options like tabbed browsing and pop-ups blocking.

    If people are concerned about security, they should change. If administrators are concerned about security, they should (at least) advise their users to change. I don't think we should blame that researcher for his discovery. I think users should be aware of these things.
  • by RzUpAnmsCwrds ( 262647 ) on Saturday November 29, 2003 @06:12PM (#7589338)
    "Invalid ContentType may disclose cache directory"
    My Classification: Minor
    This isn't all that serious. The major threat is that a hacker could get your cache directory. The downloaded web page runs as part of the "internet" zone, meaning that there is no privilege elevation (IE has a zone system to give different pages different privileges).

    "LocalZoneInCache"
    Moderate/Severe
    This is more serious. It allows an attacker to modify files on the system or worse. Note that this *is not* the same as a root exploit, but it could be as damaging as running an executable. Note that the user *does* have to choose "open" in the download dialog, but they are not warned about the security risks and may not consider them as the file extension is ".htm".

    "MHTML Redirection Leads to Downloading EXE and Executing - Remote Compromise(requiring MYCOMPUTER zone)"
    Moderate
    This is somewhat less severe. It allows an attacker to download and execute an executable, but only if the user has already downloaded the page, saved it to disk, and executed it. The user might assume (incorrectly) that the file is safe.

    "MHTML Redirection leads to local file parsing in INTERNET zone"
    Severe (If an issue)
    I was not able to reproduce results with this vulnerability (IE6 SP1). Please comment if you can reproduce it. If it is indeed true, it would allow an attacker to parse the contents of a local file. They would need the absolute path. This could be used to discover potentially private information.

    "HijackClickV2 - Adding a Link to Favoriate List(requiring clicking a link)"
    Minor
    This would allow an attacker to add their site to favorites. The user would have to click a link and would have to release their mouse button over the favorites list (which is placed under their cursor after clicking the link).

    "execdror6"
    Severe (if issue)
    I was not able to reproduce results with this vulnerability (IE6 SP1). Please comment if you can reproduce it. If it is indeed true, it would allow an attacker to run an executable on the user's system. The user would have to click "open" on an HTML file download. Security warnings would not be displayed.

    "BackToFramedJpu - Cross-zone scripting(requiring a subframe in victim page)"
    Moderate
    This could allow an attacker to execute code in another security zone. It could potentially be used to execute code in the "my computer" zone if the attacker knows the location of a local page with frames.

    I'll comment on the rest later.
  • by Grizzlysmit ( 580824 ) on Saturday November 29, 2003 @07:40PM (#7589758)
    This is not the design methodology used in the *nix world.
    Code reuse is code reuse, whether it is Windows, Unix, or any other OS/app. Modern programmers are taught to do code reuse, and saying "This is not the design methodology used in the *nix world" is plain stupid.

    Hmmm, who modded this troll up as Interesting? OK, I'll pretend this is not a troll, and answer: what M$ has done with bimbo's and IE is not just code reuse. They have not just used some of the same libraries again, they have tightly coupled them together, so that they cannot easily be separated. Parts of windows code was put into the IE libraries, where it doesn't belong, in order to legitimise their claim that the two are so-called integrated; butchered would be a better term. This is why all of a sudden installing IE, even without the "IE desktop", changed your system libraries. In addition, in order to further the same goals or out of sheer incompetence, M$ have hooked the two together via global variables and functions to the point where the one cannot exist without the other. This is not code reuse, this is bad design, and in fact the opposite of structured programming, which is the basis of real code reuse.

    When gzip security hole was discovered, it hit hundreds of Unix applications, because they reused the code from this library. Is the "design methodology" any different?

    The gzip bug demonstrated that it sometimes can even be worse on *nix, due to source code copying instead of shared libs, so that the bug had to be fixed in multiple places.

    You really don't know the first thing about coding, do you? When you use a library you do not cut and paste the code into your own, you use their functions and stuff, so all that had to happen with gzip was they fixed the library. Then if another project was statically linked to the library it would have had to be relinked to the new library, but as the majority of code is dynamically linked these days, most programs would only need you to update the dynamic library on your system, and voilà, all programs using the library are fixed next time you run them.

    just a hint: don't lambaste an other person for ignorance in an area you don't have a clue about, some of us make our living programming seeing you make unkind comments to someone else just for being right pisses us off.
  • by mentin ( 202456 ) on Saturday November 29, 2003 @08:35PM (#7590008)
    You really don't know the first thing about coding do you, when you use a library you do not cut and paste the code into your own, you use their functions and stuff

    And you don't know anything about gzip vulnerability and instead generalize your ideas of how it should be to how it is actually done.

    Lots of applications were using customized version of gzip, e.g. Linux kernel used a trimmed down version of gzip. They could not be simply recompiled with new library - the bug had to be fixed in every copy of the source code - yet, it was code reuse via copy/paste as much as it could possibly be. Too few applications used shared library, so even those applications that used standard gzip had to be rebuilt with new static library.

    And if *nix world moves to using shared libraries more, it will face the same problem Microsoft has - a single security fix in a single shared library can potentially break any of hundred applications that use this library, and all these applications have to be tested with patched version. Which is still better than patching hundred applications independently.
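
The split argued over in the gzip comments above (code copied or statically linked into each program versus one shared library), as an added example that is not part of the original thread: a triage script that sorts binaries into "needs its own rebuild" and "fixed by one library update". It assumes the compression code leaves a zlib-style `deflate X.Y.Z Copyright` banner in the binary, as zlib does; the function names, version numbers and sample byte strings are constructed for illustration.

```python
import re

# zlib compiles a banner like " deflate 1.2.11 Copyright 1995-2017 ..." into any
# binary that carries its code, whether statically linked or pasted into the tree.
BANNER = re.compile(rb"(?:deflate|inflate) (\d+(?:\.\d+){1,3}) Copyright")
# A dynamically linked ELF only names the shared object it needs.
SHARED = re.compile(rb"libz\.so(?:\.\d+)*")

def version_key(text):
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (4 - len(parts)))

def classify(blob, fixed_version):
    """Return (linkage, embedded_versions, needs_rebuild) for one binary image."""
    found = {m.group(1).decode() for m in BANNER.finditer(blob)}
    embedded = sorted(found, key=version_key)
    if embedded:
        stale = any(version_key(v) < version_key(fixed_version) for v in embedded)
        return ("embedded", embedded, stale)
    if SHARED.search(blob):
        return ("shared", [], False)
    return ("none", [], False)

def triage(images, fixed_version):
    """Split binaries into those fixed by one library update and those needing a rebuild."""
    report = {"rebuild": [], "library_update": [], "ok": []}
    for name, blob in sorted(images.items()):
        linkage, _, stale = classify(blob, fixed_version)
        if stale:
            report["rebuild"].append(name)
        elif linkage == "shared":
            report["library_update"].append(name)
        else:
            report["ok"].append(name)
    return report

# Constructed byte strings standing in for binaries; versions are made up.
SAMPLES = {
    "static_tool": b"\x7fELF\x00 deflate 2.0.0 Copyright 1995-1998 Example \x00",
    "patched_static": b"\x7fELF\x00 inflate 2.0.1 Copyright 1995-1998 Example \x00",
    "dynamic_tool": b"\x7fELF\x00libz.so.1\x00deflateInit_\x00",
    "unrelated": b"\x7fELF\x00libc.so.6\x00",
}

if __name__ == "__main__":
    for bucket, names in triage(SAMPLES, "2.0.1").items():
        print(bucket, names)
```

A trimmed-down copy with the banner removed will not be found this way, so a clean result here does not rule out embedded code; those copies need source-level review or code-signature matching.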
