Open Source Firm Releases Patch for IE Bug [UPDATED] 544
An anonymous reader writes "An open source and freeware software development web site has released a patch to fix the URL spoofing vulnerability in Internet Explorer, which can be exploited by scammers who try to trick people into revealing details of online banking accounts or other private information." Naturally, the source for the patch is available as well. Update: 12/19 15:06 GMT by M : Sadly, the patch appears to contain a buffer overflow and some possibly-malicious code - see an analysis and news story, and this comment which suggests the patch author is trying to figure out who is taking advantage of the original vulnerability. Caveat patcher.
Comment removed (Score:5, Insightful)
well done (Score:4, Insightful)
help plx k thx (Score:0, Insightful)
i dont know what to do. my pee pee felt good in her hooha but how do i not make a mess? and why am i going to burn in hellfire for forever and ever and ever, amen?. jeses knows i didnt try to be a bad filthy little boy and make a mess and deserve a whupping, right? please help me because she said my soldjer needs to get warm again. i think that is true but i dont want to be a filthy evil little boy and have hellfire.
I already got the patch (Score:2, Insightful)
And this matters why? (Score:5, Insightful)
the people that would likely be fooled by this haven't heard of mozilla and haven't heard of open source and will not hear of this patch.
so this patch is pointless
(cool that it can be done though)
Seriously. (Score:0, Insightful)
How? (Score:5, Insightful)
By violating the EULA by disassembling IE?
Lovely. I want Bill Gates poking around my sock drawer because I installed an unauthorized patch...
Can we really trust this patch? (Score:4, Insightful)
A third party releasing a patch to a browser. How safe is this?
Yes the source code is there, but how do we know the executable doesn't have crap in there?
Even if everything is clean now, how about the next patch from another source?
(Not even saying anything about testing and how it can break something. They don't even have the source code of the original product.)
Re:Seriously. (Score:5, Insightful)
Will this violate the EULA? (Score:4, Insightful)
Use Mozilla Firebird (Score:1, Insightful)
Use Mozilla Firebird
Re:Acceptance? (Score:5, Insightful)
My US$0.02, unadjusted for inflation of course.
bad idea (Score:1, Insightful)
people voluntarily patching M$ products will lessen the pressure on M$ to write code with fewer bugs in the first place. Also without knowing the source code, reverse engineering the program and writing patches is risky at best: who knows what this patch might break after extensive testing.
Also: when (and if) M$ actually releases a *real* patch for the problem, how will that work with this open source patch?
Microsoft. Where did you want to go yesterday? (Score:3, Insightful)
I can tell you this: It doesn't surprise me that Microsoft isn't doing its job properly. It's a software company. It should produce a reliable product. But instead, it produces trouble.
Further, it doesn't surprise me that the open source community is fighting back, so to speak, by fixing this particular problem. I think that as time goes by, more patches for commercial software will be released by independant programmers in the open source community, because of frustration with the inability to get satisfaction from the "real" producer of the software.
I only hope that Microsoft won't pull some stupid DMCA bullshit to stop this. "Yeah, your honor, we believe it is detrimental to the best interests of our customers when bugs in our software are fixed. It should, instead, be illegal to discuss, fix, or exploit these bugs in any way, unless one is a member of the underground h4x0r community, in which case, exploiting the bugs is perfectly ok." (We all know Bill Gates is the leader of all these movements to steal credit card numbers through exploits in his own code. That's how he earned his zillions of dollars. Nobody actually buys stuff from Microsoft, you know.
Re:And this matters why? (Score:5, Insightful)
(cool that it can be done though)
Ah, but my good Mr. Coward, far from being pointless, the patch puts Microsoft in a delicious conundrum! Either accept and distribute an open source patch (thereby publicly validating the open source model), or ignore the patch and get sued by customers, because a patch existed that they did not publicize.
ps. Are you related to Noel Coward? Send my regards.
Re:Seriously. (Score:5, Insightful)
--Atlantix
Comment removed (Score:3, Insightful)
FWIW... (Score:4, Insightful)
Domain ID:D98313967-LROR
Domain Name:OPENWARES.ORG
Created On:03-Jul-2003 22:49:55 UTC
Last Updated On:02-Sep-2003 03:58:23 UTC
Expiration Date:03-Jul-2004 22:49:55 UTC
Sponsoring Registrar:R14-LROR
Status:OK
Registrant ID:WBMRD
Registrant Name:ori rejwan
Registrant Street1:52 Herbert Samuel St.
Registrant City:Tel Aviv
Registrant State/Province:NA
Registrant Postal Code:63304
Registrant Country:IL
Registrant Phone:+1.97250314892
Registrant Email:orejwan@yahoo.com
Admin ID:WBMRD
Admin Name:ori rejwan
Admin Street1:52 Herbert Samuel St.
Admin City:Tel Aviv
Admin State/Province:NA
Admin Postal Code:63304
Admin Country:IL
Admin Phone:+1.97250314892
Admin Email:orejwan@yahoo.com
Tech ID:AD384-ORG
Tech Name:Mohammed Zarqa
Tech Organization:Tri State Contracting
Tech Street1:POBox 455
Tech City:East Brunswick
Tech State/Province:NJ
Tech Postal Code:08816
Tech Country:US
Tech Phone:+1.7322383766
Tech Email:mzarqa@aol.com
Name Server:NS2.ABAC.COM
Name Server:NS1.ABAC.COM
It's up to you to decide whether you trust them or not.
Re:Can we really trust this patch? (Score:4, Insightful)
--Atlantix
Comment removed (Score:5, Insightful)
Are you an accountant? (Score:3, Insightful)
Being open is not for your benefit because you have any clue how things work. Being open allows objective 3rd parties who have a clue to give an opinion on the matter so that the clueless masses (though shrinking everyday) can make a decent decision. To benefit to you is indirect, but it is a real tangible benefit, nonetheless.
Now, objectivity and expertise to you might simply be synonymous with "MS," but if the financial market were that naive I doubt we would have ever recovered from the great depression . .
Hope my reality wasn't too harsh for your bubble.
Proxy: Better Solution? (Score:2, Insightful)
It would be more efficient, safer, and simpler (no need to do any patching) to implement a similar solution using a proxy like Privoxy. The proxy (installed on your local machine or LAN) would then be used to intercept the badly-formated URL, and replace it with its own locally generated warning page (again, similar to Privoxy).
I think Privoxy is OSS. Maybe someone could whip something up.
I wouldn't call this a patch... (Score:5, Insightful)
If it finds anything out of the ordinary (like an exploit) it just redirects IE to their own site. Specifically to http://www.openwares.org/cgi-bin/exploit.cgi. It adds a few paramters (the fake url among other), so I guess they will be building a database of exploiters...
It's no patch, IE stays as it is. It's more a workaround. I'm not sure whether these hooks are documented (allthough being a windows system programmer I never liked IE and stayed as far away from it as possible), but if yes, Microsoft might actually have nothing on openwaves...
Re:No Trusted Computing logo on patch? (Score:2, Insightful)
Re:How were they able to make such a patch... (Score:1, Insightful)
I don't know why you're worried, Google is already tracking everywhere you go.
The time problem has nothing to do with the patch (Score:5, Insightful)
Re:And this matters why? (Score:3, Insightful)
the "patch" simply redirects all URLS to the organization's own server, where they attempt to verify that they are authentic.
This is spyware, and you got fooled into cheering for it!
Crappy Patch (Score:2, Insightful)
Re:How were they able to make such a patch... (Score:3, Insightful)
While I dont think any reverse engineering took place here, I dont think it would be illegal.
EULAS are not contracts, you did not sign anything and EULAS cannot override the laws of that country. If reverse engineering is legal, then no amount of draconian wording or clicking on "I Agree" can change that. So if the EULA prohibits me from backing up my copy of Windows (as an example), yet the copyright laws of the country (Canada, in my case) specifically permit me one backup copy, then I am allowed: 1 backup copy
Some types reverse engineering are prohibited. Like hacking copy protection (as it's covered by the lovely DMCA). But there are efforts to reverse engineer other MS products, like the MSWord format or NTFS and I dont think those are coming under fire. (MS might try to obfuscate or change the formats rapidly, but the very process of RE is not illegal)
IANALBISLTPOOT (I am not a lawyer but I'd sure like to play one on TV!)
Re:And this matters why? (Score:3, Insightful)
Wrap your self up in the "OpenSource" flag, add a dash of bashing MS and instant approval form mindless hordes. Get your code installed and leave OpenSource with a black mark.
Re:I already got the patch (Score:2, Insightful)
Re:The time problem has nothing to do with the pat (Score:3, Insightful)
If Microsoft employed better software design, IE wouldn't be entangled with the whole OS, and their testing workload wouldn't need to be so extensive.
I know damn well they haven't tested this as much as a corporation supporting 90% of the world's browser users would
Several times, 3rd party volunteers have demonstrated the ability to test Microsoft's software more thoroughly than the publisher ever did. (Server software though, which can be easily tested by software, not the browser)
Re:Do Not Use It-It's Got a Huge Vulnerability Its (Score:5, Insightful)
Re:The time problem has nothing to do with the pat (Score:3, Insightful)
Re:The time problem has nothing to do with the pat (Score:3, Insightful)
Even if IE wasn't entangled in the OS, there's still a shitload of testing to do. Also, MS TRIES to make sure that their patches don't break 3rd party apps. How many other companies do you know that do that? I'm not saying they always succeed at that, but they try, since it is in their own best interest. They don't need the whole world thinking their patch sucks because it broke some spyware/hotbar/whatever else IE add-in.
Several times, 3rd party volunteers have demonstrated the ability to test Microsoft's software more thoroughly than the publisher ever did. (Server software though, which can be easily tested by software, not the browser)
Yes, any one with an axe to grind with MS can spend the majority of their adult life testing MS software in order to break it and find flaws. In fact, many security companies make their living doing this. However, MS is a business. A business that likes money. As everyone knows, time is money, and if MS thinks it has put enough time into testing, it will release the patch, perhaps a bit prematurely. It happens. Hell, for all we know, MS may wait for someone else to find the bugs so that they don't waste time and money on it! It's unlikely, but it would be smart business. Also, if you are suggesting that software testing would catch all the problems, you'd be mistaken. Who is to say the software checking the software doesn't have a few bits loose? Adding to that, it is impossible (in hardware, software, or otherwise) to predict every interaction code will have due to all of the 3rd party apps out there.
Re:The time problem has nothing to do with the pat (Score:2, Insightful)
-Steve
Re:Deee-licious (Score:1, Insightful)
Dangerous (Score:3, Insightful)
FOR THE LOVE OF GOD/ALLAH/BUDHA DONT USE strcpy()/strcat()/gets() !!!
These functions ought to be made illegal. This is why buffer overflows exist, because amateur coders generally don't know what they're doing and because they dont grasp the security implications of design decisions. Be warned, users[ESC]bcwidiots herd together.
-- Naive C programming will get you everywhere, it appears, even if you don't have a clue.
And if it were MS code (Score:4, Insightful)
Since it is open-source, however, somebody can fix that bug nice and quick before it becomes another problem (gee, imagine that).
Lack of foresite on the behalf of the patch developer is a bit disturbing, but not a bad reflection on OS code at all
Re:This doesn't actually fix the problem (Score:2, Insightful)
We all know about Djikstra and "Goto considered harmful". But do you know about Linus?
See the kerneltrap article [kerneltrap.org] for more detail on that. Since I program mostly in using exceptions, I haven't really formed an opinion on this yet.
cheers,
AdHoc
Re:How about this one .... (Score:5, Insightful)
Re:Microsoft. Where did you want to go yesterday? (Score:3, Insightful)
Re:Hey, morons (Score:4, Insightful)
The patch is open source. I don't even know if you are right in your statement but if you are, then download the source [openwares.org] and change the way it works! Or live in fear...
Re:Holy FuckBalls (Score:3, Insightful)
Uh... you may want to try and understand the code first, particular this conditional statement:
Only if that condition is matched -- the string contains bytes having the integer values 1, 2, or 218 -- do you get redirected to their server. Nice troll attempt though.
Re:Holy FuckBalls (Score:1, Insightful)
Why do they NEED to know which sites are trying to scam? Are they planning to go shut them all down?
They also make no direct reference on their main page that they are redirecting all invalid URLs to their own page. There is ALSO no proof that in a few weeks all those error codes will redirect the users to an ad served page/MSIE future bug trojan downloader site. Of course this is 99.9999% not the case. But it makes you wonder, do all of you REALLY trust a site you've never heard of to fix MSIE bugs?
Patch the patch ... (Score:3, Insightful)
IETrap.cpp [pobox.com]
Diffs [pobox.com]
So I've patched their patch, and violated their license agreement after they violated the Microsoft EULA. That makes me feel so recursive.
Re:And this matters why? (Score:4, Insightful)
Use MyIE2 0.9.11 (Score:3, Insightful)
Actually this is a patch (Score:3, Insightful)
I am against words getting a new meaning just because computers are involved. YES I am anal. Some of us need to be.
As for how this is done? Same way as all the IE plugins. All those bars you see and popup blockers? Same thing.
Stacks (Score:3, Insightful)
But I was wondering... buffer overflows are a problem because we have a descending stack - ie. as you add stuff, the stack pointer moves backwards through memory - so the return address and other data is always located just in front of any local data.
What is the reasoning behind the use of a descending stack? Is this a legacy from a hardware or software decision? Is there anything we would lose by having an ascending stack, which would make overflow exploits a lot more difficult? Anyone know?
Re:How were they able to make such a patch... (Score:2, Insightful)
Criminy, just can't please some people.