Internet Explorer The Internet Bug Security

Open Source Firm Releases Patch for IE Bug [UPDATED] 544

An anonymous reader writes "An open source and freeware software development web site has released a patch to fix the URL spoofing vulnerability in Internet Explorer, which can be exploited by scammers who try to trick people into revealing details of online banking accounts or other private information." Naturally, the source for the patch is available as well. Update: 12/19 15:06 GMT by M : Sadly, the patch appears to contain a buffer overflow and some possibly-malicious code - see an analysis and news story, and this comment which suggests the patch author is trying to figure out who is taking advantage of the original vulnerability. Caveat patcher.
  • Comment removed (Score:5, Insightful)

    by account_deleted ( 4530225 ) on Thursday December 18, 2003 @10:28PM (#7759927)
    Comment removed based on user account deletion
  • well done (Score:4, Insightful)

    by b4rB3li7h ( 687311 ) on Thursday December 18, 2003 @10:28PM (#7759933)
    trust OS people to fix what M$ can't find profit for!
  • by Anonymous Coward on Thursday December 18, 2003 @10:30PM (#7759948)
    It's called Mozilla/Firebird.
  • by Anonymous Coward on Thursday December 18, 2003 @10:31PM (#7759955)
    So, there is an open source patch for a browser that the people that would have heard of the patch wouldn't use, the /. readers ought to be using mozilla and they know it, if they aren't using mozilla they probably will not install the patch either.

    the people that would likely be fooled by this haven't heard of mozilla and haven't heard of open source and will not hear of this patch.

    so this patch is pointless
    (cool that it can be done though)
  • Seriously. (Score:0, Insightful)

    by Chess_the_cat ( 653159 ) on Thursday December 18, 2003 @10:31PM (#7759959) Homepage
    Why should I trust this? Yeah, the source code is available, that's great. I'm not a programmer so it's meaningless to me. Without the MS seal of approval I won't be installing this. It's so damn sketchy.
  • How? (Score:5, Insightful)

    by blair1q ( 305137 ) on Thursday December 18, 2003 @10:34PM (#7759983) Journal
    How do you patch closed source code?

    By violating the EULA by disassembling IE?

    Lovely. I want Bill Gates poking around my sock drawer because I installed an unauthorized patch...
  • by GoofyBoy ( 44399 ) on Thursday December 18, 2003 @10:35PM (#7759989) Journal

    A third party releasing a patch to a browser. How safe is this?

    Yes the source code is there, but how do we know the executable doesn't have crap in there?

    Even if everything is clean now, how about the next patch from another source?

    (Not even saying anything about testing and how it can break something. They don't even have the source code of the original product.)
  • Re:Seriously. (Score:5, Insightful)

    by 56uSquareWave ( 726317 ) on Thursday December 18, 2003 @10:35PM (#7759990)
    Ahem you cant see the source code of IE but you trust that? okay then
  • by jaxdahl ( 227487 ) on Thursday December 18, 2003 @10:36PM (#7759999)
    Does applying a third party patch violate the EULA for IE?
  • by Tuqui ( 96668 ) on Thursday December 18, 2003 @10:36PM (#7760000) Homepage
    A Better solution:
    Use Mozilla Firebird
  • Re:Acceptance? (Score:5, Insightful)

    by DavesWorld334 ( 714899 ) on Thursday December 18, 2003 @10:38PM (#7760019)
    Pretty sure this makes Microsoft look really inept. I mean, if the largest and richest software company in the world can't patch their own products before a group of volunteer coders can figure out a fix ... seems to me that makes M$ look like fools.

    My US$0.02, unadjusted for inflation of course.
  • bad idea (Score:1, Insightful)

    by ghettoreb ( 711310 ) on Thursday December 18, 2003 @10:38PM (#7760021) Homepage
    this is good in the short run, but bad in the long run

    people voluntarily patching M$ products will lessen the pressure on M$ to write code with fewer bugs in the first place. Also without knowing the source code, reverse engineering the program and writing patches is risky at best: who knows what this patch might break after extensive testing.

    Also: when (and if) M$ actually releases a *real* patch for the problem, how will that work with this open source patch?
  • by rice_burners_suck ( 243660 ) on Thursday December 18, 2003 @10:39PM (#7760024)
    Heh, count on the open source community to do Microsoft's job. What else do you expect?

    I can tell you this: It doesn't surprise me that Microsoft isn't doing its job properly. It's a software company. It should produce a reliable product. But instead, it produces trouble.

    Further, it doesn't surprise me that the open source community is fighting back, so to speak, by fixing this particular problem. I think that as time goes by, more patches for commercial software will be released by independent programmers in the open source community, because of frustration with the inability to get satisfaction from the "real" producer of the software.

    I only hope that Microsoft won't pull some stupid DMCA bullshit to stop this. "Yeah, your honor, we believe it is detrimental to the best interests of our customers when bugs in our software are fixed. It should, instead, be illegal to discuss, fix, or exploit these bugs in any way, unless one is a member of the underground h4x0r community, in which case, exploiting the bugs is perfectly ok." (We all know Bill Gates is the leader of all these movements to steal credit card numbers through exploits in his own code. That's how he earned his zillions of dollars. Nobody actually buys stuff from Microsoft, you know.

  • by s20451 ( 410424 ) on Thursday December 18, 2003 @10:41PM (#7760041) Journal
    so this patch is pointless
    (cool that it can be done though)


    Ah, but my good Mr. Coward, far from being pointless, the patch puts Microsoft in a delicious conundrum! Either accept and distribute an open source patch (thereby publicly validating the open source model), or ignore the patch and get sued by customers, because a patch existed that they did not publicize.

    ps. Are you related to Noel Coward? Send my regards.
  • Re:Seriously. (Score:5, Insightful)

    by Atlantix ( 209245 ) on Thursday December 18, 2003 @10:42PM (#7760050)
    Sounds like you're in a no-win situation. You won't install a patch without the MS seal of approval but the patch (allegedly) repairs a known flaw in a product that HAD the MS seal of approval. So that begs the question: What is the value of the MS seal of approval if they're wrong? You'll never be able to install anything!!!

    --Atlantix
  • Comment removed (Score:3, Insightful)

    by account_deleted ( 4530225 ) on Thursday December 18, 2003 @10:44PM (#7760065)
    Comment removed based on user account deletion
  • FWIW... (Score:4, Insightful)

    by NickFitz ( 5849 ) <slashdot.nickfitz@co@uk> on Thursday December 18, 2003 @10:47PM (#7760083) Homepage
    this is the whois record for that domain from whois.networksolutions.com:


    It's up to you to decide whether you trust them or not.
  • by Atlantix ( 209245 ) on Thursday December 18, 2003 @10:49PM (#7760096)
    Good questions. It's hard (maybe impossible) to know that an open source patch to a closed source product doesn't break something else. On the bright side, you can know the executable doesn't have extra crap. The point of releasing the source code is so anyone can compile it and verify it actually produces the executable.

    --Atlantix
  • Comment removed (Score:5, Insightful)

    by account_deleted ( 4530225 ) on Thursday December 18, 2003 @10:50PM (#7760107)
    Comment removed based on user account deletion
  • by Idou ( 572394 ) * on Thursday December 18, 2003 @10:55PM (#7760135) Journal
    I guess you don't invest in any stock then . . .

    Being open is not for your benefit because you have any clue how things work. Being open allows objective 3rd parties who have a clue to give an opinion on the matter so that the clueless masses (though shrinking every day) can make a decent decision. The benefit to you is indirect, but it is a real tangible benefit, nonetheless.

    Now, objectivity and expertise to you might simply be synonymous with "MS," but if the financial market were that naive I doubt we would have ever recovered from the great depression . . .

    Hope my reality wasn't too harsh for your bubble.
  • by molafson ( 716807 ) on Thursday December 18, 2003 @10:56PM (#7760140)
    This patch apparently intercepts the badly-formatted URL and then forwards you to patch maker's website.

    It would be more efficient, safer, and simpler (no need to do any patching) to implement a similar solution using a proxy like Privoxy. The proxy (installed on your local machine or LAN) would then be used to intercept the badly-formatted URL, and replace it with its own locally generated warning page (again, similar to Privoxy).

    I think Privoxy is OSS. Maybe someone could whip something up.
  • by goranb ( 209371 ) on Thursday December 18, 2003 @11:04PM (#7760201)
    Judging from the source it's a quite simple COM object, which hooks into IE and checks URLs before IE actually starts "processing" them (opening connections, parsing...)
    If it finds anything out of the ordinary (like an exploit) it just redirects IE to their own site. Specifically to http://www.openwares.org/cgi-bin/exploit.cgi. It adds a few parameters (the fake url among others), so I guess they will be building a database of exploiters...

    It's no patch, IE stays as it is. It's more a workaround. I'm not sure whether these hooks are documented (although being a windows system programmer I never liked IE and stayed as far away from it as possible), but if yes, Microsoft might actually have nothing on openwares...
  • by wangotango ( 711037 ) on Thursday December 18, 2003 @11:06PM (#7760217)
    Words cannot express how much I wouldn't apply this patch.
  • by Anonymous Coward on Thursday December 18, 2003 @11:10PM (#7760235)
    "I don't know about you, but I prefer that the URLs I go to not be sent to some random server out there. Isn't this basically the definition of spyware!? Also, what happens if their server goes down? Does that mean I'm unable to browse the web at all?"

    I don't know why you're worried, Google is already tracking everywhere you go.
  • by SonicBurst ( 546373 ) on Thursday December 18, 2003 @11:13PM (#7760253) Homepage
    The time it takes to patch the problem is minuscule compared to the regression testing done to make sure the patch fucks up as little as possible. They test EXTENSIVELY and even so you still get the occasional patch that interacts with other software in ways you can't predict and breaks something. It happens. Any code monkey could hack out a patch, but I know damn well they haven't tested this as much as a corporation supporting 90% of the world's browser users would. That's where the time is, so quit bitching about how long it takes to release a patch. Now, the time it takes to ACKNOWLEDGE a bug is a different story....
  • by rnd() ( 118781 ) on Thursday December 18, 2003 @11:13PM (#7760259) Homepage
    dear zealot:

    the "patch" simply redirects all URLS to the organization's own server, where they attempt to verify that they are authentic.

    This is spyware, and you got fooled into cheering for it!
  • Crappy Patch (Score:2, Insightful)

    by Nasarius ( 593729 ) on Thursday December 18, 2003 @11:26PM (#7760327)
    The concept is great, but as others have already mentioned, the implementation is godawful. It submits every URL to a CGI script on their website then redirects you based on whether or not the URL is valid. This is incredibly bad, because: 1) Who are these people? Can you trust them? How about when you type in a FTP/HTTP URL that has your username and password in it? 2) What happens when their server goes down? Your web browser doesn't work? Again...nice idea, but wow. You really couldn't think of any better way to do it? Go get Opera, or Mozilla if you want a free browser.
  • by meanfriend ( 704312 ) on Thursday December 18, 2003 @11:31PM (#7760349)
    Now, just as a quick check, isnt reverse engineering any M$ product against the EULA? I seriously expect a lawsuit about this.

    While I dont think any reverse engineering took place here, I dont think it would be illegal.

    EULAS are not contracts, you did not sign anything and EULAS cannot override the laws of that country. If reverse engineering is legal, then no amount of draconian wording or clicking on "I Agree" can change that. So if the EULA prohibits me from backing up my copy of Windows (as an example), yet the copyright laws of the country (Canada, in my case) specifically permit me one backup copy, then I am allowed: 1 backup copy

    Some types of reverse engineering are prohibited. Like hacking copy protection (as it's covered by the lovely DMCA). But there are efforts to reverse engineer other MS products, like the MSWord format or NTFS and I dont think those are coming under fire. (MS might try to obfuscate or change the formats rapidly, but the very process of RE is not illegal)

    IANALBISLTPOOT (I am not a lawyer but I'd sure like to play one on TV!)

  • by GoofyBoy ( 44399 ) on Thursday December 18, 2003 @11:33PM (#7760362) Journal
    If it is spyware, then it's a great piece of social engineering.

    Wrap yourself up in the "OpenSource" flag, add a dash of bashing MS and instant approval from mindless hordes. Get your code installed and leave OpenSource with a black mark.
  • by damiam ( 409504 ) on Thursday December 18, 2003 @11:41PM (#7760394)
    Firebird's partial vulnerability means nothing. An attacker can't spoof the location bar in any way. The only thing they can do is quasi-spoof the status bar (a junk character is shown, which ought to tip someone off). That's easy to do using Javascript in any browser. This "vulnerability" only affects people who surf with Javascript off, blindly trust their status bars, and never glance at their location bars.
  • by Minna Kirai ( 624281 ) on Thursday December 18, 2003 @11:54PM (#7760461)
    The time it takes to patch the problem is minuscule compared to the regression testing done to make sure the patch fucks up as little as possible.

    If Microsoft employed better software design, IE wouldn't be entangled with the whole OS, and their testing workload wouldn't need to be so extensive.

    I know damn well they haven't tested this as much as a corporation supporting 90% of the world's browser users would

    Several times, 3rd party volunteers have demonstrated the ability to test Microsoft's software more thoroughly than the publisher ever did. (Server software though, which can be easily tested by software, not the browser)
  • by DmitriA ( 199545 ) on Friday December 19, 2003 @12:02AM (#7760507)
    Well, this is hilarious. I guess I should never assume anything until I try it out myself. Apparently when WideCharToMultiByte() fails, it DOES overwrite your string until but presumably does not go over the specified bounds. So their code is still vulnerable to remote code execution since you can fill the dest[] array with the shellcode and a new return address that would point to it. You only have 256 bytes to work with (in reality even less, since they have some other stuff on the stack that you need to get over before you get to the return address), but if you are good with assembly, that should be enough to do some fun stuff... In comparison, Slammer was 306 bytes in size, but of course did quite a bit too...
  • by AntiOrganic ( 650691 ) on Friday December 19, 2003 @12:02AM (#7760508) Homepage
    If your software is so tangled in intertwined components that a patch for an issue this simple would conceivably break something elsewhere on your system, then your terrible product design is the concern, not the QA.
  • by SonicBurst ( 546373 ) on Friday December 19, 2003 @12:09AM (#7760591) Homepage
    If Microsoft employed better software design, IE wouldn't be entangled with the whole OS, and their testing workload wouldn't need to be so extensive

    Even if IE wasn't entangled in the OS, there's still a shitload of testing to do. Also, MS TRIES to make sure that their patches don't break 3rd party apps. How many other companies do you know that do that? I'm not saying they always succeed at that, but they try, since it is in their own best interest. They don't need the whole world thinking their patch sucks because it broke some spyware/hotbar/whatever else IE add-in.

    Several times, 3rd party volunteers have demonstrated the ability to test Microsoft's software more thoroughly than the publisher ever did. (Server software though, which can be easily tested by software, not the browser)

    Yes, any one with an axe to grind with MS can spend the majority of their adult life testing MS software in order to break it and find flaws. In fact, many security companies make their living doing this. However, MS is a business. A business that likes money. As everyone knows, time is money, and if MS thinks it has put enough time into testing, it will release the patch, perhaps a bit prematurely. It happens. Hell, for all we know, MS may wait for someone else to find the bugs so that they don't waste time and money on it! It's unlikely, but it would be smart business. Also, if you are suggesting that software testing would catch all the problems, you'd be mistaken. Who is to say the software checking the software doesn't have a few bits loose? Adding to that, it is impossible (in hardware, software, or otherwise) to predict every interaction code will have due to all of the 3rd party apps out there.
  • by LnxAddct ( 679316 ) <sgk25@drexel.edu> on Friday December 19, 2003 @12:21AM (#7760679)
    Umm...I don't know if you've ever done any patching, but usually you can tell by the broken code and the new code what areas to generally look at for incompatibilities. Most calls made shouldn't really be changed and the original code should be left untouched as much as possible. If so much of the code is a problem that you literally have to test the whole system, oh well thats sloppy coding and its their fault. On Debian, security patches are as much of the original code as possible and the rules on what can be changed in the code are fairly strict. Despite this, security patches are always released promptly and people can have the assurance that their systems will remain stable and won't be broken. MS doesn't really have an excuse. Hell, if they opened the code I'd do the patching for them. Just my 2 cents.
    -Steve
  • Re:Deee-licious (Score:1, Insightful)

    by Anonymous Coward on Friday December 19, 2003 @12:40AM (#7760821)
    I always thought it was a better choice for someone "FED UP with Windoz bugs" to use something else. If we ever want Linux to significantly cut into the MS dominance on the desktop, wouldn't it be prudent NOT to improve MS products? Not only did the firm open themselves up to some DMCA litigation, but they also played a little part in perpetuating the MS monopoly.
  • Dangerous (Score:3, Insightful)

    by SkewlD00d ( 314017 ) on Friday December 19, 2003 @12:43AM (#7760842)
    This patch uses strcpy()/strcat() and 256 char buffers instead of dynamic buffers and strncpy()/strncat() in IETray.cpp.

    FOR THE LOVE OF GOD/ALLAH/BUDHA DONT USE strcpy()/strcat()/gets() !!!

    These functions ought to be made illegal. This is why buffer overflows exist, because amateur coders generally don't know what they're doing and because they dont grasp the security implications of design decisions. Be warned, users[ESC]bcwidiots herd together.

    -- Naive C programming will get you everywhere, it appears, even if you don't have a clue.
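
The fixed-buffer pattern criticised in the comment above, next to a bounded form, as an added example that is not part of the thread and is not code from the patch. It uses `snprintf` rather than the `strncpy()`/`strncat()` the comment names, because `snprintf` reports truncation; the function names, the checker URL and the sample inputs are constructed for illustration, and the control-byte check generalises the byte 1 and byte 2 test discussed elsewhere in this thread.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define REPORT_BUF 256 /* fixed buffer size named in the comment above */

/* Pattern the comment criticises, kept for contrast only: nothing checks
 * that base + "?" + url fits, so a long url writes past the end of out[]. */
void build_report_unsafe(char out[REPORT_BUF], const char *base, const char *url)
{
    strcpy(out, base);
    strcat(out, "?");
    strcat(out, url);
}

/* Bounded form: snprintf writes at most outlen bytes (terminator included)
 * and returns the length it needed, so truncation can be detected.
 * Returns 0 on success, -1 if the result does not fit (out is then ""). */
int build_report_safe(char *out, size_t outlen, const char *base, const char *url)
{
    int n;

    if (out == NULL || outlen == 0 || base == NULL || url == NULL)
        return -1;
    n = snprintf(out, outlen, "%s?%s", base, url);
    if (n < 0 || (size_t)n >= outlen) {
        out[0] = '\0'; /* never hand a silently truncated URL to the caller */
        return -1;
    }
    return 0;
}

/* Returns 1 if any of the first len bytes of url is an ASCII control
 * character (below 0x20, or 0x7f). The length is explicit so that an
 * embedded NUL byte is inspected instead of ending the scan. */
int url_has_control_bytes(const char *url, size_t len)
{
    size_t i;

    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)url[i];
        if (c < 0x20 || c == 0x7f)
            return 1;
    }
    return 0;
}

/* Runs the constructed cases below and returns the number that failed. */
int run_constructed_cases(void)
{
    static const char base[] = "http://checker.example/report"; /* hypothetical */
    static const char plain[] = "http://a.example/";
    static const char odd[] = "http://bank.example\x01@other.example/"; /* constructed */
    char buf[REPORT_BUF];
    char longurl[4 * REPORT_BUF];
    int failures = 0;

    memset(longurl, 'A', sizeof longurl - 1);
    longurl[sizeof longurl - 1] = '\0';

    if (build_report_safe(buf, sizeof buf, base, plain) != 0)
        failures++;
    if (strcmp(buf, "http://checker.example/report?http://a.example/") != 0)
        failures++;
    if (build_report_safe(buf, sizeof buf, base, longurl) != -1)
        failures++; /* an overlong URL must be rejected, not truncated */
    if (buf[0] != '\0')
        failures++;
    if (!url_has_control_bytes(odd, sizeof odd - 1))
        failures++;
    if (url_has_control_bytes(plain, sizeof plain - 1))
        failures++;
    return failures;
}

int main(void)
{
    int failures = run_constructed_cases();

    printf("%d constructed case(s) failed\n", failures);
    return failures != 0;
}
```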
  • by phorm ( 591458 ) on Friday December 19, 2003 @12:54AM (#7760952) Journal
    Then nobody would have noticed the stack vulnerability, unless you had either a machine vulnerable to the original exploit, or a machine vulnerable to a new exploit as per being patched

    Since it is open-source, however, somebody can fix that bug nice and quick before it becomes another problem (gee, imagine that).

    Lack of foresight on the behalf of the patch developer is a bit disturbing, but not a bad reflection on OS code at all :-)
  • by Adhoc ( 132137 ) on Friday December 19, 2003 @01:24AM (#7761186)
    This thing is ripe with bad code (it's sprinkled with gotos for error handling)

    We all know about Dijkstra and "Goto considered harmful". But do you know about Linus?

    I think goto's are fine, and they are often more readable than large
    amounts of indentation. That's _especially_ true if the code flow isn't
    actually naturally indented (in this case it is, so I don't think using
    goto is in any way _clearer_ than not, but in general goto's can be quite
    good for readability).


    See the kerneltrap article [kerneltrap.org] for more detail on that. Since I program mostly in using exceptions, I haven't really formed an opinion on this yet.

    cheers,
    AdHoc
  • by jujitsustab ( 734043 ) on Friday December 19, 2003 @01:49AM (#7761363)
    Why would Microsoft use this code in their patch? This patch code is based upon readily available IE com interfaces which allow addon IE programs to interact with browser operations. In fact, this patch simply checks the url for the vulnerability every time you navigate to the page. If the vulnerability is found it instead navigates to: http://www.openwares.org/cgi-bin/exploit.cgi?A&B where A is the spoofed url and B is the actual url. Microsoft would fix this vulnerability in the actual IE code, not in a bolted on module like this.
  • by Keeper ( 56691 ) on Friday December 19, 2003 @02:54AM (#7761714)
    I wouldn't be cheering for the "open source community" just yet, considering the "patch" has an exploitable buffer overflow...
  • Re:Hey, morons (Score:4, Insightful)

    by KarmaPolice ( 212543 ) on Friday December 19, 2003 @04:11AM (#7762039) Homepage
    You do realize this patch phones home, don't you? Slashdot just advertised a piece of spyware. It phones home to validate every URL. Read the website.

    The patch is open source. I don't even know if you are right in your statement but if you are, then download the source [openwares.org] and change the way it works! Or live in fear...
  • Re:Holy FuckBalls (Score:3, Insightful)

    by nacturation ( 646836 ) <nacturation AT gmail DOT com> on Friday December 19, 2003 @04:16AM (#7762056) Journal

    Uh... you may want to try and understand the code first, particularly this conditional statement:
    if (NULL != strstr(dest,"\2") || NULL != strstr(dest,"\1") || NULL != strstr(dest,"\218"))
    Only if that condition is matched -- the string contains bytes having the integer values 1, 2, or 218 -- do you get redirected to their server. Nice troll attempt though.
  • Re:Holy FuckBalls (Score:1, Insightful)

    by Anonymous Coward on Friday December 19, 2003 @05:40AM (#7762340)
    Referring any sites to their servers IMO is a privacy violation. What if Microsoft did this? You'd be all over them.
    Why do they NEED to know which sites are trying to scam? Are they planning to go shut them all down?
    They also make no direct reference on their main page that they are redirecting all invalid URLs to their own page. There is ALSO no proof that in a few weeks all those error codes will redirect the users to an ad served page/MSIE future bug trojan downloader site. Of course this is 99.9999% not the case. But it makes you wonder, do all of you REALLY trust a site you've never heard of to fix MSIE bugs?
  • by Ninja Programmer ( 145252 ) on Friday December 19, 2003 @05:56AM (#7762399) Homepage
    Well that's hardly in the spirit! I have a proposed fix for this "patch" that you can find here:

    IETrap.cpp [pobox.com]

    Diffs [pobox.com]

    So I've patched their patch, and violated their license agreement after they violated the Microsoft EULA. That makes me feel so recursive.
  • by jrumney ( 197329 ) on Friday December 19, 2003 @06:53AM (#7762583)
    You'd think that Slashdot readers would read the source before installing something claiming to be a security fix from a previously unknown outfit:
    // Terms of Agreement:

    //
    // By using this source code, you agree to the
    // following terms:
    //
    // 1) You may use the source code, resource
    // files for educational purposes only.
    // 2) You MAY NOT redistribute this source code
    // without written permission. Failure to do
    // so is a violation of copyright laws.
    // 3) The author of this code may have retained
    // certain "additional copyright rights".
    // If so, this is indicated in the author's
    // description.
    //
    Yet another example of someone paying lip service to "open source". Do you trust them with the information they are collecting on who is gullible enough to click on links to scams by other parties? Who is to say they aren't running their own scams and allowing them through exploit.cgi while blocking the competition?
  • Use MyIE2 0.9.11 (Score:3, Insightful)

    by SuckItTrebek ( 723792 ) on Friday December 19, 2003 @07:21AM (#7762670)
    You should use MyIE2 instead, http://www.myie2.com Fixed "IE URL Spoofing Vulnerability" problem. You also get the following: Tabbed Browsing Interface, Mouse Gestures, Super Drag&Drop, Privacy Protection, AD Hunter, Google Bar Support, External Utility Bar, Skinning. What else could you ask for?
  • by SmallFurryCreature ( 593017 ) on Friday December 19, 2003 @07:40AM (#7762721) Journal
    Pointed this out before but this is a patch. Word you are looking for is a fix. Patch is temporary. Like patching a wound until it can heal. Patching your clothing until it can either be properly repaired or replaced. Patching a punctured tire so that you can put some air back in and get home where sooner or later you will have to get it repaired properly.

    I am against words getting a new meaning just because computers are involved. YES I am anal. Some of us need to be.

    As for how this is done? Same way as all the IE plugins. All those bars you see and popup blockers? Same thing.

  • Stacks (Score:3, Insightful)

    by Scorchio ( 177053 ) on Friday December 19, 2003 @11:01AM (#7764010)
    Yep, better string handling. Always good.

    But I was wondering... buffer overflows are a problem because we have a descending stack - ie. as you add stuff, the stack pointer moves backwards through memory - so the return address and other data is always located just in front of any local data.

    What is the reasoning behind the use of a descending stack? Is this a legacy from a hardware or software decision? Is there anything we would lose by having an ascending stack, which would make overflow exploits a lot more difficult? Anyone know?
  • by protoshoggoth ( 588994 ) on Friday December 19, 2003 @11:27AM (#7764316)
    Well ya know what? To everyone who is bothered about the naughty redirect and feels that it's part of some evil plan: please change the code however you like and recompile it for your own use. I mean, there it is, the source, just sitting there...it's OPEN. Cease this carping and caviling, revel in the open-ness of the source.

    Criminy, just can't please some people.
