Open Source Firm Releases Patch for IE Bug [UPDATED] 544
An anonymous reader writes "An open source and freeware software development web site has released a patch to fix the URL spoofing vulnerability in Internet Explorer, which can be exploited by scammers who try to trick people into revealing details of online banking accounts or other private information." Naturally, the source for the patch is available as well. Update: 12/19 15:06 GMT by M : Sadly, the patch appears to contain a buffer overflow and some possibly-malicious code - see an analysis and news story, and this comment which suggests the patch author is trying to figure out who is taking advantage of the original vulnerability. Caveat patcher.
... huh? (Score:2, Interesting)
Acceptance? (Score:2, Interesting)
Unfortunately, with this being an unofficial release, I don't see many people likely to utilize this until it is released by Microsoft. In the meantime, I am enjoying reading this in Mozilla :)
How were they able to make such a patch... (Score:5, Interesting)
Good to know... (Score:4, Interesting)
Ummm (Score:1, Interesting)
This looks like a horrible way to "fix" the problem.
This doesn't actually fix the problem (Score:5, Interesting)
The overpresence of "strcpy" is a bit unsettling, too.
While it's a nice step, it's no replacement for an official Microsoft patch.
Re:How were they able to make such a patch... (Score:5, Interesting)
Now, just as a quick check, isnt reverse engineering any M$ product against the EULA? I seriously expect a lawsuit about this.
Also, patching a binary - that requires *very* detailed knowledge of the binary itself, not? You cant just diff two binaries, and apply patches like that, can you? Run into adressing problems, not? I've never really studied the end result of my code beyond a little gdb'ing.
This will go far (Score:4, Interesting)
I hope this become a trend and attitude among the Open Source community. I must admit that I've been a Microsoft-hater for years, but over time I found that people are really put off by anti-corporation sentiments. I suppose it makes sense in a way; If I invested thousands in a technology for my business, I wouldn't want people telling me "Aw man! You got totally taken! Windows is total crap!"
If the Open Source community begins patching Windows before Microsoft, not only does it help consumers deal with problems they can't solve, but it bring honor and respect to the Open Source community. Then when people consider Open Source, they're more likely to conclude that Open Source programmers are more competant than corporate programmers.
It's a win-win-lose. Open Source wins, Consumers win, and Microsoft loses. Which is what I wanted in the first place.
ESR's right in his article "How to Become a Hacker" [catb.org]
Q: Do I need to hate and bash Microsoft?
A: No, you don't. Not that Microsoft isn't loathsome, but there was a hacker culture long before Microsoft and there will still be one long after Microsoft is history. Any energy you spend hating Microsoft would be better spent on loving your craft. Write good code -- that will bash Microsoft quite sufficiently without polluting your karma.
Re:This doesn't actually fix the problem (Score:1, Interesting)
Inept and free! (Score:5, Interesting)
If people are doing open source IE patches, would somebody please fix this sucker [google.com]? Thousands of people are complaining about this bug online, yet MS hasn't even officially admitted its existence. Now that's inept!
The means may be good, but the principle is wrong. (Score:2, Interesting)
Just another example of taking the high road (Score:3, Interesting)
Re:How were they able to make such a patch... (Score:5, Interesting)
I don't know about you, but I prefer that the URLs I go to not be sent to some random server out there. Isn't this basically the definition of spyware!? Also, what happens if their server goes down? Does that mean I'm unable to browse the web at all?
Wait for Microsoft to come out with a better fix that properly addresses this issue.
using the API (Score:5, Interesting)
Once someone has a grip of IE's API, this shouldnt have been too difficult - after all they just check if the URL requested for(which should be triggering an event in the API) has a particular type of input. If so they redirect it to a different URL (their own website).
If the patch has been done this way it is more reason not to apply it - it is not exactly the cleanest way to fix it.
Re:Just another example of taking the high road (Score:3, Interesting)
Re:How about this one .... (Score:5, Interesting)
Doesn't this mean that nobody else is allowed to distribute it? I mean, MS could still get in a whole lot of trouble for inclusing this code in its patch, but they wouldn't risk losing source code.
Opera (Score:4, Interesting)
Over hyped. (Score:5, Interesting)
Second, it's a horrible precedent for closed source software. Let close source fixed close source. This may seem like a good thing(tm) for the OSS communtity, but you know damn well that not-so-good-intentioned 'patches' will soon follow. Post some source on a site, provide an EXE(that of course didn't come from the source) and you've fished in countless joe users before the real word is out that a copy cat has duped you. Too late for some.
I can only see bad things(tm) coming from this idea. Geeks know who and what to trust, but Joe User doesn't. And when joe user screws up it screws us all.
The sum: This may have a greater negative impact in the long run then the good one it was intended to have.
Re:Acceptance? (Score:4, Interesting)
MSIE, on the other hand, fails completly.
In fact, on some versions of mozilla you even can spot a control char in the status line, too. But real spoofing depends on the address line.
heise (German) [heise.de]
As a test:
http://www.mozilla.org%00@www.heisec.de [heisec.de]
is shown as http://www.heisec.de in mozilla, while msie puts http://www.mozilla.org into the address line.
Next on the list .... (Score:2, Interesting)
Re:... huh? (Score:5, Interesting)
Re:Inept and free! (Score:2, Interesting)
And yes, I know about the various bits of Javascript and CSS that allow IE to show them, but it shouldn't have to be done in the first place. And none of them completely work.
Re:... huh? (Score:4, Interesting)
They have thousands of programmers, let them move their butts and do their fucking job. More holes in IE, easier to convince people to switch to Mozilla.
FoxPro was patched sans source ... (Score:3, Interesting)
Microsoft, in it's efforts to steer people away from FoxPro to Access, many years ago, decided to not bother patching some serious issues with FoxPro. What happened was there was a very poor piece of code that tried to figure out how fast your processor was when FoxPro started up, I forget exactly what it was for, but the programmer(s) made a small bug where if the processor was extremely fast, the value would be set to -1, and FoxPro would promptly crash. Worked fine for years until some of the new processors came out.
Anyway, Microsoft stalled on fixing this timing issue bug, so some smart fellow tweaked the exe file to fix it. Yeah, not even assembler, we're talking hex. Pretty damn cool.
That's why OSS is more secure... (Score:3, Interesting)
There's a saying for this: crap built upon crap.
There they allocate a string of 256 bytes, but never even bother to clean it up! I'm not even sure if that memory is going to be cleaned up when you close all the IE windows, since it's really a Windows system component ...[more scary windows stuff]
Seems like a combination of the lousy design of the Windows components coupled with using C. Long, long time since I've worried about destroy and the like, what with the availability of better languages like Java, etc. Granted once buffer overflows are a thing of the past, there will be new holes, but at least we will be moving forward.
But even that's not the worst thing. Their code actually contains a buffer overflow, allowing the attacker to execute code on your machine with the privileges of the IE process just by crafting an invalid URL link and getting you to click on it!
Good catch. So one security flaw fixed, opening up another flaw - a little embarrasing, except MSFT did the same thing a few weeks ago in their flurry of untested patches. But it does show the inherent advantage of open source in that *anyone* can review the code, and fix it, without resorting to messy hacks such as this.
Re:RTFC (Score:4, Interesting)
Re:Hey, morons (Score:5, Interesting)
In
It copies the string to a MBCS buffer, and scans for %01, %02, and %DA. If none of these exist, the rest of the function is skipped. Don't see how this phones home.
Of course, the strings is malloc()ed but never free()ed... But that's another matter. That and for some reason they don't just use all-unicode (use wcsstr() etc.)... What if I wanted to surf to a site with a character that is not in the current code page? (e.g., search for Japanese text on Google using an English O/S) (Note that IE has the option of always sending the URL in UTF-8, so it has to be able to deal with characters not in the ACP)
A feature (RFC) not a bug (Score:2, Interesting)
Is the "@-spoof" really a spoof? According to RFC2396 [rfc-editor.org], section 3.2.2 "Server-based Naming Authority", this is a feature of the URI and not a bug or a spoof.
Certainly it can be made to fool even an enlightened user, but isn't it wrong to cripple a browser's ability to adhere to the "Uniform Resource Identifiers (URI): Generic Syntax" RFC -- and even more so with spyware ;)
Browsing the "test page" [openwares.org] at Openwares with my Konqueror gives me the spoof page. Good. That just means that Konqueror is RFC2396-compliant (but should i patch anyway? ;).
I first came across this "bug" about two years ago when i was forwarded an "authentic" page from Microsoft Support: Q209354 - HOWTO [weblogs.com] (mirror). It took me a while to realize that nobody at M$ was going to be fired for this type of creativity.
See The Reg for an article [theregister.co.uk] for some coverage -- although the host hwnd.net is off the net, so you can't really try to get spoofed.
Re:Acceptance? (Score:3, Interesting)
HUMILIATION!
I figured what Microsoft was thinking was more like one the one that came with one of the newer point releases:
HOLY SHIT!
(It happens when you get gibbed when you are really close to capturing the flag. I about fell out of my chair the first time my machine spouted out "HOLY SHIT!" when playing Q3. I had the volume way up, too.)
Humiliation probably set in a little later...
Third party patch...oh dear (Score:3, Interesting)
On a related topic, did anyone else notice that chrome-free popups are to be terminated in XP SP2 (announced yesterday)? They're a great technique for the site spoofers since you can have the whole shebang - genuine looking URL *and* a nice little SSL padlock. Simply use a screenshot of a real online bank as the background and stick your own HTML form on top to capture the login details. JavaScript aficionados can even make the address bar and toolbar work like the real thing, if they see fit. Thankfully the Russian mafia aren't that sophisticated...yet.
Very Dangerous Patch (Score:2, Interesting)
In german:
http://www.heise.de/newsticker/data/dab-19.12.03-
Actually the have also a test for those who already patched their systems with this:
[heise.de]
http://www.heise.de/security/dienste/browserche
So do not use this patch!
Re:Hey, morons (Score:3, Interesting)
That said, I'm not real impressed with this "patch" - theres alot of use of c-style string work in a C++ file, which is silly, and more than that it's not even safe use of c-strings - the file concatenation of the URL together involves just using strcat() (not even strncat()) without any sort of length or sanity checking on the buffer.
Mozilla? (Score:1, Interesting)