
IE Flaw Gives Hackers Access To User Files 259

snydeq writes "Microsoft warned that a flaw in IE gives attackers access to files stored on a PC under certain conditions. 'Our investigation so far has shown that if a user is using a version of Internet Explorer that is not running in Protected Mode an attacker may be able to access files with an already known filename and location,' Microsoft said in a security advisory. The vulnerability requires that an attacker knows the name of the file they want to access, according to the company."
  • CVE-2010-0255 (Score:2, Informative)

    by Anonymous Coward on Thursday February 04, 2010 @03:52PM (#31025908)
    Core Security Advisory FTW [coresecurity.com]
  • by radish ( 98371 ) on Thursday February 04, 2010 @04:00PM (#31025998) Homepage

    Except as far as I can tell from the advisory, the files are read only.

  • Re:Flawed (Score:2, Informative)

    by Anonymous Coward on Thursday February 04, 2010 @04:10PM (#31026162)

    > Has yet to decide whether to repair it?

    No, has yet to decide whether to repair it now or wait until Patch Tuesday.

    There are plenty of legitimate reasons to criticise Microsoft (like leaving things unpatched until Patch Tuesday) but misinterpreting their statements doesn't help anybody.

  • by natehoy ( 1608657 ) on Thursday February 04, 2010 @04:30PM (#31026464) Journal

    Actually, the security advisory describes the attack, and while the remote attacker would have access to any file the local user does, it does not appear the file could be altered, just copied or examined. The security bulletin never lays this out in uncertain terms, but the description of the actual process looks like a read-only one.

    Given that Windows usually stores important stuff in c:\Documents and Settings\(username)\blahblah, the remote attacker would have to know (username) before they could get to the juicy stuff. And that's just not all that practical in a remote attack scenario. Most of the truly known paths just don't contain a lot of common filenames that are unique and contain important data.

    Still, Protected mode in Vista and above protects you, and the bulletin shows a workaround for Windows XP (set the file:// protocol so it can't run ActiveX even locally).

    And there's always a better browser, which would be defined pretty much as anything without ActiveX. But that's a given.

  • by Z34107 ( 925136 ) on Thursday February 04, 2010 @04:41PM (#31026636)

    "Protected mode" is a marketing term meaning IE takes advantage of Vista's new permissions model. It means it's a low-privilege process and has most of its file system access effectively jailed or redirected.

    Long-winded article here [microsoft.com], but I'm guessing the hack doesn't work in "Protected Mode" because the browser itself doesn't have much file system access.

  • Re:Steam (Score:2, Informative)

    by sopssa ( 1498795 ) * <sopssa@email.com> on Thursday February 04, 2010 @04:59PM (#31026904) Journal

    Well to be fair, they are somewhat correct. While I don't like the clunky browsing within Steam or the in-game overlay, switching over to another engine would be a lot of work and testing for Valve and could create even more problems for users. And that's all while the browser component is a side thing.

    For example, IE and its embedded component are supported on all versions of Windows. If Steam were to integrate their own browsing engine, they would have to make sure it works for 100% of users and they would have to maintain it. IE works in all situations as long as it already works for the user (which is pretty much every case) and the component gets updated when the user updates IE.

    While I myself care a lot about standards, I don't see why an average gamer would do so. It already works well enough and is stable, so there's little to gain over the amount of added work it would put on Valve. I'm not even sure if any browser engine including Webkit can draw on a DirectX surface anyway - they would have to draw the window contents to a bitmap -> transfer to a texture -> draw on the DX surface anyway.

  • by Sancho ( 17056 ) on Thursday February 04, 2010 @05:26PM (#31027260) Homepage

    Sure. But then we're probably talking about home computers. I don't ever use IE for personal work. If I have to use it for work, it's on a company computer.

  • Re:This is bad. (Score:4, Informative)

    by girlintraining ( 1395911 ) on Thursday February 04, 2010 @05:49PM (#31027512)

    When you go to my website I know what the cookie name is and I know the default file system location for that cookie. This one seems pretty bad.

    You seem to forget that Windows XP, Vista, and Windows 7 all have file indexing enabled by default. By accessing those hidden .db files, you can get the complete list of filenames in each directory, including the names of the subdirectories in some cases.

  • by Blakey Rat ( 99501 ) on Thursday February 04, 2010 @06:19PM (#31027860)

    > Only one reason as far as I'm concerned - Netflix instant viewing. Won't run in FF at all

    It won't? What the hell have I been doing for the last 6 months?! I must be delusional.

    Or, more likely, you have your Firefox tweaked all to hell and you're blaming Netflix for your own tinkering. Believe me: it works fine in Firefox.

  • Re:Steam (Score:3, Informative)

    by Sleepy ( 4551 ) on Thursday February 04, 2010 @06:48PM (#31028196) Homepage

    >Nobody ships with all of the W3C published recommendations. That's just stupid. You can't hit a moving target like that.

    No no no no... red herring... you've been misled.

    A browser does NOT need to support all W3C recommendations.
    This is true for all browsers, even for IE.

    What all browsers are EXPECTED to do is - "if" they support a recommendation - that they do what the recommendation SPECIFIES.
    In other words, you choose to do a CSS attribute CORRECTLY... or do it NOT AT ALL. IE would randomly do something *undefined* instead of nothing.

    Web developers literally spent YEARS reverse-engineering the exact behavior of Microsoft's undocumented standard. Had Microsoft not done anything at all with certain elements, the behavior would be quickly understood.

    I'll give you an example: IE 6 and 7 would recognize many attributes for CSS padding and margins. IE would certainly do something with these attributes... but what they did was the OPPOSITE of the specs in some cases. Not only that, but the inheritance rules were not consistent. You literally had to write 2X the CSS code if you wanted your web-standards code to work on IE6.

    This worked well for Microsoft - they essentially killed all progress on the web for a DECADE. Companies who locked themselves into IE6-based intranets did not care because there was no FireFox and no basis for Microsoft to put out new browser technology. MS wanted people to give up on HTML and just write everything in .NET. This is a holdover from the Microsoft "Blackbird" project, which seriously wanted to replace web HTML with compiled binary Microsoft-patented markup. Bill Gates's emails in the trial said he didn't want their bugs fixed if they were only causing problems in non-Microsoft browsers.

    When a browser does not support an effect, you can easily work around it. For example, if I couldn't assign a yellow background to a link, I could easily change course and wrap the A in a DIV and assign the style there instead. But what if the link color ceased to be yellow whenever that DIV was positioned with absolute instead of relative? What if the link disappeared whenever the DIV was inside a BODY tag which had a CSS background attribute?

    It's the *random* nature of MSIE bugs (and the arrogance of not fixing them) that made web developers the most vocal critics of Microsoft.

    If FireFox versions have issues with following the standard wrong, that gets fixed but it also is published what versions had that bug. So it's easy to design around without self-doubting your markup and CSS. You still can't go to the Microsoft website and get a solid definition of their CSS Box Model bugs.

    So, what percentage of W3 that gets implemented is not ever an issue; it's the quality and the truthfulness of the implementation.

  • by EvanED ( 569694 ) <{evaned} {at} {gmail.com}> on Thursday February 04, 2010 @07:06PM (#31028378)

    > C:\windows\system32\config\sam
    > Read-only access is all you need...

    And I'm sure that'd work real well:

    C:\WINDOWS\system32>echo %USERNAME%
    administrator

    C:\WINDOWS\system32>c:\cygwin\bin\head config\sam
    /usr/bin/head: cannot open `config\\sam' for reading: Device or resource busy

    C:\WINDOWS\system32>type config\sam
    The process cannot access the file because it is being used by another process.

  • by DJRumpy ( 1345787 ) on Thursday February 04, 2010 @07:52PM (#31028896)

    Irrelevant for this issue, as it appears to affect all versions of IE with Win 2000, XP, and Server 2003 affected. From TFA:

    "The IE vulnerability disclosed on Wednesday, which is caused by incorrectly rendering local files in the browser, affects several versions, including Internet Explorer 5.01 and IE 6 on Windows 2000; IE 6 on Windows 2000 Service Pack 4; and IE6, IE 7, and IE 8 on Windows XP and Windows Server 2003, Microsoft said."

    Unless someone is running Vista, or Win 7, they are at risk.

  • Re:Flawed (Score:4, Informative)

    by cbhacking ( 979169 ) <been_out_cruisin ... m ['hoo' in gap]> on Thursday February 04, 2010 @08:22PM (#31029160) Homepage Journal

    Protected Mode requires a substantial change to the process security model. Basically, until Vista/Server 2008, NT followed what was essentially the *NIX security model, where access permissions of a program were determined by the user/group the program was run by. There are differences in implementation between NT and the various POSIX systems, but that's the general idea. The problem is that when the vast majority of your users run with nearly full access to the system, one misbehaved (vulnerable) program can bring everything crashing down.

    In NT6 (Vista/Server 2008), Microsoft introduced a new concept of process integrity levels, which are a per-process (rather than per-user) level of security. By default, programs run with medium integrity, which means their access permissions are basically what they were before. High integrity processes, such as system processes or anything run with actual Administrator permissions, can access anything but can't be accessed by lower-integrity programs (which helps prevent elevation of privilege from a non-Admin program).

    The relevant datum here is that Internet Explorer runs (by default) with Low integrity, which means it has extremely limited access to the rest of the system. A low-integrity process can't start medium-integrity processes, can't write to the vast majority of the filesystem (there's a special low-integrity folder for things like Temporary Internet Files) or registry, and basically is unable to cause any harm. The trick is, it has these limitations regardless of the permissions of the user who runs the program.

    XP can't do that. If you, as a user, can write to a location, any program you start can too (unless you tell Windows to start it as another user). Therefore, since Protected Mode is just Microsoft's term for "this process runs with low integrity" and XP can't *do* low integrity, no, you don't get Protected Mode on XP, and never will (it would require a substantial change to the kernel security subsystem).
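A check a defender might script for the model described in the comment above, added here as an example that is not from the thread, the advisory or Microsoft: it reports whether the host has integrity levels at all (NT 6.x or later, so Protected Mode is even possible) and reads each IE security zone's Protected Mode setting. It assumes IE stores "Turn on Protected Mode" as the DWORD value 2500 under each Zones\<n> key (0 = enabled, 3 = disabled) with the standard zone numbering; the advisory's file:// workaround is not modelled here.

```powershell
# Added example (not from the Slashdot thread or Microsoft): audit whether this
# host can run IE in Protected Mode and whether it is turned on per zone.
# Assumptions: Protected Mode needs the NT6 integrity-level model (OS major >= 6),
# and IE keeps the "Turn on Protected Mode" setting as DWORD 2500 under each
# zone key (0 = enabled, 3 = disabled). Zone numbers follow IE's usual map.

$zoneNames = @{ 0 = 'My Computer'; 1 = 'Local intranet'; 2 = 'Trusted sites';
                3 = 'Internet';    4 = 'Restricted sites' }

function Test-IntegrityLevelSupport {
    # Integrity levels, and so Protected Mode, exist only from Vista/Server 2008 (NT 6.x) on.
    return ([System.Environment]::OSVersion.Version.Major -ge 6)
}

function Get-ProtectedModeStatus {
    param([string]$Hive = 'HKCU')   # HKLM holds the machine-wide policy copy, if any
    $base = "${Hive}:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones"
    foreach ($zone in 0..4) {
        $key   = Join-Path $base $zone
        $value = $null
        if (Test-Path $key) {
            $value = (Get-ItemProperty -Path $key -Name '2500' -ErrorAction SilentlyContinue).'2500'
        }
        $status = 'Not set (IE default applies)'
        if ($value -eq 0) { $status = 'Enabled' }
        elseif ($value -eq 3) { $status = 'Disabled' }
        [pscustomobject]@{
            Zone          = $zone
            Name          = $zoneNames[$zone]
            ProtectedMode = $status
        }
    }
}

if (-not (Test-IntegrityLevelSupport)) {
    Write-Warning 'Pre-Vista Windows: no integrity levels, so IE cannot run in Protected Mode; the advisory workaround is the only mitigation here.'
}
# Internet (3) and Restricted sites (4) are the zones that should report Enabled;
# Low integrity is what limits how much a compromised IE process can read.
Get-ProtectedModeStatus | Format-Table -AutoSize
```

To see the integrity level of the IE process itself, run `whoami /groups` from a prompt launched by that process and look for the "Mandatory Label\Low Mandatory Level" entry.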
