Open Source Firm Releases Patch for IE Bug [UPDATED] 544
An anonymous reader writes "An open source and freeware software development web site has released a patch to fix the URL spoofing vulnerability in Internet Explorer, which can be exploited by scammers who try to trick people into revealing details of online banking accounts or other private information." Naturally, the source for the patch is available as well. Update: 12/19 15:06 GMT by M : Sadly, the patch appears to contain a buffer overflow and some possibly-malicious code - see an analysis and news story, and this comment which suggests the patch author is trying to figure out who is taking advantage of the original vulnerability. Caveat patcher.
In other news... (Score:5, Funny)
In other news...
Today Micro$oft contributed code to the Linux kernel, and announced plans to help iron out differences between Mozilla and MSIE :-)
In Other Other News... (Score:4, Funny)
Shrewd investors continue to laugh at the SCO Group's activities and have the following comments:
"The funniest thing I've seen since the Paris Hilton tapes!" - MSN
"A gut buster worthy of John Belushi - but SCO does more drugs" - Timothy Leary
SCO also announced that Caldera Linux licences still outpace all other SCO products - excluding lawsuits - by a 2:1 margin. Darl announced that they expect to make that 3 to 1 by next summer before they are purchased outright by IBM for $1.50 and a can of Red Bull.
Re:Hey, morons (Score:5, Interesting)
In
It copies the string to a MBCS buffer, and scans for %01, %02, and %DA. If none of these exist, the rest of the function is skipped. Don't see how this phones home.
Of course, the string is malloc()ed but never free()ed... But that's another matter. That and for some reason they don't just use all-unicode (use wcsstr() etc.)... What if I wanted to surf to a site with a character that is not in the current code page? (e.g., search for Japanese text on Google using an English O/S) (Note that IE has the option of always sending the URL in UTF-8, so it has to be able to deal with characters not in the ACP)
Re:Hey, morons (Score:4, Insightful)
The patch is open source. I don't even know if you are right in your statement but if you are, then download the source [openwares.org] and change the way it works! Or live in fear...
well done (Score:4, Insightful)
No Trusted Computing logo on patch? (Score:5, Funny)
Re:No Trusted Computing logo on patch? (Score:5, Funny)
Re:No Trusted Computing logo on patch? (Score:5, Funny)
Of course it isn't a trojan. It's a legitimate security update which gets run on your system and makes IE invulnerable to that particular spoof attack. Why, openwares.org even has a definition on their site of what a trojan is:
Trick unsuspecting users into downloading harmful viruses
by disguising them as legitimate security updates.
So you see, this is nothing more than a legitimate security upd... wait a second!!
Re:No Trusted Computing logo on patch? (Score:3, Funny)
No, not so much. (Score:5, Informative)
The only URLs that get sent to their servers are the ones that it's filtering out, ones that would normally exploit the bug. At the other end (granted, at least for now) is an IE-lookalike error message saying that the exploit was caught.
The first line before all that stuff involving redirection through their servers:
if (NULL != strstr(dest,"\2") || NULL != strstr(dest,"\1") || NULL != strstr(dest,"\218"))
It only matches URLs containing %01, %02, or %8F, which doesn't really "fix" the problem, but it's at least a workaround.
How were they able to make such a patch... (Score:5, Interesting)
Re:How were they able to make such a patch... (Score:5, Interesting)
Now, just as a quick check, isn't reverse engineering any M$ product against the EULA? I seriously expect a lawsuit about this.
Also, patching a binary - that requires *very* detailed knowledge of the binary itself, not? You can't just diff two binaries, and apply patches like that, can you? Run into addressing problems, not? I've never really studied the end result of my code beyond a little gdb'ing.
Re:How were they able to make such a patch... (Score:5, Informative)
Off-hand- I'd probably stick a debugger on it, viewing the code at assembler level, and trace the carriage return in from the OS; or something like that. I mean the OS has to call or return to IE when the carriage return is hit; there can't be that many places in the code where it is waiting for input- stick a breakpoint on all of them, and whichever one gets hit after you click on the carriage return is starting to process the code. Run it multiple times with different input and pretty soon you should start to see the patterns.
It's not especially easy, but it's doable, I've done stuff like that before. It's easier if you have the source code, but it's just slower if you don't.
Re: isnt reverse engineering against the EULA? (Score:3, Funny)
Re:How were they able to make such a patch... (Score:5, Interesting)
I don't know about you, but I prefer that the URLs I go to not be sent to some random server out there. Isn't this basically the definition of spyware!? Also, what happens if their server goes down? Does that mean I'm unable to browse the web at all?
Wait for Microsoft to come out with a better fix that properly addresses this issue.
Re:How were they able to make such a patch... (Score:5, Informative)
See http://www.openwares.org/cgi-bin/exploit.cgi?slashdot.org&www.goatse.cx [openwares.org] for instance.
It might log the addresses attempting to spoof webpages, but I'm all for that. And at least this explains clearly that a spoof was attempted through this exploit. I think it's better than just correcting the string, which would access a spoofed webpage anyways, even if showing the right address at the top... which of course would not work as well but many would still fall for it no matter, especially since it probably would look like http://www.paypal.com@paypal.something.net/ which would seem legitimate to the casual looker.
Re:How were they able to make such a patch... (Score:5, Informative)
If you ask me, maybe they want to have a record of which evil Paypal clone-sites are taking advantage of the exploit so they can tell the cops. Maybe they want to make it easy to tell the users that "MS has issued an update for this problem, please download it!", but of course maybe they want to display ads on that error page (Heh I would do the same).
But no, URLs that are okay are not being sent to that site.
Re:How were they able to make such a patch... (Score:5, Funny)
Don't bother. I'm so 31337 that I just hacked that 127.0.0.1 loser... In a minute someone should be noticing their root file system missing.... Heheheh
Hmmmm.... That's funny.... Where'd my MP3's go......
Re:How were they able to make such a patch... (Score:3, Insightful)
While I don't think any reverse engineering took place here, I don't think it would be illegal.
EULAS are not contracts, you did not sign anything and EULAS cannot override the laws of that country. If reverse engineering is legal, then no amount of draconian wording or clicking on "I Agree" can change that. So if the EULA prohibits me from backing up my copy of Windows (as an examp
Re:How were they able to make such a patch... (Score:5, Informative)
So this is not so much a patch as a 'workaround'. It doesn't fix anything, it just intercepts those URLs and warns you about it.
FoxPro was patched sans source ... (Score:3, Interesting)
Microsoft, in it's efforts to steer people away from FoxPro to Access, many years ago, decided to not bother patching some serious issues with FoxPro. What happened was there was a very poor piece of code that tried to figure out how fast your processor was when FoxPro started up, I forget exactly what it was for, but the programmer(s) made a small bug where if t
using the API (Score:5, Interesting)
Once someone has a grip of IE's API, this shouldn't have been too difficult - after all they just check if the URL requested for (which should be triggering an event in the API) has a particular type of input. If so they redirect it to a different URL (their own website).
If the patch has been done this way it is more reason not to apply it - it is not exactly the cleanest way to fix it.
Re:How were they able to make such a patch... (Score:3, Informative)
Funny stuff, it's mostly a band-aid solution IMO, but a nice slap in the face for MS.
New MS Security Fix (Score:5, Funny)
Good to know... (Score:4, Interesting)
You don't know, apparently. (Score:3, Informative)
Wrong. Try actually reading the source, and you'll see that's not what it is at all. I don't even use IE, so my reading through the source was very quick, yet I was even able to pick up on how it actually works.
And this matters why? (Score:5, Insightful)
the people that would likely be fooled by this haven't heard of mozilla and haven't heard of open source and will not hear of this patch.
so this patch is pointless
(cool that it can be done though)
Re:And this matters why? (Score:5, Insightful)
(cool that it can be done though)
Ah, but my good Mr. Coward, far from being pointless, the patch puts Microsoft in a delicious conundrum! Either accept and distribute an open source patch (thereby publicly validating the open source model), or ignore the patch and get sued by customers, because a patch existed that they did not publicize.
ps. Are you related to Noel Coward? Send my regards.
Re:And this matters why? (Score:5, Funny)
Re:And this matters why? (Score:3, Insightful)
the "patch" simply redirects all URLS to the organization's own server, where they attempt to verify that they are authentic.
This is spyware, and you got fooled into cheering for it!
Re:And this matters why? (Score:3, Insightful)
Wrap yourself up in the "OpenSource" flag, add a dash of bashing MS and instant approval from mindless hordes. Get your code installed and leave OpenSource with a black mark.
Re:And this matters why? (Score:4, Insightful)
What the "patch" really does.... (Score:5, Funny)
Direct Link to patch (Score:5, Informative)
http://www.openwares.org/downloads/IEpatch.EXE
Crikey, mate. (Score:3, Funny)
That's not a link! This is a link:
http://www.openwares.org/downloads/IEpatch.EXE [openwares.org]
P.S. I haven't actually tried the executable out, I just added the clickable goodness. I also couldn't pass up the chance to make a Crocodile Dundee joke.
Re:Direct Link to patch (Score:5, Informative)
Anyway, I've tested IE by running through some windows updates and going to a few exploit test sites. Everything has behaved as it should.
By the way, one of the joys of this patch is that when you browse to a site attempting the exploit, you get one of those nice IE error pages, formatted in the traditional way. Except, instead of seeing Microsoft branding all over it, the Openware patch is referenced. I don't know... having this little bit of OSS within IE warms my heart. And just in time for the holidays!
This doesn't actually fix the problem (Score:5, Interesting)
The overpresence of "strcpy" is a bit unsettling, too.
While it's a nice step, it's no replacement for an official Microsoft patch.
Re:This doesn't actually fix the problem (Score:4, Funny)
It's no replacement for... nothing, in other words?
Microsoft hasn't even said they're *going* to patch this yet, you may be waiting an awful long time.
Re:This doesn't actually fix the problem (Score:5, Informative)
Notice the parts in bold. Is it not apparent that 'surl' can easily be overflowed if strlen(sFake) + strlen(sTrue) + strlen("http://www.openwares.org/cgi-bin/exploit.
Avoiding buffer overflows in C (Score:3, Informative)
At least this simple type with C-style strings (char*) and fixed-size buffers.
Here's the rule:
Instead of using any of
strcat()
strcpy()
sprintf()
gets()
you use
strncat()
strncpy()
snprintf()
fgets()
The second set of functions all take a length parameter which is the maximum number of bytes that the function will copy. You don't have to worry about your source not being null-terminated, or being unusually long, because the function will not copy more bytes than you say it can.
Re:Avoiding buffer overflows in C (Score:5, Informative)
If you want to really reduce buffer overflow problems I suggest you visit the following two web pages:
The Better String Library [sf.net]
and
Getting user Input [pobox.com]
I personally guarantee that buffer overflows in your code will dramatically decrease if you use the ideas spoken of and the source code on those pages.
Re:This doesn't actually fix the problem (Score:3, Informative)
How? (Score:5, Insightful)
By violating the EULA by disassembling IE?
Lovely. I want Bill Gates poking around my sock drawer because I installed an unauthorized patch...
Can we really trust this patch? (Score:4, Insightful)
A third party releasing a patch to a browser. How safe is this?
Yes the source code is there, but how do we know the executable doesn't have crap in there?
Even if everything is clean now, how about the next patch from another source?
(Not even saying anything about testing and how it can break something. They don't even have the source code of the original product.)
Re:Can we really trust this patch? (Score:4, Insightful)
--Atlantix
Re:Can we really trust this patch? (Score:5, Funny)
You know, the same could be asked of Internet Explorer.
Will this violate the EULA? (Score:4, Insightful)
No thanks (Score:5, Funny)
OMG!!! (Score:5, Funny)
Someone start knitting a sweater for Satan...
Mmf. (Score:5, Informative)
Internet Explorer URL Spoofing Security Patch
Developed by Opensoft Corporation, Vanuatu
Contact: opensoft@openwares.org
Opensoft Corporation, Vanuatu
Copyright 2003 All rights reserved.
Terms of Agreement:
By using this source code, you agree to the
following terms:
1) You may use the source code, resource
files for educational purposes only.
2) You MAY NOT redistribute this source code
without written permission. Failure to do
so is a violation of copyright laws.
3) The author of this code may have retained
certain "additional copyright rights".
If so, this is indicated in the author's
description.
Microsoft. Where did you want to go yesterday? (Score:3, Insightful)
I can tell you this: It doesn't surprise me that Microsoft isn't doing its job properly. It's a software company. It should produce a reliable product. But instead, it produces trouble.
Further, it doesn't surprise me that the open source community is fighting back, so to speak, by fixing this particular problem. I think that as time goes by, more patches for commercial software will be released by independent programmers in the open source community, because of frustration with the inability to get satisfaction from the "real" producer of the software.
I only hope that Microsoft won't pull some stupid DMCA bullshit to stop this. "Yeah, your honor, we believe it is detrimental to the best interests of our customers when bugs in our software are fixed. It should, instead, be illegal to discuss, fix, or exploit these bugs in any way, unless one is a member of the underground h4x0r community, in which case, exploiting the bugs is perfectly ok." (We all know Bill Gates is the leader of all these movements to steal credit card numbers through exploits in his own code. That's how he earned his zillions of dollars. Nobody actually buys stuff from Microsoft, you know.)
Re:Microsoft. Where did you want to go yesterday? (Score:3, Insightful)
This will go far (Score:4, Interesting)
I hope this become a trend and attitude among the Open Source community. I must admit that I've been a Microsoft-hater for years, but over time I found that people are really put off by anti-corporation sentiments. I suppose it makes sense in a way; If I invested thousands in a technology for my business, I wouldn't want people telling me "Aw man! You got totally taken! Windows is total crap!"
If the Open Source community begins patching Windows before Microsoft, not only does it help consumers deal with problems they can't solve, but it brings honor and respect to the Open Source community. Then when people consider Open Source, they're more likely to conclude that Open Source programmers are more competent than corporate programmers.
It's a win-win-lose. Open Source wins, Consumers win, and Microsoft loses. Which is what I wanted in the first place.
ESR's right in his article "How to Become a Hacker" [catb.org]
Q: Do I need to hate and bash Microsoft?
A: No, you don't. Not that Microsoft isn't loathsome, but there was a hacker culture long before Microsoft and there will still be one long after Microsoft is history. Any energy you spend hating Microsoft would be better spent on loving your craft. Write good code -- that will bash Microsoft quite sufficiently without polluting your karma.
did anyone else feel it... (Score:4, Funny)
Re:did anyone else feel it... (Score:5, Funny)
Yes, of course! The subpoena will mention them by name.
FWIW... (Score:4, Insightful)
Domain ID:D98313967-LROR
Domain Name:OPENWARES.ORG
Created On:03-Jul-2003 22:49:55 UTC
Last Updated On:02-Sep-2003 03:58:23 UTC
Expiration Date:03-Jul-2004 22:49:55 UTC
Sponsoring Registrar:R14-LROR
Status:OK
Registrant ID:WBMRD
Registrant Name:ori rejwan
Registrant Street1:52 Herbert Samuel St.
Registrant City:Tel Aviv
Registrant State/Province:NA
Registrant Postal Code:63304
Registrant Country:IL
Registrant Phone:+1.97250314892
Registrant Email:orejwan@yahoo.com
Admin ID:WBMRD
Admin Name:ori rejwan
Admin Street1:52 Herbert Samuel St.
Admin City:Tel Aviv
Admin State/Province:NA
Admin Postal Code:63304
Admin Country:IL
Admin Phone:+1.97250314892
Admin Email:orejwan@yahoo.com
Tech ID:AD384-ORG
Tech Name:Mohammed Zarqa
Tech Organization:Tri State Contracting
Tech Street1:POBox 455
Tech City:East Brunswick
Tech State/Province:NJ
Tech Postal Code:08816
Tech Country:US
Tech Phone:+1.7322383766
Tech Email:mzarqa@aol.com
Name Server:NS2.ABAC.COM
Name Server:NS1.ABAC.COM
It's up to you to decide whether you trust them or not.
Free IE patch and fix. (Score:5, Funny)
Just another example of taking the high road (Score:3, Interesting)
Re:Just another example of taking the high road (Score:3, Interesting)
I wouldn't call this a patch... (Score:5, Insightful)
If it finds anything out of the ordinary (like an exploit) it just redirects IE to their own site. Specifically to http://www.openwares.org/cgi-bin/exploit.cgi. It adds a few parameters (the fake url among other), so I guess they will be building a database of exploiters...
It's no patch, IE stays as it is. It's more a workaround. I'm not sure whether these hooks are documented (although being a windows system programmer I never liked IE and stayed as far away from it as possible), but if yes, Microsoft might actually have nothing on openwares...
Memory leak (Score:4, Informative)
This "patch" leaks memory - and other bad stuff (Score:5, Informative)
1. Leaks 256 bytes on every URL navigation
2. Leaks 512 additional bytes if it finds an exploit URL
3. Creates a string with the \1 char in it on every call, but does nothing with it
4. Will overwrite stuff on the stack if the URL has the exploit and is very close to 256 chars in length.
It's a good thing these guys aren't on the real IE dev team.
Do Not Use It-It's Got a Huge Vulnerability Itself (Score:5, Informative)
On top of that, it's buggy. It has a memory leak in its BeforeNavigatorEvent() IE callback function which gets triggered before a loading of each new page. There they allocate a string of 256 bytes, but never even bother to clean it up!
I'm not even sure if that memory is going to be cleaned up when you close all the IE windows, since it's really a Windows system component and this DLL may not be unloaded even with the closing of IE. But I may be wrong on that point...
But even that's not the worst thing. Their code actually contains a buffer overflow, allowing the attacker to execute code on your machine with the privileges of the IE process just by crafting an invalid URL link and getting you to click on it!
Basically, they use WideCharToMultiByte() to convert the unicode URL string to that allocated 256-byte ASCII character array. They tell the function the size of their array, but if the URL string exceeds 256 characters in length, it will not overwrite that buffer and cause an immediate buffer overflow. Instead it will fail and tell you to increase your buffer. Well, guess what? They don't check for that failure condition (and, incidentally, it may fail for many other reasons during the Unicode->ASCII conversion) and happily proceed to use it in a strcpy() later on, overwriting another 256-byte character array which is now located on the stack. A nasty buffer overflow just waiting to be exploited...
So to summarize, they took a relatively minor problem (URL spoofing) and made it a hundred times worse with their 'solution'. Great job, guys!
Offending code:
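The listing this comment points at is not on the page. What follows is an added example written for this page, not the patch's code: it reproduces the shape of the bug described here and in the "Avoiding buffer overflows in C" comment above (unchecked narrowing into a 256-byte heap buffer, then strcpy() into a 256-byte stack array, heap buffer never freed) beside a bounded version. WideCharToMultiByte() is Windows-only, so narrow_url() is an assumed portable stand-in with the same success/failure contract; REDIRECT_URL is the address the thread says flagged URLs are forwarded to; filter_url_unsafe() and filter_url_safe() are this example's own names.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <wchar.h>

#define URL_BUF 256
#define REDIRECT_URL "http://www.openwares.org/cgi-bin/exploit.cgi"

/* Assumed stand-in for WideCharToMultiByte(): returns the number of bytes
 * written including the terminator, or 0 when dst is too small, in which
 * case dst is left untouched and therefore unterminated. Non-ASCII code
 * points are replaced by '?' (a default-char substitution). */
static size_t narrow_url(const wchar_t *src, char *dst, size_t dst_size)
{
    size_t n = wcslen(src);
    if (n + 1 > dst_size)
        return 0;
    for (size_t i = 0; i < n; i++)
        dst[i] = (unsigned long)src[i] < 0x80 ? (char)src[i] : '?';
    dst[n] = '\0';
    return n + 1;
}

/* The patch's own test as quoted in the thread: a 0x01 or 0x02 byte in the
 * decoded URL marks the user@host address-bar spoof. */
static int looks_like_spoof(const char *url)
{
    return strchr(url, '\1') != NULL || strchr(url, '\2') != NULL;
}

/* VULNERABLE shape, kept only for contrast; never feed it untrusted input.
 * Defects from the thread: malloc() and narrow_url() results are unchecked
 * (an over-long URL leaves `narrow` unterminated, so strcpy() runs off the
 * heap block); REDIRECT_URL "?" plus a ~250-byte URL cannot fit in
 * surl[256]; and `narrow` is never freed, 256 bytes per navigation. */
int filter_url_unsafe(const wchar_t *url, char *out)
{
    char *narrow = malloc(URL_BUF);
    narrow_url(url, narrow, URL_BUF);           /* return value ignored */
    char surl[URL_BUF];
    if (looks_like_spoof(narrow)) {
        strcpy(surl, REDIRECT_URL);
        strcat(surl, "?");
        strcat(surl, narrow);                   /* overflows for long URLs */
    } else {
        strcpy(surl, narrow);
    }
    strcpy(out, surl);                          /* caller's size unknown */
    return looks_like_spoof(out);
}

/* HARDENED version. Returns 0 = passed through unchanged, 1 = rewritten to
 * the redirect, -1 = rejected (conversion failed or result would not fit).
 * snprintf() bounds every write; a truncated redirect is reported as an
 * error rather than shipped silently; the heap buffer is freed on every
 * path. strncpy() is avoided on purpose: it does not guarantee a terminator. */
int filter_url_safe(const wchar_t *url, char *out, size_t out_size)
{
    if (url == NULL || out == NULL || out_size == 0)
        return -1;
    out[0] = '\0';
    char *narrow = malloc(URL_BUF);
    if (narrow == NULL)
        return -1;
    int rc = -1;
    if (narrow_url(url, narrow, URL_BUF) != 0) {   /* failure is checked */
        int spoof = looks_like_spoof(narrow);
        int n = spoof ? snprintf(out, out_size, "%s?%s", REDIRECT_URL, narrow)
                      : snprintf(out, out_size, "%s", narrow);
        if (n >= 0 && (size_t)n < out_size)
            rc = spoof ? 1 : 0;
        else
            out[0] = '\0';                          /* did not fit: reject */
    }
    free(narrow);                                   /* no leak on any path */
    return rc;
}

int main(void)
{
    char out[512];
    int rc = filter_url_safe(L"http://www.paypal.com/", out, sizeof out);
    printf("rc=%d %s\n", rc, out);
    rc = filter_url_safe(L"http://www.paypal.com\x01@paypal.something.net/",
                         out, sizeof out);
    printf("rc=%d %s\n", rc, out);
    return 0;
}
```

The safe variant rejects two inputs the unsafe one mishandles: a URL longer than the 256-byte conversion buffer, and a flagged URL of roughly 250 bytes whose redirect form no longer fits the destination. Both come back as -1 with an empty output instead of writing past a buffer.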
Re:Do Not Use It-It's Got a Huge Vulnerability Its (Score:5, Informative)
Re:Do Not Use It-It's Got a Huge Vulnerability Its (Score:5, Insightful)
Re:Do Not Use It-It's Got a Huge Vulnerability Its (Score:5, Funny)
And if it were MS code (Score:4, Insightful)
Since it is open-source, however, somebody can fix that bug nice and quick before it becomes another problem (gee, imagine that).
Lack of foresight on the part of the patch developer is a bit disturbing, but not a bad reflection on OS code at all
That's why OSS is more secure... (Score:3, Interesting)
There's a saying for this: crap built upon crap.
There they allocate a string of 256 bytes, but never even bother to clean it up! I'm not even sure if that memory is going to be cleaned up when you close all the IE windows, since it's really a Windows system component ...[more scary windows stuff]
Seems like a combination of the lousy design of the Windows components coupled with us
Opera (Score:4, Interesting)
Over hyped. (Score:5, Interesting)
Second, it's a horrible precedent for closed source software. Let closed source fix closed source. This may seem like a good thing(tm) for the OSS community, but you know damn well that not-so-good-intentioned 'patches' will soon follow. Post some source on a site, provide an EXE (that of course didn't come from the source) and you've fished in countless joe users before the real word is out that a copy cat has duped you. Too late for some.
I can only see bad things(tm) coming from this idea. Geeks know who and what to trust, but Joe User doesn't. And when joe user screws up it screws us all.
The sum: This may have a greater negative impact in the long run than the good one it was intended to have.
Dangerous (Score:3, Insightful)
FOR THE LOVE OF GOD/ALLAH/BUDDHA DON'T USE strcpy()/strcat()/gets() !!!
These functions ought to be made illegal. This is why buffer overflows exist, because amateur coders generally don't know what they're doing and because they don't grasp the security implications of design decisions. Be warned, users[ESC]bcwidiots herd together.
-- Naive C programming will get you everywhere, it appears, even if you don't have a clue.
Re:Acceptance? (Score:5, Funny)
To quote the wise sages of the Quake 3 voiceover...
HUMILIATION!
Re:Acceptance? (Score:5, Insightful)
My US$0.02, unadjusted for inflation of course.
Inept and free! (Score:5, Interesting)
If people are doing open source IE patches, would somebody please fix this sucker [google.com]? Thousands of people are complaining about this bug online, yet MS hasn't even officially admitted its existence. Now that's inept!
Re:Inept and free! (Score:5, Funny)
Re:Inept and free! (Score:3, Informative)
The time problem has nothing to do with the patch (Score:5, Insightful)
Re:The time problem has nothing to do with the pat (Score:3, Insightful)
If Microsoft employed better software design, IE wouldn't be entangled with the whole OS, and their testing workload wouldn't need to be so extensive.
I know damn well they haven't tested this as much as a corporation supporting 90% of the world's browser users would
Several times, 3rd party volunteers have demonstrated the ability to test Microsoft's softwar
Re:The time problem has nothing to do with the pat (Score:3, Insightful)
Even if IE wasn't entangled in the OS, there's still a shitload of testing to do. Also, MS TRIES to make sure that their patches don't break 3rd party apps. How many other companies do you know that do that? I'm not saying they always succeed at that, but they try, since it is in their own best interest. They don't need the whole world thinking their patc
Re:The time problem has nothing to do with the pat (Score:4, Informative)
Bullshit! MS only tests for apps that have parent companies they get along with (also known as, they haven't tried to start a monopoly in that market yet.). As a matter of fact they were convicted in court of releasing patches that BROKE third party functionality on PURPOSE.
Who ever modded you as insightful was an ass.
Re:The time problem has nothing to do with the pat (Score:3, Insightful)
Re:Acceptance? (Score:4, Interesting)
MSIE, on the other hand, fails completely.
In fact, on some versions of mozilla you even can spot a control char in the status line, too. But real spoofing depends on the address line.
heise (German) [heise.de]
As a test:
http://www.mozilla.org%00@www.heisec.de [heisec.de]
is shown as http://www.heisec.de in mozilla, while msie puts http://www.mozilla.org into the address line.
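The check the "No, not so much" comment describes earlier (grep the URL for %01 or %02) and the heise test URL just above, generalized into a proper filter. This is an added example written for this page, not the patch's code or anything from heise: it percent-decodes the authority first and flags any control byte before '@', so %00, %01 and %02 are all caught however they are spelled, and it reports the host a browser actually connects to. The verdict names and decode_authority(), classify_url() and real_host() are this example's own; IPv6 bracket literals are not handled.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

enum url_verdict {
    URL_OK = 0,          /* no userinfo in front of the host */
    URL_USERINFO = 1,    /* user@host form: legal, but the classic phishing shape */
    URL_SPOOF_CTRL = 2,  /* control byte inside userinfo: the IE address-bar spoof */
    URL_MALFORMED = -1   /* no scheme://, bad %XX escape, or authority too long */
};

static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    c = tolower(c);
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

/* Copies the authority (after "://", up to the first '/', '?' or '#') into
 * out, decoding %XX escapes. Returns the decoded length or -1 on a bad
 * escape or an over-long authority. A %00 becomes a real NUL byte, which is
 * why a length is returned instead of relying on a terminator. */
int decode_authority(const char *url, unsigned char *out, size_t out_size)
{
    const char *p = strstr(url, "://");
    if (p == NULL) return -1;
    p += 3;
    size_t n = 0;
    for (; *p && *p != '/' && *p != '?' && *p != '#'; p++) {
        unsigned char c = (unsigned char)*p;
        if (c == '%') {
            int hi = hexval((unsigned char)p[1]);
            int lo = hi < 0 ? -1 : hexval((unsigned char)p[2]);
            if (lo < 0) return -1;          /* "%0@" and friends are malformed */
            c = (unsigned char)(hi * 16 + lo);
            p += 2;
        }
        if (n >= out_size) return -1;
        out[n++] = c;
    }
    return (int)n;
}

/* The host is whatever follows the LAST '@' (RFC 3986: [userinfo@]host[:port]).
 * Anything before it is userinfo; a control byte there is the spoof. */
enum url_verdict classify_url(const char *url)
{
    unsigned char auth[512];
    int len = decode_authority(url, auth, sizeof auth);
    if (len < 0) return URL_MALFORMED;
    int at = -1;
    for (int i = 0; i < len; i++)
        if (auth[i] == '@') at = i;
    if (at < 0) return URL_OK;
    for (int i = 0; i < at; i++)
        if (auth[i] < 0x20 || auth[i] == 0x7f)
            return URL_SPOOF_CTRL;
    return URL_USERINFO;
}

/* Writes the host the browser would really connect to (after the last '@',
 * before any ':port'). Returns its length, or -1 if malformed or too long. */
int real_host(const char *url, char *out, size_t out_size)
{
    unsigned char auth[512];
    int len = decode_authority(url, auth, sizeof auth);
    if (len < 0 || out_size == 0) return -1;
    int start = 0;
    for (int i = 0; i < len; i++)
        if (auth[i] == '@') start = i + 1;
    size_t n = 0;
    for (int i = start; i < len && auth[i] != ':'; i++) {
        if (n + 1 >= out_size) return -1;
        out[n++] = (char)auth[i];
    }
    out[n] = '\0';
    return (int)n;
}

int main(void)
{
    const char *url = "http://www.mozilla.org%00@www.heisec.de";   /* from the thread */
    char host[128];
    real_host(url, host, sizeof host);
    printf("verdict=%d real host=%s\n", classify_url(url), host);
    return 0;
}
```

A filter built on classify_url() would block URL_SPOOF_CTRL outright and could warn on URL_USERINFO, which covers the plain http://www.paypal.com@paypal.something.net/ shape another comment mentions; the patch's byte-grep catches neither a %00 nor a user@host URL without control bytes.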
Re:Seriously. (Score:5, Insightful)
Re:Seriously. (Score:5, Insightful)
--Atlantix
Are you an accountant? (Score:3, Insightful)
Being open is not for your benefit because you have any clue how things work. Being open allows objective 3rd parties who have a clue to give an opinion on the matter so that the clueless masses (though shrinking everyday) can make a decent decision. The benefit to you is indirect, but it is a real tangible benefit, nonetheless.
Now, objectivity and expertise to you might simply be synonymous with "MS," but if the financial market were that naive I doubt we wo
Re:Seriously. (Score:3, Informative)
1. *dest is not verified to be non-NULL.
2. *dest does not appear to be freed, resulting in a 256 byte memory leak per URL.
3. URLs greater than 255 characters in size might have problems sin
Re:Seriously. (Score:3, Informative)
Here's the first anonymous duplicate posting. [slashdot.org]
And here's the other anonymous duplicate posting! [slashdot.org]
Re:... huh? (Score:5, Funny)
How about this one .... (Score:4, Funny)
Re:How about this one .... (Score:5, Interesting)
Doesn't this mean that nobody else is allowed to distribute it? I mean, MS could still get in a whole lot of trouble for including this code in its patch, but they wouldn't risk losing source code.
Re:How about this one .... (Score:5, Insightful)
RTFC (Score:5, Informative)
By using this source code, you agree to the following terms: 1) You may use the source code, resource files for educational purposes only. 2) You MAY NOT redistribute this source code without written permission. Failure to do so is a violation of copyright laws. 3) The author of this code may have retained certain "additional copyright rights". If so, this is indicated in the author's description.
since I doubt there'd be anything educational about IE source code...and by the way, I don't think this qualifies as an open source license.
Re:RTFC (Score:4, Interesting)
Re:... huh? (Score:5, Funny)
If this patch gets the press coverage that it deserves, maybe people will learn to take Microsoft's claims of better security response rates than those open-source folk with a grain of salt.
Or maybe Microsoft will actually start working harder to keep their software secure in a timely manner?
</fingers_crossed>
Re:... huh? (Score:5, Interesting)
Re:... huh? (Score:4, Interesting)
They have thousands of programmers, let them move their butts and do their fucking job. More holes in IE, easier to convince people to switch to Mozilla.
Re:I already got the patch (Score:3, Informative)