December 11, 2001
8:43 PM   Subscribe

What's sad is that this is what I've come to expect from Microsoft. But, remember, closed source is more secure... (snicker)
posted by hadashi at 9:31 PM on December 11, 2001

An exclamation mark is missing in the first sentence of this article.

Oy Online Solutions Ltd's security experts have found a flaw in Microsoft Internet Explorer that allows a malicious website to spoof file extensions in the download dialog to make an executable program file look like a text, image, audio, or any other file.

Shouldn't it be...?

Oy! Online Solutions Ltd's security experts have found a flaw in Microsoft Internet Explorer...
posted by Zurishaddai at 10:33 PM on December 11, 2001

Is it safer to use Opera, then?

Or should I just download a copy of Lynx?
posted by brownpau at 10:37 PM on December 11, 2001

Before you blame Microsoft for the bug, remember: "information anarchy" is to be blamed for any exploits. NOT, in fact, Microsoft.

</sarcasm>

original article
posted by mkn at 10:42 PM on December 11, 2001

I scanned through mkn's "information anarchy" link and I got a mental image of the kind of speaker who turns his palms upwards at key moments to win your trust.
posted by Catch at 11:50 PM on December 11, 2001

*turns palms upwards*
posted by stavrosthewonderchicken at 1:27 AM on December 12, 2001

I haven't tried this, but I get the impression that all that's needed to "exploit" this is to alter the mime type file (in Apache, or whatever the equivalent is in the MS server) so that an executable type is associated with a file extension that isn't normally considered dangerous.

For example, if your html docs end in .html then you could leave that as text/html but rename deleteAllFiles.exe to bunniesEatingPancakes.htm and associate the .htm extension with application/x-win32-executable (or whatever).

Does anyone else think that's what they're talking about? If so, it seems silly to not say so explicitly - this is hardly deep magic.
posted by andrew cooke at 2:22 AM on December 12, 2001

[Microsoft] doesn't currently consider this is a vulnerability; they say that the trust decision should be based on the file source and not type.

Translation: this bug's too hard to fix.
posted by dlewis at 4:17 AM on December 12, 2001

Is that a Yiddish Web site?
posted by ParisParamus at 4:30 AM on December 12, 2001

If you have a dialog box that asks you "Open or Save?" and you don't know where it came from... first choice would be save, or simply cancel.

I really don't think this is so much a flaw as it is the way web browsers are constructed, and everyone expects Microsoft to babysit them on the web because they wrote the web browser.
posted by benjh at 4:44 AM on December 12, 2001

everyone expects Microsoft to babysit them on the web because they wrote the web browser.

No, I just expect my browser to download the file type it tells me it is downloading. Of course it's a flaw.
posted by Markb at 5:08 AM on December 12, 2001

A PHP exploit has been published on Bugtraq more than a week ago that demonstrates the vulnerability:

1. Copy the real windows calc.exe from a windows system to the html root dir.

2. Copy the readme.txt file below to the same html root dir.

3. go to the url http://yourserver/readme.txt

You will see the same behavior mentioned in the previous alert.

FILE <readme.txt> BEGIN ----
<?php 
Header("Content-type: application/octet-stream");
Header("Content-Disposition: attachment; filename=calc.exe");
readfile("calc.exe");
?>
FILE <readme.txt> END ----

It's unclear whether all IE versions from 5.0 are vulnerable, but it's definitely something that you should patch (or avoid by using another browser).

What's sad is that this is what I've come to expect from Microsoft. But, remember, closed source is more secure... (snicker)

Have you ever tried to secure a Linux box? It's better than Microsoft, but not to the point where open source advocates deserve to be so smug.
posted by rcade at 5:45 AM on December 12, 2001

Does anyone else think that's what they're talking about? If so, it seems silly to not say so explicitly - this is hardly deep magic.

I'm pretty sure that's what the newest html email virus I've been getting has been doing. Just opening it gives me the dialog box to save or run this with no filename. Maybe they're related.

Have you ever tried to secure a Linux box?

Have you ever tried to secure an IIS box? Download MS's whitepaper on the subject its at least 15 pages. We're not talking about servers here anyway, this is a client problem. I think we can agree that it takes effort and knowledge to secure any server, but MS should be releasing patches for their clients and the 'roll-your-own' crowd can't do anything about it because of closed source.

I'm not advocating open or closed but its very shoddy work on MS's part to refuse to produce a patch. Now we wait for the next nimda to exploit this, publicly embarrass MS again and get the patch in 24 hours. In the meantime every hacker and their brother is trying to identify and reproduce this bug for their own purposes.
posted by skallas at 7:00 PM on December 12, 2001