Re: To Anyone who has Internet Explorer Installed or any other browser (Everybody)

From: sponge (yosponge_at_yahoo.com)
Date: 06/10/03


Date: 10 Jun 2003 10:46:44 -0700

On 10 Jun 2003 04:08:02 GMT, "dkg_ctc" <dontknowguilt@hotmail.com>
wrote:

>yosponge@yahoo.com (sponge) wrote in
>news:8d76ec03.0306091435.3a799742@posting.google.com:
>
>*snip*
>>>>>"According to Kaspersky Labs statistics, over 85% of virus
>>>>>incidences in 2002 were caused by malicious programs such as
>>>>>'Klez' and 'Lentin' that exploit the IFRAME Internet Explorer
>>>>>vulnerability, which was discovered over two years ago, and
>>>>>thus users have had plenty of time to install the patch and
>>>>>protect themselves against any similar virus appearing in the
>>>>>future."
>>>>>
>>>>>This suggests that the advisory is referring to two separate
>>>>>bugs-- one that has been known, and patched, for two years,
>>>>>and one that is relatively new.
>>>>
>>>> Then why after two years is there still not sufficient bounds
>>>> checking on IE's handling of IFRAMES, which allowed these
>>>> exploits to occur?
>>>
>>>This isn't an exploit regarding IFRAMEs. It's an "exploit" that
>>>exists by opening a ZIP archive, and then opening a file in the
>>>archive.
>>
>> I was responding to a citation you posted. If you didn't want
>> people responding to it, don't post it.
>
>And what do you use to support your claim that there is "still not
>sufficient bounds checking on IE's handling of IFRAMES"? A couple
>"vulnerabilities" which make no mention of IFRAMEs?

The flaw you cited. Also, the flaw I posted a few weeks back in which
opening more than such-and-such number of IFRAMES For your
edification, I will repost:

Path: authen.yellow.readfreenews.net!green.readfreenews.net!news.readfreenews.net!cox.net!news-xfer.cox.net!newshub.sdsu.edu!headwall.stanford.edu!newsfeed.stanford.edu!postnews1.google.com!not-for-mail
From: yosponge@yahoo.com (sponge)
Newsgroups: alt.privacy.spyware,comp.security.firewalls
Subject: VULN - Extremely critical Internet Explorer flaw
Date: 22 May 2003 23:29:40 -0700
Organization: http://groups.google.com/
Lines: 6
Message-ID: <8d76ec03.0305222229.47f2748b@posting.google.com>
NNTP-Posting-Host: 24.225.208.14
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
X-Trace: posting.google.com 1053671380 31281 127.0.0.1 (23 May 2003 06:29:40 GMT)
X-Complaints-To: groups-abuse@google.com
NNTP-Posting-Date: 23 May 2003 06:29:40 GMT
Xref: authen.yellow.readfreenews.net comp.security.firewalls:174781 alt.privacy.spyware:16571

Another reason not to use Internet Explorer -- fairly newly-discovered
hole allows automatic download and execution of code, regardless of
browser security settings. There are others that can do this too but
this is yet another technique.

http://www.kb.cert.org/vuls/id/251788

It's worth pointing out that, while this particular issue was patched
(and I think this is what you were getting at), many other issues were
not.

>> More to the point, Microsoft has had ample warning, but did not
>> patch the affected versions.
>
>Ok, and what do you use to support your claim that they've had
>ample warning? You're claiming all these things, but aren't
>backing up a single one of them with anything other than the pages
>you listed (which leave much to be desired fact-wise)--and even
>the article doesn't say that Microsoft has had ample warning.
>
>> Which, incidentally, are only one version old -- legacy
>> software, perhaps, but we're not talking about ancient history
>> here. It is well within expectations for MS to patch such a
>> recent version of IE.
>
>And what information do you have which supports your belief that
>they won't? Once again, you're making claims with nothing to back
>them up.

History. What makes you assume that they will, naivete?
This much is known about Microsoft: 1. they do not always patch holes
in IE; 2. when they do, it is often as a part of a forced "upgrade",
which may introduce new issues.

>>>>>> There is no way to "lock down" the browser; the only
>>>>>> possible way to secure yourself from this is to discontinue
>>>>>> using Internet Explorer entirely.
>>>>>
>>>>>Or install IE6, which as reported by your own links is
>>>>>unaffected.
>>>>
>>>> A large percentage of people still use pre-6 versions.
>>>
>>>Which says nothing regarding the fact that "the only possible
>>>way to secure yourself from this is to discontinue using
>>>Internet Explorer entirely" was completely inaccurate.
>>
>> No, actually it's entirely accurate.
>
>No it's not. How can you say that "the only possible way to
>secure yourself from this is to discontinue using Internet
>Explorer entirely" when there are ways to secure against this,
>specifically by upgrading to IE6, or following the advice that
>others have posted here? In fact, anyone who claims that
>there's no way to secure against this would appear very uninformed of
>the issue at hand, as there have been numerous ways to secure
>against this listed.

Once again, there is apparently no fix for users of existing software,
specifically, version 5. Forcing users to make a major upgrade in
order to be safe from design flaws is foolish, extremely dangerous,
and smacks of malice and coercion. It's the stuff good lawsuits are
made of. What better way to force users to abide by some new EULA or
DRM scheme than to build in fundamental flaws, which can only be fixed
by upgrading, and thus accepting an increasingly questionable
agreement...
More importantly, as stated in my last post, there is no rational
reason why a significant security flaw should not have been fixed in
such a relatively new version of a product.
To apply your line of reasoning to the real world, it would be similar
to requiring auto owners to buy a new car to prevent accidents due to
a dangerous steering system that should have been recalled.

>> The point is that IE is too unsafe to use in any form.
>
>"And I'll prove it by listing 'exploits' which not only require
>user intervention to work, but which don't affect the last two
>versions (IE6 and IE6SP1) of the browsers!"

Kinda like "drive-by" downloads, right?

>> Not only was that the point of this thread, but a point
>> brought up in posts of mine (and others) too numerous to
>> mention.
>
>Didn't you just get through saying that "The point was to point
>out flaws with some commentary"? Now you're saying that's not the
>point, and that the point is completely different.

The point was that IE is too unsafe to be reasonably used, and that
its flaws can affect other applications as well. That was the point.
That's pretty much been the point of the umpteen IE-related posts I've
made in the last several years.

>
>>>*snip*
>>>>>> On a related note, yet another flaw has been discovered in
>>>>>> Internet Explorer that allows remote code execution.
>>>>>> According to Microsoft's security update, this affects even
>>>>>> those who DO NOT use Internet Explorer as their browser
>>>>>> (read: everybody.)
>>>>>
>>>>>Yes, because there are numerous programs that use IE to
>>>>>render. If you read the security bulletin, the vulnerabilities
>>>>>have to do with "not properly determining an object type
>>>>>returned from a web server" and "not implementing an
>>>>>appropriate block on a file download dialog box". So
>>>>>basically, both these flaws only come into effect when you
>>>>>visit a remote site, or receive a malicious HTML e-mail that
>>>>>is rendered by IE.
>>>>
>>>> Sure, but that's the problem. Were a webmaster inclined to
>>>> exploit these flaws, he could. Also, since we all know that
>>>> Outlook Express (and other email clients like Eudora) use IE to
>>>> render pages, recipients of malicious messages are susceptible too.
>>>
>>>Yes...and? That's why Microsoft said it affects people who
>>>don't use Internet Explorer as their browser, and that's why
>>>there's a patch out for it. Are you actually pointing to the
>>>fact that there's a security patch out for insecurity? That's
>>>just the way software works.
>>
>> The point is that IE and its poor coding can affect other
>> applications. That's one of the prime reasons I recommend
>> against it, and also why I have recommended both in newsgroups
>> and on my site that IE be locked down even if users plan on
>> using other browsers. I HAVE pointed out that Microsoft has a
>> tendency to not simply patch, but add "features" (Read: security
>> holes, potential exploits, etc.) in patches and upgrades. Since
>> upgrading to IE6 is the only way of fixing some flaws in IE, you
>> are dealing with the introduction of a new set of problems.
>
>And certainly you have numbers to prove this, right? You
>know...the number of patches for IE5 versus IE6? Things like
>that? Because no offense, but so far you seem to be pulling facts
>from your ass.

I haven't counted. If you can, go right ahead -- I have a life, you
know. But the FACT is that MS frequently does not patch problems, and
when they do, their "patch" requires an upgrade. Again, if your logic
-- and Microsoft's -- were applied to other products, you would see a
whole lot more death and destruction. And that's part of the reason
why the Internet is the jungle it is.

>> That's not "patching".
>
>Not in your book, anyways.

Not in most people's. Using a definition of "patch" that dates back at
least as far as Apple days (when I first saw one), a patch is a small
piece of code designed to fix a specific problem or set of them, not a
major freakin' 18 megabyte monstrosity.

You see, most flaws are caused by a few lines of code, maybe a couple
of dozen bytes of machine language that wasn't written right or was
lacking something. Due to the idiosyncratic nature of Windows
programming, this can entail revising one or a few DLLs or executables
entirely. Fine. But not 18 megabytes! Show me an 18 meg DLL!

Try and imagine if MS required a full upgrade each time ANY flaw came
out! Then you'll see the total lack of logic in your reasoning.

The point is that upgrading an entire browser type to fix a few bytes
of misbehaving code is completely without logic.

>> In fact, one could credibly argue that Microsoft deliberately
>> did not patch prior versions of IE in order to force users to
>> upgrade to the most current version.
>
>By all means, feel free to argue that. I'm not a big fan of the
>conspiracy theories, though, nor do I think that Microsoft has any
>obligation to release patches for IE5, considering there has been
>IE5.01, 5.5 and 6.0 (and numerous service packs in between).

If software products were treated by the same liability standards as
conventional, physical products, you bet they would be obligated!
Software liability law, however, is just in its infancy...it should be
interesting to see what happens in the next few years.

Microsoft, however, can fairly be held to a higher standard than Joe
Smith's Software. Even if we were to put aside the issue of the
potential introduction of new problems -- which you still haven't
addressed -- we can see that it's an unreasonable tack for Microsoft to take.
Patching by upgrading may be acceptable for relatively small
applications; I did that with one of my sniffers recently. Of course,
you're talking about a few executables, a few DLLs - 2 megs in all,
not 18. Moreover, unlike the makers of free or $20 applications,
Microsoft has the resources to do things the right way. Windows is not
written by one or two guys operating out of their basement; they have
thousands of programmers, billions of dollars, and price their
products in the hundreds or thousands of dollars. We're not talking
about shareware here.

>>>>>> At least there's a patch for this. However, IE still cannot
>>>>>> be safely used.
>>>>>
>>>>>Not that I disagree, but you didn't do a very good job of
>>>>>making your case in this post.
>>>>
>>>> The point was to point out flaws with some commentary.
>>>
>>>Seems to me that your point was, "You can't use IE safely", and
>>>I think that's probably what any sane reader would have seen as
>>>the point, considering you actually went so far as to repeat
>>>that point. You referred to an "exploit" which requires you to
>>>download a ZIP file, open the ZIP file, and run an HTML file in
>>>the context of the local zone, and a patch which fixes security
>>>holes, as evidence that Internet Explorer can't be used safely.
>>
>> The point WAS that you can't use IE safely, and I referred to
>> two exploits: one was patched, one was not after how long.
>
>You tell me. How long? When was it first reported to Microsoft?
>When was it first publicly reported? It's kind of hard to claim
>that something is insecure when you don't even know if the
>vulnerability has been reported to Microsoft, isn't it?

Let's see. The second item in my post was reported about mid-May
(still a long time!). The first trojan was reported around the same
time. IFRAME exploits go back as far as 1999.

BTW, upon further review, I found more info to prove you are wrong in
your "IE6 is immune" logic:
http://www.securityfocus.com/archive/82/244242

>>>> The present flaws -- never mind the hundred or so on file at
>>>> SecurityFocus -- state that case well.
>>>
>>>I agree, but you didn't use those to state your case. You used
>>>two--IMO--NON-issues to state your case, and that's what I'm
>>>taking issue with. Now if you'd used the Pivx site which lists
>>>unpatched security holes in IE, then you would have made a
>>>better case. As it is, you listed a "vulnerability" which
>>>requires user interaction, and a security patch.
>>
>> I actually had a better link to browser-specific flaws
>> (including some in Opera), although I cannot find it.
>
>http://www.pivx.com/larholm/unpatched/ ?

Nope, much better, with some good POC. I'll find it eventually --
somewhere in 3 megs of bookmarks.

>> Nonetheless, I cited two recent and highly valid flaws.
>
>Highly valid to you...to me, they are non-issues which may--or may
>not--have been reported to Microsoft, and which require either
>out-of-date browsers (sorry, but you aren't going to convince me
>that Microsoft should still be releasing patches for a browser
>which has been out since 1999 when they've released IE 5.01,
>5.01SP1, 5.01SP2, 5.01SP3, 5.5, 5.5 SP1, 5.5SP2, 6.0, and 6.0SP1
>since that time) or user intervention. "Yeah, just download this
>zip and view the HTML document!! No, really, it's safe!!" Sorry,
>but that's not a security vulnerability.

It is easy enough to convince a user to download a ZIP -- people do
every day, and unzip it via WinZIP or WINRAR using the browser's built-in
open feature, which may not even require user intervention. Moreover,
it *seems* easy enough for a redirect to take care of viewing the
document. That's hardly a process that needs lots of user
intervention.

>> And I followed up with recent BugTraq-documented flaws. Sounds
>> like you're sore that I'm not representing Pivx,
>
>That's not it at all. What I'm "sore" at is that people like you
>would rather use non-issues and vulnerabilities in defunct
>software to make a point, when there are plenty of VALID unpatched
>security holes out there. Hell, you don't even have to link to
>Pivx...in fact, the majority of the time, they don't even discover
>the vulnerabilities, they just have an archive of the ones which
>are unpatched.

Hardly defunct. Here's a little news for ya -- in RealLife land, not
everybody jumps on the newest Microsoft product the day it comes out.
Not everybody jumps when Microsoft says so. Not everybody even knows
to.

A browser version one-off is hardly old -- especially since MS is
still supporting legacy OS' like 98 (well, somewhat). And, responsible
manufacturers likewise support legacy products. Just because you don't
like the version doesn't make it less true. There are still older versions of
IE 5 out. Yes, it's true! And, thanks to this "Microsoft Mentality",
they -- and, potentially, businesses and other innocent users --
because they chose not to address the issue by a proper patch, but by
forcing people to upgrade. And, once again, also risking the
introduction of a new set of problems.
Incidentally, in RealWorld-land, most people upgrade only when forced
to, either by a system crash which requires the installation of a
fresh OS, or when buying a new computer. So, in practical terms, your
"solution" to fixing problems is to force people to lay down anywhere
from $150 for XP to $2000 for a new computer.
Yes, I'm well aware that IE 6 can be downloaded for free. But, out
there, in the real world, most people don't voluntarily upgrade. Even
if they knew that they should, most don't know HOW to go about doing
it. Most don't know WHY they should. And most are scared that an
upgrade will screw up their system. In the real world, upgrading is
not nearly as simple and clear-cut a solution as you want to believe
it is.

And, if you'd done any corporate work, you'd know that upgrading even
a smallish-medium enterprise is a nightmare.
Patching does not have to be the nightmare that upgrading is. For one
thing, patches are typically small...UNLIKE AN 18 MEGABYTE BROWSER
UPGRADE! For home users -- the least likely to willingly patch or
upgrade -- a typical, 500k patch translates to about a three-minute
download...UNLIKE AN 18 MEGABYTE BROWSER UPGRADE which is about eight
hours. For enterprises, let's look at a smallish-medium enterprise
with 500 computers. 500*500k=25 megabytes total bandwidth with less
than a minute download on each system simultaneously. Even "upgrading"
all systems automatically, let's look at AN 18 MEGABYTE DOWNLOAD:
500*18mb = 900mb in bandwidth consumed. FYI, many businesses pay by
bandwidth consumed on top of fixed costs for a DSL/T1/T3/etc. For a
single patch.
You see, the problem here -- and the core point of what you seem to be
arguing in all these posts -- is that upgrading a whole 18 MEGABYTE
BROWSER is a better solution than simply providing a dinky little 500k
patch. So, what if that logic were applied to all security fixes in
IE: use 36 times the bandwidth and 36 times the amount of time to fix
every bug in IE.

And, on top of everything else, you still haven't addressed another
major flaw in your reasoning that I have brought up over the course of
several posts: an entire "upgrade" brings a new set of potential
problems due to the introduction or expansion of features.

>> But BugTraq is considered one of the preeminent tracking houses
>> in the security industry, and lists a litany of IE flaws as well
>> as other most other known security risks and flaws in every kind
>> of software.
>
>You're absolutely right, they are. But you didn't throw out the
>Security Focus links at first; you waited until someone challenged
>you on the issues (or lack thereof) that you originally brought up.
>If you'd simply used ACTUAL issues, like those listed at Security
>Focus, from the get-go, then I wouldn't have thought twice. As it
>is, I saw you using flawed information to come to a correct
>conclusion; whether it's a correct conclusion or not, it's still
>flawed information that brought you there, and THAT'S why I
>commented.

Must I post a dozen links with each post? I've posted here numerous
times on various IE problems. I've thrown out more links here and
there than I can remember. I did not care to go into a Best 'o' Sponge
diatribe because I've covered that ground before and I'm largely
preaching to the choir anyway. That's why there was so little
commentary in the first place; I do not need to go into nauseating
detail yet again why IE is so bad. You challenged me and I responded
to your challenge with those links. I do not need to sound like a
broken record. So, if every post of mine must be some highly-detailed,
500-line posting -- well, I'm not going to do it. I'm loquacious
enough as it is. The folks in the groups to which I'm posting know
what's going on, and they don't always need me to run down every itty
bitty detail over and over. I like to do that when covering something
fairly new, but most of the folks here already know the score and I do
not need to post a dozen links with each post to make my point.

Sponge
Sponge's Anti-Spyware Source
www.geocities.com/yosponge
