Another M$ IE security hole discovered.

[RudeDawg]

It must be Wednesday, already. [img]graemlins/evillaughter2.gif[/img]

OK, this one isn't too bad.
Associated Press - Security Flaw Found in Explorer

Here's the intro:

Quote:

A security flaw in Microsoft's Internet Explorer browser could allow a hacker to take control of a remote computer if its user clicks a link to an outdated Internet protocol, a computer security firm says. Oy Online Solutions Ltd. of Finland said it notified Microsoft Corp. of the security hole on May 20 but the software giant has yet to produce a software patch to fix the problem, the Toronto Star reported Tuesday. A Microsoft spokesman who refused to be identified said Tuesday that the company is "moving forward on the investigation with all due speed" and will take the action that best serves its customers. The problem concerns Gopher, an Internet protocol that predates the World Wide Web with pages like Web pages except that they are unable to store audio and video content. Although Gopher is considered an outdated format for Internet content, it is still supported by Internet Explorer and most other browsers. According to Oy Online, a hacker could take over a user's computer simply by having the user click on a link to a "hostile Gopher site." That one click would install and run any program the hacker chose on the victim's computer, and the victim might never know. "The program could, for example, delete information from the computer or collect information and send it out from the computer," Oy Online said in a release. "(It) could also install a so-called backdoor (program) that would enable the hostile attacker to access the computer later." All versions of Internet Explorer are believed to be vulnerable, the Star reported.

Here's the part that get's me:

Quote:

Refusing to confirm the security flaw, the Microsoft spokesman said the company "feel(s) strongly that speculating on the issue while the investigation is in progress would be irresponsible and counterproductive to our goal of protecting our customers' information." And the spokesman added, "Responsible security researchers work with the vendor of a suspected vulnerability issue to ensure that countermeasures are developed before the issue is made public and customers are needlessly put at risk."

You see? It's not M$'s fault. It's the reporting security companies. They put you at risk by exposing the problem. [img]graemlins/evillaughter2.gif[/img]

New M$ tagline: "Where do you want to gopher today?"

Gopher is outdated (I only found 3 working gopher servers when I searched. Well, i found 25, but only 3 returned data.), but the problem is any buffer overflow in the IE client code which is exploitable is a huge problem. It doesn't matter that there are damned few servers left that use the exploitable protocol. A malacious server need not even be a fully functioning gopher server, it just needs to listen for requests on the right port and respond appropriately. A worm'ed IIS server could fit the bill quite nicely.

A smart worm could:
1. Infect an IIS server via some unfixed hole, or backdoor left by another worm.
2. Open up a dummy gopher port which responds to all requests with the exploit.
3. Replace links on the web site the IIS server serves with links to the gopher server exploit.
4. The worm installs itself on all client machines that click the gopher links and begins scanning for vunerable servers.
5. Goto 1.

None of this has anything to do with the number gopher servers left on the Internet.

Now, the obligatory gopher file.

[Sazerac]

Micro$uck once again shows it's unflappable ability to address the absolute wrong thing with the wrong words. [img]tongue.gif[/img]

You know what they say: "The sun will burn out in 5 billion years...which means they'll have to release patches for Windows in the dark."

Gopher...man, what a concept. I remember that WAAAAAY back when I was first studying Internet back in 1994. Gopher, and Telnet, and Archie, and Veronica, and WAIS. Blaugh...what antediluvian systems.

"A MIME is a terrible thing to WAIS." [img]graemlins/laugh2.gif[/img]

Ok, enough bad geek puns. Back to reality. [img]smile.gif[/img]

-Sazerac

[RudeDawg]

Listen to the gopher file! [img]graemlins/crying.gif[/img] It took me forever to find it!

Quote:

Originally posted by Sazerac: Blaugh...what antediluvian systems. "A MIME is a terrible thing to WAIS." [img]graemlins/laugh2.gif[/img] Ok, enough bad geek puns. Back to reality. [img]smile.gif[/img] -Sazerac

Hey!

You leave my Auntie out of this!

Boy do I remember those days..before AOL was even born [img]smile.gif[/img] Altho there was PC link and Apple Link which would eventually combine and become AOL...I feel old. [img]graemlins/thewave.gif[/img] I did listen to the gopher link [img]smile.gif[/img] hehe reminds me of the SNL skit, "All things Scottish"

[ 06-05-2002, 04:17 PM: Message edited by: MagiK ]

[khazadman]

bill murray made that movie great.