Microsoft on Tuesday said it was looking into reports of a potential bug in its Web browser that could help malicious hackers design convincing Web site spoofs. On other browser news, Opera 7.23 for Linux was released.
Mozilla Firebird displays it correctly
http://www.microsoft.com%01@zapthedingbat.com/security/ex01/vun…
Great quote from the article:
“Microsoft faulted security mavens for publicizing the flaw, implying that they hadn’t given Microsoft sufficient time to craft a patch.”
I guess that letting users know that they are vulnerable is a bad thing. True that MS is not spreading the word because it could attract more attention, however a new exploit gains attention no matter what. It’s all a point of view.
Oh, I forgot to mention that Microsoft is keeping track of publicly announcing that they have a better security record (patch distribution) than other operating systems. I guess not announcing it could be construed as fixing the scores. Makes them look a little more favorable if they announce a vulnerability and a patch on the same day. So users are hung out to dry for the sake of bragging rights.
damn i love firebird
I guess that letting users know that they are vulnerable is a bad thing.
Well, yeah .. because it also alerts the crackers and script kiddies as well, which is not a good thing.
IMHO, the right thing to do would be to let MS know first, and give them at least a couple of weeks to come up with something and if you get no response, then release it to the public.
Personally, I don’t know what these people have to gain by simply releasing this info to the public … to let all of us Windows users know that we’re using an insecure operating system? Well, no shit, Sherlock! As if we didn’t know that already.
MS is known for sitting on bugs until everyone knows about it and whines.
This is just making the bug get fixed quicker.
And you think the real crackers don’t know about this already? The real evil guys won’t wait 2 weeks.
Thanks for your insight. I had not considered this viewpoint that is repeated over and over by folks like yourself.
IE 6.0 in WinXP Pro showed the URL as http://zapthedingbat.com/security/ex01/vun2.htm and Firebird 0.7 displayed the entire URL in the address bar (http://www.microsoft.com%01@zapthedingbat.com/security/ex01/vun…).
I do love Opera, which does display a warning for the fake site. Seems like Firebird will soon be just as good.
Everyone is going to the wrong link. Go to:
http://zapthedingbat.com/security/ex01/vun1.htm
To test the vulnerability. The BUG exists with IE 6 (Win XP).
I fired up Slimbrowser which uses IE 6 to render web sites and it picked up the error like Opera does.
Did you go to: http://zapthedingbat.com/security/ex01/vun1.htm
and not:
http://zapthedingbat.com/security/ex01/vun2.htm
No need to be profane. There are two viewpoints to consider.
1) Advise people
2) Don’t advise the people.
1) If you advise the people they can take appropriate actions to protect themselves. However some little script kiddies are getting their feet wet with a new (easy) exploit.
2) By not advising the public, users are going to be left in the cold not knowing what’s going on until there is a patch. What about the company that spends millions on MS products and doesn’t know that their networks aren’t secure?
The hard core hackers aren’t going to wait for MS to put a patch out. I’d rather be aware than be kept in the dark about potential issues.
If an exploit is out then it’s out. The newbie hackers pose a problem but the ones with experience pose a threat. Is it better to know or not to know? I prefer to know.
http://www.microsoft.com%01@zapthedingbat.com/security/ex01/vun…
shows up in my IE6 on Xp as
http://zapthedingbat.com/security/ex01/vun2.htm
Didn’t apply the November patch though.
Only a coward couldn’t face the real world challenges and hides behind half-baked alternatives.
People – you are not reading the warning stated at:
http://zapthedingbat.com/security/ex01/vun1.htm
By opening a window using the http://user@domain nomenclature an attacker can hide the real location of the page by including a 0x01 character after the “@” character.
Internet Explorer doesn’t display the rest of the URL making the page appear to be at a different domain.
You must click the form button to see the exploit !!!
Did that and the web page tells me
Location in address bar should be http://zapthedingbat.com/security/ex01/vun2.htm in its address bar
Don’t give up food just because you could be choked
<p>
Vulnerability<br/>
There is a flaw in the way that Internet Explorer displays URLs in the address bar.<br/>
By opening a specially crafted URL an attacker can open a page that appears to be from a different domain from the current location.
</p>
<p>
Exploit<br/>
By opening a window using the http://user@domain nomenclature an attacker can hide the real location of the page by including a 0x01 character after the “@” character.<br/>
Internet Explorer doesn’t display the rest of the URL making the page appear to be at a different domain.
</p>
<br/>
<button onclick="location.href=unescape('http://www.microsoft.com%01@zapthedingbat.com');" style="font: 8pt verdana, sans-serif;">
Test Exploit
</button>
One of my friends told me that some pr0n sites are already using that exploit to get more hits. I guess they didn’t wait two weeks.
How ? The bug only might cause improper display in address bar, which would not happen before a link is clicked
>>>I guess that letting users know that they are vulnerable is a bad thing.
Yeah, much better idea to instruct hackers how to exploit the inability of users to protect against the flaw /SARCASM
If you have enabled the above (it’s the default for most IE installations) in the Advanced tab of IE settings, then the vulnerability appears. If left unchecked, it shows the full thing. That’s probably why some people have been able to see it, while others haven’t.
Yep, it works in IE6 SP1 on Linux (wine), and it works whether or not I have friendly error pages displayed.
Shows in XP (latest patches) whether that’s enabled or not. As stated previously you have to go via the form button on the first page, and not just paste the vun2 link into your browser.
To all IE users who are voluntarily using IE, I have a simple question:
Why do you still use IE?
Worse than those users who are still using IE voluntarily are those who use it in Linux (wine) (yes Intagible, I mean you)
Got several junk e-mails about need to refresh my PayPal account setting, with link to paypal settings page.
No PayPal account here, and I do know these tricks, but visited the link out of curiosity.
Hehe, “unfortunately” i’m using Mozilla…so i even didn’t understand why to use so strange URL:)
element wrote:
>To all IE users who are voluntary using IE, I have a
>simple question:
>Why do you still use IE?
I have a simple answer:
Because I want to.
Kram II
>To all IE users who are voluntary using IE, I have a
>simple question:
>Why do you still use IE?
I have a simple answer:
Because I want to.
And seriously speaking? I’m also very interested to know what people like in this application.
Is it just because you haven’t really tried (for more than an hour) some alternatives? Is it because IE offers something that you can’t get in alternatives? Is it by inertia? Because IE launches faster? Because your online banking service restricts its use to Win/IE only?
Thank you.
1) If you advise the people the can take appropriate actions to protect themselves. However some little script kiddies are getting their feet wet with a new (easy) exploit.
2) By not advising the public, users are going to be left in the cold not knowing whats going on until their is a patch. What about the company that spends millions on MS products and not know their there networks aren’t secure.
I think there should be a balance. If they tell off straight away, before Microsoft’s developers have time to find out the problem, would be bad for home users. Especially so because home users don’t go to Slashdot, OSNews, or heck, even CNet, and wouldn’t know that important sites, like banks, could be spoofed.
On the other hand, if developers tell Microsoft, they drag their feet, some half year later they finally put out a patch. So here’s what I think the solution is: Call Microsoft, threaten them if in 1-3 months they don’t get a patch out, they are telling the public. That way, Microsoft has enough time to patch, yet it won’t drag its feet.
As for hardcore hackers, there’s no use doing anything if you are afraid of them. Regardless, if they know a vulnerability, they would create some kind of worm, virus, or something of that sort (or in this case, a spoof site). But most of the time, it is script kiddies that are the problem. And they use known vulnerabilities, and use user ignorance and naivety to cause havoc.
“Mozilla Firebird displays it correctly
http://www.microsoft.com%01@zapthedingbat.com/security/ex01/vun….. ”
No problem with IE 6.0
Hey WorknMan, I dunno if this has already been addressed but I’m just quickly skimming around here on OSNews before firing up Morrowind for a while and noticed your comment stating that “Personally, I don’t know what these people have to gain by simply releasing this info to the public … to let all of us Windows users know that we’re using an insecure operating system.”
Basically, you’re misunderstanding the reason that these security issues are, should, and will continue to be made public first and foremost. The simple reason being that it simply makes no sense to act like security through obscurity works, at all. If that were the case, Windows would be one of the most secure platforms ever. This is not meant to be a railing, this is a simple statement of fact. Software providers have an obligation (Or at least any good provider should) to notify their users of things to be on the lookout for. You do realize that what you’re saying is users should be unaware that there are known (They will be found, public announcements is not how crackers always get their information) vulnerabilities, exploits, and holes in the software they use. This is dangerous because it leads to the “bad guys” getting away with basically robbing these people when they have no idea what’s going on behind the scenes on a webpage.
I hope this point of clarification shows at least some of the reasoning behind public security/vulnerability announcements.
On the other hand, if developers tell Microsoft, they drag their feet, some half year later they finally put out a patch. So here’s what I think the solution is: Call Microsoft, threaten them if in 1-3 months they don’t get a patch out, they are telling the public. That way, Microsoft has enough time to patch, yet it won’t drag its feet.
Yeah, I’d say give MS (or any company for that matter) at least a little time before releasing.
As for hardcore hackers, if they don’t know about the exploit, then there is nothing to exploit. If they already do know about it though, then might as well go ahead and tell the public, but if they DON’T know, I’d say the odds of them finding out in between the time you alert MS and the time either MS comes out with a patch or you alert the public is slim.
As for IE, I only use it on the 0.5% of sites that don’t work correctly with either Firebird or Opera.
No it doesn’t. You are using the wrong link. Mozilla will show the correct address. I’m using IE 6 on XP (to test only) and it shows http://www.microsoft.com in the address bar. Show friendly urls has no effect. Take a deep breath, read the article, click the correct link, then click the form button.
I hope this point of clarification shows at least some of the reasoning behind public security/vulnerability announcements.
Personally, I think it’s BS. Since 95% of people will never read these security bulletins (since 98% of people don’t even know about them), instead of protecting users, you’re basically writing a HowTo for crackers to exploit the security flaw.
Look, I’m not saying “Hide the exploit and don’t tell anyone” .. I’m just saying give the company (whether it be MS or whoever) time to act before you go and tell the entire cracking community how the exploit works.
Yes, I know the company has an obligation, and simply by saying that, you prove my point that these people are just trying to ‘teach us a lesson’ about security. By making the exploit known before giving the company a chance to patch it you’re not really protecting the majority of people .. but instead, putting them at risk.
You guys should stop clicking so fast and read first!!!
IE6 is unprotected. I did a small test-page (I hope Paypal doesn’t sue me for that) to show the failure to a colleague here who also “couldn’t get it”:
Check at http://www20.brinkster.com/rodviking/
I meant “Since 95% of people will never read these security bulletins (since 95% of people don’t even know about them) …”
On OS X …
In safari, the form button does nothing.
In IE, the form button redirects you to: http://www.microsoft.com%01@zapthedingbat.com/security/ex01/vun…
My IE has script disabled, except a few trusted sites.
So the button would not work.
Good point. BTW I removed the “demo site” ‘cos I received a couple of annoying emails a few minutes later..
Even if it’s only 5% of the Windows-using population that read these security bulletins, that’s well over the entire userbase of Apple/Linux products (I myself prefer and use Gentoo Linux to Windows, so don’t misconstrue that), and a very, very large number of people. Personally, you don’t seem to realize that most people don’t frequent the security bulletin places themselves, but rather news outlets such as but not limited to OSNews and Slashdot. The people that do realize there is a vulnerability such as this one, more likely than not will want it fixed. Now even if there is no patch right now, in the meantime, people can take proper precautionary steps to ensure that they don’t fall victim to this exploit.
I like to think of computer security like the infamous Arms Race. If the good guys, namely security experts who post these notices, don’t find out about these problems and draw attention to them, then the problem will stay underground where it will be quite easy for any script kiddie and cracker with access to an IRC or Usenet network to find out about it. The fact of the matter is that people don’t just decide to use these bugs/issues in software on a whim most of the time, they set out to do it beforehand. A security announcement isn’t going to harm anyone and it only gives Microsoft that much more incentive to fix the problem.
Microsoft likes to talk big on security lately, boasting of 24-48 hour times to bugs being swashed, and calling to attention the amounts of bug reports for free/open source software, but when it comes down to it, nothing’s changed. Microsoft needs to take security seriously and start fixing problems as they’re discovered as opposed to threating people and/or discouraging free help to solidify their product line.
“as opposed to threating people” should read “as opposed to threatening people” and yes, I realize that Microsoft has not done that in this particular situation, but have before.
And as for my reply, I just wanted to let rodviking know that I truly am sorry he had to deal with overzealous users who wish to become the Internet Police.
O.K, here’s the skinny. This bug affects Internet Explorer, and to a lesser extent it also affects Mozilla.
Not only that, but the attacker does not need to rely on any Javascript running on the victim’s machine. The ASCII 0x01 character can be encoded directly into a URL and placed on a page as a normal HREF link. The ASCII 0x01 exploit only affects Internet Explorer.
The ASCII 0x00 (NUL) character can also be used in conjunction with this exploit to hide the true URL which is displayed in the status bar of the browser. If the attacker inserts %00 after the ASCII 0x01 character in the faked URL, the string which is displayed will be truncated. This affects both Internet Explorer and Mozilla. With Mozilla the status bar will display the truncated URL, but clicking on the URL will cause the entire URL to be displayed in the location bar.
This bug is extremely simple to exploit. I have created a page which contains a link to “Google”, but in fact directs to a (Quickly copied) Google page on the same machine. The link says it is Google, the location bar says it is Google and the page displayed is identical to Google. It ain’t Google, though. I was going to post the URL, but it seems the last person to try that here started getting threatening email (You sad people, you) so I’m not prepared to do that. However I posted a HowTo on Slashdot; read it at http://slashdot.org/comments.pl?sid=88884&cid=7690401
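A defender-side check for the two spoof shapes described in this thread (a hostname placed in the userinfo before the "@", and %01 / %00 bytes that truncate what IE or a status bar displays). This is an added example, not code from the thread or from zapthedingbat.com; it assumes Node.js 10 or later for the global WHATWG URL class, and the sample URLs are constructed from the forms quoted above.

```javascript
// Added example (not from the original thread): analyse a link the way a
// mail gateway or link checker would, reporting the host a truncating
// display would show next to the host the request really goes to.
const CONTROL = /[\x00-\x1f\x7f]/;

function analyzeLink(rawUrl) {
  // scheme://authority ; the authority runs up to the first / ? or #
  const m = /^([a-z][a-z0-9+.-]*):\/\/([^/?#]*)/i.exec(rawUrl);
  if (!m) {
    return { ok: false, reason: "not an absolute scheme://host URL" };
  }
  const authority = m[2];
  const at = authority.lastIndexOf("@"); // the last "@" ends the userinfo
  const userinfoRaw = at === -1 ? "" : authority.slice(0, at);

  // Decode %XX escapes so %01 and %00 become the control bytes in question.
  let userinfo;
  try {
    userinfo = decodeURIComponent(userinfoRaw);
  } catch (e) {
    userinfo = userinfoRaw; // malformed escape: keep the raw text
  }
  const cut = userinfo.search(CONTROL);
  const hasControl = cut !== -1;
  const visibleUserinfo = hasControl ? userinfo.slice(0, cut) : userinfo;

  // The WHATWG parser gives the host the request is actually sent to.
  let realHost;
  try {
    realHost = new URL(rawUrl).hostname;
  } catch (e) {
    return { ok: false, reason: "URL rejected by the WHATWG parser" };
  }

  // A display that stops at the first control byte shows only the userinfo
  // prefix (e.g. "www.microsoft.com"); otherwise user@host is shown.
  let apparentHost;
  if (userinfoRaw === "") {
    apparentHost = realHost;
  } else if (hasControl) {
    apparentHost = visibleUserinfo;
  } else {
    apparentHost = userinfo + "@" + realHost;
  }

  // Userinfo that itself looks like a hostname is the classic spoof shape.
  const userinfoLooksLikeHost = /^[a-z0-9.-]+\.[a-z]{2,}$/i.test(visibleUserinfo);
  const suspicious = userinfoRaw !== "" && (hasControl || userinfoLooksLikeHost);

  return {
    ok: true,
    realHost,
    apparentHost,
    hasUserinfo: userinfoRaw !== "",
    hasControl,
    suspicious,
  };
}

// What a status bar that stops at a NUL byte would show for a link
// (the %00 variant described above).
function statusBarText(rawUrl) {
  let decoded;
  try {
    decoded = decodeURIComponent(rawUrl);
  } catch (e) {
    decoded = rawUrl;
  }
  const nul = decoded.indexOf("\x00");
  return nul === -1 ? decoded : decoded.slice(0, nul);
}

// Constructed samples in the shapes quoted in the thread.
const SAMPLES = [
  "http://www.microsoft.com%01@zapthedingbat.com/security/ex01/vun2.htm",
  "http://www.microsoft.com@www.yahoo.com/",
  "http://www.google.com%01%00@attacker.example/fake-google/",
  "http://zapthedingbat.com/security/ex01/vun1.htm",
];

if (typeof require !== "undefined" && require.main === module) {
  for (const u of SAMPLES) {
    const r = analyzeLink(u);
    console.log(r.suspicious ? "SUSPECT" : "ok     ",
      "shown:", r.apparentHost, "| real:", r.realHost);
  }
}
```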
IE6 xp sp1: “www.microsoft.com”
Opera 7.20: “http://www.microsoft.com@zapthedingbat.com/security/ex01/vun2.htm” after I got a warning message.
FireBird: “http://www.microsoft.com%01@zapthedingbat.com/security/ex01/vun… with no warning message
I decided to put my “demo page” back (just removed my email from it this time). Now all the script-kiddies might know how to play with this bug anyway, so it makes no difference. At least these demo pages can be used to convince people to be more careful.
And unfortunately one doesn’t need to be so “sophisticated” to fool a distracted user, they just need a slightly misspelled domain name or a “clone site” for that.
“On OS X …
In safari, the form button does nothing.
In IE, the form button redirects you to: http://www.microsoft.com%01@zapthedingbat.com/security/ex01/vun…”
Well I guess that answers my question. Apparently this bug is strictly an IE on Windows issue.
The exploit does affect IE 6.0 folks. If you claim it doesn’t affect you it is because you are doing something wrong. There has not been a patch released for it, it is going to affect everyone with Windows and Internet Explorer 6. Windows XP is irrelevant.
Click this link [url=http://www.microsoft.com@www.yahoo.com/]Microsoft.com[/url]. If OSNews’ parser allows it, it should say “www.microsoft.com” in your address bar, while actually sending you to http://www.yahoo.com.
I wonder what the big deal is. Did Microsoft expose yet another back door in their software?
The fixed version of IE, in Red Flag Windows, seems to work fine.
And I can surf wireless without Uncle Scam recording my data, too.
Thank Mao for Red Flag Windows and Red Flag Secure WiFi.
Even if it’s only 5% of the Windows-using population that read these security bulletins, that’s well over the entire userbase of Apple/Linux products (I myself prefer and use Gentoo Linux to Windows, so don’t misconstrue that), and a very, very large number of people. Personally, you don’t seem to realize that most people don’t frequent the security bulletin places themselves, but rather news outlets such as but not limited to OSNews and Slashdot.
Most of the Windows-using public doesn’t even go to OSNews or Slashdot, so how is this protecting them?
Consider the following scenario:
You are a ‘security expert’ (whatever the hell that means) who just found a new vulnerability. Since you just found it, I think it’s safe to assume that crackers don’t know about it yet. And if they do, that just goes to show that security experts should spend more time on IRC.
Anyway, if the crackers already know about it, then yes … release it publicly immediately. But, assuming this vulnerability IS fresh and nobody knows about it yet, then you have two options:
1. Submit the vulnerability to Microsoft – and give them whatever is considered to be the appropriate time to release a patch. If, after that time passes and MS hasn’t even responded, then release it publicly and say “Here’s the vulnerability, and MS isn’t doing a thing about it.” After all, if the company isn’t doing anything to fix it, then let those who will hear fend for themselves. After all, better to have 5% protected than nobody at all.
2. You could release it publicly immediately without even giving MS a chance to react. At this point, about 5% of the Windows-using public is going to find out about it, along with MS and the crackers. Now, it becomes a race to see what happens first: whether MS patches the vulnerability first or the crackers exploit it first.
If the latter happens and the hole is exploited before it is patched, you’ve got maybe 5% of Windows users protected while the other 95% are not. So, assuming this is a big one and tons of people get hacked, then the person/persons who released the info without even giving MS a head start on the patching process are certainly partially to blame.
Either of the above scenarios could result in 95% of people getting hacked, but at least with the first option, MS is going to find out about it before the crackers do. I don’t see any good reason for option #2.
I find your argument to hold little weight .. the 5% of people that actually know where to look for these bulletins are probably computer savvy enough to run firewalls and such, so they probably wouldn’t be affected regardless. My contention is that if you’re so worried about protecting people, you’re probably going to do MORE damage by releasing the info prematurely than if you had simply done the right thing and let MS know about it first, instead of giving the info to both MS and the crackers at the same time.
I only use it when something needs it.
For example, when Mozilla and Opera are choking
This is not the right response. “Let’s tread carefully around the script kiddies.” That’s what people seem to be saying. The fact is that these ‘script kiddies’ make it look so easy to hack servers, deface websites, write worms that shut down computers all across the country and may have caused the East Coast blackout. Is it really that easy to do that even children do it, even children in Minnesota (Parsons)? Is it really so hard to make an OS/website secure from novices? IT people consider themselves professionals, right? Hmmm…
“To all IE users who are voluntary using IE, I have a
simple question:
Why do you still use IE?”
Because Microsoft with its closed source truly makes the best software beyond a shadow of a doubt. Ultra secure and always reliable. No breakdowns, crashes or nothin’.
Okay, MS, can I have my ten dollars now?
First off, there are a lot more people out there who give a hoot about their computer enough and casually visit sites like OSNews and Slashdot and others like them than you guesstimate. But anyways, I’d rather that people are notified and a patch released ASAP, and public revealing of a security hole is, most of the time, a surefire way of getting a patch much faster. You’re putting direct pressure on the vendor to take the issue seriously, and not drag their feet and get it done when they feel like it. After all, we’re talking about a vulnerability here that puts people’s financial lives at stake. It’s something that should be fixed, and Windows users should be notified by Microsoft (Wouldn’t it be neat if, like most other providers of software, they had a page where they announce patches/updates/products. I mean a dedicated page) some way or another. Is it dangerous to distribute the information? I suppose that for some people it may be, but it’s also a great heads-up for people that care about the issue.
My line of reasoning is, of course, based on the assumption that the company truly cares for the users, and the users are truly caring of their own safety. It’s getting easier and easier these days for people to hear about the latest security issues with Windows and other Microsoft products, because stories are making it into such mainstream news outlets like ZDNet, CNet, CNN, and more. And this vulnerability is just as serious, if not more serious, than the MSBlaster virus, imho, because it puts normal people on the line. I don’t understand why any respectable news organization would not choose to cover this story, due to its potential impact.
Oh, and by the way, security expert is not just some fancy-schmancy word that you apply to yourself when you feel like it, and it’s a real business. I don’t really feel like giving information on an occupation, so please, try not to be so disrespectful when the security experts are the people that analyze applications and programs for a living to find any potential flaw, major or minor. They’re basically crackers that aren’t into the whole chaos and ruining other people’s computers thing. Then again, they do get paid for it more often than not.
Of course security expert is a title, and not a word. I need to practice my proof-reading.
Um yes it’s a javascript / IE vuln as i see it. By clicking directly on the link it’s just another URL. It’s not hard to see how this could be used to direct an email victim to a site, then direct them again to what looks like the real site. The question is whether you can use a redirect and it will still work.
I tried it on IE and Windows 98 and it works. Changed it to microsoft.com in the address bar, and osnews.com actually viewed. Works 100 percent. I assume it works on IE6 also, but I will have to try it. Most of these new IE exploits are not addressed by the SP’s or cumulatives AFAIK. But again, try it for yourself, rather than depending on them to show you. I also tried some of the Guninski stuff and it remains unpatched, including hta’s posing as txt’s. http://www.guninski.com I think it is. Interesting stuff.
I tried the hta exploit. The file appears as a txt within a zip file. I changed it to download a fake trojan. Again it works 100 percent.
There is also the javascript spoof exploit which remains unpatched, and is next to impossible to patch anyway. There’s also the recent IE6 exploit which includes arbitrary command execution, a serious issue. I don’t know if it’s patched yet. Lots of good stuff to add to my site as demos.
You’re putting direct pressure on the vendor to take the issue seriously, and not drag their feet and get it done when they feel like it.
No, I’m saying let them know and tell them “You have x number of days to come up with something or we’re going to release it to the public.” Whether or not that kicks them into gear, at least they know that they have a time limit and can’t sit on it forever, plus they have a heads up on the situation instead of getting blindsided by it.
I don’t really care about the title of security experts .. as far as I’m concerned, I don’t appreciate these handing the bad guys a pamphlet that tells them how to break into my computer simply because they either want their name up in the lights or they are dissatisfied at the speed at which MS has handled patching in the past. Either that, or else they’re just alternative OS junkies who simply can’t understand why everybody and their grandmother is using Linux by now.
The whole thing about protecting the users is nothing but a crock of shit, because most of the average users won’t even see the security bulletins and will be completely caught off guard by a vulnerability, so stop pretending that giving step-by-step instructions to crackers on how to wreak havoc on my PC is for my own good.
You’re bringing a few topics into the light that have no relevance (Linux, security experts themselves) to this discussion, really. The fact of the matter is that either way, Microsoft is notified of the issue. And either way, they’ve got the exact same amount of time to fix the patch.
Anyways, you obviously don’t care about those people that are actually interested in being notified about these vulnerabilities. Sorry, but the web isn’t a “For the good of the whole” type thing for most subjects, and information will get out either way. Who’s to say a person working either for the security agency or the vendor with problematic software won’t leak any information? With the public notification method, at least the playing field is even, every time, and there are no exceptions.
The fact of the matter is that either way, Microsoft is notified of the issue. And either way, they’ve got the exact same amount of time to fix the patch.
True, but the crackers don’t have the same amount of time to find an exploit if MS finds out about it first.
Sorry, but the web isn’t a “For the good of the whole” type thing for most subjects, and information will get out either way.
So by saying this, you admit that releasing this info to the public instead of first releasing it to MS (and waiting awhile before releasing to the public) is not for the good of the whole? So what then was the original purpose for doing so? I thought that you had the “good of the whole” in mind?
If I ever find a hole like this and it just happens to be for Linux, how about I hand it over personally to the cracking community, along with your IP address, just so you can see how it feels to be on the other end
Some of the comments seem to concentrate on what is the right thing to do for Microsoft. Should Microsoft have some lead time to fix problems or not? Microsoft is not the user who is going to get his/her data damaged.
Well, what about the users? Should they be aware that web sites they are traveling to have been hijacked? Should users be aware that there are holes through which crackers could do major harm to the user’s data?
If, as a user, you found out there were problems with the browser you were using, would you be more careful about how you used the browser? Would you switch to another browser until the first browser was fixed?
I think giving the user a chance to modify their habits according to the level of trouble is something to think about. It is like not opening attachments. The users that still continue to open attachments even though they know there is a risk of damaging files or spreading worms should not whine when bad things happen. But a user left in the dark can not change his/her habits until it is too late.
An informed user has the chance to change his/her habits. The information should be delivered to the user in a timely manner. Especially if there will be a delay before the fix arrives.
my IE6 on Win2k displays http://www.microsoft.com on the site. I also have all the patches updated on my system. There is nothing special about IE besides the fact that other websites cater around its non-standard design.
http://www.mozilla.org
Do yourself a favor.
well…i know it seems quite a silly vulnerability, but, as it has been already told here, it has already been used in order to try to get people’s credit card numbers. (i too received a fake paypal email stating that i had to confirm my paypal account, which besides i never had, entering information on a web page whose link was included in the mail).
the fact is that it affects IE 5 too (tried it today) and microsoft should patch it TOMORROW, it’s their fault.
(i really wish Mozilla gains popularity: i could stop worrying about ie’s poor implementation of standards when working with CSS)
An informed user has the chance to change his/her habits. The information should be delivered to the user in a timely manner. Especially if there will be a delay before the fix arrives.
But it is not delivered to the user in a timely manner .. it is delivered to a security forum where the users who need to see it never will. The only people who read these bulletins are the ones who already know enough about security not to get hacked in the first place. (In this case, don’t use IE.)
But for the most part, this kind of info never makes it to ‘mainstream’ media unless it is something like the Blaster worm, in which case the warning usually shows up a week too late. Hell, I’ve even subscribed to some virus bulletins by email and never get alerted until 2-3 days after it’s in the wild.
My point is, by releasing this info, you’re helping nobody except for people that don’t need to be helped and the crackers who are going to exploit the hole to nail people that will never hear about any of these vulnerabilities even if they are released immediately.
By all means, be my guest. Not to turn this into some kind of pissing contest, but you’d be hard pressed to get my Gentoo Linux system compromised since I keep it synched daily with the testing branch, and have a firewall in place that has been quite solid thus far.
But you misunderstand what I say when I’m talking about this whole issue. I’m not implying that it’s necessarily better for everyone, but that it’s better to have information be free and accessible for those that desire the knowledge. I like to know if my system has a vulnerability, and I like to know how to avoid it if I need to. Fact of the matter is that unless you really care about it in the first place and work to prevent it, your system is going to be compromised, sooner or later, probably without your knowing about it. These bulletins being publicly announced do not change a thing in the big picture, they only assist in keeping those who wish to keep their systems secure just that, secure. The proof is in the pudding when it’s quite easy to see how many people have to deal with viruses and DoS attacks on a weekly or even daily basis these days. Furthermore, I still don’t understand how this would be a huge problem if Microsoft lived up to what it’s been talking about lately and actually provided patches in a timely manner. 24-48 hours, how many people would’ve been affected since the vulnerability was announced? Christ, it’s not like it would require a humongous service pack or anything. The best thing Microsoft could do is simply abandon Internet Explorer, it’s giving them security headaches out the yin-yang because they simply didn’t design it with security in mind. Start over from scratch or create a project using something like Mozilla as a basis.
Anyways, I’ve got to get some rest.
Oh, and by the way, Darius, you still need to realize that news outlets are beginning to take viruses and vulnerabilities in the world’s most widely used OS quite seriously these days, and there are stories galore about exploits in mainstream media. These notices are not confined to whatever forum they were posted to.
I’ve just added it to my homepage logo. Too cool. Ha.
cya
Notifying the users in a timely manner is the company’s duty. Not OSNews or CNN, but those media outlets can help. The company thinks that by telling users there are vulnerabilities in their software that it will hurt their reputation. Possibly so. But the user should be given a chance to make changes to protect themselves.
I see a few types of criminals. One type already knows about the vulnerability. The second type is smart enough to find the vulnerability quickly without being guided by an announcement. The last type is the one that needs an announcement to learn about the vulnerability.
By making an announcement, the third type will finally know what the other two types know, and the users will finally know as well. I do not see the advantage of leaving the users in the dark so that companies can save their reputations. Also the companies are playing a game of ‘how long does it take for the third criminal type to learn of the vulnerability from the other two criminal types?’
If an innocent finds the vulnerability first, then there are three choices. Keep the information to himself, tell the company, and/or tell the world. Keeping it to himself may be the best choice of the three. Telling the company will have the effect of letting the third criminal type and users know at the same time when the company issues a patch. Telling the world helps users protect themselves but the company and criminals are somewhat on the same level. Can the company issue a patch before the third type of criminal finds a way to take advantage of the vulnerability is the main question.
The first two types of criminals will probably not make an announcement of a vulnerability. It does not benefit them to do so. The user should side with caution and assume these two types of criminals already know about the vulnerability. But if the user does not know about the vulnerability, then they are at the mercy of these two types of criminals.
The age old question of non vs full disclosure. Curiously some crackers favor non-disclosure because it works in their favor. I personally would give the vendor a couple of weeks notice before going public. A couple of scenarios:
1. Researcher discovers exploit and reports to vendor and never divulges on a mailing list. This takes away one of the main reasons for research, in that you need recognition of your accomplishments. These guys get jobs based on their prior work. Secondly, the vendor is sometimes lax about patches in this case. I know of several instances where a vulnerability was known, but unpatched, for extended periods of time. Eventually it went “public” and was patched.
2. Researcher discovers exploit, notifies vendor, waits x days, notifies bugtraq. In this case, sometimes details are omitted from the mailing list post, but crackers fill in the details themselves. This was the case with RPC DCOM and others.
3. Researcher discovers exploit and keeps it quiet. This is perhaps the worst scenario, as crackers will often discover the exploit themselves, or it will get leaked somehow. In (supposedly) rare cases, the crackers discover it before the researchers, in what is known as a zero day or unpublished exploit. There are several examples of exploits and tools that existed in the wild before they went public. It’s even theorized that a few researchers are getting (and taking credit for) their exploits from honeypots. Be elite with perl and tcpdump 😀
So full disclosure sometimes helps some of the lesser skilled bad guys, sometimes non-disclosure works in favour of the more skilled attackers.