http://www.cert.org/advisories/CA-2001-06.html
Microsoft Internet Explorer has a vulnerability triggered when
parsing MIME parts in a document that allows a malicious agent
to execute arbitrary code. Any user or program that uses
vulnerable versions of Internet Explorer to render HTML in a
document (for example, when browsing a filesystem, reading email
or news messages, or visiting a web page), should immediately
upgrade to a non-vulnerable version of Internet Explorer.
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Forwarded-by: Lenny Foner
From: david mankins
This is a delightful rant.
The back-story:
- Some version of Microsoft Internet Explorer has a security
hole that basically permits an email message to run an
arbitrary bit of code when the message is read.
- Having been told of the problem, Microsoft released a patch
to fix it. Six weeks later.
- Many, many people have gotten the patch, but it fails to do
anything in a lot of cases.
- In some of those cases, it tells you that everything is now
hunky-dory....
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Date: Tue, 3 Apr 2001 22:30:21 -0400
From: Jamie McCarthy
Subject: [IRR] The nightmare
cp@panix.com (Charles Platt) writes:
> Have not upgraded from what to what?
Well, that's the problem. It's almost like Microsoft wants its users
to be vulnerable. According to Wired, MS took six weeks to release the
patch after being advised of the security hole. (Six weeks!)
Instead of releasing a single patch that would work on all versions of
MSIE, they released two, thus immediately doubling the complexity of
the upgrade process.
Not only will the wrong patch not work, but even the right patch will
fail if you have already upgraded your MSIE _too_far_. Microsoft's
instructions are essentially to _uninstall_ your copy of MSIE,
_downgrade_ (but how do you download the older version if you removed
MSIE? oops), and then apply the proper _upgrade_ patch. Wow.
The icing on the cake, the just _unbelievable_ thing, is that if you
try the right patch and your system has been upgraded to the wrong
thing, you will be told that you're safe when you're not. Boggle. Of
all the security things you want never, ever to do. And this is after
_six_weeks_ of preparation by the Microsoft team.
I don't think the importance of this security hole can be overstated.
This should be front-page news on every newspaper and the lead story on
your 11 o'clock TV news. This allows an attacker to take over your
computer by sending you an email. No attachments, no double-clicking,
no visiting websites. You read the email and suddenly your computer
does not belong to you any more, it belongs to someone else. If you're
lucky it belongs to some shadowy cabal from Turkmenistan or Taiwan. If
you're unlucky, your IP number has been publicly posted and your machine
belongs to ANYONE WHO WANTS IT.
The nightmare, the just utter nightmare, is that some punk kid will
write the next Melissa or ILOVEYOU worm -- we're overdue now, people
have already forgotten Anna Kornikova's legacy -- and it spreads around
the world just as quickly as any of its predecessors. Except, instead
of just being annoying and clogging mail servers, this worm has a
payload: it opens a telnet backdoor in your system, maybe replaces a
few binaries with workalike trojans, and then posts your IP number to
alt.u.r.hacked.
And then it proceeds to find the last 100 people who have emailed you,
and it emails them, "Re:" that last mail, with itself as an attachment.
Those 100 people will just think you forgot to type in an email message,
but now they're infected too. Oh, and it finds 100 random recent .doc
files on your hard drive and uploads their content to FreeNet (maybe
looking for key words like "secret" or "love"). But you won't even know
anything's wrong until you hear it from CNN.
Suddenly the entire world -- the entire freaking stupid Petri-dish
Microsoft-suckling silly ignorant world -- belongs to the crackers.
What will be the internet be like when, say, 30% of the machines on the
net are 0wned by anyone who wants to telnet into them?
It will be complete and utter chaos. It will be unimaginable.
We are literally standing on the brink of worldwide catastrophe, the
meltdown of the entire world's computing infrastructure. We are right
now in a situation where a 15-year-old with a little free time between
classes can destroy the machines on which the world's economy depends,
and destroy it so thoroughly that it will take six months to clean up.
This is a national crisis. This should be on the front page of the New
York Times. The President of the United States should be urging people
to upgrade their browsers. But you cannot even find news about this on
the homepage of the Microsoft website!
Let me repeat that: YOU CANNOT FIND INFORMATION ABOUT HOW TO UPGRADE
YOUR BROWSER ON THE MICROSOFT HOMEPAGE.
In fact, even if you know to go to microsoft.com/security, you still
have to go TWO MORE CLICKS before you get to the place where you can
BEGIN TO DOWNLOAD THE PATCH.
And the worst part? If (when!) this 15-year-old kid just takes the
final logical step and writes the worm that pulverizes the internet,
the newspapers and TV and radio and magazines will all just quote
Microsoft about how unfortunate this is, and how Microsoft had a patch
out in time, and how writing such a worm needs to be punishable by
serious, serious punishment, the kind of serious, serious punishment
which will be really serious to 15-year-olds.
The worst part -- the very thought of blaming Microsoft will never be
uttered, not breathed nor even considered, by a single pundit or talking
head or newspaper editor, because -- the underlying thought, which
everybody accepts without ever consciously considering -- what other
choice do we have?
Jamie McCarthy jamie@mccarthy.vg http://jamie.mccarthy.vg/