Fudding the Fudders
Newsbytes is running a follow-up story on the Online Solutions discovery, something both Online Solutions and 'Weld Pond' see as a serious security hole in all versions of Internet Explorer going back several years. There's even a very extensive discussion of the hole at Slashdot.
This then is the hole:
- Internet Explorer sends files to the operating system for execution.
When downloading a file, Internet Explorer typically asks you if you want the file saved to disk or opened. Most sane people will download the file, inspect it carefully, and then and only then - and only maybe - have it executed or 'opened'.
- Internet Explorer uses the built-in MIME type to determine if the file is to be saved, opened, etc.
This Content-Type header information can of course be forged - and that's the security hole.
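A gateway or download handler can catch the mismatch a forged header relies on by comparing the declared type with what the response actually carries. The sketch below is an added example, not code from Online Solutions or from this article; the function names, the extension list and the use of the Content-Disposition filename are assumptions made for illustration.

```python
# Added example: flag downloads whose declared Content-Type disagrees
# with the body or the offered filename. All names here are hypothetical.

# Leading bytes of common executable formats.
EXECUTABLE_MAGIC = {
    b"MZ": "Windows PE/DOS executable",
    b"\x7fELF": "ELF executable",
}

# Extensions Windows treats as directly runnable (illustrative, not exhaustive).
EXECUTABLE_EXTENSIONS = {".exe", ".com", ".bat", ".cmd", ".scr", ".pif"}


def parse_header_params(value):
    """Split 'main; key=value; ...' into (main value, {params})."""
    parts = [p.strip() for p in value.split(";")]
    params = {}
    for part in parts[1:]:
        key, sep, val = part.partition("=")
        if sep:
            params[key.strip().lower()] = val.strip().strip('"')
    return parts[0].lower(), params


def check_download(headers, body):
    """Return reasons the response looks like a disguised executable."""
    headers = {k.lower(): v for k, v in headers.items()}
    declared, _ = parse_header_params(headers.get("content-type", ""))
    _, disp = parse_header_params(headers.get("content-disposition", ""))
    filename = disp.get("filename", "")
    findings = []

    # A type the user would consider harmless to "open" directly.
    benign_claim = declared.startswith(("text/", "image/", "audio/", "video/"))

    # Check 1: the body starts with an executable signature.
    sniffed = next((name for magic, name in EXECUTABLE_MAGIC.items()
                    if body.startswith(magic)), None)
    if sniffed and benign_claim:
        findings.append(f"declared {declared} but body is a {sniffed}")

    # Check 2: the offered filename has a runnable extension.
    ext = "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext in EXECUTABLE_EXTENSIONS and benign_claim:
        findings.append(f"declared {declared} but filename is {filename}")
    return findings
```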
While it is true that Microsoft deliberately bound Internet Explorer to their Windows operating systems, and while it therefore may be true that the best interests of users were not a top priority in its design, the only way this 'hole' can be exploited would seem to be if the user can be duped. The default action for any download is to save to disk. Any sane, sensible user will do this anyway. If a completely brainless user automatically clicks 'OK' or hits 'Enter', the file should be downloaded rather than opened.
The Online Solutions discussion of the 'hole' makes all of this perfectly clear. In fact, Online Solutions concludes its discussion with the following paragraph, which should dismiss any fears that this is much more than 'fudding the fudder'.
Opening a file type previously considered safe, e.g. plain text or HTML file isn't safe with IE. Users of the browser should avoid opening files directly and save them to disk instead (if opening them is necessary at all). If this flaw is being exploited, the file save dialog will reveal that the file is actually an executable program. Dealing with files from an untrusted source isn't advisable anyway.
Trashing IE (and MS) completely is always a wise move, but to do it just to avoid this supposed 'security hole', what Newsbytes and 'Weld Pond' call 'potentially one of the most severe ever', is way more than overreacting.
Slashdot: Another Gaping Microsoft Security Hole Goes Unpatched