July 31, 2004

The latest IE flaw is interesting

An excerpt describing one of the two vulnerabilities responsible for today's security update:


In Microsoft Security Bulletin MS04-025, Microsoft describes a critical vulnerability in the way Internet Explorer processes .GIF and .BMP images. An attacker can use malicious images on a web page or in HTML-formatted email messages. If the attacker can convince a user to visit the web page, open the message, or otherwise view the image, the attacker may be able to gain control of the user's machine.

This affects systems as old as Windows 98 first edition running Internet Explorer 5.0. Thus a core part of the way that the Windows operating system has displayed 25-year-old image formats since 1999 contains a root exploit. There was a similar vulnerability involving PNG images on Unix platforms a couple of years ago, due to bugs in the zlib library. However, the life cycle of that vulnerability was several months instead of half a decade, and in Windows everything essentially runs as root.

I blame these constant and ever more laughable Windows security problems on their closed-source software model. There are dangers in running software on your machine that can only be audited for security by the people who get rich selling it to you. There are many rants to be had in situations like this, and counter-rants, but this, I feel, is the largest problem with closed-source applications. The code simply doesn't "get out enough" and winds up with these sociological disorders.

Posted by jesse at July 31, 2004 12:06 AM