Buffer overflow in Microsoft Internet Explorer gopher code

pivx · 2002/08/08

response...

alice and others...

our fix fixes the problems the MS work around creates under some software configurations (62% of all responding persons applying the fix had this problem).

I assure you, SecurityFocus, TechTV and other sources tested this before the recomended it to their millions of viewers and or subscribers. That is 'only' the credability that we bring to the table.

Let me know if you have any other questions... I will be happy to answer them.

I hope our fix helps some of you.

Alice · 2002/08/08

From the gopher_smoker download page:

Name: Gopher Smoker v0.06
OS: Win95, 98, ME, 2000, XP
Screenshot: screenshot.6
Program Info: gopher.info
File Size: 257k
PAD: offline

Note: We do not include the VB6 runtime in the standard download due to conserve space and simplify the process for the user. If you need this runtime, click here to download it or here. ( link to Visual Basic 6.0 Runtime Module SP5 6.00.8964 )
Click to expand...

How can you tell if you need the VB6 runtime? This is getting way too complicated

brett · 2002/08/08

IE6 SP1 is in the pipeline and it would appear that the gopher issue shall be addressed within this release (if not before). Details here or here.

Alice - if you have msvbvm60.dll in Windows/System32 you have Runtime 6.

Alice · 2002/08/08

Thanks. brett. I was just coming here to post that I found the mskb articles (the gopher_smoker page has links for two different files, btw, VBRun60sp5.exe and VBRun60.exe) -

http://support.microsoft.com/default.aspx?scid=kb;EN-US;Q192461
FILE: VBRun60.exe Installs Visual Basic 6.0 Run-Time Files

http://support.microsoft.com/default.aspx?scid=kb;EN-US;Q290887
FILE: VBRun60sp5.exe Installs Visual Basic 6.0 SP5 Run-Time Files

Now have to figure out which one, if any, I need to install, or if it makes a difference.

Think I'll just wait for Microsoft's fix!

EDIT: Yes I do have msvbvm60.dll in Windows System, Visual Basic Virtual Machine version 6.00.8268 dated 9/25/1998 -thanks again.

brett · 2002/08/08

Alice - unless there are reports of this vulnerability being exploited, I think I'll wait too

BTW - if you're running XP or 2K, you almost certainly have Runtime 6 already.

Welshjim · 2002/08/08

Alice and brett--As reported earlier I have installed the manual fix for Gopher and the Gopher test site is now successfully (?) blocked. I have done nothing about FTP and HTTP, and so far have not experienced any problems, but I have not consciously accessed any such sites.
Alice, I hate to tell you, but while typing this post I am listening to Emma Kirtland (?) singing something by Amy Beech on WNYC courtesy of Windows Media Player (v7.1). So I figure it cannot get too much better than this and that I am skating pretty close to edge already. So I agree with you and will not install the pivx fix. I'll wait and see what MS finally offers, if anything.
FWIT--I have not installed the original June patch for WMP (although I did install the November patch). I understand MS has included something called Digital Rights Management in that fix, which has nothing to do with my security.

Alice · 2002/08/09

Hi Jim,

Guess it's easy enough to undo the gopher proxy workaround if you run into any problems with Outlook Express, WMP, etc., but in my case, it's my husband who uses Internet Explorer. He listens to internet radio all the time (using both Real Player and WMP) always has AIM going and uses Outlook Express for e-mail, so it's best if I don't hobble the pc to protect myself from a threat that may be remote.

I haven't installed the 26 June 2002 Cumulative Patch for Windows Media Player either - http://www.microsoft.com/technet/security/bulletin/MS02-032.asp - but I do plan to install it soon. I'll have to read up on DRM - I just found http://www.microsoft.com/windows/windowsmedia/drm.asp

Here is the portion of the WMP patch's EULA.txt that has gotten so much attention, copied from the July 24th version of the patch which I have already downloaded (opened in WinZip):

* Digital Rights Management (Security). You agree that in order to protect the integrity of content and software protected by digital rights management ( "Secure Content "), Microsoft may provide security related updates to the OS Components that will be automatically downloaded onto your computer. These security related updates may disable your ability to copy and/or play Secure Content and use other software on your computer. If we provide such a security update, we will use reasonable efforts to post notices on a web site explaining the update.
Click to expand...

FWIW, here'a a C/P from a recent Newsgroup posting:

From: Jerry Bryant [MS] (jbryant@online.microsoft.com)
Subject: Re: BEWARE: New EULA lets MS ADMIN YOUR Systems!
Newsgroups: microsoft.public.security
Date: 2002-07-02 16:37:26 PST

Thank you everyone for your concern on this issue. It would appear that some clarification is in order.

For in-depth information on how this process works, please see: Managing Automatic Updating and Download Technologies in Windows XP:
http://www.microsoft.com/WindowsXP/pro/techinfo/administration/manageautoupdate/default.asp

For this particular issue, it is important to point out the following:
> To ensure resilience of the DRM system that protects digital content, Windows Media DRM is designed so that content owners can quickly contain the impact should a breach of their secure content occur.
> The language in the EULA for this security update is an agreement to allow Microsoft and owners of content secured with Windows Media DRM to limit the damage to the content owner in the rare case where a player application is compromised - meaning it would play back protected content in an unauthorized way.
> If a player application is found to be compromised, Microsoft would work with the effected parties (i.e. content providers and ISVs) to understand the breach and determine the best of course of action. Revoking the application's right to playback protected content is one possible outcome. If so, that application is placed on an exclusion list, which contains a list of compromised applications that should not be allowed to play back secure content.
> Whenever a user's DRM-capable player application acquires a license from a license server, the DRM revocation list on the user's system will be updated.
> When a known compromised application attempts to access protected content, the access will fail and a user will be informed of the situation and directed to a web site for upgrading their player. Users make the decision whether or not to upgrade their player; it is not automatically updated.
> If users decide not to upgrade to a new version of the compromised player, they can use a different player to play the protected files, because their license to those files is preserved. They can also continue to use the revoked application for content not protected by DRM.
> For the ISV, this process is somewhat similar to the situation of a consumer losing her credit card. After verifying the credentials of the consumer, the credit card company revokes the old credit card and issues a new card to her. This language in the EULA is used to let users know that this kind of system to protect legitimately purchased digital content is in place. (snip)

Q & A
Q. Why is this EULA just now showing up in this security update if this has been a capability of Windows Media DRM for a long time?
A. The same EULA text is in Windows Media 7.1 and an expanded version is in the Windows XP EULA.

Q. What's to keep Microsoft from simply placing any application it wishes on the revocation list that is downloaded to users' machines? Couldn't Microsoft simply put the RealPlayer on that list?
A. Microsoft has developed this capability of Windows Media DRM for the benefit of the entire DRM ecosystem, which includes content providers, ISVs and consumers alike. Microsoft always works closely with the ISV whose application is compromised per the terms of the DRM licensing agreement to remedy any breach.

Q. What steps does Microsoft go through before it determines to add an application to that revocation list?
A. The last thing anybody wants to do is to revoke an application. All other options are investigated first.

Q. Do other ISVs or application providers know that their application is at risk of being essentially shut down by Microsoft?
A. Absolutely. This is part of the Windows Media SDK licensing process

Please let me know if I can help to clarify this any further.
--
Regards,

Jerry Bryant - MCSE, MCDBA
Microsoft IT Communities
Get Secure! www.microsoft.com/security
Click to expand...

Welshjim · 2002/08/09

Alice--Thanks for your research into what Windows Media Player's DRM is about and what MS "says ". I suppose I am a little concerned that MS would like to be able to download whatever they would like to my PC when this "fix" is installed. Maybe or maybe not this particular download is good for motherhood and apple pie, but in the future? And without asking me?

shadowhawk · 2002/08/10

Why does this whole DRM thing smack of 1984 and Big Brother to me?

Alice · 2002/08/23

Microsoft just released a patch for the gopher protocol vulnerability.

It's included in the August 22, 2002 Cumulative Patch for Internet Explorer.

see Microsoft Security Bulletin MS02-047
Cumulative Patch for Internet Explorer (Q323759)
Link to MS02-047

Log in or Sign up

Buffer overflow in Microsoft Internet Explorer gopher code

pivx Inactive

Alice Banned

brett Inactive Alumni Thread Starter

Alice Banned

brett Inactive Alumni Thread Starter

Welshjim Inactive

Alice Banned

Welshjim Inactive

shadowhawk Inactive

Alice Banned

Share This Page

Log in or Sign up

Buffer overflow in Microsoft Internet Explorer gopher code

pivx Inactive

Alice Banned

brett Inactive Alumni Thread Starter

Alice Banned

brett Inactive Alumni Thread Starter

Welshjim Inactive

Alice Banned

Welshjim Inactive

shadowhawk Inactive

Alice Banned

Share This Page

Useful Searches