Microsoft patches UI race condition holes in IE

Microsoft has finally fixed some UI race condition holes in Internet Explorer. I think the holes they just fixed include some of the holes I first reported to them in March 2004 and posted to Full Disclosure in July 2004, and which were known the whole time to allow e.g. spyware installation.

Microsoft's fix involves disabling the "Run" button for about a second. One interesting difference between Microsoft's fix and Mozilla's fix is that Internet Explorer doesn't make the button visibly disabled; instead, it makes the button ignore clicks and keypresses for a short period of time. This works well given Microsoft's short timeout of 1 second (compared to Firefox's 2-3 seconds, which might be overkill).

4 Responses to “Microsoft patches UI race condition holes in IE”

  1. Adam Sacarny Says:

    It might be best to move to a more Microsoft-like solution, which could simply be dropping the disabled time down to 1 second. However it does make sense to keep it greyed out, and even to keep the time indicator ( “(3)…(2)…(1)”.) Can you say hidden pref??

    Still, this was a very nice catch on your part, and I’m happy with the additional security even if it requires waiting a few seconds to install an XPI.

  2. Ben Basson Says:

    Overkill is better than underkill, I say stick with it as-is.

  3. Nathar Leichoz Says:

    I’ve always wondered whether the countdown-before-enabling-button technique would work. Back when I was using IE 4, I accidentally installed an ActiveX control because of that very reason (typing “y” without looking at the screen) although that website wasn’t actually exploiting a race condition, it merely happened by chance. But regarding the solution, I never thought anyone would actually use it. I’ve always felt that it was a probabilistic compromise and therefore not a “clean” enough solution. i.e., It only helps people who type fast, but for people who type real slow, the 3 second delay may not be long enough.

    How about using the secure key combo technique used in WinNT? Their login box instructs you to type the Ctrl+Alt+Del combo before the login box will appear. Although it is designed to solve another security problem, it may well serve to product against accidental typing. Firefox could do the same thing. On the Install dialog, instruct users to press a key combo to replace the “Yes”.

  4. jhermans Says:

    A special key-combo ? That’s not very friendly for people with only 1 hand. I know, you have StickyKeys etc …, but it’s still not friendly.