Tun da farko mu game da rashin lahani na kwana-kwana da aka gano a cikin Internet Explorer, wanda ke ba da damar yin amfani da fayil ɗin MHT na musamman da aka shirya don zazzage bayanai daga kwamfutar mai amfani zuwa sabar mai nisa. Kwanan nan, wannan raunin, wanda kwararre kan harkokin tsaro John Page ya gano, ya yanke shawarar bincika da kuma nazarin wani sanannen ƙwararre a wannan fanni - Mitya Kolsek, darektan ACROS Tsaro, kamfanin binciken tsaro, kuma wanda ya kafa sabis na micropatch 0patch. Shi cikakken tarihin bincikensa, wanda ke nuna cewa Microsoft ya raina girman matsalar sosai.
Abin ban mamaki, da farko Kolsek bai iya sake haifar da harin da John ya bayyana da kuma nunawa ba, inda ya yi amfani da Internet Explorer yana gudana akan Windows 7 don saukewa sannan kuma ya buɗe fayil ɗin MHT na mugunta. Kodayake manajan tsarinsa ya nuna cewa system.ini, wanda aka shirya za a sace daga kansa, an karanta shi ta hanyar rubutun da aka ɓoye a cikin fayil ɗin MHT, amma ba a aika shi zuwa uwar garken nesa ba.
"Wannan ya yi kama da yanayin yanayin yanar gizo," in ji Kolsek. "Lokacin da aka karɓi fayil daga Intanet, aiwatar da aikace-aikacen Windows da kyau kamar masu binciken gidan yanar gizo da abokan cinikin imel suna ƙara lakabin zuwa wannan fayil ɗin a cikin tsari. tare da sunan Zone.Identifier dauke da kirtani ZoneId = 3. Wannan yana ba wa sauran aikace-aikace damar sanin cewa fayil ɗin ya fito ne daga tushen da ba a amince da shi ba don haka ya kamata a buɗe shi a cikin akwatin yashi ko wani yanayi mai ƙuntatawa."
Mai binciken ya tabbatar da cewa IE a zahiri ya saita irin wannan alamar don fayil ɗin MHT da aka sauke. Kolsek ya yi ƙoƙarin sauke wannan fayil ɗin ta amfani da Edge kuma ya buɗe shi a cikin IE, wanda ya kasance tsohuwar aikace-aikacen fayilolin MHT. Ba zato ba tsammani, cin zarafi ya yi aiki.
Da farko, mai binciken ya duba “mark-of-the-Web”, ya nuna cewa Edge kuma yana adana tushen asalin fayil ɗin a cikin madadin bayanan bayanan baya ga mai gano tsaro, wanda zai iya tayar da wasu tambayoyi game da sirrin wannan. hanya. Kolsek yayi hasashe cewa ƙarin layin na iya rikitar da IE kuma ya hana shi karanta SID, amma kamar yadda ya fito, matsalar ta kasance a wani wuri. Bayan dogon nazari, kwararre kan tsaro ya gano dalilin a cikin shigarwar guda biyu a cikin jerin abubuwan da ke sarrafa damar shiga wanda ya kara da hakkin karanta fayil ɗin MHT zuwa wani sabis na tsarin, wanda Edge ya ƙara a can bayan loda shi.
James Foreshaw daga ƙungiyar rashin lahani na ranar sifili - Google Project Zero - tweeted cewa shigarwar da Edge ya ƙara suna komawa ga masu gano tsaro na rukuni don kunshin Microsoft.MicrosoftEdge_8wekyb3d8bbwe. Bayan cire layi na biyu na SID S-1-15-2 - * daga jerin ikon samun damar fayil ɗin ƙeta, amfani ba ya aiki. Sakamakon haka, ko ta yaya izinin da Edge ya ƙara ya ƙyale fayil ɗin ya ketare akwatin yashi a cikin IE. Kamar yadda Kolsek da abokan aikinsa suka ba da shawara, Edge yana amfani da waɗannan izini don kare fayilolin da aka zazzage daga samun dama ta hanyar ƙarancin amana ta hanyar tafiyar da fayil ɗin a cikin keɓantaccen wuri.
Bayan haka, mai binciken ya so ya fahimci abin da ke haifar da gazawar tsarin tsaro na IE. Wani bincike mai zurfi ta amfani da Utility Monitor na Process da IDA disssembler ƙarshe ya nuna cewa ƙudurin Edge ya hana aikin Win Api GetZoneFromAlternateDataStreamEx daga karanta rafin fayil ɗin Zone.Identifier kuma ya dawo da kuskure. Don Internet Explorer, irin wannan kuskuren lokacin neman alamar tsaro na fayil ya kasance ba zato ba tsammani, kuma, a fili, mai binciken ya yi la'akari da cewa kuskuren ya yi daidai da gaskiyar cewa fayil ɗin ba shi da alamar "mark-of-the-Web", wanda ta atomatik ya sa ta amintacce, bayan me yasa IE ya ƙyale rubutun da aka ɓoye a cikin fayil ɗin MHT don aiwatarwa da aika fayil ɗin gida da aka yi niyya zuwa uwar garken nesa.
"Kin ga abin ban tsoro a nan?" ya tambayi Kolsek. "Wani fasalin tsaro mara izini wanda Edge yayi amfani da shi ya kawar da wani abu mai wanzuwa, babu shakka mafi mahimmancin fasalin (alamar-Web) a cikin Internet Explorer."
Duk da haɓakar mahimmancin raunin, wanda ke ba da damar yin amfani da rubutun mugunta azaman amintaccen rubutun, babu wata alama da ke nuna cewa Microsoft na da niyyar gyara kwaro nan ba da jimawa ba, idan ta taɓa gyarawa. Don haka, har yanzu muna ba da shawarar cewa, kamar yadda a cikin labarin da ya gabata, ku canza tsoho shirin don buɗe fayilolin MHT zuwa kowane mai bincike na zamani.
Tabbas, binciken Kolsek bai tafi ba tare da ɗan PR ba. A ƙarshen labarin, ya nuna ƙaramin faci da aka rubuta a cikin yaren taro wanda zai iya amfani da sabis na 0patch wanda kamfaninsa ya haɓaka. 0patch yana gano software mai rauni ta atomatik akan kwamfutar mai amfani kuma yana amfani da ƙananan faci zuwa gare ta a zahiri a kan tashi. Misali, a cikin yanayin da muka bayyana, 0patch zai maye gurbin saƙon kuskure a cikin aikin GetZoneFromAlternateDataStreamEx tare da ƙimar da ta yi daidai da fayil ɗin da ba a amince da shi da aka karɓa daga hanyar sadarwar ba, ta yadda IE ba zai ƙyale duk wani rubutun da aka ɓoye a aiwatar da shi daidai da ginin- a manufofin tsaro.
source: 3dnews.ru